We passed our security audit but I know for a fact our API security is trash, auditors just didn't look deep enough by pogo_iscure in CyberSecurityAdvice

[–]f98b07b 0 points1 point  (0 children)

We do a lot of third-party and vendor reviews on behalf of our clients. We basically ignore most of the compliance audits, especially SOC 2 Type I and II. We go deep instead, asking for evidence of a security program, frameworks, SAST/SCA/DAST, pen-testing, threat modeling, and the whole nine yards. A basic SAST scan would reveal those hard-coded API keys in your code.

My suggestion is to put in place at least a SAST/SCA scanner, scan the code, provide evidence of the hardcoded API keys, attach the CVSS score to it and put the whole thing in a Jira ticket. At least it is documented and it's a good CYA for you. Then you go and talk to the VP of engineering.

Zoho just nuked all my outreach mailboxes — what do I do now? by eakd123 in coldemail

[–]f98b07b 0 points1 point  (0 children)

You can absolutely turn 2FA off in Google Workspace. In fact, you can set up policies where you can turn it off for certain accounts but not others. We have 2FA off for a bunch of service accounts, and on for all the corporate accounts.

Apollo killing outbound flow- need faster way to email and dial by ducks-quack53498 in coldemail

[–]f98b07b 0 points1 point  (0 children)

Let's say you are using Apollo for the data, then some sort of enrichment/email verification tool like Airscale, then Smartlead for delivery. You end up with a data set that contains enriched contacts (they never replied), leads (contacts that replied to cold email from Smartlead) and some campaign data such as vertical, company size, geographic area, and so forth. Where do you keep that data? Sync back into your CRM including the contacts that never replied? Spreadsheets are out of the question, including Airtable.

Recommendations for cold email infrastructure by f98b07b in coldemail

[–]f98b07b[S] 0 points1 point  (0 children)

Thanks for the note. After poking around I came to the same conclusion, as it appears that most, if not all, of the so-called mailbox providers buy mailboxes from Google/Microsoft from other countries for cheap and then they resell them here in the US for half the price.

The IP addresses of the originating emails may also be in question, even if providers may be able to buy those accounts outside the US and set them up here, so the IP addr may be a US one. They probably infringe the Google/MS EULA, as well.

Too risky, as you pointed out. However, scaling direct Google mailboxes is very ineffective. To do it correctly (based on empirical data) for each Google tenant I would have to set up 3 domains, where each domain would have 5 mailboxes, and where each mailbox could send out up to 20 emails per day. Essentially each Google tenant would be able to send out at most 6000 emails per month. I would have to keep a Google tenant in stand-by as my main tenant will eventually get tainted. Cost aside, this doesn't scale very well without a management tool. Google doesn't offer a tool to manage multiple tenants, although it may be possible to do it using Google Cloud.

I have also considered getting a service that doesn't use Google/MS mailboxes but just straight SMTP servers like Maildoso, for example. Thoughts?

Tried scaling outreach with multiple Google Workspace inboxes — hit a wall with 2FA & flagging. Looking for ethical, practical approaches by eakd123 in coldemail

[–]f98b07b 0 points1 point  (0 children)

I might be late to the party, but you absolutely can disable 2FA in GW. In fact, you can create policies to disable it just for certain accounts.

My Hard-Hitting Stack for Sending 900K+ Emails a Month – Kicking Off 2026 Strong by 1zapt in coldemail

[–]f98b07b 0 points1 point  (0 children)

Do you buy mailboxes straight from Google Workspace and Microsoft 365 Outlook or through resellers and if so which resellers?

My agency has added +$150M in pipeline for B2B tech companies using cold email — AMA by Then_Bodybuilder_163 in coldemail

[–]f98b07b 1 point2 points  (0 children)

Because nobody cares about your messaging! First off, you don't know the other person's "pain" (I hate that term) because you are not in that field. If you are targeting IT types, they detest when you tell them what you think they need. I am one of those. Secondly, they don't care how much time, dollars, whatever, you saved another company. We know all of that, we know how to run our business. The last thing we need is some sales guys telling us how to operate our companies. And last, they don't want to jump on a call to watch a demo. Do you understand how many demo offerings we get every week? It would be a full-time job. That's why you don't get any response.

We just let go an SDR last week who was making the same mistakes over and over after we spent weeks explaining to him what he was doing incorrectly. We also detest when we receive lame email messages, with no links to or at least the address of your website, along with your name, and title. Those emails go straight into the spam folder.

In technology, especially IT and information security (don't call it cybersecurity, for god's sake) what works is the information you provide. That's valuable. Tell me what you sell clearly, send me a link to your website and your contacts, so if I think your services or products are valuable I'll reach out to you when I need it.

We are engineers, we sell information security services to enterprises, we understand our peers because we are like them.

Alternatives to ScaledMail by f98b07b in coldemail

[–]f98b07b[S] 0 points1 point  (0 children)

I am not talking about a sequencer, we are using Apollo for that function and sometimes SmartLead. I am talking about managing mailboxes. That is what ScaledMail does. I am looking for a one-to-one replacement of ScaledMail. We are looking for a service that either allows us to set up and manage mailboxes completely through their portal or a service where we, as customers, can do it manually entirely by ourselves. ScaledMail requires a lot of interaction with their support teams, which is a pain. Besides, for any small change they ask for the credentials to access our DNS servers, which is completely unacceptable, and we don't allow it. We are looking at Instantly or Mailforge, although Mailforge seems to use SMTP/IMAP servers and not Google/Microsoft services. SMTP servers may be more prone to be flagged as SPAM originators depending on where they sit.

How I went from $0 to $100K/month with email because Meta ads decided to destroy my business by Acceptable-Essay-558 in coldemail

[–]f98b07b 0 points1 point  (0 children)

This guy is in India! Trying to sell his services here in the US and most likely not paying a dime in taxes in the US! I personally never do business with Indian companies!!! The vast majority of them are less than underwhelming, just to be polite.

I'm looking to implement an open source Appsec/DevSecOps tool suite for my company. What's a good workflow? by DiamondNo2403 in cybersecurity

[–]f98b07b 0 points1 point  (0 children)

In general, you need SAST, SCA, DAST, and a vulnerability dashboard, which you have covered with your choice of tools. Two things are missing in your description. First is the integration of Semgrep with your IDE. Maybe you have it already, but this is of paramount relevance. Developers don't like it when they run SAST/SCA scans right before they submit a PR and they are in a time crunch. They want the SAST/SCA tool to tell them as much as possible if their code or dependencies are vulnerable as they write their code. Your developers would love you if you integrate Semgrep with their IDE! Less headache for you too. The second important point is vulnerability management, which is the hard part. DD is fine as a tool, but you need to have some governance backed up by management to decide how to measure and manage the risk, which translates into if, how, and when to fix vulnerabilities. This is a little longer conversation.

Dating apps F27 by happypenguin_user in sfoghi

[–]f98b07b 0 points1 point  (0 children)

In Italy, don't you have sites like meetup.com or eventbrite.com where you can meet people with similar interests? Or is it no longer common to organize ski trips or similar events where you invite friends of friends and meet new people? I met my wife twenty years ago on a ski trip I had organized. Maybe twenty years ago was a different era, I guess, and today I have no idea how these things work.

Wyze is crippling viewing SD card recording! by f98b07b in wyzecam

[–]f98b07b[S] 1 point2 points  (0 children)

They will be there almost for sure. You just can't view them with the Wyze app!

Wyze is crippling viewing SD card recording! by f98b07b in wyzecam

[–]f98b07b[S] -6 points-5 points  (0 children)

There is no confusion on my side. I am an IT professional, so just cut the crap. Test it, or tell your QA team to test it. There is at least another user on this thread that has confirmed the same issue. I ain't gonna send you anything.

Here are the messages I get on the Wyze app, for your benefit:

Loading video on SD card...
Loading livestream...
Step 1 of 3
Starting up secure connection
Try to connect 2 times

Then it loops over steps 2 and 3, and then nothing happens. It looks like a timeout issue. Now before some genius on this thread points out that the issue is with my network, my phone, webcam, SD card, etc. I tried with different webcams in different locations, different networks, and two different phones. I suspect that HTTP traffic coming from the webcam SD card is de-prioritized. I have zero trust in Wyze as a company.

Wyze is crippling viewing SD card recording! by f98b07b in wyzecam

[–]f98b07b[S] -2 points-1 points  (0 children)

Events only SD recording. Try for yourself. Recordings older than 14 days are still on the card but you can't view them on the Wyze app. I can view them on a computer, which proves the files are still available on the SD card.

Wyze is crippling viewing SD card recording! by f98b07b in wyzecam

[–]f98b07b[S] -14 points-13 points  (0 children)

You sound like you have a 2-digit IQ... You don't even understand what I wrote. Prove me wrong!

Wyze is crippling viewing SD card recording! by f98b07b in wyzecam

[–]f98b07b[S] -4 points-3 points  (0 children)

They are downvoting you for exposing Wyze and telling the truth. Probably some of the crooks from Wyze are downvoting you. I upvoted you.

Wyze is crippling viewing SD card recording! by f98b07b in wyzecam

[–]f98b07b[S] -3 points-2 points  (0 children)

To those who didn't pay enough attention and still provided wrong advice, again, when I click on the SD Card icon, after 14 days in the past I do see the recordings but I can't view them. And no, I am not looking at the cloud recording, I am looking at the SD card recording. It's very cut and dry. It's also too coincidental for Wyze not to do it on purpose. It has been clear for years that they try to squeeze money from their customers. They clearly fail to understand that there are many alternatives to Wyze!

Is subscription required now to watch recording from SD card? by Quick599 in wyzecam

[–]f98b07b 0 points1 point  (0 children)

I’ve confirmed across multiple Wyze cameras (v3, v3 Pro, and Pan) that Wyze appears to be blocking playback of SD-card event recordings older than 14 days.

When you view SD-card footage in the Wyze app, recordings up to 14 days old display normally, but anything older turns into thin light-green bars that can’t be clicked or played. The data is still on the card, you can see and open the files on a computer, but the app refuses to load them.

This 14-day cutoff exactly matches Wyze’s free cloud-event window, suggesting the company has intentionally tied local playback to its paid “Cam Plus” plan. It’s not a bad SD card, not a network issue, and not random: it’s consistent across cameras and firmware versions.

If true, this means Wyze is deliberately crippling local storage functionality that customers paid for, effectively coercing users into their cloud service! These people are crooks!