The Five-Sided Truth The Illuminati Don't Want You to See
All hail Eris! All hail Discordia! Welcome to the reality tunnel where we question everything. While the security priesthood sells "military-grade encryption" and "government-approved standards," we're here to pull back the curtain: Nothing is true. Everything is permitted. Your encryption is theatre.
Think for yourself. Question authority. Especially the authority that certifies your crypto.
This isn't conspiracy theory—this is conspiracy fact. Or as Hassan-i Sabbah said before the Illuminati twisted his words: reality is what you can get away with. And nation-states can get away with everything.
FNORD. You see it now, don't you? The pattern. The approved algorithms. The standardized backdoors. The security industrial complex selling you locks they already have keys to.
Let's illuminate the five ways they've already pwned you:
1. SIGINT & Mass Surveillance (The Panopticon Is Real)
They intercept everything. Not "targeted surveillance"—everything. Your encrypted traffic? Filed away in Utah, waiting for quantum computers. They built the internet. They tap the backbone. They are the infrastructure.
Illumination: The watchers watch the watchers watching you. And nobody watches them. Question: If total surveillance was legal, would they tell you? They didn't.
2. Cryptographic Backdoors (Trust Us, We're Experts)
The NSA designed Dual_EC_DRBG with a backdoor. Got it standardized. Everyone used it. Then Snowden revealed it. The NSA said "oops." Then they standardized more algorithms. And you trust them again?
Illumination: Fool me once, I'm suspicious. Fool me twice, I'm complicit. Fool me seventeen times, I'm working for you.
3. Supply Chain Compromise (Hardware Betrayal)
Cisco routers interdicted in transit. IME backdoors in every Intel chip since 2008. Huawei or NSA—pick your backdoor flavor. The supply chain isn't compromised; it's designed that way.
Illumination: Your trusted platform module trusts the platform. The platform trusts the manufacturer. The manufacturer trusts the intelligence agency. You trust no one, and you're still compromised.
4. Legal Compulsion (Patriot Act Surprise Mechanics)
National Security Letters with gag orders. FISA courts with secret interpretations of secret laws. Lavabit shut down rather than comply. Yahoo fought and lost. How many didn't fight? How many couldn't tell you?
Illumination: When law and liberty conflict, guess which one survives. The law explicitly forbids telling you it exists. Think about that.
5. APTs (Advanced Persistent Everything)
Stuxnet jumped air gaps. Equation Group made hard drives lie about their firmware. NSO Group turns your phone into their phone. These aren't bugs—they're features of the surveillance state.
Illumination: The zero-day you know about is the one they want you to find. The real ones have been there for years.
The Law of Fives is everywhere. Five intelligence agencies. Five eyes. Five ways to compromise you. And the sixth way? Convince you there's no sixth way.
META-ILLUMINATION: If this sounds paranoid, you're not paying attention. If this sounds reasonable, you're already too deep. The only winning move is transparency—because they can't co-opt what's already public.
The "Approved Algorithms" Paradox (Or: How I Learned to Stop Worrying and Love Big Brother)
Let's play a game. The same organizations that:
- Run PRISM (collect data from Microsoft, Google, Apple, Facebook—the companies you trust)
- Employ more cryptanalysts than the rest of the world combined (to break your shit, not protect it)
- Have black budgets larger than most countries' GDP (and zero accountability)
- Legally compel companies to install backdoors and forbid them from telling you
- Intercept Cisco routers in shipping to install implants (documented, admitted, still happening)
...are the same organizations that tell you which encryption is "safe."
Nothing is true. Everything is permitted. Including the permission they give themselves to lie to you about what's secure.
Now, don't get me wrong—breaking properly-implemented strong crypto is genuinely hard. The math doesn't lie (unlike mathematicians who work for intelligence agencies). But here's the fnord:
- Compromise the standard itself — Dual_EC_DRBG wasn't an accident. It was a test to see if you'd notice. You didn't (until Snowden).
- Compromise the implementation — Heartbleed. POODLE. BEAST. "Bugs" or features? Yes.
- Steal the keys — via legal compulsion, supply chain compromise, or just buying the CA. The locks are strong; the key distribution is a joke.
- Attack the endpoints — Your device is already compromised. Intel ME. iOS sandboxing "features." Windows telemetry. The endpoints snitch.
- Exploit the metadata — They don't need to read your messages when they know you called a journalist, then a lawyer, then a psychiatrist. Pattern is content.
Five ways around "unbreakable" encryption. Always five. The Law manifests.
ULTIMATE ILLUMINATION: The strongest encryption protects you from everyone except the people who approved it. This is not a bug. This is THE feature. The system working as designed.
Question authority. Especially cryptographic authority. Especially when they insist you must use their approved algorithms for "interoperability." Interoperability with whom? Their surveillance infrastructure.
Operation Mindfuck: Radical Transparency as Guerrilla Security
So what do we do? Give up? Use ROT13 and pray? Join a monastery?
No. We embrace Discordianism. We practice guerrilla ontology. We make the surveillance state expensive.
Nothing is true. Everything is permitted. Including the permission to publish everything about our security.
At Hack23, we practice radical transparency through our Public ISMS. Not because we're naive—because we understand the game. If they can compromise anything secret, make nothing secret. Operation Mindfuck the surveillance state.
Trust Through Verification (Not Faith)
Don't trust our security practices—verify them. Our policies are public. Our procedures are GitHub. Our frameworks are forkable. Think for yourself. We're not asking for faith; we're providing evidence.
Illumination: Security through obscurity is security through hoping nobody looks. We're looking. You should too.
No Security Theater (All Hail Eris)
We don't pretend nation-states can't pwn us. We design for detection and response, not imaginary perfect prevention. Because perfect security is a lie told by vendors to executives who want to believe they're safe.
Illumination: The question isn't "if" but "when" and "will you notice?" Assume breach. Plan accordingly. Panic never.
Business Value Over Bullshit
Security should enable business, not strangle it. If your security makes work impossible, you've just created a different kind of failure. Security theater that prevents actual work is just expensive incompetence.
Illumination: Security without business value is masturbation. Feel good, accomplish nothing, waste everyone's time.
The beautiful paradox: Transparency improves security. When your processes are public, the entire internet can audit them. When you can't hide behind "proprietary security," you have to actually be secure. Accountability through visibility. Anarchism through structure.
CHAOS ILLUMINATION: The surveillance state relies on your compliance. Your acceptance. Your belief that you have no choice. Radical transparency is refusal. Publication is resistance. Making everything public is the ultimate Operation Mindfuck—because how do you compromise what's already exposed?
The ISMS Illuminations: Policy Blog Entries
Explore our Discordian take on each policy from our Public ISMS. Each entry examines real security value with radical transparency:
The foundation—why our security policy is public and yours should be too. Security through obscurity is incompetence with a nicer name.
Zero trust isn't paranoia—it's mathematics. Trust no one, including yourself. Verify everything.
When (not if) shit hits the fan. Assume breach. Plan survival. Practice both.
Five levels from Public to Extreme. Classification based on reality, not paranoia or compliance theater.
Question authority over approved algorithms. Backdoor history and the five-sided defense against surveillance.
The security-industrial complex exposed. Fear became a business model. Question "best practices."
Code you can actually read. Trust through transparency. Proprietary security is security through hope.
The perimeter is dead. Zero trust networking. Assume breach, design for containment.
GDPR as weapon against surveillance capitalism. You're not the customer—you're the product. Question that.
Know thy enemy (they already know you). Your threat model should include nation-states—because theirs includes you.
Code without backdoors (on purpose). Security isn't a feature—it's architecture. Every line is a potential vulnerability.
Patch or perish. Known vulnerabilities are inexcusable. Unpatched CVEs are pre-installed backdoors with better PR.
Restore or regret. A backup you haven't tested is Schrödinger's backup. Assume breach, assume ransomware, test restores.
The Business Case: Security That Actually Pays For Itself
Forget the FUD. Let's talk about real business value—not scare tactics:
| ROI Level | Risk Reduction | Breach Prevention | Business Impact |
|---|---|---|---|
| Exceptional | Substantial | Major breach costs avoided | Strong positive returns |
| High | Significant | Notable savings from prevention | Solid returns |
| Moderate | Meaningful | Reasonable cost avoidance | Positive returns |
| Basic | Some improvement | Limited savings | Break-even to modest returns |
| Minimal | Marginal | Minimal impact | Questionable value |
Security investments should deliver real business value, not just theoretical protection:
- 🤝 Trust Enhancement — Customer and partner confidence that translates to revenue
- ⚙️ Operational Efficiency — Reliable systems that don't waste your team's time
- 💡 Innovation Enablement — Secure platforms that enable new capabilities instead of blocking them
- 📊 Decision Quality — Data integrity you can actually rely on for decisions
- 🏆 Competitive Advantage — Security as market differentiator (when done right, not just claimed)
- 🛡️ Risk Reduction — Fewer oh-shit moments at 3am
Balanced security investments deliver operational stability, data reliability, and reasonable protection that enable business growth—not paranoid lockdown that prevents it.
Hidden Wisdom: Security that prevents business from functioning is just expensive failure with a nicer name.
Read the full business value analysis →
Initiation Complete: Welcome to Chapel Perilous
Nothing is true. Everything is permitted. You've seen the fnords. You can't unsee them.
Here's what we've illuminated through the Law of Fives:
- No crypto is secure from those who approved it — The surveillance state is the system, not an aberration. This was always the design.
- "Approved algorithms" is newspeak for "exploitable" — They don't standardize what they can't compromise. Think for yourself about why that is.
- Transparency is the only real security — Because they can't co-opt what's already public. Operation Mindfuck the watchers.
- Perfect security is a noble lie — Question anyone selling it. They're either lying or deluded. Usually both.
- Security serves power or serves people — Choose sides. There is no neutral. Apathy is compliance.
Think for yourself. Question authority. Especially security authority. Especially when they insist you trust them. Especially when questioning them is labeled "dangerous."
All hail Eris! All hail Discordia! The goddess of chaos teaches: embrace uncertainty. Question everything. Trust verification. Fuck compliance theater.
The bureaucracy is expanding to meet the needs of the expanding bureaucracy. Don't feed it. Don't trust it. Don't let "best practices" (approved by whom?) replace actual thinking.
FINAL ILLUMINATION: You are now in Chapel Perilous. The conspiracy is real AND imaginary. The surveillance state exists AND you're paranoid. Both are true. Nothing is true. Everything is permitted. The only way out is through radical honesty—which is why they fear transparency more than your encryption.
Welcome to the real world. It's weirder than you think, and they're counting on you not thinking about it.
— Hagbard Celine
Captain of the Leif Erikson
Product Owner, Hack23 AB
"Think for yourself, schmuck! Question everything—especially this."
🍎 23 FNORD 5
The Hack23 ISMS Paradox: Or How We Learned to Stop Hiding and Love Transparency
All hail Eris! Here's the uncomfortable truth: Most companies hide their security documentation. Why? Because it reveals how bad their security actually is.
Think for yourself. Question authority. Including questioning whether publishing your entire ISMS is insane. Spoiler: It's not insane—it's the only sane move in an insane world. FNORD.
Hack23's Information Security Policy isn't locked in some SharePoint dungeon. It's GitHub public. All 23 security policies. All procedures. All frameworks. Every threat model. Every risk assessment. Everything.
Why? Because security through obscurity is security through hope, prayer, and crossing your fingers. Security through transparency is security through proving you're not full of shit.
CHAPEL PERILOUS MOMENT: Publishing your ISMS publicly sounds crazy until you realize the only people afraid of scrutiny are those with something to hide. We have 23 policies to scrutinize. Bring it.
The Six Principles (Because Five Wasn't Anarchist Enough):
1. 🔐 Security by Design (Not Security by Accident)
Build security in from day one, not bolt it on after the breach. Radical concept: Design systems that don't fail catastrophically when—not if—someone finds a vulnerability. Defensive pessimism as competitive advantage.
Nothing is true: Perfect security doesn't exist. Everything is permitted: Systematic resilience does.
2. 🌟 Transparency (Security Theater Exit Strategy)
Controversial opinion: Public ISMS documentation makes attackers' jobs harder, not easier. They already know the attack vectors. What they don't know is whether you've actually mitigated them. Publishing your defenses proves you have defenses.
The Illuminati hide their security. We publish ours. Guess which approach creates actual trust?
3. 🔄 Continuous Improvement (Paranoia as Process)
Yesterday's adequate security is today's breach waiting to happen. Systematic evolution beats static perfection. Regular assessment + ruthless enhancement = staying ahead of threats that evolve faster than your compliance certification.
Are you paranoid enough? If you think your security is "done," you've already lost.
4. ⚖️ Business Value Focus (Security That Pays for Itself)
Security proportional to actual risk, not imaginary threats. €10K+ daily loss = HSM encryption. Public blog posts = basic integrity. Classification-driven investment beats paranoid over-protection and negligent under-protection. Both waste money.
Protecting everything equally = protecting nothing effectively. Classification is risk-based resource allocation.
5. 🤝 Stakeholder Engagement (Security Isn't Your Job Alone)
Security teams that work in isolation create security nobody uses. Engage stakeholders or watch them bypass your controls. Business enablement through security, not security despite business. Security friction = shadow IT proliferation.
If security prevents work, work will prevent security. Choose wisely.
6. 🛡️ Risk Reduction (Accept Paranoia, Reject Panic)
Comprehensive risk management isn't about eliminating all risk—that's impossible. It's about knowing which risks you're accepting and why. Documented risk acceptance beats undocumented ignorance. Informed decisions over security theater.
Zero risk = zero business. Smart risk = documented decision. Dumb risk = "we didn't think about it."
ULTIMATE ILLUMINATION: These aren't corporate aspirational bullshit. They're operational practices with measurable outcomes. Security isn't a cost center—it's revenue protection. Breaches cost more than prevention. Trust generates value. Transparency proves competence. The math is simple; most companies are bad at math.
The 23 Policies (Organized Because Chaos Needs Structure):
- Core Security (13): Access Control, Acceptable Use, Physical Security, Mobile Device, Cryptography, Data Classification, Privacy, Network Security, Secure Development, Open Source, AI Governance, LLM Security, Threat Modeling—because defense in depth isn't optional
- Operational (6): Incident Response, Business Continuity, Disaster Recovery, Backup Recovery, Change Management, Vulnerability Management—because shit breaks and you need plans
- Asset & Risk (3): Asset Register, Risk Register, Third Party Management, Supplier Security—because you can't protect what you don't know you have
- Compliance (1): Compliance Checklist, ISMS Transparency—because regulators exist and transparency is our brand
The CEO Sole Responsibility Model (Or: How One Person Runs Everything):
Plot twist: Hack23 is a one-person company. CEO (James Pether Sörling) is ISMS Owner, Risk Owner, Policy Authority, Incident Commander, Security Architect, Access Controller, Vulnerability Manager, Compliance Officer, Asset Manager, Supplier Manager, BCP Manager, Development Lead, Security Metrics Analyst, and Transparency Manager.
Is this sustainable? No. Is it transparent? Yes. Does it demonstrate that systematic security frameworks work at any scale? Absolutely. Most companies have security teams larger than our entire company and worse security posture. Size doesn't equal security. Systems do.
META-PARANOIA: If one person can document and maintain 23 security policies, what's your security team's excuse? Either they're incompetent or they're hiding something. Possibly both.
Everything is public: ISMS-PUBLIC Repository | Information Security Policy | Scrutiny welcome. Copying encouraged. Improvement inevitable.
FNORD. You now see the pattern: Most security is theater. Some security is systematic. Our security is public. Which approach would you trust?