InfoSec sites are the worst

I dread every time I google something and the results is on a domain like cryptodavid.net (cool domain btw, feel free to buy it). They all have shitty enormous headers that make it impossible to read, ads everywhere (and they're custom so you have to hide them manually), nag me to subscribe to their fucking newsletter and keep showing popups for CHEAP ETHICAL HACKER TRAININGS.

When did those websites become even worse than SEO ones?

>When did those websites become even worse than SEO ones?
They haven't changed much, they were already like that in 1996.

Every single infosec person I've met in recent times was a massive asshat, it's no wonder their websites are so tacky.

>>3
It really isn't that surprising. Cryptography is still basically pseudomathematics, and since most people can't evaluate InfoSec-related claims, snake oil salesmen, NSA disinfo and just plain idiots pretending to be experts can flourish. Any field with these characteristics quickly turns into the nigger voodoo guru worship that should make your hair stand on end whenever you encounter it. Just look at the personality cults that certain InfoSec types have created around themselves on Twitter and try to find out what the fuck they actually did to be famous.

>>4

what the fuck they actually did to be famous.

They contribute to malware research/antibirus programs, which keep your personal machine safe.

>>4
yeah, cryptography as a field is the investment of trust into no one ever being smart enough to solve some given hard problem.

this shows in their attitude of "Don't ever write cryptography yourself. Just use a library written by someone who must definitely be a god. If no library has your functionality then it's a bad idea."

>>6
As much of a cargo-cult meme as ``don't write your own crypto'' is (just look at the ``quality'' of crap like OpenSSL, holy shit), the vast majority of homebrew crypto is absolutely terrible and ripe with elementary mistakes.

>>4
Infosec people are not crypto-people. Infosec people do pretend that they know crypto however. Compare DJB to matthew "dicks in anus" green or Tanja to Moxie "gay pride" Marlinspike for example.

>>5
Useless shite.

>>6

Don't ever write cryptography yourself. Just use a library written by someone who must definitely be a god. If no library has your functionality then it's a bad idea

Well, this is not a bad idea actually. While writing crypto for learning is considered fine by everyone, using it in production is a really really bad idea. There have been countless of cases of side-attacks and all kinds of RNG failures in the wild due to this. It so happens that most people can't write side-channel resistant algorithms.

What infosec sites are you looking at? Last I checked it was still cool for infosec sites to serve 90s style unstyled static pages. Maybe add explicit monospace fonts and make the background black if the author was feeling edgy...

>>9
more or less this. OP, your're are an anus

https://www.infosecurity-magazine.com
https://elie.net/blog

>>11

https://www.infosecurity-magazine.com/

Clearly bullshit aimed at suits. Why read this?

https://elie.net/blog

High profile Googler's personal page. Could just be an impressive $trendy_cms_of_the_month template but I can't tell anymore. Anyway I'm not seeing any nags after clearing the initial one so not too horrible.

Infosec people are the worst. But there are many different types of infosec people.

Firstly, there are the luddites who hate any new features in software because ``muh potential attack vectors.'' They want us all to use minimal software on desktops in enforced bunkers guarded by armed security guards. They don't get that their security guidelines aren't usable. We'll never progress with IoT and cloud security when many infosec people are anti-cloud and anti-IoT.

Then you get the morons who barely know how to run Nessus and Metasploit and think they're hot shit. Or you get the people who specialize in a specific area of security while completely ignoring everything else. Wow, you popped calc.exe on a very specific version of Windows 7 with very specific updates installed. Congratulations, that'll get you far in life.

Then there are the FUD people who find fucking hard-to-exploit security issues that have like 10 different prerequisite conditions, and then they write articles about how THE SKY IS FALLING AND EVERYTHING IS GETTING HACKED OH MY GOD but actually it's pretty much impossible to make use of the shitty vulnerability they found but they're hyping it up to get social media attention.

Then you get the egotistical retards who want everyone to listen to them, and they continually tweet bullshit like ``I told you so'' on twitter after a breach, as if they're fucking nostradamus or some shit, even though they're saying the same shit everybody else says and has been saying for years, yet they think they're special somehow.

And don't even get me started on the people who guilt-trip companies into hiring them based on their gender or race. If your claim to fame is ``I'm a woman of color in tech'' and you don't have a portfolio to show for it, fuck off. Stop watering down security with this shit.

Moving on, a lot of people who do pen tests or security consulting have shit personalities and shit social skills. They think they're god and people should do everything they say. They think non-security people are drooling retards and that the only important thing in life is to get domain admin. They often give shit security advice because they don't get that red teaming is way easier than defense, and that they're not the same at all. Wow, you can pop a shell. Congratulations! Not that hard, actually.

Then there are the corporate shills who sell shitty security appliances that don't actually make you more secure, but it helps you check the boxes for compliance. These people string together buzzwords that sound vaguely security-related, but it won't actually fix your security issues.

Then you get the people who find worthless XSS vulnerabilities and then act like douches about it rather than dealing with people responsibly and maturely. ``IF YOU DON'T PAY ME $10K FOR THIS WORTHLESS BUG RIGHT NOW, I'M GONNA TWEET ABOUT YOU SOOOO HARD, AND PUBLICLY DISCLOSE THE VULN AND EGG PEOPLE ON IN HOPES THAT SOMEONE MISUSES IT BUT PLEASE DON'T HOLD ME ACCOUNTABLE''

There are also the phishing guys who talk about phishing as if it's the same as more technical hacking. Wow, you convinced someone to click on an email attachment.It was actually a RAT. Great job, you're a 1337 hacker now! Tell me more about your overpriced consulting services that don't do jack shit for securing anything.

There are also lots of people who understand security well, but aren't good at explaining things. Poorly-written documentation, confusing Defcon presentations, etc. Don't blame other people when you yourself suck at getting the message across.

Then there are the ``infosec rockstar'' losers who are super insecure. The ``I'm not like those OTHER nerds'' people who try wayyyyy too hard to seem cool. Vaping, mohawks, saying edgy shit for shock value, t-shirts with lame jokes on them, dressing like they're 20 years younger than they actually are, piercings, drugs, etc. Because apparently being an IT or CS professional is too boring. Grow up.

Fuck off morons, SQL injection and OWASP shit and Tor and Kali does not make you a super genius. It makes you someone with a computer and like 10 hours to spare, this shit is easy af but it's not impressive.

FINDING SECURITY PROBLEMS IS EASY.

SECURING THINGS IS HARD.

GUESS WHAT MOST PEOPLE ``IN SECURITY'' DO?

POINT OUT LOW HANGING FRUIT.

>>13
I've been counting how many times you've contradicted yourself but got bored halfway through your post

>>14
When did I contradict myself? I am pretty sure I didn't. I was listing different types of people in infosec.

Go back to Twitter if you can't handle more than 280 characters.

>>15

FUD people who find fucking hard-to-exploit security issues
luddites who hate any new features in software

??

>>15
hackers exploit obscure academic bugs that have too many prerequisites
hackers only exploit low hanging fruit

>>16
many bugs people find are borderline useless, but they still come up with names and logos and websites (instead of just CVE numbers) to promote them anyway
>>17
there's a middleground, I also said there are different kinds of people in security

>>18
while your're are right about vulnerability branding/marketing, the other stuff you mention is very vague and opinion-based. especially given that what is useless and academic now might become dangerous later - see: DirtyCoW (one of the few branded exploits that were actually dangerous) which was known for years but not considered exploitable, until someone released a PoC that allowed trivial priv-esc.

>>19

released a PoC

Fucking slaver!

>>20
wouldn't a slaver be a type of person who does not release a PoC? releasing PoCs was what Lincoln did!

Proof of concept

>>22
captain anus obvious