This post is a few months overdue but here it is. I’ve been heavily involved in the security industry in one respect or another for well over a decade, and until recently, I had the luxury of being able to talk about whatever I pleased, especially once I got myself out of a few handcuffs that I was bound by a few years ago (around the time I started this blog). I had a lot to say and hence you had this website in all its glory. However, since I started my own company, I’ve had the fortune or misfortune, however you want to look at it, of being exposed to a lot of things I wouldn’t have been able to see otherwise.
That means I am now under contract with lots of the same companies I have talked about in the past, companies I have talked about in both positive and negative ways. Clearly I’m not out to screw anyone; the negative stuff was mostly about my feelings regarding certain technologies. If you have seen me suspiciously not talking about things, it’s probably because I’m either too busy to talk about it or I have a reason I’m not talking about it. Long ago I used to say that I talk about one third of what I know. Another third was stuff that could only hurt people with no positive gain, and the last third was stuff that was just too theoretical or too out there for people to understand since it wasn’t yet provable. Unfortunately, the first third (the stuff I can talk about) has been shrinking rapidly and being replaced by a fairly large percentage of things I cannot discuss. That means I’m less fun to read in blog posts, in interviews and at parties.
Rest assured, my knowledge has increased a lot since starting this website, due in large part to how much more I have had the privilege of being exposed to. So the irony is, I know more but I can talk about less than ever before. Jeremiah and I were talking about this exact thing last week - he had the same feelings. Which means this blog is going to get more and more watered down with time, and there’s just nothing I can reasonably do about that, save quit and take up writing full time, and I know how poorly writers get paid.
That’s the downside. The upside is that I am not going to stop blogging, but it might not look like it has in the past, if you read my earlier posts. I thought this was an important distinction that I should make public, just as I did when I told everyone that I was starting my own company and so could no longer be considered an unbiased source of information.
I started this site because of my family. I wanted a chance to make the Internet a safe place for them to interact with. What better way than to scream from the mountain top that is ha.ckers.org about the issues I see on a daily basis? I can, with lots of quantifiable evidence, say that things are worse now than they were when I started this site. But at least now people are finally aware of the problems, enough to carry that torch without my direct input. The topic of webappsec was esoteric and lame to most people even two years ago, but now it’s finally come into its own, and not just because I decry it, but because there are dozens of websites and many companies devoted to the topic now. My hope is that maybe one of the readers of this site will pick up where I left off and do what I have, as of this moment, been incapable of doing - make the Internet a safe place for all our families. I will continue to do the same, with a slightly diminished vocal profile than before.
I apologize if this post seems like any sort of betrayal, as that’s sincerely the last thing I would want. But in the spirit of full disclosure, I wanted to at least let you know why things may seem a lot slower now than they did even a year ago. Although I can’t tell you what I know, I will tell you this - things are far worse than they appear, and there is no shortage of extremely vulnerable applications out there, as I find zero-day vulnerabilities regularly. It’s simply amazing how bad things really are.
Lastly, I will talk about this more in the coming months, but I am writing a book that will probably be one of the few highly technical documents I put out to the public for a while. Even though it might appear that I’m writing less than ever, in actuality, I’m writing more. O’Reilly has tentatively agreed to publish it (contracts are not yet signed so no promises yet) and I’m really looking forward to getting it out into the hands of the people who do want to make a positive change towards the security of the Internet. If you’re one of those people I invite you to read the book when it’s finished. I’ll give more details at a later date.
I looked at my Google feedfetcher stat today in my logs - over 3,800 subscribers on Google news alone, with over 7,000 total subscribers through various feed readers! For those of you who have followed this blog for the two years or so since I started it, or for any substantial time, I really appreciate your readership. Thank you, everyone. I mean it! You’re like family to me - you know, like that close-talking crazy aunt that no one likes, who has all those cats.