Unfortunately, security properties address one piece of the overall goal, and are sometimes conflicting. So you have to first identify what _your_ goal is, in terms of security, and implement measures that apply to the properties that are important to that goal.
Posts by Jesse D'Aguanno
Security isn’t binary. We need to somehow teach people to think in terms of simple threat models.
Us: Use MFA for security
Everyone: OK, secure!
Us: Well, only if you’re not being phished, and no one can subvert the delivery mechanism, and …
Everyone: 🙄
We (security people) have done a really bad job communicating what security properties are (and aren’t).
Us: Use Signal for security
Everyone: OK, using Signal, now I’m **secure**!
Us: Well, only if the ends aren’t compromised, and you can trust the other parties, and …
Everyone: 🙄
+1
So Soft, so ICEy
Really looking forward to the inaugural RE//verse conference this week! See y’all in Orlando!!
re-verse.io
I’m getting excited for RE//verse!
We're pleased to announce Natalie Silvanovich @natashenka.bsky.social as the keynote speaker for the inaugural RE//verse. She might have started out hacking Tamagotchis, but she certainly didn't stop there!
Wow, that’s high praise. Ordering
num
Glad to see you’ve gotten on board the Binja train 🚂 😋
Oh, I never posted my gotofail story on here.
Early 2014, someone came to me about a catastrophic vulnerability in Apple's TLS implementation.
I shit you not, they'd overheard someone at a bar drunkenly bragging about how they were going to sell it to a FVEY intelligence agency for six figures.
Boom! 💥
Windows Hello fingerprint authentication bypassed on top three devices:
- Dell Inspiron
- Lenovo ThinkPad
- Microsoft Surface Pro
Still waiting for recordings from our BlueHat talk to drop, but here's our writeup: blackwinghq.com/blog/posts/a...
#infosec #security #vulnresearch
There are some legacy security professionals that wear “I don’t code” as a badge of honor, but they’re dying out. Just like traditional system administration was replaced by devops.
how to software, any day.
Although my background is in vulnerability research, this is not only applicable to finding vulns, appsec, etc. Security operations, network security, etc.: automation is the future (current in mature orgs).
…
Advice to juniors or those looking to get into #cybersecurity:
Learn to code
Software is at every level of the stack. Strong software engineering skills will serve you well throughout your career. I would rather teach a strong software engineer security over teaching a traditional security person …
👋 blue sky