adamshostack

@adamshostack@infosec.exchange

Author, game designer, technologist, teacher.

Helped to create the CVE and many other things. Fixed autorun for XP. On Blackhat Review board.

Books include Threats: What Every Engineer Should Learn from Star Wars (2023), Threat Modeling: Designing for Security, and The New School of Information Security.

Following back if you have content.


adamshostack, to random

I'm not old enough to have heard JFK say "We will pay any price, bear any burden to support the cause of liberty as long as the victim of aggression is spending 4% of GDP on defense and is current on their Marshall Plan repayments"

adamshostack, to random

I'm old enough to remember when Ronald Reagan stood before the Berlin Wall and said "Mr Gorbachev, tear down this wall and overrun West Berlin, they're deadbeats."

adamshostack, to random

If we can’t recover Voyager because of this, I will be even more upset.

https://fosstodon.org/@AkaSci/111887343173935372

adamshostack, to random

So I haven't looked in a while -- where do I go to get a realtime video deepfake system?

SteveBellovin, to random
@SteveBellovin@mastodon.lawprofs.org

Not sure who needs to hear this, but US passport renewal times have gotten quite reasonable. I mailed mine off on January 12 and got it back today—22 days, end-to-end.

adamshostack,

@mattblaze @SteveBellovin It’s nice to have a thing without your address on it.

adamshostack,

@mattblaze @SteveBellovin You expose really strange ideas of what a government issued id means when you take out your state (university) issued id card.

adamshostack,

@mattblaze @SteveBellovin @20002ist I mean, it makes sense. Any member of the pre-revolutionary aristocracy is also a vampire, and you really don't want to invite them in!

briankrebs, to random

There's a huge disconnect for me rn in the IT space. Companies love to talk about an increasing deficit of smart, talented and skillful people available to help defend the cybers. Welp, a lot of those people are somehow now seeking gainful employment bc they've been laid off. Which is just nuts to me given the sheer scale, resources and effort our adversaries are throwing at everything now.

p.s. AI isn't going to fix anyone's security problems. If anything, it's going to compound them by orders of magnitude (at least in terms of data governance).

adamshostack,

@wendynather @krypt3ia @briankrebs The only way any industry has achieved rigor is public root cause analysis systems, not all run by the company or sympathetic. There's a mix of learning and blaming goals. (1/3)

adamshostack,

@wendynather @krypt3ia @briankrebs Once you have that, you can think about risk management, including who's able to make what sort of risk management business decisions. (As the AI businesses are showing us very clearly, companies can offload a lot of dangers onto the public while capturing a lot of the revenue and upside.) (2/3)

adamshostack, to random

Is there a way to make every mac app STFU and not beep unless granted a specific permission? I've been through the system notification prefs, one by one like a barbarian, and transmission doesn't use that API.

Any true Scotsman would let me chmod /dev/sound and add my browser, zoom, and music to the 'beepbeep' group. 😇​

adamshostack,

@pauliehedron Thank you for the pointer. Looks like exactly what I need. Flagging for anyone else: there's a reboot step in here.

PogoWasRight, (edited) to random

"The Wall Street Journal recently reported that #23andMe once had a market cap of $6 billion. That has dropped to $350 million. "

Here we go again: how do we figure out how much of 23andMe's woes is due to a #databreach and their pretty deplorable #incidentresponse that blamed their users, and how much is due to other financial issues involving their investments?

23andMe Destroyed by Hackers and Losses: https://247wallst.com/business/2024/02/01/23andme-destroyed-by-hackers-and-losses/

adamshostack,

@PogoWasRight Also, there's not much of a growth model in selling people DNA analysis. It's pretty much a one and done thing unless people care about specific new tests. It's a bit like instapots. Once everyone has one, what do you do?

23andMe could have been a great business if they never raised investment funds.

adamshostack, to random

So the Chinese were “defending forward” and “preparing the battlefield”?

These doctrines have always been visibly escalation-prone https://journa.host/@dustinvolz/111851470399027416

adamshostack, to random

I learned today that David Kahn (The Codebreakers, Seizing the Enigma, and more) passed away last week.

I believe that much of what we know about the cryptanalysis of the Enigma is public because he did the work of bringing it to light, and that's not reflected on his Wikipedia page. (I'm not certain of that history; people who are, please be encouraged to make it easier to find.)

adamshostack,

@SteveBellovin I had a similar experience -- I think I met him while at Microsoft, and he really wanted very specific details about NSAKEY.

adamshostack, to random

Read this and ask, why don’t we get these in security? https://mastodon.social/@danluu/111840979417026211

briankrebs, to random

Over the past month or so I've received multiple requests from other journalists to talk on background about what can be done about the swatting problem.

My replies could fill several pages of toots here, but one area that I think is important to focus on involves getting some mandatory, uniform reporting federally when these violent crimes occur at the state and local level (which they almost always do).

The Uniform Crime Reporting Program is voluntary for most agencies, but it is mandatory for federal law enforcement entities. It has categories for violent crimes like murder, rape, and assault. But is there a category for swatting? Would that be helpful in getting a better gauge on the size of this problem? I think so.

Anyway, I got a response from the DOJ. Short answer, there is no category for it. Also, a newish FBI entity created specifically to track these incidents has seen over 550 swatting incidents reported since May 1, 2023. Here's their official statement:

"In response to the national call on swatting, the FBI initiated the Virtual Command Center (VCC) known as the National Common Operation Picture (NCOP). The NCOP-VCC is a collaborative effort between the FBI and law enforcement partners to track and create a real-time picture of swatting incidents. Established in May 2023, this initiative is open to any law enforcement agencies and fusion centers who wish to participate in tracking and sharing swatting information in respective jurisdictions. Since its inception, there have been over 550 swatting incidents reported to the FBI’s NCOP-VCC since May 1, 2023."

adamshostack,

@briankrebs I haven't dug deeply, but it seems to me that most swatting calls are to 911, which I think gets location data at a protocol level. Is there enough focus on whether data and provenance (does it come from a phone or a tower) are available at higher levels of "the stack" (to the 911 operator, to the police)?

adamshostack,

@briankrebs "This is a massive red flag and it's ignored too often." I think that's a very under-known fact, and enhances the importance of statistics because maybe the right answer is "You need to hang up and call 911, sir" and we need to make people ok saying that when it's a police emergency. That training exists in the medical world --- even a doctor's office will tell you to call 911 in an emergency.

adamshostack,

@briankrebs If only one of us was a writer! 😂​

adamshostack, to random

This is fascinating: A Microsoft principal software eng lead going whistleblower over AI safety.

(Microsoft's principals are very senior engineers - equivalent to directors in level; from there you make "partner"; the "lead" part entails being a manager. I was a principal PM when I left.)

https://www.geekwire.com/2024/microsoft-ai-engineer-says-company-thwarted-attempt-expose-dall-e-3-safety-problem/

jerry, to Bloomscrolling

Here are a few more orchid pictures. I have been trying to figure out what a “good” orchid picture looks like, and I feel like the internet is letting me down. Lots of orchid pictures, not many that I would say are “art” worthy.

#bloomscrolling


adamshostack,

@jerry Those are overly saturated for my taste. https://www.flickr.com/photos/adamshostack/49566274676/

falcon, to random
@falcon@mastodon.falconk.rocks

Each time I do this knowledge sharing exercise which requires me to cite sources related to foundational topics in infosec, I am pained by how awful we are at documenting the basic understandings of our field and the clean, standard, open ways to improve security.

Basically everything citeable as a credible source is bound up in paywalled ISO standards, backward-looking compliance frameworks, or recommendations to use yet another fad security product.

adamshostack,

@falcon Lmk if you want publisher intros

adamshostack, to random

How do you choose when to follow back? My current approach is to look at the person's most recent tweets and see if they seem likely to make a positive change to what I see, mostly if they’re saying something rather than posting a stream of RTs. I don’t love this plan.

SteveBellovin, to random
@SteveBellovin@mastodon.lawprofs.org

As best I can tell, NY law doesn't require them to sell my personal data. It's their choice…

adamshostack,

@dave_andersen @SteveBellovin I wonder if that’s evidence that the statement “we value your privacy” is deceptive, or if it’s unfair to residents of NY.

To (ahem) pick some adjectives at random.
