Name_Too_Long

Just a (really can’t wait an entire year…) daily reminder that JD1 is a horrible infosec charlatan and human being who often responds to even the most gentle and fair criticism of his ostentatious claims with malice and pile-ons. I recommend you do not follow him, or trust his judgement. It’s not drama, he’s legitimately harmful to our industry credibility.

With all the promising talk around LK99, I'm just waiting for the other shoe to drop.

"Yes, it's a room temperature and pressure superconductor, but it gives everyone in a 10 meter radius testicular cancer... even the people who don't have testicles"

I've never done appsec stuff but, since that seems to be what everyone's looking for, I figured I probably ought to learn a bit about it.

This has exposed me to the horrors of "modern build systems" and... holy shit, are the devs alright? I thought my scripts were convoluted and overly complex. No wonder everything's hopelessly insecure, you've built systems that make even the most rudimentary integrity checks all but impossible.

I'm sure there are reasons for all of this, possibly even good ones, but I haven't been able to learn enough to start seeing them because my brain keeps trying to eat itself!

When companies say things like "if you are not in the office three days a week we will penalize you at performance review time" they are inherently contradicting their own claims that remote work results in reduced productivity.

If remote work were bad, you wouldn't need to add an artificial penalty for working remotely, it would show up IN the performance data.

If you have to threaten people with artificially lowered performance scores for not coming into the office, you are admitting that performance has nothing to do with RTO.

I'm hesitant to say Apple's foray into AR is going to flop, because that's what I thought about their forays into MP3 players and smartphones.

Other companies had been in those markets for years and were, arguably, doing them better than Apple's attempts but remained niche products. Then Apple launched their thing that did the-same-thing-but-worse and somehow managed to not only squeeze out the genuine innovators but make the category mainstream.

$3,500 is a big hurdle, but then, so were only working with Macs and carrier exclusivity.

Someone’s gender is none of your business unless 1) you want to have sex with them, or 2) you want to ask them to lend you a tampon. #transgenderrights

Happy #WorldPasswordDay!

I've cracked billions of #passwords from tens of thousands of #data #breaches in the past 12+ years, and because of this, I likely know at least one #password for 90% of people on the Internet. And I'm not alone! While I primarily crack breached passwords for research purposes and the thrill of the sport, others are selling your breached passwords to criminals who leverage them in #AccountTakeover and #CredentialStuffing attacks.

How can you keep your accounts safe?

- Use a #PasswordManager! I recommend @bitwarden and @1password

- Use a #Diceware style #passphrase - four or more words selected at random - for passwords you have to commit to memory, like your master password!

- Enable MFA for important online accounts, including cloud-based password managers!

- Harden your master password by tweaking your password manager's KDF settings! For #Bitwarden, use Argon2id with 64MB memory, 3 iterations, 4 parallelism. For #1Password and other PBKDF2 based password managers, set the iteration count to at least 600,000.

- Use unique, randomly generated passwords for all your accounts! Use your password manager to generate random 14-16 character passwords for everything. Modern password cracking is heavily optimized for human-generated passwords, because humans are highly predictable. Randomness defeats this and forces attackers to resort to incremental brute force! There's no trick you can do to make a secure, uncrackable password on your own - your meat glob will only betray you.

- Use an ad blocker like #uBlock Origin to keep you safe from password-stealing #malware and other browser based threats!

- Don't fall for #phishing attacks and other social engineering attacks! Browser-based password managers help defend against phishing attacks because they'll never autofill your passwords on fake login pages. Think before you click, and never give your passwords to anyone, not even if they offer you chocolate or weed.

- #Enterprises: require ad blockers, invest in an enterprise password management solution, audit password manager logs to ensure employees aren't sharing passwords outside the org, implement a Fine Grained Password Policy that requires a minimum of 20 characters to encourage the use of long passphrases, implement a password filter to block commonly used password patterns and compromised passwords, disable #NTLM authentication and disable RC4 for #Kerberos, disable legacy broadcast protocols like LLMNR and NBT-NS, require mandatory #SMB signing, use Group Managed Service Accounts instead of shared passwords, monitor public data breaches for employee credentials, and crack your own passwords to audit the effectiveness of your password policy and user training!
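The post above gives three concrete numbers: four-or-more-word Diceware passphrases, 14-16 character machine-generated passwords, and a PBKDF2 iteration count of at least 600,000. The script below is an added example (my own code, not the poster's and not from any password manager) that puts those pieces together with nothing beyond the Python standard library: it generates both kinds of secret from the OS CSPRNG, works out how many bits of entropy each one carries, and runs a PBKDF2-HMAC-SHA256 derivation at the recommended iteration count. The word list is a constructed 25-entry stand-in; the entropy figures assume a real 7776-word Diceware list. Argon2id is deliberately left out because it is not in the standard library.

```python
import hashlib
import math
import secrets
import string

# Constructed stand-in for a Diceware list. A real list has 7776 entries
# (one per five-dice roll); DICEWARE_LIST_SIZE is what the entropy math uses.
SAMPLE_WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "granite",
    "harbor", "ivory", "juniper", "kelp", "lantern", "marble", "nectar",
    "orchid", "pebble", "quartz", "river", "saffron", "timber", "umber",
    "velvet", "willow", "yonder", "zephyr",
]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words in a standard Diceware list

# Letters, digits and punctuation: the 94 printable ASCII characters
# a password manager typically draws from.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a secret built from `length` independent, uniform picks
    out of `pool_size` symbols (words or characters): length * log2(pool)."""
    return length * math.log2(pool_size)


def diceware_passphrase(words: int = 4, wordlist=SAMPLE_WORDLIST) -> str:
    """Pick `words` entries uniformly at random, with replacement, from the
    OS CSPRNG. This is the memorised-master-password case from the post."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def random_password(length: int = 16) -> str:
    """Machine-generated password for accounts the manager fills for you.
    No human patterns means a cracker is reduced to incremental brute force."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def derive_key(master: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """PBKDF2-HMAC-SHA256, the construction used by PBKDF2-based vaults.
    The iteration count is the knob the post says to raise to >= 600,000;
    each extra iteration costs an offline guesser the same work it costs you."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations)


def strength_summary() -> dict:
    """Entropy, in bits, for the two recommendations in the post."""
    return {
        "diceware_4_words": round(entropy_bits(DICEWARE_LIST_SIZE, 4), 1),
        "diceware_6_words": round(entropy_bits(DICEWARE_LIST_SIZE, 6), 1),
        "random_14_chars": round(entropy_bits(len(PASSWORD_ALPHABET), 14), 1),
        "random_16_chars": round(entropy_bits(len(PASSWORD_ALPHABET), 16), 1),
    }


if __name__ == "__main__":
    print("passphrase:", diceware_passphrase(4))
    print("password:  ", random_password(16))
    for name, bits in strength_summary().items():
        print(f"{name:>18}: {bits} bits")
    # Constructed salt; a real vault stores a random per-user salt.
    key = derive_key("correct horse battery staple", b"constructed-salt")
    print("pbkdf2 key:", key.hex())
```

The entropy numbers are the useful part: four Diceware words are about 52 bits, which is why the post says "four or more" for a master password that also gets a slow KDF in front of it, while a 16-character random password from the full printable set is about 105 bits and does not need one. `secrets.choice` is used throughout rather than `random.choice`, since the latter is not suitable for secrets.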

this is awesome: See this page fetch itself, byte by byte, over TLS https://subtls.pages.dev/

Anyone have recommendations for a printer that won't give me an irresistible urge to harm myself or others?

Only requirements are:
- No bullshit app requirements
- No egregiously anti-consumer "features"
- Laser (because I don't print often enough to keep inkjets from drying out and dying)
- Available new

Something is amiss with the fundamental laws of the universe.

FedEx just delivered a day early.