is there a site/account dedicated to aggregating all the bug bounty submissions / #security “research” that’s of the class:
“just discovered this WILD #vulnerability!!! if u steal the username, password, 2FA code, and have local access to the machine, you can M o D i F y F i L e S 🤯🤯🤯”
so many #threat modeling workflows are uncivilized, creaky, positively antediluvian.
#threatmodeling should be modern, configured as code, a creative, collaborative romp to reify a defensive strategy that outmaneuvers attackers.
thus, this yule, my deciduous.app co-conspirator @rpetrich and I bear a gift: Deciduous-VS, a #VSCode extension to build and visualize decision trees within your IDE 🎄 (== local dev for classified/regulated envs, too)
learn more in my post: https://kellyshortridge.com/blog/posts/deciduous-for-vscode-local-decision-tree-editing/
every time I have to solve this style of captcha, I assume this is what it feels like to take bath salts in public
The #security community truly deserves better than the current status quo it gets from so many of its vendors.
Vendors shouldn’t narcissist’s prayer and gaslight you after they cause harm! They should respect their accountability rather than litigate against their victims.
I legit cannot wait until security practitioners realize how much better their lives could be, and the joy they will feel being free of jank tooling.
I’ve always side eyed the phrase “simping” until I saw the obsequious praise security bros are lavishing on Crowdstrike for one of the worst “RCA” docs I’ve ever read, and now I get it
in #lockdown mode on #iOS, they disable search in Messages. def makes sense not to allow search through docs & pics — but why don’t they fall back to text-only search?
is there an exploit pattern I’m missing?
Link (one of my cats, very dumb, loves oil) was licking a plate of cookies and I said, “oh you’re stealing cookies now? Are you a script kitty?”
he was not amewsed
😸👅🍪😐🫳🙀😿🤪😾
P.S. probably my primary goal with writing my book was to address both 1 & 2 above ^
reveal to platform engineers & SREs how very capable they already are to solve cybersecurity challenges
and to teach cyberpros how software works, a crash course in software delivery practices, all the opportunities they overlook while drooling over the RSAC vendor hall, etc.
shameless plug: https://securitychaoseng.com/
I’ve long felt that if the software engineering world realized:
immense outrage would foment at large, and perhaps real change demanded
there’s a reason why infosec pros present the problems as arcane and inaccessible, why they protect their own and knit tight cliques…
I’m especially tickled that cyberpro bros have always haaaated when I said outages are way worse in terms of business impact than the vast majority of cyberattacks
and that cybersecurity problems really aren’t as hard relative to other software concerns as they pretend they are…
(see also: https://kellyshortridge.com/blog/posts/cybersecurity-isnt-special/)
it’s kind of funny seeing the dynamic I’ve lived when speaking at conferences the past ~5 years play out at scale now
cyberpro bros adamantly refuse to believe modern software practices can work
and platform engineers / SREs are dumbfounded upon learning how behind cybersecurity is as an industry
tl;dr of the current crowdstrike incident discourse:
cyber bro in wrinkly chinos: “actually, modern software practices do not work, pls stop bullying the c-suite of an $80bn corporation”
trans furry platform dev: “bitch u live like this????? I don’t sandbend compilers for u losers to skip unit tests”
okay people, stop with the 👉🥺👈 but crwd is just an itty babby don’t be meeean
they are a grown ass commercial software vendor who has known, for years, by design, that they effectively deliver a rootkit into enterprise systems and, often, critical infrastructure
again, if you have the energy to shame OSS contributors for their mistakes, but make excuses for large commercial vendors: maybe what you seek is punching down, not making the software ecosystem better https://hachyderm.io/@shortridge/112813022742284016
so, how do we plan to zero trust the zero trust software?
and do we call this a cybersecurity attack? it is an attack by the cybersecurity industry on our nation’s infrastructure, after all…
#Crowdstrike
^ In our RFIs, we note that commercial security software is often a boon for attackers given its deep access + poor quality
indeed, much of it resembles malware in functionality.
in the #Crowdstrike case now, it’s poorly written malware. “Skidiot” shit, as a friend would say…
For all the ballyhooing about open source, why don’t we take the security of commercial security software more seriously?
this is why I’ve side eyed any federal document about software #security, quality, or #resilience that demonizes open source software while touting the virtues of commercial cybersecurity products
as if those products aren’t notorious for deep access + flimsy quality…
I’ve written about this concern in two separate RFIs to CISA et al (with co-conspirator @rpetrich)
#crowdstrike
and this is why we need to stop absolving commercial cybersecurity vendors of software quality concerns.
there should be multiple checks preventing this type of broken content in an update.
how did they allow it to ship to so many machines all at once?
#crowdstrike
stochasticity continues to be underrated as a defensive strategy against attackers
I unironically believe embracing more whimsy would help most security programs
(plz don’t do this for compliance requirements, I am not an auditor, this is not legal advice)
the Pilates girlies keep saying how amazing CMOS gel is, I think they mean thermal paste?
going to try it in my breakfast smoothie to see if it helps me detoxify, will let y’all know how it goes ✨
in my fever fugue, I’ve conceived a blog post so controversial, so shitposty, so rabidly irreverent yet stuffed with unassailable wisdom, that even I, creature of salt and smoke, do not have the courage to post it
Posts from the account shortridge@hachyderm.io