Brian in Pittsburgh

232 Followers
174 Following
189 Posts

Just some guy. I do some IT and information security stuff. And have a law degree I'm not professionally using at the moment.

I sometimes like to think I know some stuff about various things in the areas of information technology, cybersecurity, law, policymaking, national security, business, economics, psychology, history, and a few other subjects.

Twitter: twitter.com/arekfurt
The ironic thing about cybersecurity policy is that government could achieve far more in terms of motivating improvements for societal good than it currently does, with exactly zero additional direct coercion, by leveraging its own purchasing power. But capture of politicians by large tech/sec vendors, who wish to avoid that prospect while also continuing to succeed in engaging in rent seeking for themselves, makes that almost as difficult as actually using the governmental power to regulate.

I finally cracked software liability reform.

(Said tongue-in-cheek. A bit. 🙂)

IMHO, it's all about the right balance of voluntary action vs. state enforcement of promises + imposition of regulatory requirements. And the integrated, smart use of different types of policy tools.

https://x.com/arekfurt/status/1924870643759116341?t=axBOnaY0yrn2tLBMQ5JAAg&s=19

(More details to come....

I suppose the good news, if you want to look at things that way, is that in the U.S. we've got at least a few years of time to think, discuss, and argue about things, refine ideas, and formulate proposals before the chances for reform open up again.)

Taking away the security clearance of a high-profile former government employee and now private sector security consultant due to political grudges is wrong, ridiculous, and un-American. (And arguably unconstitutional.) But going further in petty vengeance by attacking the ability of that person's major security firm employer to serve federal gov, defense industry, etc. customers presents a threat to the entire security industry.

The White House is going after Chris Krebs and his employer, SentinelOne.

They’re also going after CISA.

They call Chris a “significant bad-faith actor”.

Shocking stuff by the USG here.

https://www.whitehouse.gov/fact-sheets/2025/04/fact-sheet-president-donald-j-trump-addresses-risks-from-chris-krebs-and-government-censorship/

Fact Sheet: President Donald J. Trump Addresses Risks from Chris Krebs and Government Censorship

RESTORING TRUST IN GOVERNMENT: Today, President Donald J. Trump signed a Presidential Memorandum revoking any active security clearance held by Chris

The White House

Remember that the Swiss cheese model of safety/security failure doesn't apply well to cybersecurity. At least in terms of its current general state.

Things are much, much worse in cybersecurity.

In the Swiss cheese model, defense-in-depth exists to some degree. But there are just too many holes in each layer, too few layers, or some combination of both for protection to be robust enough to avoid catastrophe with extremely high reliability.

Meanwhile, in typical failures of cybersecurity in its current general state you might say, with little exaggeration, that there are more holes than cheese.

"AI" things are indeed probably going to improve code security.

The irony is that, if so, they'll do it by increasing the amount of barely working, security-flaw ridden junk that gets put in use so drastically the problem finally becomes unignorable at a societal/policy level.

We need liability and/or regulatory reform to start pressuring software & device makers to actually use reasonable efforts to prevent critical, easy-to-exploit flaws in new products.

And sooner is better. Because things can well stay in use for so long.

[Just note how many heavily exploited vulns discussed here are years or even a decade+ old.]

https://www.greynoise.io/blog/2025-mass-internet-exploitation-report

GreyNoise 2025 Mass Internet Exploitation Report: Attackers Are Moving Faster Than Ever — Are You Ready?

Our latest report breaks down which CVEs were exploited most in 2024, how ransomware groups are leveraging mass exploitation, and why real-time intelligence is critical.

"The... iPhone SE has attracted a niche of people who liked the device for its relatively low cost and smaller size that fits more comfortably in some people’s hands. Apple changed both of those selling points with the new model unveiled Wednesday."
🤦‍♂️
https://www.washingtonpost.com/technology/2025/02/19/apple-iphone-16e-launch-se-4/
Apple’s cheapest phone just got more expensive with the iPhone 16e

The relatively affordable $429 iPhone SE has been remodeled into the $599 iPhone 16e.

The Washington Post

Device code flow phishing is a great example of an attack that (generally) isn't that worrisome if you're implementing network-based security in addition to main identity system-layer security but is quite worrisome if you just let attackers from anywhere on the Net attempt it.

https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-authentication-flows

Authentication flows as a condition in Conditional Access policy - Microsoft Entra ID

Learn how authentication flows provide a seamless experience across all application and device types

Cross-posted RT from the former bird site:

A Russian threat actor is using device code flow phishing to be able to register devices to orgs' Entra/AAD setups. Which can enable them to get around use of the security measure of requiring user devices to be Entra/AAD joined to access things.

Not great.

https://x.com/ItsReallyNick/status/1890551910471499976

Nick Carr (@ItsReallyNick) on X

🆕🎟️ February 14, 2025 update: “Within the past 24 hours, Microsoft has observed Storm-2372 shifting to using the specific client ID for Microsoft Authentication Broker in the device code sign-in flow. Using this client ID enables Storm-2372 to receive a refresh token that can

X (formerly Twitter)
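The point made in the two device code flow posts above (the attack is far less worrying when a network condition sits alongside the identity layer) can be shown with a Conditional Access policy that blocks the device code flow unless the request comes from a trusted network. This is an added illustration, not code from the posts, from Microsoft, or from the linked articles: the policy payload follows the shape of the Microsoft Graph conditionalAccessPolicy resource as documented, while the evaluator, the trusted range and the sign-in events are constructed simplifications (assumptions) rather than Entra's real policy engine.

```python
# Added example: Graph-style Conditional Access policy that blocks deviceCodeFlow
# except from a trusted named location, plus a toy evaluator (assumption: this is a
# simplification of how Entra applies the policy, not its actual engine).
import ipaddress

# Constructed: the egress range a "trusted named location" would cover (RFC 5737 doc range).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Policy payload in the shape of the Graph conditionalAccessPolicy resource:
# target the device code flow for all users and apps, exclude trusted locations, block.
BLOCK_DEVICE_CODE_POLICY = {
    "displayName": "Block device code flow except from trusted network",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

def is_trusted(ip: str) -> bool:
    """True when the source IP falls inside a constructed trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def evaluate(policy: dict, signin: dict) -> str:
    """Return 'block' or 'allow' for a sign-in event {'flow': ..., 'ip': ...}."""
    if policy["state"] != "enabled":
        return "allow"
    cond = policy["conditions"]
    targeted_flows = cond["authenticationFlows"]["transferMethods"].split(",")
    if signin["flow"] not in targeted_flows:
        return "allow"  # policy does not target this authentication flow
    if "AllTrusted" in cond["locations"].get("excludeLocations", []) and is_trusted(signin["ip"]):
        return "allow"  # request comes from an excluded (trusted) location
    return "block" if "block" in policy["grantControls"]["builtInControls"] else "allow"

# Constructed sign-ins: a phished device code redeemed from outside the network,
# a legitimate device code sign-in from inside, and an ordinary browser sign-in.
SAMPLE_SIGNINS = [
    {"user": "alice", "flow": "deviceCodeFlow", "ip": "198.51.100.7"},
    {"user": "bob", "flow": "deviceCodeFlow", "ip": "203.0.113.42"},
    {"user": "carol", "flow": "authorizationCode", "ip": "198.51.100.7"},
]

def decisions(signins=SAMPLE_SIGNINS) -> dict:
    """Map each constructed sign-in to the policy decision."""
    return {s["user"]: evaluate(BLOCK_DEVICE_CODE_POLICY, s) for s in signins}
```

Only the device code sign-in coming from outside the trusted range is blocked; the same flow from inside, and an ordinary authorization code sign-in, pass through untouched.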