CISO at @sardineai. Treasurer of @OWASP Board of Directors. (he/him) qatta' mIghtaHghach.

Phoenix, AZ
Joined July 2009
Pro-tip: start every to-do list with “Make a to-do list” and cross it off. Easy way to feel productive!
Replying to @Cannibal @evanbooth
We took our US minivan with us to Europe. It was the same size as their delivery vans, and in some cases larger. Going to Ikea was fun because everyone else was carefully tying a tower of boxes on their roof. We opened the back of the van, tossed it all in and left.
Replying to @LoraKaelber
I have never received a message after following someone, nor have I sent a message after someone followed me. Starting to think I’m doing Twitter wrong.
Always wanted to go. They broke off from Defcon because they eschew modern technology, but still hack barns, buckboards, and butter churners.
Thank you for clarifying. It’s interesting that the privacy violation occurs when the employer requires location, but not when the employee freely offers it.
An employer has an obligation to keep their employees safe. Sending employees to an unknown location heightens risk and seems reckless. Here’s advice from NIOSH: “Always let your employer know your location and when to expect you to report back.” cdc.gov/niosh/docs/2012-118/…
... and pre-loaded with a virus! Thanks 1999!
Amazing how prescient 1999 was! Rio 500 MP3 player, free long distance calls, preview the new James Bond movie, MP3 music, and free online storage at idrive.com. (this is an old mp3.com CD mailer I found in a box)
Many thanks to the fine folks at @rapid7 for showing me their new Boston office, it is amazing! In hindsight, I should have taken photos, but I did get a picture of their inclusive restrooms.
Replying to @RachelTobac
My trick is to turn the shower on high heat, hang everything I want to dewrinkle in the bathroom, turn off the shower and close the door. It’s not as good as ironing, but it’s good enough.
My security brain wonders what happens if the caregiver goes missing? There isn’t a known location to begin a search and recording the location violates the patient’s privacy. Seems to be a safety issue?
Curious how the patient’s address, which is collected (presumably) to facilitate the actual care, is viewed? Or is the difference that one is consented to, and the other is not?
Replying to @asteingruebl
Sounds like the plot to Passengers, in 2019.
If backdoors in encryption are secure and never abused, why doesn’t the government put them into all of its encrypted systems? They could do it today and show private industry how it’s done. Spoiler: it’s bullshit.
Trump Administration is launching a new push to address “going dark” and encryption. Enlisting international and state/local partners to address it while engaging with tech industry, according to U.S. nat sec official. Barr addressing “Going Dark” in speech at Fordham Law 1/x
Or put another way, if the researcher wants to publish immediately despite the potential harm to the company, would they accept a payment under the same terms, i.e. publicly disclosed payment instructions, with the first person to follow them getting the payment?
What’s the impetus of the researcher to disclose right away? Why can’t they wait until the vuln is fixed?
For those in InfoSec, enabling the business means finding ways to support the tech stack. Great deck, hopefully the talk will be available at some point...
Here are the slides from my talk “Security Delusions” today at #QConNYC, outlining the often ridic fears infosec has about modern tech (cloud, microservices) & some cheat codes for how DevOps can manage them: swagitda.com/speaking/Securi… Thanks to everyone who attended! 💖💜💙
Replying to @sirdarckcat
Secrecy until fixed, or secrecy forever? I’m talking secrecy until fixed, then can full disclose (that’s how I ran it at PayPal). Secrecy forever is bullshit.
I wonder what the strong argument is for paying anything on full disclosure? Just to get the report of a bug? With full disclosure, you get it for free, unless you believe the reporter wouldn’t disclose at all?
You’d also need a “no exploit” clause to prevent someone from disclosing, then immediately exploiting it, to double-dip. Unless the company is superhumanly swift, there is a raised likelihood it will be exploited, causing no payout anyhow.