jan-karel.com

Essays

Long-form pieces that knock the security industry's sacred cows over. Meant to change your perspective.

20 posts

9 min read

"We get pentested so we're secure"

Why the annual pentest is a snapshot with no predictive value, how the industry puts junior testers on template reports, and what a good pentest actually is.

Tags: pentest, security, essay

9 min read

Zero-day as a marketing term (and why almost everything is an n-day)

How the term "zero-day" was hijacked by marketing, why most "zero-day attacks" are actually n-day attacks, and who profits from the confusion.

Tags: zero-day, marketing, vulnerabilities

10 min read

Security theatre and the airport

Why TSA screening and security awareness training are the same problem, how decades of ritual have failed to stop the core attack, and what we learn from that.

Tags: security-theater, analogy, essay

11 min read

MOVEit and the door already open

How Cl0p in 2023 emptied thousands of organisations over one weekend via a file-transfer tool nobody had ever inspected — and why supply chain attacks aren't going away.

Tags: moveit, supply-chain, clop

11 min read

The patch you can't apply

On legacy systems, industrial controllers that never reboot, vendors who went bankrupt five years ago, and what to do when 'just patch it' isn't an option.

Tags: legacy, patching, isolation

11 min read

"We use AWS so we're secure"

How 100 million Capital One customers were looted by an ex-AWS employee with an SSRF exploit, why the cloud isn't security, and what your people don't want to hear.

Tags: cloud, aws, capital-one

11 min read

Security awareness theatre: why training your people doesn't work

On the annual mandatory training everybody clicks through, the gotcha simulations that shame colleagues, and why the research says you're not training people to become defenders.

Tags: awareness, training, phishing

11 min read

The insider nobody saw coming (and mostly doesn't exist)

Why Hollywood gives you the wrong picture of insider threats, why the real threat is almost always boring and sloppy, and what offboarding has to do with security.

Tags: insider-threat, offboarding, essay

9 min read

The logs nobody reads, and why you still need them

On the absurdity of terabytes of logs that nobody ever looks at, the shock of discovering they aren't there, and how to build a logging strategy people will actually use.

Tags: logging, monitoring, essay

8 min read

MFA fatigue and the teenager from Argentina

How an 18-year-old in September 2022 brought down the entire Uber empire in 24 hours by calling an employee until they pressed approve.

Tags: uber, mfa, social-engineering

9 min read

The cyber insurance fairy tale

What cyber insurance does and doesn't do, why it keeps getting more expensive and harder to get, and the painful question of whether you should even want it.

Tags: cyber-insurance, risk, essay

9 min read

Snowflake and the door you left open yourself

How in the spring of 2024 a hundred large companies were emptied via a service they used every day — and why the vendor could technically claim it wasn't their fault.

Tags: snowflake, breach, shared-responsibility

9 min read

The questionnaire that proves nothing but takes three weeks

How an industry of 200-question forms created an illusion of control, and what to do instead if you actually want to know whether your vendor is any good.

Tags: vendor-risk, supply-chain, essay

8 min read

The CrowdStrike weekend and what it taught you about trust

On Friday 19 July 2024, 8.5 million Windows machines collapsed simultaneously. It wasn't an attack. It was an update. And it's exactly what modern IT rests on.

Tags: crowdstrike, supply-chain, essay

8 min read

NIS2: the reality check your consultant didn't charge for

What NIS2 actually requires, what consultants are selling you, and the difference between those two — explained without a single PowerPoint.

Tags: nis2, compliance, essay

8 min read

LastPass and the lie of the vault

How a password manager with 33 million customers lost everything its name is literally about — and what that says about your trust in vendors.

Tags: lastpass, breach, vendor-trust

6 min read

Your backup is a lie your vendor sold you

Half of organisations don't know whether their backups work — and most find out on the day it matters.

Tags: backup, ransomware, essay

7 min read

The mediocre hacker and your unremarkable business

Why you don't need to worry about Russian APT groups and very much should worry about the 14-year-old with a phishing kit he bought on Discord.

Tags: threat-modeling, ransomware, essay

7 min read

Compliance theatre: fifty documents, zero defence

How an organisation can pass ISO 27001, sign NIS2, and still be flattened six weeks later by a teenager with a phishing kit.

Tags: compliance, iso27001, essay

7 min read

The password is dead and nobody has the decency to tell you

Password rotation is a fifteen-year-old superstition. Here's why it survives, why it never worked, and what to do this afternoon.

Tags: password, passkeys, security