Cliff Barbier

@cliffb_infosec

Information Security manager who excels in GRC, metaphors, tech, policy, audit, & infosec in regulated industries. My words are my own, unless quoted. He.

Instructions for living a life:
Pay attention.
Be astonished.
Tell about it.
—Mary Oliver, excerpt from the poem "Sometimes" from the book "Red Bird".

My rule is you always wear pants in the room with your company laptop

I've had a single slide intro to DDoS attacks, then dozens of slides of high level details about the GCP services that mitigate them. Then 2 courses later, dozens of slides each of low level details about those same services. Now, 6 courses later, I'm watching 6+ slides explaining what a DDoS attack is, with the info that GCP has services that mitigate them, now onto the next topic! 🙄

Whoever is responsible for the #Google Skills #GoogleSkills site needs to stop vibe product managing and step up.

There's a script, that script is apparently put into an AI TTS system for the voiceover. And then, they use an AI STT system to provide timestamp captions in a sidebar that have never been proofread. Why not use the original script? 🙄

Disclosure: This was Rippling (rippling.com)

Essentially, the flaw I discovered was that if you use their platform to send someone a job offer via email, shortly after sending said offer (no interaction required on the part of the recipient, such as, say, actually looking at or accepting the offer), if that person already had a Rippling account, such as from a prior employer, a Rippling process would run that would populate their information from what was already in the Rippling backend from another tenant.

This info includes all the PII, including SSN, banking, address etc.

That info would automatically become visible to the Rippling user who had sent the job offer email.

So, all you needed was a rippling tenant, and if your target had previously used Rippling ever - you could exchange their email address for all the info.

Timeline: reported in July 2025 to the Rippling Bugcrowd bug bounty program, accepted as a critical issue within 48 hours, only fixed last week (9 months).

No bounty was offered.

Just a data point for anyone else who considers submitting to this program. Probably the least impressive bug bounty experience I've had in the last 15+ years.

#infosec #bugbounty
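The tenant-isolation failure described in the post above, modelled as an added example that is not Rippling's code and not part of the original post: a hypothetical shared directory keyed by e-mail, the flawed offer-send prefill beside a version that copies PII only for the sending tenant's own records or after the recipient has accepted. All names here (Person, Directory, send_offer_vulnerable, send_offer_fixed) and the sample data are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Person:
    """A worker record held in the shared backend (constructed sample data)."""
    email: str
    tenant_id: str   # the employer (tenant) whose record this is
    pii: dict        # SSN, bank details, address, ...


class Directory:
    """Hypothetical global store keyed by e-mail and shared across all tenants."""

    def __init__(self, people):
        self._by_email = {p.email: p for p in people}

    def lookup(self, email):
        return self._by_email.get(email)


def send_offer_vulnerable(directory, sender_tenant, email):
    """Flawed flow: sending an offer immediately prefills the candidate's
    profile from any existing record for that e-mail, whoever owns it."""
    profile = {"email": email, "status": "offer_sent", "tenant": sender_tenant}
    existing = directory.lookup(email)
    if existing:
        profile.update(existing.pii)   # another tenant's PII now visible to sender
    return profile


def send_offer_fixed(directory, sender_tenant, email, recipient_accepted=False):
    """Hardened flow: copy PII only if the record already belongs to the sending
    tenant, or once the recipient has authenticated and accepted the offer."""
    profile = {"email": email, "status": "offer_sent", "tenant": sender_tenant}
    existing = directory.lookup(email)
    if existing and (existing.tenant_id == sender_tenant or recipient_accepted):
        profile.update(existing.pii)
    return profile


# Constructed sample: Alice's record belongs to tenant-A; tenant-B sends her an offer.
SAMPLE_DIRECTORY = Directory([
    Person("alice@example.com", "tenant-A",
           {"ssn": "000-00-0000", "bank_account": "acct-1", "address": "1 Main St"}),
])

if __name__ == "__main__":
    print(send_offer_vulnerable(SAMPLE_DIRECTORY, "tenant-B", "alice@example.com"))
    print(send_offer_fixed(SAMPLE_DIRECTORY, "tenant-B", "alice@example.com"))
```

The check a defender wants is the one in `send_offer_fixed`: the lookup alone is not the bug, copying another tenant's record before the recipient has done anything is.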

Want to make an #Arch #Linux user blow their top?

Install Snapd and run 60%+ of your software as Snaps. 🤣

I'm speedrunning the #Google #PCSE training. The two weirdest parts are:

1) Trying to determine what I don't already know in the sea of obvious-to-techies and known-to-GCP-experts information.

2) Seeing all of the changes that were made in areas that I crashed against 3+ years ago. In some cases I was told that a feature was impossible or that no one wants it. Yet here they are. 😂

Let me say how refreshing it is for a hiring manager to talk to me like I'm being considered for the experience I can bring to the role, even though I don't have 100% of the experience that their unattainable job description includes.

Related: World IPv6 Day was June 6, 2012, so nearly 14 years ago. GOOGLE hosted an IPv6 Conference in 2010. And we're still in this mess.

It's funny to me that fully half of the #Google Professional Cloud Security Engineer ( #PCSE ) education course covers networking. I thought the cloud was supposed to free us from having to think about networking and that networking was not going to be a security boundary anymore! 🙄

Also wild is how basically every public #CSP does #IPv6 horribly. 🤣 IPv6 only pre-dates the build-out of every public CSP. But every one -- #Azure, #GCP, and ESPECIALLY #AWS -- handle IPv6 as a horrible step-child.

Look at what happened with Claude Code. We learned via the source code leak that the whole thing is a Rube Goldberg machine of shoddy regexes and Markdown snippets telling Claude to lie, and yet proverbial moments later, Anthropic announces a new product that *totally works this time I swear* and all of a sudden discourse about AI tools "working" is completely reset.

Getting stuck in that discourse loop opens you up to being perpetually distracted from the far more important ethical problems.