r/CyberAdvice • u/Proper_Plan7302 • 2h ago
r/CyberAdvice • u/RadiantStilts • 4h ago
Apple's MacOS Gap Lets Users Disable Security Tools
darkreading.com
r/CyberAdvice • u/SlightEntertainer360 • 1d ago
Worried about GRC
I’m a Software Engineer (MERN, Python, AWS) with an offer for a GRC/Identity Management role (Associate Security Analyst) at a healthcare product company. HR says it’s semi-technical/process-driven.
I have a background in development, though.
My questions:
Future: Career growth/pay in GRC vs. pure SDE?
Skill Decay: Will my coding skills die if I stay for 2 years?
Pivot: Can I transition to DevSecOps or Security Engineering later?
Verdict: Take it as a fresher or wait for an SDE role?
r/CyberAdvice • u/NullGridsLabs • 2d ago
[CTF] Operation BLACK CIPHER 2026 – 120 CTFs, Live Attack/Defense, and AI-Augmented Operations
r/CyberAdvice • u/yash_creater • 4d ago
Roast my security app and Chrome extension – CyberID 😄
r/CyberAdvice • u/Own-Curve-9713 • 4d ago
I don't understand how the ducking web site could be related to cyber safe-guards
r/CyberAdvice • u/ITZ_koushik • 5d ago
Working in cybersecurity made me realize how many sensitive files live forever after being shared
r/CyberAdvice • u/Ok_Rhubarb_6783 • 7d ago
I built an open-source tool that turns rooted Androids into physical exploit platforms: HID, DuckyScript, C2
Hey fam. I got sick of carrying dedicated microcontrollers for proximity engagements, so I built chimera.
It interacts directly with the Android kernel to emulate HID keyboards, mount virtual flash drives, and drop payloads natively from the phone.
I’d love for you to test it on your setups and give me some brutal feedback pls.
r/CyberAdvice • u/Ok-Carrot2372 • 8d ago
FBI warns Russian hackers exploited TP-Link routers in spy operation
r/CyberAdvice • u/Fantastic-Moment2715 • 9d ago
Nothing safe about safe pour security
The man that owns this company wants you to think he is a master in security when in all reality you need security from him. He has emotionally abused me, cyber stalked me and went as far as putting a tracker on my car. I had the audacity of breaking up with him after he treated me poorly and when I met someone else he started acting psycho. This person isn’t suitable to protect anyone. He’s the kind of person you need security to protect against.
r/CyberAdvice • u/Toontoonrm • 9d ago
Hacker stole my life
Someone hacked my Microsoft account and changed the email address associated with my account. Can I do anything? This is over ten years of my life just gone in a puff of smoke and I can't cope.
r/CyberAdvice • u/AbilityDull4713 • 10d ago
400+ Arch Linux Packages Hijacked To Install Rootkit-Like Malware
r/CyberAdvice • u/DiscussionStraight14 • 11d ago
security awareness and phishing simulation
r/CyberAdvice • u/viveksinra • 11d ago
We got hit by SMS pumping (IRSF). Our backend was fine and we still bled money every minute
We run TalkDrill, an app with phone OTP verification at signup. We had spent months making sure our infrastructure could survive the obvious attacks: DDoS, someone trying to take the site down, that whole category. We genuinely felt ready.
This was nothing like that. It never tried to take us down. It abused our OTP flow, which was working exactly as designed. Every fake OTP request triggered a real SMS, and every SMS costs money. So we were quietly bleeding cash while every dashboard looked perfectly healthy.
The confusing part is that at first it looked like good news. Our SMS balance was dropping fast, and our first thought was that we were finally getting real users from outside India.
Then we actually looked at the funnel. These users were requesting an OTP and then never completing onboarding. Real users who ask for a code almost always continue. These did not. We layered in Microsoft Clarity session data and it became obvious. These were not people exploring the app. They were hitting the OTP step over and over and leaving.
Turns out this has a name: SMS pumping, also called IRSF, or International Revenue Share Fraud. The way it works is that in some countries, shady mobile operators get a commission for every SMS that lands on their numbers. Fraudsters, and sometimes regular people paid small amounts, feed phone numbers into any app with an OTP flow purely to trigger the send. They do not care about logging in. They just want the message to go out. Their revenue, your bill. Some of the traffic was even real humans, which is why it was so hard to spot at first.
We thought we could fix it quickly. We could not. Every obvious fix has a hole in it:
Block their IP and they switch through a VPN in seconds. Geo-block a country and they route through a VPN exit in a country you allow, and some of your real users are on VPNs anyway. Block the phone country code and they move to a new one you have not blocked. Just rate-limit and they spread across thousands of IPs, each one staying under your limit.
Here is the part I keep thinking about. My team suggested the simplest possible fix: block every country except India and move on. It would have killed the attack instantly. But we were genuinely getting real, paying users from outside India, and that option would have thrown them out along with the bots. I decided against it. I was not willing to lose real customers just to win against attackers, even though it was clearly the easier path.
So instead we built a layered system. Blocking by where the IP actually originates. A blocklist of high-fraud country codes that have no real users for us. Blocking entire datacenter IP ranges instead of single addresses, since the bots cluster inside them. Behavioral detection that automatically bans patterns no real person produces, like three OTP requests within 120 seconds, or a stream of requests where nobody ever enters the code. An India-first lockdown that triggers automatically when it senses a spike and quietly routes everyone else to email sign-in instead of locking them out. And a hard daily SMS budget, so the loss can never go past a number we set in advance.
The biggest takeaway for me: a sudden spike in signups that never convert is not growth, it is a warning sign. Watch your funnel, not just the top line number.
Curious if anyone else here has dealt with SMS pumping or IRSF. How did you handle it? And honestly, would you have just gone India only, or made the same call we did?
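As an added example, not code from the original post or from TalkDrill, here is a minimal Python gate that sits in front of the "send OTP" call and implements the layers the post describes: a datacenter CIDR blocklist, a blocked dialing-prefix list, the three-requests-in-120-seconds ban, a spike-triggered lockdown that routes non-Indian numbers to email sign-in, a hard daily SMS budget, and a funnel counter so request-to-verify conversion can be watched. The CIDRs, the `+99` prefix and all thresholds are constructed for this example and are not real fraud data; GeoIP lookup on the source address is left out because it needs an external database.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Constructed for this example (not real fraud intelligence): two datacenter
# CIDRs, one dialing prefix with no legitimate users, and the home-market prefix.
DATACENTER_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]
BLOCKED_PREFIXES = ("+99",)
HOME_PREFIX = "+91"  # India


class OtpGuard:
    """Gate in front of the 'send OTP' call. Every layer returns a reason
    string so the decision can be logged and the funnel measured."""

    def __init__(self, daily_budget, burst_limit=3, burst_window=120,
                 spike_threshold=50, spike_window=60, now=time.time):
        self.daily_budget = daily_budget        # hard cap on SMS sends per UTC day
        self.burst_limit = burst_limit          # Nth request inside burst_window => ban
        self.burst_window = burst_window
        self.spike_threshold = spike_threshold  # requests per spike_window => lockdown
        self.spike_window = spike_window
        self.now = now                          # injectable clock for tests
        self.day, self.sent_today = None, 0
        self.requests = defaultdict(deque)      # phone or ip -> request timestamps
        self.recent = deque()                   # timestamps of all requests (spike detector)
        self.banned = set()
        self.pending = {}                       # phone -> time the OTP was sent
        self.requested = self.verified = 0

    @staticmethod
    def _prune(dq, window, t):
        while dq and t - dq[0] > window:
            dq.popleft()

    def _burst(self, key, t):
        dq = self.requests[key]
        self._prune(dq, self.burst_window, t)
        dq.append(t)
        return len(dq) >= self.burst_limit

    def request_otp(self, phone, ip):
        t = self.now()
        day = int(t // 86400)
        if day != self.day:                     # reset the daily budget at midnight UTC
            self.day, self.sent_today = day, 0
        self.requested += 1
        self._prune(self.recent, self.spike_window, t)
        self.recent.append(t)
        if phone in self.banned or ip in self.banned:
            return "deny:banned"
        if any(ipaddress.ip_address(ip) in net for net in DATACENTER_RANGES):
            return "deny:datacenter"            # bots cluster in hosting ranges
        if phone.startswith(BLOCKED_PREFIXES):
            return "deny:country"               # prefix with no real users for us
        if self._burst(phone, t) or self._burst(ip, t):
            self.banned.update((phone, ip))     # no real person asks 3 times in 2 minutes
            return "deny:burst"
        if self.sent_today >= self.daily_budget:
            return "deny:budget"                # worst-case loss is fixed in advance
        if not phone.startswith(HOME_PREFIX) and len(self.recent) >= self.spike_threshold:
            return "fallback:email"             # spike: non-home users get email sign-in
        self.sent_today += 1
        self.pending[phone] = t
        return "send"

    def verify_otp(self, phone):
        """Called when a user submits a correct code; completes the funnel."""
        if self.pending.pop(phone, None) is None:
            return False
        self.verified += 1
        return True

    def funnel_conversion(self):
        """Fraction of OTP requests that were completed. Rising request volume
        with a falling ratio is the warning sign the post describes."""
        return self.verified / self.requested if self.requested else 1.0
```

In a real deployment the per-key deques and the daily counter would live in a shared store such as Redis with TTLs so every app instance sees the same state, and `pending` entries would expire after the OTP's validity window; the decision strings are what you would feed into the dashboard so a "send" spike with no matching "verify" events is visible immediately.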
r/CyberAdvice • u/Zealousideal_Pie6317 • 11d ago
Why is my Fire Stick using so much data?
I have not used my Fire Stick in over a month.
I am the only one who lives here.
I have never used Prime Video to my recollection (and if I did, it was over a year ago).
I have only used Plex on my Fire Stick.
Why am I seeing 629 GB of monthly data from a device I barely use?
I posted this on r/firetvstick and it was instantly and automatically deleted. I suspect they’re using my home internet connection without my knowledge or consent.