shortridge

@shortridge@hachyderm.io

Senior Director @Fastly | author of Security Chaos Engineering: Sustaining Resilience in Software & Systems (O'Reilly)

resilience + complex systems | bringing software security out of the dark ages

&void; | daedric prince of chaos | previously @swagitda_

“In the information society, nobody thinks. We expected to banish paper, but we actually banished thought.”

shortridge, to Cybersecurity

#cybersecurity zealots often shame humans for writing down their passwords, but as someone who just had to excavate the digital remains of a loved one who died suddenly:

please write down your credentials somewhere a trusted human can find them, especially your phone passcode and any primary passwords (like for email accounts, password manager, etc.)

the humans who care about you will need that access for many reasons; a "badass" threat model will only add helplessness to their grief

shortridge,

if you want to still be sneaky, hide your critical passwords (and backup MFA codes!) behind a photo frame or in a random book or whatever, but tell whomever you trust most where that place is, or at least write it down in the place they're most likely to look if you pass unexpectedly.

ask the same of your loved ones, too.

no one deserves the pain of navigating customer support trees and the other kafkaesque hells of accessing accounts when they're already submerged in grief. loving is leet.

shortridge,

another key takeaway for me from excavating the digital remains of a loved one who died suddenly:

usable security or bust. in my case, the iOS Password Manager saved the day because it stored their creds by default as they used their devices.

...but they found the 2FA app so confusing that they offloaded it and never saved the password to it.

SMS 2FA may be more insecure, but it confused them less and meant my access to their phone = access to 2FA. Security isn't the only thing that matters.

shortridge, to Cybersecurity

I’m in a reflective mood this week and it’s kind of wild to me that I’m known as a “provocateur” in for takes like:

💡 don’t shame victims

💡 UX matters, a lot

💡we should understand what we’re supposed to protect

💡 if someone clicking a thing on the thing-clicking machine leads to security failure, they are not the foolish one

💡 the best things a security program can invest in aren’t in the RSAC vendor hall

💡 maybe we should start actually proving outcomes??????????

¯\_(ツ)_/¯

shortridge, (edited) to webassembly

Wasm3 is sadly entering a minimal maintenance phase because the maintainer’s home was destroyed by Russian forces in the ongoing invasion of Ukraine.

But, Volodymyr will still be reviewing and accepting PRs, so this is a great opportunity to support him, the community, and the Ukrainian community by making contributions: https://github.com/wasm3/wasm3

shortridge, to security

went down to the hotel lobby to retrieve my dinner delivery in a yoga outfit + snuggly cardigan + face mask.

some men with lanyards exited the elevator as I re-entered; they turned back to look at me and one said (very loudly, very pointedly staring at me) to the other, “I was like, did you hire me a hooker?”

if you are a man attending , please shut that kind of shit down when your peers do it. let’s not let insecurity rule our industry.

shortridge, to random

in case there are other nerds out there who haven’t yet read this classic, behold “the case of the 500-mile email” https://www.ibiblio.org/harris/500milemail.html

I adore the “absurd computer-borne mysteries” genre and kindly ask for more content from the annals of y’all’s careers

shortridge, to Cybersecurity

hello fediverse, here's my new infographic comparing two dynamics we can nurture when doing things: security theater vs.

it's meant as a handy reference to validate that your org's security efforts are nurturing resilience rather than fomenting theater (and I don't mean writing your design docs in iambic pentameter, that's fine)

imo security theater is one of the core pillars holding up the status quo of security-as-gatekeeper... so let's do resilience instead <3

shortridge, to random

I hate the gaslighting by modern e-commerce sites.

You triple confirm you don’t check the “sign me up for marketing emails” box.

Said emails inevitably arrive in your inbox.

When you click unsubscribe, “I never signed up” isn’t even a reason you can select. At best, it’s “I don’t recall signing up.”

The inability to say No feels like it’s trending towards ubiquity in tech and I am not here for it.

shortridge, to Cybersecurity

new post: the SUX Rule for safer code https://kellyshortridge.com/blog/posts/the-sux-rule-for-safer-code/

it’s short for Sandbox-free - Unsafe - eXogenous. If your code does all three of:

  • running without a sandbox
  • written in an unsafe language
  • processing exogenous inputs

it’s certain your code SUX.

it’s basically me tweaking Chromium’s excellent Rule of Two because it conflicts with Star Wars lore (among other reasons I describe)

shortridge, to security

dear plausibly sentient citizens of the milky way,

I published a cliff notes / cheat sheet / tl;dr guide for you on what the hot topixxx of software and chaos engineering (SCE) mean: https://kellyshortridge.com/blog/posts/security-chaos-engineering-sustaining-software-systems-resilience-cliff-notes/

it’s basically the chapter summaries of my paywalled book repurposed as a public, bite-sized guide for you to devour, absorb, then change-make (or sound smart online, in meetings, at parties, to your cat, etc)

let’s keep trying to modernize together xx

shortridge, to random

🎶 I checked her out, it was a Friday night
I used dark mode to get the feelin’ right
We started coding C, and shared some memory
But then I tried concurrent reads

And that’s about the time she threw a fault at me
Nobody likes you when your memory’s free
and are still pointing to that address space
What the hell is SIGSEGV?
My friends say I should memory safe
What’s my page again?
What’s my page again? 🎶

shortridge, to Cybersecurity

this Galentine’s / Palentine’s/ Valentine’s Day, do you want to learn the secret to everlasting love?

my secret is writing a book ✨ because a book or creative project will never let you down or cheat on you or leave you or get tired of you rambling about your special interests for hours and hours, in fact that is the whole point and if you create for yourself, you can be beautiful weirdos together, forever 💞

https://www.securitychaoseng.com/

A video of me frolicking around NYC in Valentine's regalia with my beloved book. My first outfit is a hot pink skort suit that is kind of like if Barbie misunderstood what a business dress code meant, especially given I paired it with impossibly towering crystal emblazoned platform heels. My second outfit is a fluffy lilac turtleneck, as cozy and warm as it sounds, and my pants are a ludicrously bright shade of pink. There are many scenes, such as tossing the book in a park and hugging it with playful glee. Spinning with the book up in the air rom-com style on a cobblestone street. Caressing the book in front of a store festooned with floral garlands. Shopping with my book trying on something that can only be described as a minidress sequined with mermaid lore. Rambling to my book in a garden; it “nods” in agreement. More spinny on the street. A hot girl walk with ranunculi and the book. Doing yoga in my apartment wearing a Geek Squad shirt and NASA pajama pants, starting in star pose then descend into skandasana while keeping the book on my head, much to my own surprise. Even more spinny! Reposing in front of my fireplace in a silky black robe nuzzling my book as the flames flicker on my pale skin and its glossy cover. Finally stop spinny but now dizzy. For the final shot, I'm in Barbie's First Board Meeting outfit again in a romantic neighborhood bar reading my book fondly before giving it a final kiss and showing it off for the camera. You're welcome, femmes and thems.

shortridge, to random

We want actionable error messages. Passive voice erodes their usefulness.

For example, “Failures were made somewhere in your CI pipeline” — passive, confusing, vague.

Instead, replace it with “Jenkywenkins made a whoopsie!” — clear, direct, active.

shortridge, to Cybersecurity

hello fediverse, I bring you tidings of hot takes and shade

my new essay discusses why cybersecurity isn’t special (nor should it be): https://kellyshortridge.com/blog/posts/cybersecurity-isnt-special/

I debunk the myths around having unique concerns, explain why there’s more in common with and than we think, and describe 8 opportunities for us to make our software security programs constructive vs. constrictive.

tl;dr ye merry gentlemortals, let nothing you delay

shortridge, to random

love this very sober article scrutinizing quantum hype: https://spectrum.ieee.org/quantum-computing-skeptics

tl;dr the applications are much more limited than the zealots suggest; overhead is far too high; fault-tolerance remains a thorny problem

shortridge, to random

earthquake in nyc was not in my threat model… but I guess that’s the point of fault injection

(☞ ͡° ͜ʖ ͡°)☞

shortridge, to random

awesome paper by @dykstra & compatriots that audits three compliance standards (including PCI) to see if there are security gaps even if you’re 100% compliant.

The answer is yes, there are gaps even with perfect compliance — and they back it up with thorough evidence and analysis that is well worth reading: https://josiahdykstra.com/wp-content/uploads/2020/02/NDSS2020_Compliance_Cautions.pdf

shortridge, to security

in the spirit of transparency, here’s our response to CISA’s RFI on Secure by Design: https://kellyshortridge.com/papers/CISA-2023-0027-Shortridge-Sensemaking.pdf

SbD should not incentivize lip service or theater. It should not be at odds with business goals.

So, @rpetrich and I wrote what SbD should be and not be.

We hope mastonerds especially appreciate our recommendations in Section 1.2.1 for how teams can start investing in SbD while supporting velocity, dev productivity, & reliability.

blog: https://kellyshortridge.com/blog/posts/rfi-secure-by-design-response/

shortridge, to random

I’m still reeling from learning last week that floppy disks were literally floppy.

ppl in the 80s were really living in a magnetpunk world and acting like it’s nbd rather than actual fucking wizardry

shortridge, to Software

software engineers: what’s something you feel your security team is doing right in your org?

and security engineers: what’s something you feel your devs teams are doing right in your org?

shortridge, to llvm

an LLVM to Excel spreadsheet compiler, truly what dreams are made of: https://belkadan.com/blog/2023/12/CellLVM/

it also reminded me of my investment banking days when I would crash Excel with iterative calculations (“brøether clippë may I have the lööps”)

ty for this gift to the world @jrose and P.S. I want to see the CSV alignment chart 👀

shortridge, to random

wanting to learn some nerdy things tomorrow (Wednesday the 18th) at 11:05 ET / 08:05 PT?

I’m presenting “Watering the Roots of Resilience—Learning from Failure with Decision Trees" virtually as part of the O’Reilly Security Superstream https://www.oreilly.com/live-events/security-superstream-devsecops/0636920090132/0636920090131/

We’ll cover the Resilience Potion Recipe™, how humans are the mechanism for adaptation in software, mental models, resilience stress tests, and how to use decision trees to support all these things.

Hope to see you there 🖤

shortridge, to Cybersecurity

The 2024 Verizon Data Breach Investigations Report is out this morning, and I make sense of it in my new post: https://kellyshortridge.com/blog/posts/shortridge-makes-sense-of-verizon-dbir-2024/

I focused on what felt like the most notable points, from to MOVEit to web app pwnage to and more.

I have insights, quibbles, and hot takes as always — but the fact remains it’s our best source of empirical data on cyberattack impacts. If you’re a vendor, please consider contributing data to it.

shortridge, to random

some days it feels like if I read one more sentence putrefied by passive voice, my brain will implode.

they do not warn liberal arts majors of this hazard before entering the tech industry.

shortridge,

one day I will write a, “here are the top ~7 ways to dramatically improve your technical writing” guide for engineers.

because passive voice influences clarity, not just style, and even adds friction for neurodivergents who can’t stomach extended slogs through passive voice without their attention drifting.

eg “A review will be performed before project launch so readiness is assessed.” Who will perform the review?? Often the answer is “we don’t know”; passive voice is pernicious like that.