AppSec stof

I must be scared by JavaScript
I read the handle @jsmall and thought it was some sort of JS marketplace company

Apple vs Google
(only real answers)

✅ Apple phones are more Secure than Google Phones
✅ Google Computers are more Secure than Apple Computers, Apple are more usable (with any O/S running on them)
✅ " " " are the same Privacy as " " " the only difference is how you are taught to think (they both harvest your data, sell it for Ads, they have App controls that you are expected to understand and accept so Apps can harvest your data directly), the differences are so slight any of you likely have only 1 or 2 insignificantly tiny examples of differences
✅ Google Security Team/s are more Capable than Apple's who prefer to have brainwashing and banning media do the work of keeping bad press away for them to stay out of headlines
✅ Google is more trustworthy (focus on worthy, i.e. transparent) than Apple who prefer closed source, empty security patches, offensive treatment of researchers, lawsuits to prevent research and kill products that conduct said research which aims to enhance the Apple experience in ways Apple disagree with

macOS Sequoia is coming

It will further "secure" the platform

Security Vendors who should know better (like Palo Alto Networks) who rely on users to avoid macOS Gatekeeper (click to allow non-notarized binaries) will be completely locked out (like they are for customers who already prevent users on SOE's from accepting the prompts to run insecure programs)

If companies like PAN can't get this right, what hope is there for smaller apps?

Maybe that's a good thing for Apple?

When you buy the hardware you're barely renting it, you are more like an Apple employee, they manage your usage and monitor every micro activity you do, now they are controlling everything you plan to run on the device too - which makes the devices 100% in their control, the circle is now closed.

The only difference between consumers and employees is the Apple employee doesn't pay (that is the next thing they will announce, employees to pay Apple seems to be the future plan at this rate)

VulnCheck are doing great work for us during the #NVD crisis

But what is next for us all in #infosec? Will the #CVE crisis of the last 20 years of #cybersecurity continue?

Patrick Garrity has been showing the best visualizations of this - but most of us know that CVE is barely a bucket of sand on a beach size scale of known #vulnerabilities

What "sources" should we as an industry trust? CISA? NVD? Private entities like VulnCheck who improve on the weaknesses of CISA and NVD?

What if I told you again that even these aren't really "sources" and are best described as metadata?

First of all NVD isn't even a source, it's clearly metadata on top of Mitre at best, and not even that lately. CISA vulnrichment will still NOT be a source once in full swing - it's also nothing more than metadata on top of Mitre

OSV is a database that aggregates sources of vuln data, it's the closest "source" that exists, CSA's GSD may come a close second, but not NVD or CISA which have no actual authoritative source, they just consume Mitre sources, validate them, and add some extra properties

OSV is exponentially larger than NVD+CISA

NVD is like a grain of sand
OSV is a bucket of sand - on the beach of known vulnerabilities

In terms of "source" of what that beach is, such a source doesn't exist today

Known vulnerabilities are turned into a CVE less than 1 in 1M known vulns

You read that right, a CVE is less than 1 in 1M

The OSV shows that a CVE is maybe 1 in 100 of recorded vulns
The 1M comes from all the repos that create git commits saying they have fixed a security bug, which happens tens of thousands of times a day in GitHub alone.
Then there are things that are exploitable which are not in GitHub or even source code at all; firmware, hardware, cloud, proprietary. These are all known vulns too, because they are found in reports that are never "reported" to CVE

So I ask again, what source do we use? Who will try to build the first ever source of "known vulns"? Many have tried...

Early adopters needed for Vulnetix!

https://github.com/apps/vulnetix

Please install our GitHub App whether or not you intend to give feedback or contribute to features, just installing with an empty repo or fork can help us reach others better.

Bonus: If you install now, you will forever gain access to Vulnetix for free - this is by design for all GitHub Apps that add a paid plan later.


Vulnetix - Early adopters needed!

https://github.com/0x73746F66/vulnetix

Please install our GitHub App whether or not you intend to give feedback or contribute to features, just installing with an empty repo or fork can help us reach others better.

https://github.com/apps/vulnetix

Bonus: If you install now, you will forever gain access to Vulnetix for free - this is by design for all GitHub Apps that add a paid plan later.

This is a preview, under active development, so you will encounter bugs while we complete the features.


I'm just going to call it #SCA is dead. Any vendor selling SCA as a primary feature will not last long.

Most of the world is on GitHub, and get Dependabot for SCA

Most, if not all, package managers have now standardised on SCA via an audit command

If you are building an SCA today, use the OSV (Google's project, which has long since been OSS), which is the vuln database collection for all known vuln databases; it gives you SCA discovery (without needing to build the app like Snyk) and only needs a lock file or SBOM.

If you relied on reporting from the SCA tool, then it's a vendor lock-in situation where it's best to just get out now and instead report against something like SBOM+VEX so you never need to change reporting even when you change vendors.

Want SCA findings to leave you alone? Try Vulnetix

https://github.com/apps/vulnetix

Thank you Crowdstrike for helping to illustrate that Open Source is not the problem.

Tired of sifting through false positives in Kali xortool and wish you had a Natural Language Processing (NLP) filter?

Look no further!

https://github.com/chrisdlangton/xornlpcrack

You're welcome

(how does one get tools into Kali anyway?)


Things that I learned building a Custom #GPT from @OpenAI

  • It's similar to the custom instructions feature in terms of barrier to entry for users

  • the GPT description field holding instructions isn't shown to users

  • Using the builder prompt overwrites the model description, subtitle, and the example prompts... so save your text externally so it's not lost

  • Icon uploading doesn't work on the mobile web version

  • DALL-E generation happens once only; you can remove the image, but regeneration pulls the same image as before

  • Files added are used in 2 ways, can be explored during builder prompts OR explored after the GPT is live using normal prompts

  • Sharing the GPT shares the attachments too, it's trivial to extract them

  • You are limited to 10 attachments

Final thoughts

Soon our GPT will be searchable in a marketplace, they have a blog describing how creators will monetise their GPT

Hope this helps everyone

Check out my public #ChatGPT
Avalanche - Reverse Engineering & #CTF Assistant

https://chat.openai.com/g/g-I8Xgay7RS-avalanche-reverse-engineering-ctf-assistant

Feedback appreciated

Anyone over at OpenAI seeing this
Make some official OpenAI docs please

The bloggers are doing a terrible job
They all just screenshot and hype the feature

No one seems to know anything about the above limitations or even how it actually works and can be used

I mean it's like they want the keywords but it is all just noise!

You need real people who actually build things and care talking about this to other builders who care

Not the stupid marketing and hype, it does not appeal to builders!

@pythonbytes seen https://splootcode.io/
What do you think?
Science without software engineering backgrounds
Students or young or old starting to learn coding and traditional methods aren't for their learning styles?
Pro coders looking for a new productivity tool, like pros who start learning how to type again with a Kinesis keyboard, we're used to fundamental flow shifts