Gatewood Green (Woody) 🌵🏜️ 🐾


Long time infosec veteran, problem solver, champion of security and privacy. Believer in Quality, pride in craftspersonship. Security Architect for Okta. Opinions my own.

Life-long learner, explorer. Love getting lost in nature, exploring by foot and wheel, especially the desert.

LinkedIn: https://www.linkedin.com/in/gatewoodgreen/
Twitter: https://twitter.com/woodyofid
Instagram: https://www.instagram.com/sonoranwoody/
HAM: W1WDY

Sunrise coffee by Redfield Canyon, Arizona over the Veterans Day weekend. Enjoying time mostly away from most civilization.

#sunrisephotography #sunrise #jeep #coffee #backcountry #camping

Ken Thompson's original Unix backdoor of "Reflections on Trusting Trust" fame was apparently never published. 40 years (!) later, here it is: 99 lines of code plus a 20-line shell script. That's it.

Nicely annotated and explained by Russ Cox:

https://research.swtch.com/nih

research!rsc: Running the “Reflections on Trusting Trust” Compiler

Computer keyboards should have a removable crumb tray, like a toaster.

Recharging from DefCon, but already getting excited to see y'all at CactusCon next year on Feb 16-17!

Follow along here, on LinkedIn, @cactuscon on Twitter (?), @cactuscon_az on insta/threads, or just sign up for our mailing list https://cactuscon.com/mail to stay informed.

I feel seen.
I got tired of explaining over and over how #biometric prompts work, so one Saturday night I jotted down a short article discussing that - plus a couple of vids explaining signatures, @FIDOAlliance plat authenticators' use of biometrics, etc.
Share it w your non-techie friends! 🤓 https://auth0.com/blog/a-tale-of-two-biometrics-styles/
A Tale of Two Biometrics Styles

The differences between on-device and 1:N biometric verification and what they mean for your privacy needs


The people trying to spin Twitter making SMS MFA pay-to-play as a good security move are causing me actual, physical pain. —Why are you doing this?— Why are you trying to make another silly Twitter business decision sound like it was one for noble and considered reasons and not more haphazard cost cutting, like layoffs and missed rent?

I have an immediate relative (and a few pals) who cannot afford or use a smartphone that runs modern apps, like an Authenticator. I just barely got a few close family members to understand how to copy numbers out of a text message, and what that means, after years of work.

You are letting perfect security be the enemy of slightly good security, again. Some MFA is massively better than nothing, and all those folks are just shutting it off.

A lot of good folks I otherwise respect are doing this and I'm baffled and a little concerned.

Should we work towards an eventual migration away from SMS multifactor to authenticator apps and tokens across the board? Hell yeah! Can that be spearheaded by shutting it off at Twitter to save a few bucks? Hell no, it's only going to make their users less secure.

The best protection from data breaches is to not store data you don't need.

The life of a dog is hard and exhausting.

#dogsOfMastodon #dogs #lifeIsHard

Q: "I want to get into a #cybersecurity #career. How should I start?"
A: "Go to school and get a degree in cybersecurity or computer science"

Q: "I spent 4 years and $60,000 to get a degree but companies won't hire me. How can I get a job in cybersecurity?"
A: "Degrees don't mean anything, half of us don't have degrees. You should get a cert."

Q: "I have my degree and spent 6 months and $8,000 to get a certification but companies still won't hire me. How can I get a job in cybersecurity?"
A: "Certs only prove you passed a test. You need to get some experience. You should build a home lab and do independent learning."

Q: "I have my degree, a certification and just spent 6 months and a few thousand dollars building out and learning technology in my home lab but companies still won't hire me. How can I get a job in cybersecurity?"
A: "Well you need on the job experience, you should find an internship. It'll probably pay very little but you gotta pay your dues."

Q: "Are you f'ing kidding me?"

This is literally what we put people through when they want to join our industry. Now do you wonder why they aren't showing that "passion" you expect? Why perhaps they're skeptical of the next thing you tell them they need to do to get a job? Stop telling the job seekers they're the problem. Start looking at how you hire and see that hiring practices and workforce management are the problem.