Iggy Frankovic 

@iggy_frankovic@infosec.exchange
Making things better by breaking them first at AWS. Former VP of Content Development at Offsec. BJJ black belt. Random rambling is mine.
It is actually amazing to observe Instagram trying to radicalize me in real time wrt pro-Serbian vs pro-Croatian content. It’s not even subtle. Just firing up ideas from the late 80s, early 90s that contributed to our civil war. Trying to see what sticks. Literally alternating between sides on a weekly basis. Smh
When I was young, we used to call this “malware”.
@realDannyDorko it’s that time of the year again!! How do you REALLY feel about Cris Collinsworth?
After helping my HS senior daughter with her math homework numerous times this year, I’m convinced more than ever that the US education system is completely failing these kids. The archaic methods and overcomplication they force these kids to learn are an absolute disservice to their future critical thinking. Let alone getting them excited about learning. Things that can be broken down in 3 or 4 simple equations that make sense are forced into one massive clusterfsck of numbers and units of measure that require a much larger cognitive load than necessary. All while these kids are frustrated because hardly anything makes sense. And rightfully so.
@realDannyDorko f it, I’ll say it. Davis is a garbage player. He has no heart. For as seldom as he truly contributes, I don’t think he’s worth having on a roster
How Do Machines ‘Grok’ Data?

By apparently overtraining them, researchers have seen neural networks discover novel solutions to problems.

Quanta Magazine
Rust, the language also known as “Who Hurt You?”.

[ Edit: I expanded this and turned it into an article at https://lcamtuf.substack.com/p/product-security-barking-up-the-wrong ]

The basics of infosec - such as meaningful asset inventories, privilege reduction and separation, or solid access control - are *not* actually basics. They're not something you start with and then are done with. They're unsolved problems in computer security. Companies mess this up not because they're careless and incompetent, but because we don't know how to do these things right.

Yes, it's easy on my Linux laptop. It's not easy when you have 10,000 employees. It only takes one person who, for the sake of expediency, puts a bootleg AWS instance on a corporate credit card and does some "prototyping" there. It only takes one person who does something creative with SSH tunnels to be able to "work from home". It only takes one person who installs a sketchy browser extension, or outright goes rogue.

At a scale, stuff like that happens *every day*, and even if your world-class tooling and education efforts get you to 95%, there's still that 5% that every organization is bound to miss. And 5% is enough. Heck, 1% is enough.

Yep, you try to lower that number, but it only gets you so far. The most successful security programs I've seen are not built around having perfect defenses. They're built around the assumption that you're gonna get compromised - and you need to detect it, respond to it, and contain it faster than the attackers can achieve their goals.

Product security: barking up the wrong tree

AppSec is fine. We're not paying enough attention to corporate infrastructure risks.

lcamtuf’s thing
Only one of these spent the summer in an Arizona garage
$10B feels like the most expensive acqui-hire ever