I see Zero Trust Architecture (ZTA) differently than just lip service. If the company actually commits to it (and its associated cost, which is usually somewhat significant), it is a totally valid defense strategy. With traditional "primarily relying on perimeter defense", companies are effectively setting up a single point of failure for their everything. I have seen so many companies who relied mostly on perimeter defense, with services not requiring auth, or they used long lived API keys (often hardcoded in source :|). Or fully open network because "the central firewalls will take care of it". In these situations, if an attacker were to breach the perimeter, the blast radius is huge as far as their lateral movement in the org and data exfil possibilities. Those were always the fun ones because pen tests are easy with tons of findings coming with little effort needed on my end.

ZTA is all about "Keeping control of the infrastructure, supply chain due diligence, and maintaining and understanding the perimeter". The real mind shift is the perimeter shifts from some centrally managed thing to the perimeter around a service. ZTA in my experience has mostly been things like:

- all service -> service comms are encrypted (usually trivial with HTTPS or mTLS). (you can get service -> service mTLS "for free" in k8s with stuff like istio, and HTTPS is well established for decades at this point)
- all service -> service comms use limited scoped auth with limited time windows (usually pretty easy with JWTs and some platform level key mgmt)
- services are only allowed to the other services they need to via network ACLs (usually pretty easy with IaC for the svc)
- services are not allowed to talk to the public internet by default, with exceptions OK when it is technically necessary (usually pretty easy with IaC for the svc)

I like to explain ZTA to normies like this: cyber security is best thought of as layered (like the concept of defense-in-depth). Imagine each layer is a piece of swiss cheese. Yes this layer may have holes in it. But if you stack a bunch of layers in just the right way, there are no holes which make it all the way through. Relying primarily on perimeter defense is like having only 1 or 2 layers. ZTA is like having dozens of layers.

I just got done implementing a 100% on-prem ZTA for a company, but after seeing the cost materialized after a few months, they not only reverted back to their old ways, they fired most of their security staff. The problem with a lot of this is not only does it require a mind shift from management, it requires a mind shift from software engineers who are notoriously lazy as fuck (and/or overworked and choose to not do security b/c mgmt doesn't care about it) when it comes to cyber sec implementation and/or estimation.

I really feel ZTA has lots of moral benefits, but the business incentives for it have not yet aligned, so most people aren't doing it.

I am all in favor of offline backups, can't argue against that. All these agents running as root can't be great for sure. I am curious how you are performing backups without root though? Are they not complete backups of the system (e.g. they don't include files which are only readable by root)?

It may interest you to look at the recent Phoronix benchmarks of the new Epyc Genoa based AWS EC2 instances here: https://www.phoronix.com/revie... These AMD chips are super fast.

I think it makes more sense when looking at a "US territory evolution over time" map like this for context: https://en.wikipedia.org/wiki/... Up until about 1803, Ohio was part of the "Northwest Territory". I assume as the USA expanded further westward after 1803 and places like the "Pacific northwest" region arose in the nomenclature, the Ohio area being called the "mid-west" was a natural evolution.

The data is collected, warehoused, and probably indexed for later search-ability. The data can be used both to sell shit, but also to drive a case for incrimination. It is silly to believe it would not be used in such a way, especially when there is amble evidence to the contrary, e.g. TFA

I agree no individual attacker would likely look through huge volumes of footage. That would be a silly use of human time IMO. Far better to automate this. I'm thinking running the video through image classification jobs trained on nudity. The attacker could then use identified nude videos of people for blackmail.

I should be paying all of you for my virtual words I'm typing now.

I fail to see any results relating to a mole of sodium chloride, in grams.

I have to disagree with you on a few points. My brother is USMC and finished 2 tours in Iraq before going to Afghanistan. His M.O.S. is MP, and he got assigned to do convoy security, probably the worst job out there because of all the IEDs. First off, in Iraq he was not 'on' 24/7 and definitely never had periods of long boredom. He would pull 20 - 48 hour shifts driving from 1 end of the desert to the other. Then he would sleep for approximately 6 hours a night and continue. He rarely had any downtime but when he did he would use his own computer to access the Internet off-base in somewhere in Rhamadi, apparently one of the few places you can get Internet access. Occasionally he would be given Internet access on-base, but this was rare. When he came back, before going to Afghanistan, he told me that talking with friends online was one of the only things that kept his sanity in such a crazy place. Also some of you reading this may not like the war or why we're there, but just remember that there are people over there pulling insane shifts doing unimaginable things for next to nothing. Semper Fi.

Brings up a good point. Just how are you supposed to link to a book? I can see it now, There's an xkcd for that (page 30).

I for one welcome our new RIAA overlords

Don't like to nitpick, but did anyone else notice that the winning bid was $6101? Woops