Close down Infosec, we've got 5 Dimensional Crypto now https://twitter.com/veorq/status/1159559785068429312 And their extremely good site - https://timeai.io/ And their awesome science complete with album cover at the bottom - https://arxiv.org/ftp/arxiv/papers/1903/1903.08570.pdf Also featured: actual cryptographers dunking on them in real time and on twitter.

# Aug 9, 2019 05:40

# May 8, 2024 14:24

Really sad someone has https://www.amicybersafe.org right now.

# Aug 9, 2019 05:49

CommieGIR posted:
> Apparently they practically booed them off the stage, it was that lovely and fake

Not only were they booed off the stage, they got debunked live in person, with a finisher of someone taking the mic to just yell at them, lol

# Aug 9, 2019 17:05

Bloodborne posted:
> How do you nerds who work in sec track your personal/team goals and performance etc. We're moving to the "OKR" model which is apparently the intel/google/linkedin/insert startup tech company here model.

Depends on the size of your team and your charter. We moved to a similar model over the summer as a software security team. For example, we've got one with targets for automatically generated bug fix rates. Basically a quality check on our static analysis rules, fuzzing rig, et cetera.

# Nov 2, 2019 17:19

BangersInMyKnickers posted:
> Open communication and honesty with the userbase is probably the biggest lesson we haven't learned yet. We make decisions in secret (sometimes even internally between teams in security) and do not solicit feedback for initiatives that will impact the entire org. Our relationship with other departments is often hostile and they more often than not fight us or withhold important information as a result. Not exactly productive in the context of security if your userbase is trying to undermine you every step of the way.

One of the things I started doing is meeting with product teams when there isn't an incident or ask; I need a word other than "peacetime" for it. If the only time we interact with the teams we support is when we broke them or we are asking them to do work, it's hard to have a non-hostile relationship. For my tools team, we're starting to require of ourselves (and have metrics we are accountable for) improvements in the realm of noise in security bugs, improving user workflows alongside work to make security tooling and not just throwing up new roadblocks, that sorta thing. I spend a lot of time talking to peers in performance/accessibility; they have some of the same problems we do w/r/t asks to other teams, but without the "you have to do this because security" hammer. Lessons to learn from them.

# Dec 19, 2019 19:43

Klyith posted:
> Uhhhh, welcome to 2017?

I'm continually amused by the idea of grandma's Life Alert being used to sell her reverse mortgages

# Mar 8, 2020 18:35

Martytoof posted:
> This is going to be a *chef kiss* of an RCA

I am ridiculously excited to find out more about this because the TTM is so high and the mitigation so far is so bizarre. Verified accounts can't tweet?? This is either going to be a story of heroics on a very weird exploit chain or an interview question on how Not To Do Things and I don't see a middle ground.

# Jul 15, 2020 23:52

One of my favorite examples when talking about usable security is nursing station computers. Styrofoam cups over proximity sensors, anti-idle scripts, the works. A little more fun than the same slide of tire tracks/footprints going around a gate, anyway.

# Jan 9, 2021 18:39

Defenestrategy posted:
> I was confused about what he was talking about, thought he was talking about an NFC or some such other tap to log on/enter thing, not a REX/keep alive thingy.

TBH I wish my job had more off the wall poo poo like this instead of getting people to upgrade OSS and getting people to remove creds from code/configuration files, so I don't blame you

# Jan 10, 2021 00:28

CommieGIR posted:
> Security people like this piss me off and make it really hard to work in the field.

The next evolution is when IT security starts throwing stuff over the wall... To product security teams. Watching the egos clash is entertaining, but hard to get blood off the walls afterwards

# Dec 6, 2023 04:03

CommieGIR posted:
> Gonna highlight this - I NEVER ever claimed I was too clever to be at risk. Please give me some credit here at least. Please don't just go assuming things about me because I made a joke (although I am the Red Team lead). That is a massive assumption on your part, and frankly is incredibly insulting. To paraphrase Plato - "I know that I know nothing" and that applies to any security person. You are never too smart to be risk free, and you are never too experienced to get yourself into trouble. Of course there's risk involved with having a corporate image on my laptop. Plenty of it.

You forgot the most important reason to keep your own poo poo locked down; making sure blue doesn't know what the Meme Theme of the next engagement presentation is

# Dec 7, 2023 02:27

CommieGIR posted:
> No matter how many times we try 'Open the meeting with a joke', it never carries well with the executive team.

That really sucks. Our execs have been totally fine with us memeing in our readouts, and we're a pretty big, serious place most of the time. The last one was Shrek themed. I gave a talk on LLM security and how it challenges our fundamental assumptions about security testing and the theme was around LLMs being like a creepy little kid:

Ellipson fucked around with this message at 20:11 on Dec 7, 2023

# Dec 7, 2023 20:09
Potato Salad posted:cissp is a huge door opener, who is ragging on it that hard Do what I did instead and get a PhD, which simultaneously closes doors and sucks up prime career advancement years (and you will still get screened on certs)

# Apr 27, 2024 03:50