WinRAR zero-day under active exploitation – update to latest version immediately
40 votes -
The viral 'Tea' app just had a second data breach, and it's even worse
50 votes -
North Korean hackers ran US-based “laptop farm” from Arizona woman’s home
25 votes -
After $380M hack, Clorox sues its “service desk” vendor for simply giving out passwords
27 votes -
Death by a thousand slops | daniel.haxx.se
36 votes -
Working on a ~2008 dream gaming computer running Vista (in an old server)
Any clever ways to connect to the Internet safely to update drivers, security, etc.? I'd only want to connect to Intel, AMD, Microsoft, etc., and then would physically disconnect the LAN card. I know, dangerous, but I'm trying a piecemeal approach with a flash drive and getting mixed results. I tried to update to Service Pack 2, and it bricked the computer on restart, back to flashing Vista.
15 votes -
Is a career change towards cybersecurity viable for someone with an accountancy background?
Sorry if this isn't the best place to ask. IT and cybersecurity-focused communities over on Reddit aren't exactly the most welcoming places for such questions, and reading the r/ITCareerQuestions wiki has made me seriously question if I'm being sold false promises of working in a sector that actually has a low demand for workers. Then again, that wiki page seems more geared towards the US job market.
Two weeks ago, I responded to an Instagram ad advertising cybersecurity courses, because the job market is horrible here in the UK right now, and after some setbacks with my ACCA studies, I am seriously considering just giving up on trying to get into chartered accountancy because that path is closing many more doors for me. A course advisor rang me asking about the reasons I showed interest in the ad, then we had a long discussion about any questions I had, what the sector is apparently like, etc.
Some of the claims seem too good to be true, i.e. that it's an industry where you can afford to be picky, jobs outnumber people by almost 3 to 1, most jobs are remote, the provider boasts a 90%+ employment rate, I don't need programming experience, the most complex thing I'd be doing is running command prompt/powershell commands and scripts.
The firm itself seems legitimate. They offer CompTIA, Microsoft, Cisco, AWS and EC-Council certifications, have good review scores on Trustpilot, are a registered training provider and limited company in the UK, and are supposedly an assured service provider with the National Cyber Security Centre (NCSC). The courses they mentioned to me in their syllabus supposedly come to £4k and would take about six months.
- Am I right to be wary about what this training provider is offering?
- Do you require extensive programming knowledge or a computer science background to work in cybersecurity in any capacity? A friend with an IT background has told me that Python is useful in his field.
- Is the reality of IT and cybersecurity jobs in the UK (or in the West) far different from what has been painted to me?
24 votes -
The EU wants to decrypt your private data by 2030
50 votes -
I've always found the common approach that websites take to changing the email associated with an account iffy but I am not sure if I am wrong
I have changed my email more than once, just as part of customizing my online identity and all that, and that obviously required me to log in to any accounts I had and update the email associated with them.
The most common workflow I have found is:
login -> navigate to settings page -> edit the email field to the new email -> go to the inbox for the new email -> click confirm on confirmation email
Then you can go to that website and do the "forgot password", provide your email and change the password and get complete control.
I have always found that workflow weird because it's the most prevalent one I have come across and seems so susceptible to tampering.
If someone leaves their laptop unattended for 3-4 minutes in public while visiting a bathroom (which happened often in the library of my university), there was nothing preventing me from going to their Facebook or whatever account they had open on their computer, changing the email to my own email and then clicking confirm in my inbox once I am back at my desk.
And most people don't have 2FA, so that would effectively give me control of their account.
Hell, my university once had a potential data breach and they were 99.999% sure the data was not actually accessed by a malicious actor but still sent a mass email saying that they were advising everyone to change their passwords. A classmate of mine in the software systems program's attitude was basically "oh well, who cares?" and I just facepalmed internally.
There are maybe 3 websites I have come across that instead first send a confirmation email to your current inbox and after you confirm on that, then you get a confirmation email in the new email inbox, which isn't perfect but I feel like it's a bit more sensical and the best you can do without involving 2FA.
Even then, that's also susceptible to the situation I described above if the user is always logged into their email.
I find it odd that websites don't prompt for a password as part of the email update process (or better yet 2FA with an app as even prompting for a password isn't a guarantee if the user has the password manager as an extension in their browser and they recently unlocked it before leaving their session unattended) to ensure that email changes are always done by the account owner.
16 votes -
Address bar shows hp.com. Browser displays scammers’ malicious text anyway.
31 votes -
Cybernews research team has uncovered over sixteen billion leaked records since the start of 2025
37 votes -
Coinbase says cost of recent cyber-attack could reach $400m
17 votes -
Cyber attack causes further chaos for UK shoppers at Marks & Spencer
5 votes -
MITRE support for the Common Vulnerabilities and Exposures (CVE) program will expire tomorrow
A letter to CVE board members posted to bluesky a few hours ago reveals that MITRE funding for the Common Vulnerabilities and Exposures (CVE) program is about to expire. Haven't found any good articles that cover this news story yet, but it's spreading like wildfire over on bluesky.
Of course this doesn't mean that the CVE program will immediately cease to exist, but at the moment MITRE funding is absolutely essential for its long-term survival.
In a nutshell, CVEs are a way to centrally organize, rate, and track software vulnerabilities. Basically any publicly known vulnerability out there can be referred to via its CVE number. The system is an essential tool for organizations worldwide to keep track of and manage vulnerabilities and implement appropriate defensive measures. Its collapse would be devastating for the security of information systems worldwide.
How can one guy in a position of power destroy so much in such a short amount of time..? I hope the EU will get their shit together and fund independent alternatives for all of these systems being butchered at the moment...
Edit/Update 20250415 21:10 UTC:
It appears journalist David DiMolfetta confirmed the legitimacy of the letter with a source a bit over an hour ago and published a corresponding article on nextgov 28 minutes ago.
Edit/Update 20250415 21:25 UTC:
Brian Krebs also talked to MITRE to confirm this news. On infosec.exchange he writes:
"I reached out to MITRE, and they confirmed it is for real. Here is the contract, which is through the Department of Homeland Security, and has been renewed annually on the 16th or 17th of April. MITRE's CVE database is likely going offline tomorrow. They have told me that for now, historical CVE records will be available at GitHub, https://github.com/CVEProject"
Edit/Update 20250415 21:37 UTC:
The above-mentioned post has been supplemented by Brian Krebs 5 minutes ago with this comment:
"Hearing a bit more on this. Apparently it's up to the CVE board to decide what to do, but for now no new CVEs will be added after tomorrow. The CVE website will still be up."
Edit/Update 20250416 08:40 UTC:
First off, here's one more article regarding the situation by Brian Krebs, the guy I cited above, as well as a YouTube video by John Hammond.
In more positive news: first attempts to save the project seem to emerge. Tib3rius posted on Bluesky about half an hour ago that a rogue group of CVE board members has launched a CVE Foundation to secure the project's future. It's by no means a final solution, but it's at least a first step to give some structure to the chaos that has emerged, and a means to manage funding from potential alternative sources that will hopefully step up to at least temporarily carry the project.
Edit/Update 20250416 15:20 UTC:
It appears the public uproar got to them. According to a nextgov article by David DiMolfetta, the contract has been extended by 11 months on short notice just hours before it expired...
Imo the events of the past 24 hours will leave their mark. It has become very clear that relying on the US government for such critical infrastructure is not a sustainable approach. I'm certain (or at least I hope) that other governments (i.e. the EU) will draw appropriate consequences and build their own infrastructure to take over if needed. The US is really giving up its influence on the world at large at an impressive pace.
55 votes -
CISA extends funding to ensure 'no lapse in critical CVE services'
15 votes -
Breaking out of VRChat using a Unity bug (2024)
10 votes -
UK tribunal denies government's request to keep details of 'backdoor order' case secret, which led to Apple disabling 'Advanced Data Protection' service for UK customers
19 votes -
Blackhat hacker 'EncryptHub' behind vibe-coded ransomware unmasked due to opsec mistakes in ChatGPT-created infrastructure
20 votes -
Paged out! issue 6
18 votes -
Back to cash: life without money in your pocket is not the utopia Sweden hoped
34 votes -
PassKey account takeover in all mobile browsers (via Bluetooth)
21 votes -
What are the best truly unbeatable E2EE, presumably P2P messaging apps?
My thoughts are that apps can have end-to-end encryption, but if the app on the end is still connected to someone's servers, there's nothing stopping them from pulling the contents of the chat after it's been decrypted on the other end. What options do we have for messaging that don't have this issue? I understand that anything that I can see can still get taken by the OS, etc., but I'm curious about that first step.
28 votes -
Living off Microsoft Copilot - risks and threats of Copilot
7 votes -
Australia implements new anti-scam regulations
8 votes -
8 million requests later, we made the SolarWinds supply chain attack look amateur
10 votes -
Phishing tests, the bane of work life, are getting meaner
32 votes -
UK orders Apple to let it spy on users’ encrypted accounts
49 votes -
How US school cyber attacks get hidden from those impacted and the public
10 votes -
Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel
18 votes -
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platforms
50 votes -
Too many people don’t value the time of security researchers
22 votes -
Remote code execution via MIDI messages
13 votes -
More US telcos confirm Salt Typhoon breaches as White House weighs in
20 votes -
US officials urge Americans to use encrypted apps amid unprecedented cyberattack
50 votes -
Misogynist hacker who threatened the wrong woman (hacker) and found out
23 votes -
CrowdStrike avoids customer exodus after triggering global IT outage
24 votes -
Craig Newmark, of Craigslist, is giving away $300 million to improve cybersecurity infrastructure
22 votes -
Top US senator calls Salt Typhoon ‘worst telecom hack in our nation’s history’
37 votes -
Bitwarden switches password manager and SDK to GPL3 after FOSS-iness drama
54 votes -
Hackers take control of robot vacuums in multiple US cities, yell racial slurs
37 votes -
More people than ever are trying to hack the US government--and they love it
11 votes -
Using YouTube to steal your files
40 votes -
Kaspersky deletes itself, installs UltraAV antivirus without warning
22 votes -
Data security help - SOC2ish
Hi Tilderinos,
I head up a small startup and we're looking to get some support for our data security. Up until now we've worked with small mom-and-pops that didn't have any requirements, but a few of our new clients have full data security teams and our infrastructure and policies/protocols aren't up to snuff. We reached out to a few consulting firms and they quoted us between $80-100k to get things set up and run us through a full SOC2 review. As a small company we don't really have that type of budget, more like $40-50k. I stumbled upon Vanta and Drata as alternatives and had meetings with their sales folks last week. Both of their offerings, from setting up our protocols to monitoring and getting us through a SOC2, were only $16k.
Are platform based companies like Vanta or Drata enough to get us off the ground while we're still getting set up? Has anyone worked with them before and have any feelings one way or the other? Should we be signing on with a security consulting company - be it at a lower rate if we can negotiate it?
This is all quite new to me and any insight folks here can provide would be incredibly useful.
12 votes -
US lawsuits against Crowdstrike begin with Delta Airlines and Crowdstrike shareholders filing suit
21 votes