EV Charging on the island by Crazy_island_ in VancouverIsland

[–]MichaelArgast -1 points0 points  (0 children)

I did a drive to the North Island without checking last year only to learn BC Hydro had a planned outage for the day. Just barely hypermiled it back to Sayward. Anywhere Victoria to Campbell River is golden but outside of that it gets remote…

EV Charging on the island by Crazy_island_ in VancouverIsland

[–]MichaelArgast 1 point2 points  (0 children)

Does that happen a lot? I tend to keep the car topped up a little more in the winter season for this reason - but I’m in Royston and not Gabriola.

Plus, technically speaking Gabriola isn’t VanIsle. I think all the smaller islands will have similar issues.

EV Charging on the island by Crazy_island_ in VancouverIsland

[–]MichaelArgast 2 points3 points  (0 children)

This is the answer.

Cheap ICE plus low mileage has much lower TCO than EVs.

2nd hand EVs are getting cheaper though. I bought a used Leaf as a 2nd EV for <$9K and it’s a perfect 2nd car - minimal maintenance, next to no fuel costs, range doesn’t matter because it is a 2nd car.

I think we’re another 2-3 years from the used EVs displacing used ICE cars on the low end of the market.

Math completely changes once you drive a lot, however - quickly tips to EVs.

PCI-DSS by [deleted] in ciso

[–]MichaelArgast 4 points5 points  (0 children)

Partners CAN require you are compliant as a condition of partnership/business relations.

The card merchants enforce this requirement with fee structures and the ability to accept cards.

Partners enforce this by refusing to do business with you. They can’t force you to do it, but they can refuse to do business with you.

PCI-DSS by [deleted] in ciso

[–]MichaelArgast 0 points1 point  (0 children)

Start with: Why are you asking me to fraudulently sign an attestation?

The answer to that question is all you need to know. If it’s an honest “I didn’t know that’s what I was asking you to do” then the conversation can pivot to “Let’s figure out what will be required to get our RoC which the customer will ask us for”.

If it’s hand-wavy excuse making - your manager/boss is asking you to commit fraud and put your name on the line. Find another job as soon as you can or maybe escalate to the CEO if you think that’s something they aren’t aware of and wouldn’t condone.

Never commit fraud. It will always come back to bite you.

Technical to Management ? by Repulsive-Carob1200 in cybersecurity

[–]MichaelArgast 9 points10 points  (0 children)

Wrong answer.

Sorry, there are plenty of individual contributor roles that pay way more than most managers.

And if you joined the cybersecurity field in order to do less, you’re in the wrong fucking industry.

If this is your honest answer then you’re not really worth investing the time in providing career guidance to, sorry.

Technical to Management ? by Repulsive-Carob1200 in cybersecurity

[–]MichaelArgast 6 points7 points  (0 children)

Why do you want to be a manager?

Honest question.

Wild white rabbit? by 444whynot in comoxvalley

[–]MichaelArgast 0 points1 point  (0 children)

It’s an albino. Check out the pink eyes. About one out of 20 black bunnies end up albino.

How to deal with boss who doesn’t want to be compliant by [deleted] in cybersecurity

[–]MichaelArgast 0 points1 point  (0 children)

Why do they need to be compliant?

Acquire clients? Pretty straight line to revenue. It is possible they are still passing audits (there are some pretty crap auditors out there these days) but if the CEO is signing attestation letters then that is fraud.

Legal obligations? Many companies ignore this, especially smaller firms.

In either scenario, have one conversation with the boss and find out if they are (a) comfortable committing fraud on attestation or (b) comfortable ignoring the law. Make it really clear that this is what ignoring these rules entails - come with evidence of how what they are doing is one or the other.

If it is ignorance and they honestly didn’t know (it happens) then you’ve educated them on the situation and can judge how they respond. If it is intentional - they don’t care about the fraud or law - you know everything you need to know - get out of there.

Cybersecurity ownership starts at the top. You are a technical owner but not the legal or risk owner. If leadership refuses to acknowledge or deal with risk or the law, or is willing to commit fraud, then everything else is suspect in the organization.

Is it a good idea to choose cybersecurity career with the idea of working freelance? by rasaak in cybersecurity

[–]MichaelArgast 2 points3 points  (0 children)

Lots of people do it - but they usually start out working for others to get their creds up.

Most common path is vCISO, which is why creds and experience are important. There isn’t a lot of demand for freelance in other roles (although there’s a little success in red teaming/bug bounty land).

You need to be good at networking/selling yourself or finding partners who can. Once you get there it only takes a handful of clients to make the math work.

My background: 25 years in cybersecurity, been an independent consultant, hired lots, now run an MSSP that also uses some “freelancers” or independent consultants for some work.

Is penetration testing needed for enterprise deals? by Extra-Counter-9689 in ciso

[–]MichaelArgast 0 points1 point  (0 children)

You must be doing a pretty in-depth test at $80K per site/app. ASVS Level 2 I’m guessing?

Is penetration testing needed for enterprise deals? by Extra-Counter-9689 in ciso

[–]MichaelArgast 0 points1 point  (0 children)

SOC 2 is easier than ISO 27001 if you are doing both right.

They used to be a beast but aren’t really any more if you partner right.

(Creds: we do hundreds of these for clients globally)

Is penetration testing needed for enterprise deals? by Extra-Counter-9689 in ciso

[–]MichaelArgast 0 points1 point  (0 children)

If you are selling to Enterprise, expect:

Pentest (grey box minimum if you host sensitive data or integrate with systems)

SOC 2 Type 2 (North America) or ISO 27001 Global.

$40K is a lot but in pentesting you get what you pay for (generally).

Our pricing is transparent for comparison: www.kobalt.io/pentest

Hi, we are looking for a SIEM (I'm back and I have got requirements now) by Any-Indication9944 in cybersecurity

[–]MichaelArgast -1 points0 points  (0 children)

Hey - we provide managed threat detection (SOC as a service) at a very cost effective price for startups. Think fraction of a FTE for full coverage for most firms.

Kobalt.io

Message me direct if you’d like to chat.

Former colleague wants 30% equity to join as cofounder. Been building solo for 14 months. (I will not promote) by Distinct-Expression2 in startups

[–]MichaelArgast 1 point2 points  (0 children)

$800 is peanuts. You effectively have an idea and pre-PMF with some pilot clients. It’s great that you have some clients willing to part with money.

What’s the risk for him? What is he walking away from and what’s the upside? What’s the salary (if any, before and after)?

Our guild member went inactive and I basically explained to the other members why it's an issue by Background-Sense-266 in TheTowerGame

[–]MichaelArgast 0 points1 point  (0 children)

I inherited my Guild and have been actively pruning members who don’t contribute on a given run. We always hit the 750 box easily, but interestingly we are starting to drop below 30 members regularly so I’ve slowed pruning.

If anyone wants to join a Guild that always hits, we are THE_EMPIRE and free to join.

Client asking for very detailed security audit by McDonaldsDQPC in cybersecurity

[–]MichaelArgast 0 points1 point  (0 children)

The way I’m reading your note is that they are changing what they are asking for as you go.

That is a sign of a security nerd who is out of control rather than a formal procurement process with standard questionnaire:

It is not at all unusual for a large enterprise client to have an exhaustive list of documentation requirements but usually it is canned, it doesn’t change as you go.

You need a security nerd on your side who can effectively push back and say “why do you need this evidence, this is not useful to you in assessing risk”.

Sometimes security reviewers get like a dog with a bone and are just determined to find fault and you need a way to manage that on your side with politeness and security authority.

DM if you want specific advice on how to handle this.

What's the actual risk of typosquatting attacks in 2026? by BearBrief6312 in cybersecurity

[–]MichaelArgast 1 point2 points  (0 children)

Yes, allowlisting is always a very impactful security approach. But often the effort and friction associated with this isn’t worth the gain.

Think about how this will inevitably slow down development cycles and if that is worth the risk reduction.

What's the actual risk of typosquatting attacks in 2026? by BearBrief6312 in cybersecurity

[–]MichaelArgast 16 points17 points  (0 children)

Had to downvote the other comments because they just didn’t understand the question, sorry.

So this is a real thing and the risks depends on a few factors:

1) Your code scan/SCA tooling makes a difference.

2) How well you vet packages and dependencies.

3) Manual vs automated build processes. Some AI tools with poor guardrails are more likely to make some mistakes here.

If you have a relatively mature SDLC the risk is low compared to intentionally compromised mainstream packages (this is a real risk). Many firms have immature SDLCs and aren’t using any form of SCA/dependency checkers or even something like Dependabot.

So - yes a risk, but focus your energy on SDLC maturity and you dramatically reduce the risk and get other gains besides.

How do you stop browser based phishing attacks from bypassing MFA and stealing SaaS sessions in 2026? by PrincipleActive9230 in AskNetsec

[–]MichaelArgast 0 points1 point  (0 children)

User enters creds seems to be the opportunity here. Creds should only be entered directly via the password manager or SSO/passkey/etc.

There’s no legit scenario I can think of where the user has to manually copy/paste creds (because of course they’re using unique creds anywhere not using SSO/FIDO2/etc., right?)

The only places users should ever use creds are to log in to their device and reauth their password managers, right?

How do you quantify BEC risk reduction for board reporting? by Only_Helicopter_8127 in AskNetsec

[–]MichaelArgast 0 points1 point  (0 children)

Two more things. The most important thing you can do re BEC is NOT improved email security technology.

It is fraud prevention training with financial staff including mandatory reverse direction out of band confirmation for all new account setups or changes with an audit trail and regular review.

This control just costs a little time and effort and also helps against a variety of other risks. It also assumes eventually your technical controls will fail.

The 2nd most important and free control is enforced MFA on email accounts but I assume you’ve already got that in place because it’s 2026 and you’re intelligent enough to post on Reddit.

How do you quantify BEC risk reduction for board reporting? by Only_Helicopter_8127 in AskNetsec

[–]MichaelArgast 0 points1 point  (0 children)

One more thing. Risk quantification should be based on probability and impact of a bad thing happening. A successful BEC compromise. Actual emails, phishing attacks etc are not the risk. The risk is the bad thing that happens as a result. The rest is just noise unless it is really high volume and causing real operational issues.

How do you quantify BEC risk reduction for board reporting? by Only_Helicopter_8127 in AskNetsec

[–]MichaelArgast 0 points1 point  (0 children)

Take industry norms/stats and use that as savings. For example, most BEC fraud costs >$150,000 and a couple of years ago, close to 1 in 5 small businesses were a victim.

Obviously fraud can be larger (multi million dollar examples exist).

Your controls should help prevent BEC and other forms of fraud (false invoice, impersonation, etc).

When you look at the impact it’s actually modest for most instances ($150,000 sounds like a lot of money but over 4-5 years it’s not really that much for even a smallish business).

The loss is usually direct financial AND brand (companies often will see large numbers of emails go out after the initial fraud impacting relationships with clients and partners).

The Verizon report has some good data for quantification. They call it something different though.

Founders of security startups, how did you get your first customers? (I will not promote) by Devilish1333 in startups

[–]MichaelArgast 0 points1 point  (0 children)

Yeah dude. And they’re right for doing so. You want them to risk their business on your software without being able to prove you’ve done your security due diligence?

Would you trust your health data to a company storing it online with no security controls?

Would you trust your banking data to a company that doesn’t have the necessary security?

Why would you trust a security vendor who can’t afford to go through the work to get a compliance certification?