The Question Nobody Thinks to Ask
A new computer is an opportunity to start clean. When I migrated to a new Mac earlier this year, I exported my bookmarks and opened the file before importing it. 947 URLs. Twenty-three years of saved links, carried forward through four computers and never once audited.
I had been working through Wireshark training that week — analyzing real packet captures, watching how HTTP traffic exposes session data in plain text. The connection was immediate: how many of these bookmarks are HTTP?
737 out of 947. Seventy-eight percent — unencrypted, many pointing to domains that may have changed hands since they were saved. Financial tools, job boards, professional communities that required login credentials when I bookmarked them years ago. Any of those domains could now be owned by someone else entirely.
Key observation: Bookmarks are a static record of implicit trust decisions made over years. The domains beneath them are not static. When a domain expires and is re-registered — a documented attack technique — the browser has no way to know. It loads whatever is there now.
The question nobody thinks to ask about their bookmarks is the same question nobody thinks to ask about the other implicit trust relationships embedded in their daily workflow. That instinct — to examine what is being assumed rather than what is being stated — is the foundation of security analysis. It turns out it is also something I have been doing, in one form or another, for most of my career.
The Through-Line
Career transitions in cybersecurity are usually framed as pivots — a turn away from one thing toward something different. Looking at the actual sequence of events, that framing does not hold up.
The law enforcement examinations — FBI in 2005, police department in 2008 — were not mentioned on a resume or discussed professionally. They are worth noting now because they establish something the rest of the timeline confirms: the orientation toward investigation, pattern recognition, and threat identification was present long before cybersecurity became a stated career goal. The tools and vocabulary are new. The instinct is not.
Why UX Is Not a Detour
The first time I opened Wireshark, the interface presented as a blank grid. The immediate response — before any deliberate analysis — was to add display filters and color rules to make the traffic readable. That is not a security instinct. It is a UX instinct. The question it answers — where is this interface failing the analyst trying to use it? — is the same question asked about every enterprise application over the past fifteen years.
The bookmark audit produced the same pattern. A Python script would have been sufficient to count HTTP links. What emerged instead was a browser-based tool with an education panel explaining why HTTP is dangerous, a user consent flow for deletions, threat signature matching, Unicode homoglyph detection using character-by-character Unicode escape comparison, a dead link checker with intelligent handling of login-required domains, and an AI classification system that learns from user corrections.
The scope expanded because each layer revealed the next problem. That is how security analysis works when it is working correctly. It is also how UX works.
On homoglyph detection: Cyrillic and Latin character sets share visually identical glyphs — the Cyrillic "а" and Latin "a" are indistinguishable at normal reading size. Native Russian fluency — developed in a Soviet immigrant household — meant recognizing these characters by sight rather than by reference chart. Background is not separate from capability. It is part of it.
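The two checks described above, HTTP counting and character-level homoglyph detection, can be sketched in a few lines of Python. This is an added example, not the code of the author's browser-based tool: the sample export is constructed, and the names `BookmarkLinks`, `scripts_in` and `audit` are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import unicodedata

# Constructed sample in the Netscape bookmark-export format that browsers write.
# The second host uses Cyrillic "а" (U+0430) where a reader expects Latin "a".
SAMPLE_EXPORT = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
<DT><A HREF="http://jobs.example.com/login" ADD_DATE="1104537600">Job board</A>
<DT><A HREF="https://p\u0430yp\u0430l.example/signin">Payments</A>
<DT><A HREF="https://www.example.org/">Reference</A>
<DT><A HREF="http://forum.example.net/">Forum</A>
</DL><p>
"""

class BookmarkLinks(HTMLParser):
    """Collect the HREF of every <A> element in a bookmark export."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.urls.append(href)

def scripts_in(label):
    """Scripts of the letters in one DNS label, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def audit(export_html):
    """Return total links, plain-HTTP links, and hosts that mix scripts in a label."""
    parser = BookmarkLinks()
    parser.feed(export_html)
    plain_http, mixed_script = [], []
    for url in parser.urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme == "http":
            plain_http.append(url)
        if any(len(scripts_in(label)) > 1 for label in host.split(".")):
            # Escape non-ASCII characters so a look-alike cannot hide visually.
            escaped = host.encode("unicode_escape").decode("ascii")
            mixed_script.append((host, escaped))
    return {"total": len(parser.urls), "http": plain_http, "mixed_script": mixed_script}

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

A label written entirely in Cyrillic contains only one script and passes this check, so mixed-script detection is one signal among several rather than a complete homoglyph test.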
The CMMC Problem Is a UX Problem
Only 1% of defense contractors are currently audit-ready for CMMC — down from 8% in 2023, as mandatory enforcement deadlines approach. The compliance gap is not primarily a technical gap. The requirements are published. The tools to meet them exist. What is missing, in most cases, is a translation layer between the regulatory language and the operational reality of a small manufacturing subcontractor whose leadership has never thought about a threat vector.
Explaining complex compliance requirements to non-technical audiences in a way that produces action rather than confusion is a design problem. It requires the same skills that make a security training module legible to a machinist, or a CMMC gap assessment comprehensible to a company president who built his business on the shop floor. Those skills are not common in the security field. They are the primary contribution fifteen years in UX/UI design makes to it.
What the Data Shows
The bookmark audit — the observation that triggered this piece — is a small example of a broader security principle: the most consequential attack surfaces are often the ones no one is examining. Browser bookmarks do not appear on any security checklist. Penetration testers do not audit them. Security awareness training does not mention them. They accumulate silently for years, carrying implicit trust in domains that may no longer deserve it.
The same principle applies at scale. The defense contractors most vulnerable to CMMC enforcement action are not the ones who refused to comply — they are the ones who signed attestations in good faith, operated under years of unenforced voluntary standards, and now face mandatory third-party certification with a readiness rate of 1% and a pool of 600 certified assessors for 350,000 contractors requiring certification. The compliance gap was hiding in plain sight, in a process nobody was examining closely enough.
Pattern recognition across systems that are not being watched — that is the skill set. The bookmark file was a small instance of it. The CMMC supply chain is a large one. The instinct that connects them is the same.
This piece reflects the author's own professional history and analytical perspective. All security findings referenced are based on publicly available data or personal audit results.