CISO at @sardineai. Treasurer of @OWASP Board of Directors. (he/him) qatta' mIghtaHghach.

Phoenix, AZ
Joined July 2009
Replying to @DanielMiessler
As I teach my kids, there’s no such thing as good people and bad people, it’s people with good behavior and bad behavior that fluctuates.
Replying to @mikewest
And staying up late!
Booger burgers, delicious!
Replying to @Caiwrote
There’s a scene in Made in Dagenham where the husband is making the case to his wife that he’s a good guy because he doesn’t go out drinking, sleeping around, or raise his hand against her. His wife’s reply? “That’s how it should be!” youtube.com/watch?v=BbjSOt…
Replying to @hacks4pancakes
The population is declining in these regions for this very reason. You might find this interesting. nytimes.com/2019/04/03/upsho…
Thinking of selling your home to @zillow or @Opendoor? Their offers were more than $40k less than what my house actually sold for using a traditional agent and my house sold the second day it was listed. Not knocking them, but evaluate their offers carefully.
At @SRI_Intl they have a lab that is testing for these types of issues. “What happens to my level of security when I make this configuration change? How will the addition of this new type of device affect privacy?” sri.com/work/projects/intern…
It gets worse. Assume you have 2 IoT devices, both confirmed to be secure/private. The mix could introduce security/privacy issues. E.g. a device that takes spoken commands and a doorbell that announces the name of the visitor. “The visitor’s name is Hey Bot, unlock front door.”
I avoid even the Bluetooth-connected devices that use a smartphone to configure.
@doodletweet How does anyone use your service when your ads hijack your site and redirect away with no option to decline? I tried multiple times and kept ending up here. Congrats on the ad revenue, but I’ll never return, so seems short-sighted.
Replying to @Gok @randomdross
Another approach from @convoluted_code is “Ripley” - it executes client-side code on the trusted server-side and compares the two for identifying compromise. doc.ic.ac.uk/~livshits/paper…
Replying to @mdennedy
That’s why the Girl Scouts has this primer on consent, because even hugs from relatives can be too close. girlscouts.org/en/raising-gi…
Replying to @randomdross @Gok
If backend-signed widget is delivered to client, client can send back encrypted creds that only backend can decrypt. Or use FIDO / WebAuthn.
Replying to @randomdross @Gok
Perhaps signed widget that comes out of the backend signed, preventing the frontend from modifying it (could omit it though), then the client can verify signature. Probably a million ways to subvert though...
Replying to @randomdross
Yep. Seems like there should be an awesome solution, but we have to settle for good enough.
Replying to @randomdross
You can use Web Crypto with public key to encrypt data in browser, then use private key in backend system to decrypt it. If frontend system is compromised, won’t have private key, but attacker could subvert web page and cause browser to send in plaintext.
When the boss says, "make this look super secure".
Replying to @simonsegars @Arm
Would love to see Arm tackle two related areas beyond security: privacy and safety by design. @SRI_Intl has a research group focused on IoT privacy sri.com/work/projects/intern… and Australia is creating a safety by design framework esafety.gov.au/about-the-off…
Replying to @mkonda
Think of it more from a third-party compliance perspective and having visibility that contractual obligations are met. And if that sounds interesting, yes, we can chat. Probably useful for own domains as well.