SwiftOnSecurity

Twitter is a sign-in identity provider too... And revoking access at Twitter or deleting your account does not necessarily break that delegation token...
I trust their security team made this happen. But it's not intrinsic.

If you've ever "Logged in" to a website or app with Twitter, you created an account with a secret Twitter holds on its servers. You don't sign in with your Twitter account. You sign in with an OAuth token Twitter owns.

SwiftOnSecurity

One of the greatest values you can provide to an employer is saying No. To have experience to know what's important. If we don't log this thing we will have more retention of what matters MORE, longer. The real world has costs, and those have to be paid.

SwiftOnSecurity

As a security principal I am in fact the one saying No, we are going to turn that Off. It costs too much. Often, that cost is retention of what matters. Or business impact. There is no limit to the amount of data you can generate about the operations of a machine. And it will cost you everything.

nepi

@SwiftOnSecurity I wish more managers understood that creeping the scope of a project is possibly the most expensive thing you can do.

SwiftOnSecurity

In my hands is my first iPod. Steve Jobs is smiling at me. Everybody at the Apple Store is smiling.

I take off my Apple Vision. I am back in the retirement home. Nobody has visited me for 12 years. I put it back on.

I hold my iPod. Everybody in the Apple Store is smiling.

SwiftOnSecurity

PUBLIC SERVICE ANNOUNCEMENT:

There is an increase of account takeovers due to insiders at telco firms simply giving control to people paying them/compromised support staff accounts. Do a check on systems where this single factor would permit an account compromise. And change the configuration. These are opportunistic trawling attacks. This is becoming more common as attackers replicate the success.

The attacker uses other channels (like people search websites) to enumerate and guess the phone number attached to an online account and then checks against the telco they have control over.

The insider only briefly temporarily forwards the victim number to a 3rd party then switches it back to normal once they’re in. This is how they stay quiet since most victims will not have leverage or telemetry to understand how they got hacked.

It was their cell phone provider.

Make it so account recovery systems require multiple factors and remove telephony-based recovery for VIP accounts entirely.
Go check your systems now. Go try to access all your stuff like you forgot your password.

I am very serious. This is based on private knowledge but is compelled by the compromise of the SEC. This is common now.
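
One way to run the check the post recommends, as an added example that is not part of the original post: a small audit over constructed account-recovery configurations that flags accounts where a single telephony factor unlocks recovery and strips telephony recovery from VIP accounts. The factor names, the `RecoveryPolicy` class and the sample accounts are assumptions, not any provider's real API.

```python
"""Audit account-recovery settings for telephony-only recovery paths."""
from dataclasses import dataclass

# Factors delivered over the phone network; a carrier insider who forwards
# the number captures all of them at once, so they count as ONE factor.
TELEPHONY = {"sms", "voice"}
# Factors the carrier cannot re-route (assumed strong for this example).
STRONG = {"hardware_key", "totp", "recovery_code", "email"}


@dataclass
class RecoveryPolicy:          # hypothetical shape of an account's settings
    factors: set               # recovery factors enrolled on the account
    vip: bool = False          # executive / high-value account


def independent_factors(factors):
    """Collapse every telephony channel into a single 'telephony' factor."""
    return {"telephony" if f in TELEPHONY else f for f in factors}


def audit(acct: RecoveryPolicy):
    """Return findings for one account; an empty list means it passes."""
    findings = []
    kinds = independent_factors(acct.factors)
    if kinds and kinds <= {"telephony"}:        # phone is the only route in
        findings.append("single telephony factor permits recovery")
    if acct.vip and "telephony" in kinds:
        findings.append("VIP account still has telephony-based recovery")
    if len(kinds) < 2:                          # no second independent factor
        findings.append("fewer than two independent recovery factors")
    return findings


def harden(acct: RecoveryPolicy):
    """Apply the post's rule: remove telephony recovery from VIP accounts."""
    factors = set(acct.factors)
    if acct.vip:
        factors -= TELEPHONY
    return RecoveryPolicy(factors, acct.vip)


# Constructed sample accounts, not real data.
SAMPLE = {
    "ceo":     RecoveryPolicy({"sms", "voice", "hardware_key"}, vip=True),
    "analyst": RecoveryPolicy({"sms"}),
    "admin":   RecoveryPolicy({"totp", "recovery_code"}),
}
```

Note that `harden` alone is not enough: once SMS and voice are dropped from the sample VIP account it is left with one factor, so the fix has to be paired with enrolling a second non-telephony factor.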
lucas

@SwiftOnSecurity The downside of paying someone fuck all is it only takes a little bit more than fuck all to buy them off.

In other words: raising wages in the states would be a net benefit to (national|personal|business) security.

pasta la vida

@SwiftOnSecurity you ever wish you worked for Okta and could just... turn on false SMS verification for all users... just to catch this behavior? (as a massive network telescope)

"sure, SMS is on, want to try it?"

and it might actually text the user a real code, but emails them / alerts their SOC going "uh... remember when you turned on 'fake 2fa'? someone's swapped your number"

The Shinxposter

@SwiftOnSecurity @w I use it on the daily, my discord bot uses it on the daily. 100% would recommend.

Memetic Stramash

@SwiftOnSecurity @w I'm getting some YT videos that don't download. Just a 0KB empty container. So the Goog Death Star might be onto it. It's hit and miss.

SwiftOnSecurity

Periodic reminder just leaving shit unplugged for hours does fix things. Fucking capacitors/resettable fuses are everywhere and you have to defeat them with waiting it out with ALL POWER REMOVED. Even your USB devices and screens with their own power. No power in contact with anything that’s connected.

Fixed a washing machine like this. Just fixed my motherboard despite me hitting the reset to defaults button AND removing the battery.

Sometimes you got to just give things a time-out in a corner to think about what they did.

Simon Jaeger

@SwiftOnSecurity @Selena I always just assumed this was the tech fairy. She's got a lot of things to fix so if you don't leave it unplugged long enough, she won't get to it.

Frank Skornia

@SwiftOnSecurity Ever since I built my current computer I would have an issue where the onboard Bluetooth adapter would just "disappear" sometimes in the middle of me using it.
The only solution I found was to turn off the computer, pull the plug from the PSU and wait 20-30 minutes.
This solution makes a lot more sense now. Thanks.

Luna Saphira Dragofelis

@SwiftOnSecurity unfortunately many modern devices don't allow the user to remove the battery anymore

SwiftOnSecurity

A lot of today’s UX designers never made a WinAmp skin and it shows.

SwiftOnSecurity

UX designers who eliminated the filesystem from user consciousness in the name of simplicity ruined the world and are morally culpable for shriveling the minds of children who are unable to tackle the challenges of today thanks to a choice sold as advocacy for the user but ultimately motivated by control of a disempowered customer.

Layla Low

@SwiftOnSecurity Could say the same about machine language and hex

Molytov

@SwiftOnSecurity I was once in a high school programming course where a student couldn't understand what it meant to press the Windows and U keys to look at page source...

Alex Markley :mbetv:

@SwiftOnSecurity some people forgot the blood that was shed over interoperable document formats.

SwiftOnSecurity

In my hands is a signed launch-day Xbox 360. Looking up, Bill Gates is smiling at me. Everybody in Best Buy is smiling.

I take off my Apple Vision. I am back in the retirement home. Nobody has visited me for 16 years. I put the Apple Vision back on.

I hold the Xbox 360. Everybody in Best Buy is smiling.

Nicole Parsons

@SwiftOnSecurity

The saying "Go touch grass" grows more poignant day by day.

The tech industry is being funded by OPEC+ and #KochNetwork to create a fake virtual world so people will ignore a real world frying and growing increasingly uninhabitable.

UncannyKyle

@SwiftOnSecurity “Oooh baby do you know what that’s worth/ooh Heaven is a place on earth”

SwiftOnSecurity

When ChatGPT tells me my request isn't nice or inclusive enough

Don't lecture me you fucking can opener

SwiftOnSecurity

Interesting: In flight if a circuit breaker trips, pilots are only supposed to reset if it is important for safety, and then only supposed to do it once. Do not try to bring a suspect compromised subsystem back online while in the air.

SwiftOnSecurity

Error: Your password must contain at least two characters who talk to each other about something other than a man.

Tathar is dragons! ΘΔ

@SwiftOnSecurity

I feel like I won't understand anything from this thread until I try to write a Verilog module for it.

Abhishek Sansanwal

@SwiftOnSecurity
Having worked a bit with encoding/decoding I think ffmpeg is probably the best open source software project out there.
There are so many edge cases in codecs yet ffmpeg has never failed me. It's a miracle it works at all, but actually works so well.

Josh

@SwiftOnSecurity ironic I'm reading this while writing ingest code.

SwiftOnSecurity

My problem with Mastodon is it always feels like shitposts are not allowed here.
But shitposts are important ecosystem barometers for banter; an early warning guidepost to approaching the maximal allowed discourse.
Without shitposts, you have no constantly governed North Star in your community because you have no measure of its distance – only shallow and stricting fear of nonconformity. Like fish that choke without oxygen from water burbling over brooks, without shitposts your dreams of a blooming dialogue will dry into a wasteland.

Katharsisdrill

@SwiftOnSecurity - Some here think that everything is NOT allowed and should be hidden and sealed behind blurred curtains... Which is pretty stupid as microblogging is terrible at any serious business. Porn, jokes, smalltalk, memes, everything Trump thinks - those are the stuff microblogging is made from.
