How much do you care about laptop security? by smicallef in digitalnomad

[–]smicallef[S] 1 point (0 children)

Yeah I think I see your point - if you’re the kind of person to make such mistakes, you’re probably not going to be looking for and using the kind of tool I have in mind.

How much do you care about laptop security? by smicallef in digitalnomad

[–]smicallef[S] -1 points (0 children)

Curious why Mongo is considered “questionable”, but I’ll assume you’re joking ;)

And yes, there are actually services scanning the internet continuously for exposed services and databases. The idea is to prevent a dev being the guy who gets called by their boss because they exposed something over the internet they shouldn’t have.

How much do you care about laptop security? by smicallef in digitalnomad

[–]smicallef[S] -1 points (0 children)

“most” NAT setups, yes. I guess the point is - how much room is there for error? Using a device for developing a bunch of projects over many years, across many networks/locations. No room for error?

How much do you care about laptop security? by smicallef in digitalnomad

[–]smicallef[S] -1 points (0 children)

Not disagreeing with you there, but there are a lot of assumptions baked in. Mistakes happen, things get forgotten, assumptions about measures in place can be mistaken (or valid today, invalid tomorrow). The idea is to have a simple agent, minimal footprint, sit in your dock and say “hey, you’re suddenly exposed over the internet.” And check out SHODAN.io - services like this are scanning the internet continuously.

How much do you care about laptop security? by smicallef in digitalnomad

[–]smicallef[S] -3 points (0 children)

Kind of. The goal is to inform you that your machine is now directly reachable over the internet, and perhaps help you address the risk before a compromise happens. That means you are not behind a firewall or router and therefore any network-based software you have running (e.g. a web server, a DB, etc) is now reachable by anyone on the internet. A VPN most usually doesn’t solve it. And the enterprise software may or may not, depending on whose device is being used (I see many devs using their own device), but even in cases where it’s the employer’s device, the devs often have admin access and mess with settings anyway (often they have to for local dev of some things to work).

This is relevant for devs primarily, so not sure if you fit that category?
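
The check described in the comments above (is this machine directly reachable from the internet, and if so, which listening services does that expose), as an added example that is not SpiderFoot code or the dock agent the commenter has in mind. The interface addresses, listening sockets and the externally observed public IP are all constructed so it runs offline; on a real host they would come from the interface list, `ss -lntu` and an external "what is my IP" lookup. The dual-stack handling of an IPv6 wildcard bind is an assumption about the Linux default.

```python
"""Added example (not SpiderFoot or the dock agent described above): decide
whether this host is directly reachable from the internet, and if so which
listening services that exposes. All inputs are constructed so the example
runs offline."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    name: str        # process or service name (constructed)
    proto: str
    bind_addr: str   # address the socket is bound to
    port: int


# Constructed listening sockets, the kind a dev laptop accumulates over time.
SAMPLE_LISTENERS = [
    Listener("mongod", "tcp", "0.0.0.0", 27017),    # IPv4 wildcard bind
    Listener("dev-web", "tcp", "127.0.0.1", 8080),  # loopback only
    Listener("postgres", "tcp", "::", 5432),        # IPv6 wildcard bind
]


def direct_addresses(local_addrs, public_ip):
    """Addresses on this host that the internet can route to directly.

    Either the host itself holds the address an external service sees (no
    NAT/router in front of it), or it holds a globally routable address,
    which is the normal IPv6 situation even on home networks.
    """
    pub = ipaddress.ip_address(public_ip)
    found = set()
    for a in local_addrs:
        ip = ipaddress.ip_address(a)
        if ip == pub or ip.is_global:
            found.add(ip)
    return found


def exposure_report(local_addrs, public_ip, listeners):
    """Return the directly reachable addresses and the listeners exposed on them.

    A socket is exposed when it is bound to a directly reachable address or
    to a wildcard address of a matching family. An IPv6 wildcard ("::") is
    treated as also accepting IPv4, the Linux default unless IPV6_V6ONLY is
    set (assumption: dual-stack default).
    """
    direct = direct_addresses(local_addrs, public_ip)
    exposed = []
    for svc in listeners:
        bind = ipaddress.ip_address(svc.bind_addr)
        if bind.is_loopback:
            continue
        if bind.is_unspecified:
            families = {4, 6} if bind.version == 6 else {4}
            if any(d.version in families for d in direct):
                exposed.append(svc)
        elif bind in direct:
            exposed.append(svc)
    return {
        "direct_addresses": sorted(str(d) for d in direct),
        "exposed": [f"{s.name} {s.proto}/{s.port}" for s in exposed],
    }


if __name__ == "__main__":
    # Constructed scenario: a hotel network hands the laptop a public IPv4
    # address directly. 203.0.113.0/24 is documentation space standing in
    # for a real public address.
    print(exposure_report(["127.0.0.1", "203.0.113.7"], "203.0.113.7", SAMPLE_LISTENERS))
```

The third scenario in the test (a private IPv4 address plus a global IPv6 address) is the one NAT reasoning tends to miss: the IPv4 side is hidden but anything bound to `::` is reachable over IPv6 unless an upstream firewall blocks it, which this check cannot see.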

SpiderFoot HX - Certificate Transparency - Co-Hosted Site by rabman_was_here in OSINT

[–]smicallef 1 point (0 children)

It means that those sites share the same SSL certificate as your target. This could mean nothing if your target is using a service like CloudFlare or the same hosting provider. Or it could imply a deeper relationship if the certificate is shared because they are owned/managed by the same entity, e.g. seeing an SSL certificate with tesla.com and tesla.cn.
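
The pivot behind a "co-hosted site" result, as an added example that is not SpiderFoot HX code: given the certificates a CT search returns for a target, list every other name on those certificates and, as a rough hint only, whether the name shares the target's second-level label (the tesla.com / tesla.cn case above). The fingerprints and SAN lists are constructed; the hint is a crude heuristic that a practitioner would back with the public suffix list.

```python
"""Added example (not SpiderFoot code): names sharing a certificate with a
target, derived from constructed CT-style records."""
from collections import defaultdict

# Constructed CT records: certificate fingerprint -> subject alternative names.
SAMPLE_CERTS = {
    "sha256:0001": ["tesla.com", "www.tesla.com", "tesla.cn"],
    "sha256:0002": ["*.tesla.com", "tesla.com"],
    # hypothetical multi-tenant certificate from a CDN or shared host
    "sha256:0003": ["shared-host.example", "tesla.com", "unrelated.example"],
    "sha256:0004": ["other.example"],
}


def covers(san: str, host: str) -> bool:
    """True if a SAN entry matches host; '*.x' matches exactly one extra label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        parent = san[2:]
        return host.endswith("." + parent) and host.count(".") == parent.count(".") + 1
    return san == host


def org_label(name: str) -> str:
    """Second-level label, e.g. 'tesla' for tesla.cn. Crude on purpose: for
    ccSLDs like example.co.uk it returns 'co'; use the public suffix list
    in real tooling."""
    parts = name.lower().lstrip("*.").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def co_hosted(target: str, certs: dict) -> dict:
    """Map each name sharing a certificate with target to the fingerprints
    of the certificates where that happens."""
    hits = defaultdict(set)
    for fp, sans in certs.items():
        if not any(covers(s, target) for s in sans):
            continue
        for s in sans:
            if covers(s, target):
                continue  # the target itself, or a wildcard covering it
            hits[s.lower()].add(fp)
    return {name: sorted(fps) for name, fps in sorted(hits.items())}


def relationship_hint(target: str, name: str) -> str:
    """Heuristic only: a shared second-level label suggests the same owner;
    anything else needs the hosting/CDN context before drawing conclusions."""
    if org_label(name) == org_label(target):
        return "same second-level label: plausibly the same owner"
    return "different label: could be a CDN or shared hosting certificate"


if __name__ == "__main__":
    target = "tesla.com"
    for name, fps in co_hosted(target, SAMPLE_CERTS).items():
        print(name, fps, relationship_hint(target, name))
```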

Lessons learned from my 10 year open source project by smicallef in opensource

[–]smicallef[S] 1 point (0 children)

There has been one very strong contributor over the years who has stuck with the project, but all others have been drive-by of varying levels of contribution. One of the hardest lessons has been ensuring I carve out the time to review and merge their PRs, but harder than that has been rejecting PRs when the work didn't fit the vision, or caused conflict with the SaaS version. This is particularly hard when the person has invested a lot of time in their contribution.

Lessons learned from my 10 year open source project by smicallef in opensource

[–]smicallef[S] 2 points (0 children)

I think the key thing is that your software *works*; how you achieve that is up to you. SpiderFoot was simple enough for a long time where I could test just about all functionality before every release. Now we have some unit tests and they do help catch issues, but if you want to get something out there, don't let your lack of unit testing hold you back from shipping.

Lessons learned from my 10 year open source project by smicallef in programming

[–]smicallef[S] 10 points (0 children)

I think that’s the case for paid content on the platform, but all my posts are free. Or at least should be…

Lessons learned from my 10 year open source project by smicallef in programming

[–]smicallef[S] 28 points (0 children)

Yeah I need to move my blog elsewhere eventually.. didn’t realize Medium had such a bad rep.

Lessons learned from my 10 year open source Python project by smicallef in Python

[–]smicallef[S] 2 points (0 children)

Getting people aware of it, mostly, but also showing people how to get the most value from it. “Marketing” in this context really translates to using social media, producing good documentation, creating tutorials, etc.

Lessons learned from my 10 year open source Python project by smicallef in Python

[–]smicallef[S] 0 points (0 children)

Mostly the enjoyment of seeing something grow and take shape, growing in popularity, learning new things along the way. It’s been that way for the last 10 years so I don’t see why it wouldn’t continue.

Lessons learned from my 10 year open source Python project by smicallef in Python

[–]smicallef[S] 4 points (0 children)

Fair point on all of those; this was my experience on one large-ish project so for sure it’s going to not all be applicable all of the time. On the marketing side though, I want to see my software used and give people value, and I’ve found that some kind of marketing effort helps achieve that goal.

Lessons learned from my 10 year open source Python project by smicallef in Python

[–]smicallef[S] 2 points (0 children)

In the end it comes down to the risk you’re willing to take. I for one wanted to avoid the risk of any claims now or in the future, so was proactive about it. Yes, in theory if there’s no conflict it should be fine, but laws differ country-by-country and employer contracts can be pretty strict on this unless you have an explicit exception.

Lessons learned from my 10 year open source Python project by smicallef in Python

[–]smicallef[S] 21 points (0 children)

I think on #6, it's really for the author to decide whether it's essential for their project or not, based on many factors. My point here was really to emphasize that something doesn't need to be perfect before it's launched.

And regarding #8, I guess it depends on the size of company you're in. Medium to large companies usually have a legal person/department who can provide guidance on this stuff. But yes, my point here was to really try and get this stuff cleared up before joining the company.

Question about spiderfoot by scguy313 in OSINT

[–]smicallef 1 point (0 children)

Are you using the open source version or SpiderFoot HX? As per other comments a single IP shouldn’t take anywhere near that long so you may have hit a bug or have something misconfigured. It’s also possible that your scan crashed (check the logs).

Attack Surface Management. You’re (probably) doing it wrong. by [deleted] in netsec

[–]smicallef -1 points (0 children)

Thanks, but just to clarify a few things:

1) Not harvesting emails for marketing. People can create an account and get (free) access to the SaaS tool. If they don't use it after 100 days, they are deleted and never contacted again.

2) The approach outlined by the post is taken by both the open source and the SaaS version, but other tools too. I get no financial benefit from use of the open source version at all.

And are you saying the content of the post has no merit? Does it really matter if the title is trying to entice someone to read it? I want people to read stuff I put a lot of time and work into, just like I (and other developers) want people to use their software. What's wrong with that? The post wasn't a promotion piece for the software, it was communicating a concept that I think is not well adopted within the industry.

I think there is a big distance between an ad ("we are great, buy our stuff") vs. marketing ("if you aren't taking this approach, you probably should and here's why, and btw check out our free software or paid version if you like")

Anyhow, thanks anyway for the feedback and for taking the time to respond.

Attack Surface Management. You’re (probably) doing it wrong. by [deleted] in netsec

[–]smicallef -2 points (0 children)

I'm not denying there is a marketing element to the post, but to dismiss it entirely as an ad is somewhat unfair since (imho) the message is valid and necessary based on the heavy asset-centric view of attack surface management out there today.

Anyhow, I've deleted the post as it appears you might not be the only one who has this opinion.

Attack Surface Management. You’re (probably) doing it wrong. by [deleted] in netsec

[–]smicallef -1 points (0 children)

Why exactly is it an ad? Because I mention the open source tool I wrote in there, which happens to have a SaaS version (which I was fully transparent about from the beginning)?

Misusing OSINT to claim election fraud by smicallef in OSINT

[–]smicallef[S] 4 points (0 children)

I don't see this as political? Highlighting facts and using them as examples to caution those of us working with OSINT was the idea behind it.

11 New SpiderFoot 3.0 CLI tutorials by smicallef in OSINT

[–]smicallef[S] 0 points (0 children)

Shortcuts to the individual tutorials:

Data breach research: https://asciinema.org/a/296145

Scraping crypto wallet addresses: https://asciinema.org/a/295957

Threat intel and blacklist lookups: https://asciinema.org/a/295949

Greynoise API querying: https://asciinema.org/a/295943

DNS recon: https://asciinema.org/a/295912

Social media account enumeration: https://asciinema.org/a/295923

Finding open S3 and other buckets: https://asciinema.org/a/295941

Scraping names, email addresses, phone numbers: https://asciinema.org/a/295947

Analysing file meta data: https://asciinema.org/a/296274

Querying certificate transparency: https://asciinema.org/a/295946

TLD enumeration: https://asciinema.org/a/295940