Toots for gnyman@infosec.exchange account

Written by Gabriel N on 2025-01-14 at 10:39

Interesting to see @haveibeenpwned / @troyhunt having decided to start offering "Threat Intelligence".

While I understand the thinking, the quote from the article

But even when you get the full dump of the data from the shadiest providers*, it's just been a waste of time.

Sure, there is some value in informing people about problems. But it's important to provide actionable information.

A better approach might be to provide this information to the breached sites to allow them to 1. validate the information. 2. inform the users. 3. force changes.

That approach has its own problems**, but seems like it more effectively attacks the core of the problem instead of the symptom.

And if that is not possible, then maybe something proactive like identity-protection services which you pay to take actions on your behalf of any data.

Maybe this isn't something Troy wants to do, which is fine. But I felt like I needed to write down my thoughts on why I don't think it's the right approach.

Footnotes:


Written by Gabriel N on 2025-01-03 at 21:01

Rate my #homeassistant - dashboard

It's getting there, slowly. Running on my old trusty iPad2. Getting that to work took a bit of trickery as the HS dashboard required modern JS, but #novnc to the rescue. I'll write it up soon.


Written by Gabriel N on 2024-12-04 at 20:18

Oh fantastic to hear @riskybusiness and @metlstorm say it out loud.

Securityscorecard and similar scoring services are a very coarse proxy for the state of security at a company.

I recently spent many emails and meetings trying to explain to a customer why our low score, due mostly to a few services accepting older TLS and missing security HTTP headers, is not a sign we don't take security seriously. And that the outdated version of software A (which we have many of and was a big contributor to the low score), while not optimal, is not a priority because of how we use it and the mitigations we have in place.

In the end it was easier to remove the version from the header than to get them to accept that the security scoring service was wrong in this case.

Also the whole business of how they force you to get a proper view of why your score is bad does not seem like an ethical business practice either.

https://overcast.fm/+AAIt0hlU9MU/24:49


Written by Gabriel N on 2024-12-02 at 20:24

Random thought which hit me some days ago

A strong driver of complexity is that it hides incompetence.

It's probably not a novel idea but I feel it explains so much of what is happening in this field.

It's probably something @ludicity wrote which my subconscious has been processing.


Written by Gabriel N on 2024-11-18 at 10:41

https://securitycryptographywhatever.com/ is the most approachable cryptography podcast I know. Here are my favourite episodes

What's wrong with JWT and what to use instead with @titanous https://overcast.fm/+AAxz8XW2b7M

The non-marketing take on Zero Trust with @konklone

https://overcast.fm/+AAxz8X8qQgQ

Software Safety with @kevinriggle https://overcast.fm/+AAxz8VogJiY

SOC2 with @worldwise001 https://overcast.fm/+AAxz8Vrq84s


Written by Gabriel N on 2024-11-16 at 08:09

A key part of me keeping my social media usage healthy and enjoyable is a chronological timeline which remembers where I left off.

Instead of scrolling down towards infinity I scroll up towards now. I also find that makes it much easier to follow the development of news and discussions.

Also no notifications, or if you must, make them go into the summary.

And unfollow/mute aggressively, unless you're getting joy from social media, why do you do it?

#mastodon #mentalhealth #life

Written by Gabriel N on 2024-11-02 at 12:49

Ugh, the #chrome #extension ecosystem is exactly as bad as I'd expect.

And the fact the extension is still up claiming not to collect any data even if it has been called out in one of the biggest security newsletters shows how much Google cares about this (not much). The only thing they care about is pretending to ship AI features to detect malicious extensions. Because that's how you get promoted.

I mean is it even possible to report a suspicious or bad extension? I don't see anywhere

Great research by @WPalant and @c0m4r

And @campuscodi for putting the spotlight on it.


Written by Gabriel N on 2024-10-03 at 19:34

The #mitre #engenuity attack evaluation project is super interesting and well done

I'm looking at Linux EDR solutions, and there seems to be very little info out there about how they perform. But this is a great source of info after you figure out how it works, and it really shows how the tools work.

For example, take a look here, a comparison of Fortinet, CrowdStrike and Palo Alto. To help you understand what you are looking at and keep the focus on Linux for now, start by unchecking all the steps before 9.7 (which will limit it to Linux).

Now in the summary, you will see a lot of purple. Purple means the EDR saw the activity.

This is somewhat interesting, most are quite good at finding things, but what I find to be really interesting is when you scroll down, you can see screenshots of the activity as it shows up in the EDR console. I find this the real value, as it gives a rare glimpse into how different solutions present the information. Because I think this is a key part of how useful software is. An EDR will by definition collect much more info than it needs, and then the important part becomes presenting the information in a usable way that allows the end user (threat hunter) to quickly figure out if something is malicious or not.

Blocking or alerting on it is of course the other important thing, and that is not tested in this scenario (more on that in a moment). But I think the screenshots give an idea for most of the products if it would have been an alert.

For example this one is interesting to look at

(Linux) cron executes a reverse shell to 176.59.15.33:8081

For Fortinet, they are only showing the Threat Hunting view, so it's hard to tell if FortiEDR has generated an alert or not and what severity.

#linux #edr #mitre #engenuity

Written by Gabriel N on 2024-09-18 at 11:48

I was really hopeful when I saw the news about this. But after reading the list of restrictions on a "Teen" account I couldn't stop thinking about the likeness to the tobacco companies' campaigns with "Light" and "Low-Nicotine".

Written by Gabriel N on 2024-09-18 at 11:45

Facebook/Meta introduces ~Camel Light~ Instagram Teen, it's the healthy choice that doctors recommend.

https://about.fb.com/news/2024/09/instagram-teen-accounts/

#instagram #totallynottobacco

Written by Gabriel N on 2024-08-28 at 18:28

@things is Apple's cloud-syncing really so much worse than doing it yourself?

I like everything about your app, but the fact that you have your own syncing is a killer for me. I just don't see how a small company like yours would be able to assign enough resources to protect the data, and even if the risk is small there are 100 other todo apps out there which do not have this risk, so I'll just have to pass for now.

Seems like outsourcing that part to Apple would be a win-win and allow you to focus on the app not the servers.

Original URL
gemini://mastogem.picasoft.net/profile/109425983042183219/reblog