Radar #3: Week of 11/11/2024

Radar #3: This week's topics: Private equity gobbling up certification companies and the consequences of Apple introducing an inactivity reboot to iPhones
Learn more about The Radar here

It was an unusually quiet week due to the US elections taking up most people’s time. Despite that, here is what was on my radar.

Private Equity Firms Acquire CompTIA

CompTIA and OffSec certifications are some of the most ubiquitous entry-level security certifications. It seems that private equity firms have identified the certification industry as a highly lucrative “investment”, as both companies have been purchased by different private equity firms in recent months. I don’t see any positive effects for the security industry from this. The accreditation board that accredits certifications like Security+ under ISO/IEC 17024 requires a recertification process. My guess, and what we’ve already seen with the OSCP+, is that private equity companies are going to greatly increase the price of recertification to maximize recurring revenue.

As written about in The Certification Industrial Complex, I think certifications are not the best way to learn technical material, and there are much better ways to “prove your competence”. If you’re sensing distaste for private equity gobbling up certification companies, you’re correct – I’m truly worried about it.

If you’re a job seeker, demonstrating your competence by producing research, security tools, blogs, conference talks, CTF writeups, videos, or technical guides will give employers a much better idea of your skillset than a certification. Certifications cost a significant amount of both time and money. Demonstrating your skills publicly does not have to cost anything.

If you’re a hiring manager, it is more important now than ever to build a network of security professionals you might want to work with one day. Certifications may offer a quick way of filtering incoming resumes, but looking beyond the surface-level “What certifications does this candidate have?” and more towards “What has this candidate done?” will not only result in better candidates for your organization but will also make hiring more equitable. Private equity firms have no north star other than profit. They buy companies, increase short-term profits through anti-consumer practices, and then sell the company. All at a lower tax rate than a minimum wage worker.

Apple Quietly Introduced iPhone Reboot Code Which is Locking Out Cops

In iOS 18.1, Apple introduced a feature called Inactivity Reboot, which restarts an iOS device if it has not been unlocked for some time. This has put police departments in an awkward situation: phones being held in forensic storage are rebooting into the “Before First Unlock” (BFU) state, which is much harder for forensic tools to work with than a device that has been unlocked at least once since boot. This is reminiscent of the Apple/FBI encryption dispute, where Apple objected to court orders to extract information from locked iPhones.

I tend to favor the implementation of technical controls that enforce what the end user already believes to be true, especially for users who are non-technical. For example, when locking a phone, most people expect that it cannot be opened without being unlocked. The average person does not expect their locked phone to be in an ambiguous “sort of locked, unless someone is looking at it with a forensics toolkit” state. When architecting for security, try to have technical controls that enforce what a typical user expects. If a typical user expects cloud storage buckets not to be internet accessible by default, then they should be private by default.
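To make the “private by default” point concrete, here is an added example (not code from the newsletter or from any cloud provider) that builds a bucket configuration whose defaults match what a typical user expects, and a check that flags every way a bucket deviates from that expectation. The configuration shape is modelled loosely on the AWS S3 public access block and bucket policy formats; the bucket names, account id, and the weak configuration are constructed for illustration.

```python
"""
Added example: "private by default" object-storage bucket configuration and a
checker that reports public exposure. Modelled loosely on the S3 public access
block and bucket policy shape; all sample values are constructed.
"""
import json
from typing import Any

# Group URIs whose presence in an ACL grant makes objects readable by the world
# or by any authenticated cloud account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four public-access-block switches; all True means "cannot be made public".
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def secure_default_bucket(name: str, account_id: str) -> dict[str, Any]:
    """Build a bucket configuration in which nothing is reachable from the internet
    unless an operator deliberately changes it: no ACL grants, every public-access
    switch on, and a policy that only names the owning account (constructed id)."""
    return {
        "name": name,
        "acl": [],  # no extra grants; only the owner can read or write
        "public_access_block": {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS},
        "policy": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{name}", f"arn:aws:s3:::{name}/*"],
            }],
        },
    }


def _is_wildcard_principal(principal: Any) -> bool:
    """True when a policy statement applies to anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_exposure(bucket: dict[str, Any]) -> list[str]:
    """Return one finding per way the bucket is internet-reachable.
    An empty list means the bucket behaves the way a typical user expects."""
    findings: list[str] = []
    block = bucket.get("public_access_block") or {}
    missing = [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not block.get(k, False)]
    if missing:
        findings.append("public access block not fully enabled: " + ", ".join(missing))

    # ACL grants to AllUsers/AuthenticatedUsers expose objects directly unless the
    # ACL-related switches neutralise them.
    acl_blocked = block.get("BlockPublicAcls", False) and block.get("IgnorePublicAcls", False)
    for grant in bucket.get("acl", []):
        if grant.get("grantee_uri") in PUBLIC_GRANTEES and not acl_blocked:
            findings.append(f"ACL grants {grant.get('permission')} to {grant['grantee_uri']}")

    # An Allow statement for "*" with no Condition is an anonymous grant unless the
    # policy-related switches stop it from taking effect.
    policy_blocked = block.get("BlockPublicPolicy", False) and block.get("RestrictPublicBuckets", False)
    for stmt in (bucket.get("policy") or {}).get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and _is_wildcard_principal(stmt.get("Principal"))
                and not stmt.get("Condition")
                and not policy_blocked):
            findings.append(f"policy allows {stmt.get('Action')} to any principal")
    return findings


# Constructed weak configuration: a bucket that is public even though its owner
# may believe it is private (public-read ACL, anonymous GetObject, no block).
WEAK_BUCKET = {
    "name": "example-public-bucket",
    "acl": [{"grantee_uri": "http://acs.amazonaws.com/groups/global/AllUsers",
             "permission": "READ"}],
    "public_access_block": {k: False for k in PUBLIC_ACCESS_BLOCK_KEYS},
    "policy": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-public-bucket/*"}]},
}

if __name__ == "__main__":
    print(json.dumps(public_exposure(WEAK_BUCKET), indent=2))
    print(public_exposure(secure_default_bucket("example-private-bucket", "123456789012")))
```

The design choice worth noting is that the secure configuration is what you get by calling the builder with no extra arguments; making a bucket public requires someone to remove a grant blocker or add a wildcard principal on purpose, which is exactly the “enforce what the user expects” property the passage argues for. The checker is the complementary detective control for buckets created by other means.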

Caught My Eye

Newsletter

Want this sent straight to your inbox? You can subscribe here to have it sent every Monday morning.