CISO at @sardineai. Treasurer of @OWASP Board of Directors. (he/him) qatta' mIghtaHghach.

Phoenix, AZ
Joined July 2009
Modern newspaper industry: go to read a story (in this case at @ConMonitorNews), get redirected to a fake news site peddling weight loss pills, try again a second time, now asked to subscribe before reading content. I wonder why subscriptions are down?
Bil Corry retweeted
Missed this yesterday, but Microsoft said it discovered "an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor." microsoft.com/security/blog/… Fun!
A little Sunday humor, enjoy Fred Allen's 1932 letter as read by Jude Law. (the entire video is great if you have time) youtube.com/k0ZoacVdnho?t=240
Bil Corry retweeted
This manual has a very boring name, but it is the best guide to locking down your Apple devices, especially for survivors of domestic abuse: manuals.info.apple.com/MANUA…
Do you get those annoying vehicle warranty robocalls? They’re now sending mail!
Me now, when I get an alert to update my software
Uhhh, interesting choice for a coupon code from Uber Eats.
Interesting reading about breach notification obligations, how bug bounty factors into it, and Twitter’s performance (or lack thereof).
The EDPB's first binding decision on the basis of Art. 65 GDPR regarding the draft decision by the Irish SA @DPCIreland on Twitter International Company, as well as the final decision taken by the Irish SA are now available here: europa.eu/!Gn83qC
All that said, if someone is using Zoom to schedule calls and wants tight integration, then sure, maybe this level of access makes sense. But for my very occasional one-off Zoom meeting, it's a huge overreach and Zoom should provide the custom URL method as an option.
I'm baffled why they would want to have that access. If they have a breach, it just got a million times worse if an attacker can erase millions of calendars of their customers.
Giving Zoom total access to every calendar I have access to is a gross overstep on their part in order for them to add a single event to my calendar. Even if they are not collecting my calendar data, using the pretense of adding a meeting to gain total access is suspicious.
For comparison, here's how other meeting providers do it, via a custom URL that requires no special access.
Every time I go to add a Zoom meeting to my calendar, I wonder why @zoom_us insists on having total access? All the other providers use the custom URL method to add calendar events, no access required. Over-collecting data when not required is likely a GDPR violation.
Miriam Rodríguez has all my respect. 🇲🇽✊ nytimes.com/2020/12/13/world…
I think everyone could use a lighthearted/happy story right now so here goes: At the beginning of the pandemic I went through some painful personal stuff and would often go out at night for long walks because no one was around and I couldn’t sleep anyway. One night I was walking
US military also buys app location data. That’s why vendor contracts are increasingly demanding single country data access and storage, to prevent leaking of military/government personnel data.
Today's digital advertising based on selling user data to the highest bidder has been called the 'largest data breach ever', and yes: Two firms who sell targeted+mass surveillance to governments are hoovering phone location data from the ad/rtb bidstream: forbes.com/sites/thomasbrews…
Brexit impact on .eu domains (spoiler: you cannot have .eu domains if no EU presence) eurid.eu/en/news/brexit-eu-d…
Bil Corry retweeted
Cross-Origin Isolation is foundational to security against side-channel attacks (Spectre, et al). Camille Lamy has led its implementation in Chromium, and will help you understand how to enable it for your sites in ~13 minutes (20:40 CET, 11:40 Pacific): youtube.com/watch?v=NkIi7h8N…
Here's how hackers are now hiding malicious payment card skimming code inside CSS files on the compromised e-commerce sites. #tech #infosec #cybersecurity #100DaysOfCode #programming #DEVCommunity
After finding skimmers in SVG files last week, we have now discovered a #magecart skimmer in perfectly valid CSS. It is parsed and executed during checkout. Malware loaded from cloud-iq[.]net (faking @cloudIQApps)