Artis3n

@artis3n@infosec.exchange

Just heard AOC say:

"If there are no more good people in the world, then I want to be the last one."

I think I'll go to sleep for the night on that one.

New blog/whitepaper release:

Shostack + Associates is pleased to release our latest whitepaper, Understanding the Four Question Framework for Threat Modeling! It’s free as part of our Black Friday sale, and uhhh, because we like sharing knowledge it’ll remain free.

I wrote this paper because someone once called the questions “surprisingly nuanced,” which I thought was kind, and because I saw even collaborators varying the words. And as I write in the introduction:

People commonly make the mistake of rephrasing the questions. They don’t realize that there are reasons to use the specific framework questions. There’s nuance and intent in the questions, which are meant to be answerable in many ways. Rephrasings often lose nuance, flexibility, or both. Further, consistency in how we say things contributes to consistency in how we do them.

If this isn’t more fun than listening to your Uncle Jack expound on football on Thanksgiving, double your money back!

https://shostack.org/whitepapers/?utm_source=mastodon&utm_medium=posts&utm_campaign=four-question-whitepaper&utm_id=4qframe

Threat Modeling Whitepapers from Shostack + Associates

"On behalf of the WordPress security team, ..." and then many mentions of "fixing a security issue" without specifying what it is. (The patch is, presumably, public since the plugin is OSS and PHP?)

https://wordpress.org/news/2024/10/secure-custom-fields/

I don't have an opinion on the broader Wordpress situation, but seeing a security exception used to wield power in a broader controversy is extremely worrying.

Open source communities trust security teams with exceptional powers, and weakening that trust damages everyone.

Secure Custom Fields – WordPress News

Cars are increasingly surveillance systems on wheels. They spy relentlessly not just on the driver --why are people comfortable with this, or do they not know it's happening? -- but also on the surroundings. Tesla is the worst offender as it keeps trying, unsuccessfully, to do self-driving.

If you own one of these, you are helping make the surveillance state much more pervasive.

Congress and state lawmakers obviously are in favor of all this spying, because they do nothing to stop it.

Microsoft will try the data-scraping Windows Recall feature again in October

Initial Recall preview was lambasted for obvious privacy and security failures.

https://arstechnica.com/gadgets/2024/08/microsoft-will-try-the-data-scraping-windows-recall-feature-again-in-october/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

Expecting data brokers to care about securing the data they so casually collect, buy, collate and otherwise acquire is pointless. None of them really do, and almost every breach involving a data broker shows this. By definition, their businesses largely rely on collecting records that they already view as public and that this entitles them to collect, resell, etc said data. If that is the fundamental organizing idea of your business model, how much are you going to care about protecting it from mass theft?

Our driving habits are sold by car companies to data brokers for pennies, ranging from a mere 26 cents per car up to 61 cents per car. https://www.eff.org/deeplinks/2024/07/senators-expose-car-companies-terrible-data-privacy-practices

Senators Expose Car Companies’ Terrible Data Privacy Practices

In a letter to the Federal Trade Commission (FTC) last week, Senators Ron Wyden and Edward Markey urged the FTC to investigate several car companies caught selling and sharing customer information without clear consent. Alongside details previously gathered from reporting by The New York Times, the...

Electronic Frontier Foundation

"And then we pushed an update that triggered the consequences of our prior fuckup in failing to bounds check, failing to lint configurations, failing to understand that a config file could be corrupted or wrong and providing an error handling mechanism, and failing to actually test our shit"
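The failures the quoted post lists (no bounds check, no lint of the content file, no error path for a corrupted config) turned into working defensive code, as an added example that is not from any post here and not CrowdStrike's code or file format; the header layout, the 20-field template cap and all names are constructed for illustration:

```c
#include <stdint.h>
#include <string.h>

/* Constructed layout, not any vendor's real format: 4-byte magic, 16-bit LE
 * field count, then that many 32-bit LE fields. The "template" compiled into
 * the sensor fixes how many fields it can hold. */
#define TEMPLATE_FIELD_COUNT 20
#define HEADER_LEN 6

typedef enum { CFG_OK = 0, CFG_TOO_SHORT, CFG_BAD_MAGIC,
               CFG_FIELD_OVERFLOW, CFG_TRUNCATED } cfg_status_t;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse `buf` into `out` (capacity TEMPLATE_FIELD_COUNT). Every untrusted
 * value is checked before it is used as a length or an index; a bad file
 * yields a status the caller can log and refuse, not a crash. */
cfg_status_t load_config(const uint8_t *buf, size_t len,
                         uint32_t out[TEMPLATE_FIELD_COUNT], size_t *n_fields)
{
    if (len < HEADER_LEN) return CFG_TOO_SHORT;
    if (memcmp(buf, "CFG1", 4) != 0) return CFG_BAD_MAGIC;
    uint16_t count = (uint16_t)(buf[4] | (buf[5] << 8));
    /* The bounds check: 21 fields against a 20-field template is rejected
     * here instead of becoming a read past the end of `out`. */
    if (count > TEMPLATE_FIELD_COUNT) return CFG_FIELD_OVERFLOW;
    if (len - HEADER_LEN < (size_t)count * 4) return CFG_TRUNCATED;
    for (size_t i = 0; i < count; i++)
        out[i] = rd32(buf + HEADER_LEN + i * 4);
    *n_fields = count;
    return CFG_OK;
}

/* Build a constructed sample file with `count` fields (field i == i) so the
 * loader can be exercised offline. Returns bytes written, 0 if cap too small. */
size_t make_sample(uint8_t *buf, size_t cap, uint16_t count)
{
    size_t need = HEADER_LEN + (size_t)count * 4;
    if (cap < need) return 0;
    memcpy(buf, "CFG1", 4);
    buf[4] = (uint8_t)(count & 0xff); buf[5] = (uint8_t)(count >> 8);
    for (uint16_t i = 0; i < count; i++) {
        uint8_t *p = buf + HEADER_LEN + (size_t)i * 4;
        p[0] = (uint8_t)i; p[1] = p[2] = p[3] = 0;
    }
    return need;
}
```

The same `load_config` check is what a pre-release lint of the content file would run, so a malformed file is caught before it is ever pushed.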

A new report finds Boeing’s rockets are built with an unqualified work force

NASA declines to penalize Boeing for the deficiencies.

https://arstechnica.com/space/2024/08/a-new-report-finds-boeings-rockets-are-built-with-an-unqualified-work-force/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social


So, see, what this -looks- like they're saying is that they've got third parties in to review the code and process.

But those are two separate clauses.

They have two third-parties in to review the -sensor code-

-and-

They are conducting a review of process.

But they are not actually -saying- that the third parties are involved in the process review at all - only the code review.

Perhaps someone ought to ask them to clear that the fuck up.

It's that sticky "we" there, y'see?

"We" -could- be implied to mean the set of crowdstrike, vendor 1, and vendor 2.

But "we" can also refer to crowdstrike the company, or to the personnel of that company.

"We" is one of those words that has -very- tricky scope to it, and can be used to lie to you right to your face.

This whole technical details section is exec-pandering crap.

-this- little fucker is funny tho, 'cuz it implies that if you have an input that cannot be parsed with regular expressions, clownstrike can't handle it.

The next part appears to be an extract from some guy at MS's blog about this shit -

https://www.microsoft.com/en-us/security/blog/2024/07/27/windows-security-best-practices-for-integrating-and-managing-security-tools/

whiiiich pads out the last half of the document and since it isn't clownstrike's work, but just shit they lifted from someone else's blog, doesn't matter

Windows Security best practices for integrating and managing security tools | Microsoft Security Blog

We examine the recent CrowdStrike outage and provide a technical overview of the root cause.

Microsoft Security Blog

So yeah, only the first six pages have any content on them; two of the findings are duplicates and are just there to pad for length; they -missed- a bunch of other findings; they are committed to a known-broken sensor operations regime and have no clear plans to fix the underlying architectural issues exposed -by- this; and they don't have anyone left in the place who can fucking write worth a damn.

Complete fucking clownshoes. If I were their customer I would be calling for their literal, heart-ripped-from-chest, blood for this.

Also:

Who the everliving fuck -audited- this pile of shit?

Who signed off that -this- was suitable for deployment to federal computers?

Who the fuck did their audit and why the fuck did they not catch -any- of this?

That "compile time" thing earlier is still bugging the shit out of me, especially because the para following doesn't talk about compilation at all.

........y'all.

I -really- suspect that this document was an LLM summary of some collation of internal documents that got some light editing.

Y'all, they didn't even respect us the fuck enough to have an actual human write this out for us.
Not to mention half the fucking document is -someone else's work-

......who has a very uncomfortable looking smile on his blog profile, damn. That must hurt to make that expression.

......there's nothing on here about licensing; anyone know if MS lets you just, like, steal half a blogpost to crap into your document to fill out space?

.....yeah, looking back, that fixation on defining why "channel 291" was pertinent?

A person wouldn't keep referring to it by number, but would use a pronoun phrase. "the updated channel" or similar.

And then with that mishmash in that other para with the whole 20 vs 21 thing.....

Yeah, that's not how a person would write that at all. Certainly not someone who actually understood what was going on.

Yeah.

This is not a professional report in any sense.

None of this has been handled according to professional standards.

The level of negligent disrespect evinced by Crowdstrike utterly beggars belief, and I seriously question why they have the certifications they do, given the flagrant and obvious process violations this report makes evident.

And I seriously question who signed off on certifying them, because this goes well beyond the normal vagaries of corporate incompetence; even for an industry that assumes bad behavior, lack of compliance, and failure, this is a standout.

This goes into levels of negligence akin to civil war era profiteers, who similarly got paid wagonloads of cash for providing a shoddy - literally, that's what the word was coined to reference - defective product for government use.

@munin So is the very basic, age-old programming adage "sanitize your inputs" not taught anymore? Or is it just that they're all terrible programmers that think they're so good they don't need to worry about things like that?

@StarkRG

this is even more fundamental than that.

This is at the level where "actually check your -whole- work" needs to be fixed first before we can get to such innovative concepts as discussing what an input is.

@munin I guess I interpret "input" to also mean the input to functions. Even in a single-developer project, to just assume that you definitely have never and will never make a mistake in your code seems arrogant, to say the least. And this definitely isn't a single dev, so they're assuming that *nobody* would ever make any mistakes and that technology always functions perfectly. (no verification of data downloaded off the internet?)

Thank you for the breakdown of this clusterfuck.

@StarkRG

np. I was in the mood to tear into something today and that happened to be a fun chewtoy.

Saving this for later perusal, and for passing to people who really ought to know about it (including me).

Thank you.

Calling @Chartodon Spine ...

@munin @StarkRG

@ColinTheMathmo

Your chart is ready, and can be found here:

https://www.solipsys.co.uk/Chartodon/112920897187312739.svg

Things may have changed since I started compiling that, and some things may have been inaccessible.

In particular, the very nature of the fediverse means some toots may never have made it to my instance, in which case I can't see them, and can't include them.

The chart will eventually be deleted, so if you'd like to keep it, make sure you download a copy.

My recent hosting migration has made the upload process fail ... Stand by, I'll fix it as soon as I can.

@munin definitely agree that this report is pretty dang sloppy and unclear, but not sure if the particular quirks you've highlighted are necessarily LLM output? our brain reads it as just "engineering notes hastily compiled into a report by a non-tech writer"

@r

and what's the heavily advertised and pushed in the 'writing' space tool that's being pushed as a way for people to collate and summarize large amounts of data for their personal comprehension?

@munin yeah fair, being funemployed for a bit means that we haven't really seen the LLM hype cycle take off "from the inside"

to us the thing that *really* sticks out the most is that there's a totally different and inconsistent "vibe" as you go through the sections, esp. since this is something we personally explicitly know to watch out for when compiling reports as a team

@r

The more coherent ones read like they're written by a committee.

A lot of them read like they're being written by a -profoundly- traumatized and -acutely- stressed plural system that's gotten absolutely shattered.

Having been involved in supporting those situations in the past, it's a -deeply- upsetting vibe for me, and a lot of llm-generated stuff becomes really acutely stressful to read.

@munin I have audited things knowing full well that they’re just gonna accept-risk as-designed bla-bla-bla all of it and then tell people they had it audited

@0xabad1dea

.......starting to have this creeping feeling that the standards I've held myself to in this area are way the fuck higher than ......standard.

@munin we have two different kinds of customers, those who genuinely want to shake the bugs out of their products before they ship and those who want to legally say “it was audited”. I really hate the latter but I don’t have much control over it

@0xabad1dea @munin yup. that pattern hasn't changed in the past decade and I don't expect it to change in the next decade either. on the one hand I'm glad compliance driven security makes them at least do the bare minimum with some sort of SLA on critical findings, but on the other hand it's deeply frustrating that the bar is so low.

@0xabad1dea @munin even within the same company I have the two same types of internal customers. Some are noncollaborative and will delay sending you material, source code/cleartext firmware or credentials to make your work more difficult.