Rob Joyce

Cyber guy. Love high tech Christmas lights and other geeky things. Former Cybersecurity Director @NSA.gov. These are my personal posts.

2024-10-31

The Xz supply chain attack taught us that even trusted, longstanding open source projects can be compromised. Security vigilance must apply to every piece of code, no matter its history and the developer. We had a huge near-miss.

2024-10-30

I hear hack back as a solution to intrusions, and disagree. Compromised machines in friendly/neutral countries will be targeted, risking harm to innocents. The diplomatic implications are already severe. Hack back is inherently a governmental function. Cyber doesn’t stop cyber.

2024-10-29

Shockingly accurate video of many enterprise security products.

2024-10-28

Serious question. Can anyone tell me how we are safer / better for the cookie warning clicking I have to do on the internet? Advertisers still own your browsing habits and the world expends a collective bazillion hours a week on a needless friction.

2024-10-27

It’s been quite a year… Expect anything that is internet facing to be probed, tested and then exploited if insecure. Restrict management interfaces for appliances - never directly expose them. Log and inspect with rigor!

2024-10-25

We are all in this together. Government, industry, and academia need to collaborate in an environment where attackers have the advantage. Sometimes, however, each side can be a bit aggressive in its messaging.

2024-10-24

Check snopes.com before you share something.

No, copying to your timeline on Facebook does nothing. That web site is run by a malign actor. That screenshot is not actually from a real article. I could go on. Use your brains before clicking please!

2024-10-23

Yes- I’m looking at you!

2024-10-22
2024-10-21

I’m at the point that I don’t need / want backpacks, notebooks, pens, lights, t-shirts and all of the other conference items. Despite that, it’s still a huge part of the conference experience. Anyone have a good estimate of what percent of giveaway swag is actually used?

2024-10-20

Would you know if you hired a North Korean as a remote working employee?

Didn’t have that on my cybersecurity bingo card for 2024!

2024-10-19
2024-10-18

You should be challenging your defenses regularly with red teams. Also use different external teams over time to ensure you get new techniques and tradecraft thrown at you. Finally, test variants of successful exploitation techniques to ensure they are remediated.

2024-10-16

techradar.com/pro/volt-typho…

theregister.com/2024/10/15/chi…

I’ll gladly chime in and note that China’s pushback is utterly ridiculous. Thankfully there’s plenty of evidence and independent voices showing the PRC malicious activity into our critical infrastructure

2024-10-16

China gets caught: cyber campaign with victims, major industry players & multiple governments compromising its operations. Rebuttal? Fake news, covert action and a conspiracy. Sorry-the US can’t keep a secret that big anymore. Distraction fail (but press do better covering this)

2024-10-15

Claims of Chinese researchers breaking "military grade encryption" with a quantum computer are totally overblown. They attacked a trivial 22 bit key and used a quantum annealing architecture. Still not cryptographically relevant and not a quantum computer. Still not breaking RSA!

scmp.com/news/china/science/ar

x.com/twistedhardware/status/1

2024-10-14

Choose wisely. Sometimes there is a need for baselining expectations, knowledge and policies. You can also quickly go overboard and lose your audience…

2024-10-13

My time at NSA made me think differently about cybersecurity. Working in both the foreign intelligence SIGINT mission & the defensive activities expands your view of what is effective defense and what gives attackers advantage. You think differently after being on both sides.

2024-10-12

We talked about the risks you were taking. It wasn’t until Kaspersky unilaterally uninstalled their product and installed another (at the kernel level) that the lightbulb finally went on about the level of trust & access actually granted. Couple that with Russia national actions-

2024-10-11
