Mail Call 2021/01/16
The blog has been online for two weeks, and I am amazed, astonished, and gratified at the number of mail responses my posts have drawn.
If you are not aware, comments on posts are not enabled on the blog. This is a conscious decision to cut down on the time needed to manage the various bits of internet trash, trolls, spammers, and fools that seem compelled to thrust themselves into others’ lives.
Yes, there are tools for that, but those tools need to be maintained, and time spent on those management functions is time not spent writing posts and code.
Read this as a promise that I will make time to read your emails and respond, but I really do not want to deal with comments advertising male enhancements, manscaping tools, footwear, and eyeglasses.
In short, I have a limited time on this planet and refuse to deal with those who would waste it.
Call this an introduction to the concept of acceptable losses.
Responses have ranged from requests for clarification on precise and technical points to disbelief in the existence of security best practices and the need for them to exist.
Let us begin:
One reader writes, “Are all these security best practices just a marketing ploy to sell services and tools?”
Ah, nope. On a global scale, one needs to examine the nightly news or visit any news media website to find current and relevant examples of what can happen.
On the scale of this site: ah, nope, again. I have this theory that the more secure you are, the more secure I am. (Fewer resources are available to be used to perform attacks.)
The email exchange continues with, “Ok, all the best practices you are talking about, did you just create them from thin air?”
Ah, no again. Whilst I may quote some out-of-date concepts, they are all based on community minimum base standards. I will reference the Center for Internet Security, AWS Best Practices, and the Cloud Security Alliance. One can google “Internet Security Best Practices” and find massive resources.
Another reader takes me to task on best practices: “In your post ‘C1 – Basic Cloudtrail Setup’, you did not enable S3 object and server logging. This is not in compliance with best practices and is a bad example.”
Ah, yep. I will quote from the post itself:
“As mentioned in a prior post, we will begin the task of creating a BASIC monitoring system for AWS events.”
And from that prior post, “I’ll produce a set of missives on how to get the BASICS done. These are NOT an end-all, be-all; they are BASICS.”
And lastly, from the Basics Page, “It is to be noted: code and procedures here are intended to convey basic concepts and ideas. They are not to be used in production settings without proper design and review.”
And for my last information exchange discussion:
An online exchange with a reader: “In your O.P.C. post, you did not give ANY SPECIFICS of what happened.”
This is a correct statement; I will not knowingly amplify or publicize any attack or methodology. I will publicize how to detect or avoid it. Doing the first turns up the volume of “trash traffic” and puts sharp things in children’s hands; doing the second reduces the “overall attack surface” of the internet and teaches young adults how to handle sharp things safely. This makes each one of us more secure.
These are the highlights; other emails contained requests for amplification or clarification. Some actually contained expressions of thanks for my efforts. (I’ll refer to the Ferengi Rules of Acquisition, rule #33.)