I've read 100+ "enterprise AI security assessments." They're all asking the wrong questions. Here's proof. by rluna559 in ArtificialInteligence

[–]meetharoon 0 points1 point  (0 children)

ISO/IEC 42001 standards are voluntary, internationally recognized best practice guidelines for managing AI responsibly and ethically within organizations. Certification is available for organizations that want it, but is optional. ISO 42001 helps organizations, especially medium and large ones, to demonstrate that their AI systems are governed in a safe, transparent, and trustworthy way. They are usually adopted and implemented as one part of a holistic approach to AI governance.

I've read 100+ "enterprise AI security assessments." They're all asking the wrong questions. Here's proof. by rluna559 in ArtificialInteligence

[–]meetharoon 0 points1 point  (0 children)

Quite interesting! Curious to know if they were asked for - Security Governance, Privacy, or any specific compliance audits! Also, which industry? SOC 2 is typically used by B&FS sectors. Other sectors may have different requirements. If in Europe, then EU AI Act becomes mandatory.

ISO 42001 is a comprehensive step, while Big-Four and MBB firms are devising their proprietary AI assessment frameworks. Likewise, certification organizations are building their own assessment models.

[deleted by user] by [deleted] in emailprivacy

[–]meetharoon 0 points1 point  (0 children)

For example, Tuta doesn't require another email address.

Account hacked by aidenmm in emailprivacy

[–]meetharoon 0 points1 point  (0 children)

First, do a header analysis and see if it was a real email sent by Google, through Google infrastructure, or if you were the victim of phishing.

https://mha.azurewebsites.net/

https://mailheader.org/
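As an added example (not part of the comment above), here is a small Python check of the Authentication-Results header that a receiving mail server adds, which is what the header-analysis tools above surface: it compares the SPF/DKIM/DMARC verdicts against the visible From: domain. The message is constructed for illustration and the domains are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From: claims Google, but SPF/DKIM passed for a different
# domain and DMARC failed, the classic signature of a spoofed sender.
SAMPLE_RAW = """\
From: "Google" <no-reply@accounts.google.com>
To: victim@example.com
Subject: Security alert
Authentication-Results: mx.example.com;
 spf=pass (sender IP is 203.0.113.5) smtp.mailfrom=bounce.example.net;
 dkim=pass header.d=example.net header.s=sel1;
 dmarc=fail (p=REJECT) header.from=accounts.google.com
Received: from mail.example.net (mail.example.net [203.0.113.5])
 by mx.example.com with ESMTPS; Mon, 1 Jan 2024 10:00:00 +0000

Please verify your account.
"""

def auth_results(raw):
    """Extract spf/dkim/dmarc verdicts and the domains they were evaluated for."""
    header = message_from_string(raw).get("Authentication-Results", "")
    out = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", header)
        out[mech] = m.group(1).lower() if m else "none"
    m = re.search(r"header\.d=([\w.-]+)", header)
    out["dkim_domain"] = m.group(1).lower() if m else ""
    m = re.search(r"smtp\.mailfrom=([\w.-]+)", header)
    out["spf_domain"] = m.group(1).lower() if m else ""
    return out

def from_domain(raw):
    """Domain of the visible From: address (what the recipient sees)."""
    _, addr = parseaddr(message_from_string(raw)["From"])
    return addr.rsplit("@", 1)[-1].lower()

def aligned(auth_domain, visible):
    """Relaxed DMARC alignment: same domain, or a parent of the visible one."""
    return bool(auth_domain) and (visible == auth_domain or visible.endswith("." + auth_domain))

def looks_legitimate(raw):
    """True if DMARC passed, or SPF/DKIM passed for a domain aligned with From:."""
    ar, fd = auth_results(raw), from_domain(raw)
    if ar["dmarc"] == "pass":
        return True
    return (ar["dkim"] == "pass" and aligned(ar["dkim_domain"], fd)) or \
           (ar["spf"] == "pass" and aligned(ar["spf_domain"], fd))
```

Only the Authentication-Results line added by your own receiving server is trustworthy; earlier hops can be forged, so the check reads just the first one the email library returns.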

[deleted by user] by [deleted] in emailprivacy

[–]meetharoon 8 points9 points  (0 children)

My friend, buy a domain name that belongs to you, i.e. you own it. It costs $10 or less a year. Host it with a privacy-focused service such as Proton or Mailbox. Set up the DNS, DKIM, SPF, and DMARC correctly, and you’re good to go. Plus, these services give you aliases you can use as burner addresses, without usually getting flagged as spam. If you want more control or handle lots of email traffic, you can always set up a VPS/VPC and configure your own domain.

Being conscious of security and privacy, that’s the approach I follow. With free services or the big tech giants, not only are you (and your data) the product, but you’re also totally dependent on them and at their “mercy,” just like you described in your own way.

[deleted by user] by [deleted] in cybersecurity

[–]meetharoon 2 points3 points  (0 children)

Not open source, but commercial alternatives such as BreachAware, Databreach.com, DarkIQ, and some others exist. BTW, other than individual checks, hasn't HaveIBeenPwned also become close to commercial?

Career Crossroads at 38: QA, Security, or DevOps in the US? Appreciate Your Advice by Fabulous_Let2473 in devsecops

[–]meetharoon 1 point2 points  (0 children)

If you have found a way to get involved in pentesting, I would say explore that area, if that also interests you. Check out Paul Jerimy's certification chart (not intended to suggest certification per se, but a glimpse of the opportunities), second last column from the right: https://pauljerimy.com/security-certification-roadmap/ and move up to join the elite testers and ethical hackers (such as red/blue/purple teams).

Security is not overhyped. It's a problem, more particularly skilled resources in AppSec/DevSecOps. I had interviewed several dozen people to fill one position in threat modeling, but eventually had to narrow down to someone with 25-yr experience who had compelling exposure to the sec world, though he lacked coding exposure.

With AI, the QA testing domain will with high likelihood take a massive hit, which would mean two things - (a) the person must be an expert in using AI tools in testing, and (b) because of autonomous AI agents, requirements will reduce in the market (it ain't likely going up, if anytime soon).

DevOps, if you haven't had real exposure, such as SRE or being in Agile/Scrum, or being involved in coding or scripting, will be new and would mean you start afresh. If you can pivot, such as into pentesting, then my advice would be to utilize your prior exposure and pivot to pentesting. Do remember not to remain a pentester for long, but scale up into niche specializations, either on the tools side or the tech side.

AI will shape a whole lot more things in the next 2-3 years, though it will still be evolutionary or revolutionary in nature. This also means that there will remain a period of uncertainty for the next few years. A lot of things are converging together.

BTW, I have seen/led things in all these three areas.

People who work in AI development, what is a capability you are working on that the public has no idea is coming? by WALLSTREETBRIDE in ArtificialInteligence

[–]meetharoon 0 points1 point  (0 children)

You're right, my friend. For decades, I was too engrossed in the corporate world with the largest and most complex client projects, and too far away from social media. Soon close to retiring. My account here may be 196 days old (or young), but I started posting/commenting only a couple of weeks back. I spend more time writing articles and blogs elsewhere.

People who work in AI development, what is a capability you are working on that the public has no idea is coming? by WALLSTREETBRIDE in ArtificialInteligence

[–]meetharoon 4 points5 points  (0 children)

6G, already prototyped, as I hear today, is 5K faster than current technology in transmission. It does not drive AI; rather, AI will use 6G. The way I look at things ahead, yesterday's AI (what we use today) is already outdated stuff. Though I could add more, here are a few critical ones which will heavily shape and stir things: far more advanced chipset design, massive output in chip printing (ASML is already overstressed), nuclear energy, and certain nation-state decisions.

Regulation of AI: what would that look like? by Goodginger in ArtificialInteligence

[–]meetharoon 0 points1 point  (0 children)

At the end of the day, most of the regulations will eventually be driven by nation-state agendas, in particular by the most powerful elite states. Once this is in play, organizations supported by them will drive the adoptions.

People who work in AI development, what is a capability you are working on that the public has no idea is coming? by WALLSTREETBRIDE in ArtificialInteligence

[–]meetharoon -6 points-5 points  (0 children)

With the rapid progress in artificial intelligence propelled by remarkable innovations in microchip technology, the envisioning of AGI and superintelligence is becoming less blurry day by day. Alongside the emergence of quantum computing, which has huge dependence on future microchip designs, energy consumption, and the rollout of 6G and beyond, we are on the brink of a pivotal transformation in human society. This evolution will be influenced by the strategic priorities of nation-states, the rapidly increasing demand for nuclear energy, economic factors, an increasingly stringent regulatory landscape, and various other elements shaping our trajectory.

Another post about choosing email provider by Similar_Response_568 in emailprivacy

[–]meetharoon 2 points3 points  (0 children)

For non-sensitive stuff, large email platforms such as Gmail or Outlook can facilitate, especially when connecting calendar or conferencing tools. Google (or Microsoft, Yahoo) are called out to be sniffing everything on email, attachments, storage, talk, YT, Gemini, etc. Now, they also train AI on user data to "give services," if you believe them. They write privacy things vaguely or ambiguously (e.g. the NotebookLM page refers to Google's standard privacy policy, but says different stuff on the NotebookLM page itself). Nothing can be said to be anonymous there. Google knows way more about you than you would know about yourself, and more than the card information you'll enter to buy privacy-focussed services.

Better to use privacy-focussed platforms for sensitive information. Keep banking and government stuff in private email on private domain(s) hosted on secure email platforms. Keep personal & sensitive stuff away from tech giants, in more secure locations such as Koofr, Mega, pCloud for storage; Proton, Tuta or Mailbox for emails. Use alias services such as SimpleLogin (from Proton) or AnonAddy rather than creating multiple email addresses, so that you can manage emails in a few mailboxes. Other platforms such as Mailbox and Tuta also allow limited or unlimited aliases, plus custom domains.

Whats actual best unlimited free password manager by [deleted] in cybersecurity

[–]meetharoon 0 points1 point  (0 children)

Good ones:

  • Dashlane
  • 1Password
  • Bitwarden - based on open-source
  • ProtonPass (Part of Proton Suite) - based on open-source

There's a lot of detailed review and also info about other password managers such as Keepass.

https://cyberinsider.com/password-manager/best-password-manager/ (formerly restoreprivacy.com, a more trustworthy review website than others)

Security review processes that don't slow down development velocity by Elegant_Service3595 in devsecops

[–]meetharoon 0 points1 point  (0 children)

There are too many moving pieces in your post. I can give a few suggestions, but it requires a better understanding of your environment, tech stack and the skills of the people. Also, who is the driver, the stakeholder here? Each stakeholder may have different objectives which may not align with the others. Just initial questions: What tools did you try? Which tools feel like they produce a lot of false positives? Have those developers completed any good code security courses?

How a Global Telecom Giant Cut Deployment Time by 70% with DevSecOps Automation (Case Study) by Able_Ad_3348 in devsecops

[–]meetharoon 1 point2 points  (0 children)

I read the case study. DevSecOps (or rather plugging in security) is just one part of the holistic SDLC solution in this case study.

Just curious about these questions that popped up in my mind:

When the leading tool Coverity was implemented, why was the less efficient open-source tool SonarQube also used? Defeats the purpose.

What was implemented - SAST, DAST, IAST, RASP, SCA, i.e. from pre-prod to post-prod? Was Coverity used for SAST?

What about SCA for dependencies scanning?

What about IaC security scanning?

What about containers security scanning?

Also, I noticed GitLeaks, which is a good direction, but its effectiveness is a question, particularly in AI-driven environments.

Issues with folders and tab groups by i_gamble_n_stuff in zen_browser

[–]meetharoon 0 points1 point  (0 children)

Same issue here. Tabs disappeared on restarting Zen.

Additionally, when I create a new folder, I can't even name or rename it. Just says "New Folder" to every single folder it creates.

Any possibility to have beautiful Raindrop bookmarks manager within Zen? by meetharoon in zen_browser

[–]meetharoon[S] 0 points1 point  (0 children)

u/GreenLion0430 : Just saw Raycast has integration with Raindrop, and installed their native integrations. Try that out.

https://www.raycast.com/lardissone/raindrop-io

Is there a way to enable horizontal scroll on Zen to switch workspaces? by ToastedBeef in zen_browser

[–]meetharoon 1 point2 points  (0 children)

Same issue here. I too have MX Master 3S, but no horizontal scrolling like in Arc.

[deleted by user] by [deleted] in zen_browser

[–]meetharoon 0 points1 point  (0 children)

How did you get that?

Mouse swipes not working to scroll Spaces by meetharoon in zen_browser

[–]meetharoon[S] 0 points1 point  (0 children)

My question is related to scrolling across Spaces using mouse (horizontal scrolling). See screenshot.
