Marcin

5.7K posts

Marcin

@marcinw

because tweeting and blogging is a full time job

New York, NY 参加日 Temmuz 2008

325 フォロー中1.6K フォロワー

Marcin がリツイート

Kyle Vogt@kvogt·25 Nis

Well folks, we did it. I have been waiting for this day for almost 10 years. I am proud to announce @Cruise is now running 24/7 across all of San Francisco! This is a pivotal moment for our business. Let me tell you why 👇(1/6)

English

166

375

3.3K

1.3M

Marcin がリツイート

Chris Wysopal@WeldPond·21 Mar

You'd be hard pressed to find someone in the hacker community that you could have deep tech conversations with & also turn everything they touch into fun. @aloria is a legend that I am privileged to call a friend. We will remember! Photo from 15th anniversary of "Hackers" party.

Gabriella "Biella" Coleman@BiellaColeman

When speaking with @aloria my spirits would lift. Her wit and brilliance were stuff of legend and she would often make me smile and think at the same time. You will be missed and this is how I will remember you:

English

10.3K

Marcin がリツイート

Ryan Hurst@rmhrisk·6 Tem

“Code signing” as sold by CAs is a Microsoft only offering. It doesn’t really belong in CA/Browser Forum at all. Doing so just shunts Microsoft’s responsibility to evolve its own code signing practices to commercial CAs. This is problematic for several reasons.

DigiCert@digicert

The Code Signing Working Group recently improved requirements for code signing. Effective Nov. 15, 2022, key protection requirements for OV code signing certificates are harmonized to be the same as EV code signing certificates. digicert.com/blog/improved-…

English

Marcin@marcinw·16 Kas

@0xdabbad00 blog.gdssecurity.com/labs/2010/2/12… port scanning internal Azure infrastructure since 2010.

English

Scott Piper@0xdabbad00·12 Kas

My general guidance for AWS has been to trust AWS is securing their side of the shared responsibility model (ex. don't spend much time worrying about the possibility of guest-to-host-escapes, CPU side channels, etc from other customers). That is not my belief for Azure. 🧵

English

329

Marcin がリツイート

Dino A. Dai Zovi@dinodaizovi·14 Kas

Where else in our lives do we actively create and promote the infrastructure that allows malicious actors scalable and frictionless destruction? Why run AD, which enables scalable ransomware? So that we can automatically deploy EDR to maybe detect (but not stop) that ransomware?

English

Marcin@marcinw·15 Eki

@drraid Clear violation of the site ToS.

English

Brandon Edwards@drraid·15 Eki

Is there an IDA plugin for decoding HTML? I’m having a hard time keeping up with all these hacking techniques

English

Marcin@marcinw·1 Eyl

@mattifestation @j3ffr3y1974 How does behave when you have an expired (but not revoked) signing certificate with a valid RFC3161 timestamp?

English

Marcin がリツイート

Dan Guido@dguido·10 Ağu

My scooter was stolen last week. Unknown to the thief, I hid two Airtags inside it. I was able to use the Apple Find My network and UWB direction finding to recover the scooter today. Here’s how it all went down:

English

227

2.6K

12.3K

Marcin@marcinw·20 Tem

@halvarflake @chrisrohlf @drraid All of the above would breed the most competition amongst everyone.

English

Halvar Flake@halvarflake·20 Tem

@chrisrohlf @drraid Open it to users via sth like bpftrace, too.

English

Brandon Edwards@drraid·20 Tem

This. This all day long. Between iOS and IntelME it’s as if vendors spite us with the lack of visibility. I’ll always favor a system with visibility and the purported “less security” over an opaque box claiming to be a fortress

Halvar Flake@halvarflake

People may disagree with me on this, but allowing users to dtrace-log the hell out of their phones would at least help at-risk users collect better forensic evidence... iOS still has all the dtrace infra, android has all the eBPF infra. Allow users to add o11y to their phones.

English

Marcin がリツイート

Dino A. Dai Zovi@dinodaizovi·18 Nis

There's a focus that comes with protecting cryptocurrency. Security theater doesn't play at all, there are real direct consequences for breaches, and you can't keep them a secret. There is real useful innovation happening and the rest of infosec ignores it to their own detriment.

Dominic White 👾@singe

For years I’ve avoided anything to do with cryptocoins. Initially it was because people assumed being in security meant I knew about it & kept pestering me. Later it was because I saw the greed derail a couple of good hackers careers. Then it was some of the unpleasant community.

English

Marcin がリツイート

Tyler Winklevoss@tyler·15 Nis

Big congratulations to @brian_armstrong, @FEhrsam and the entire @coinbase team on a monster debut today! Huge moment for crypto. To the moon! 👍🏻🚀🍾🥂🥳🎉🎈🎊

English

211

3.4K

Marcin@marcinw·20 Şub

I wrote a smart card token driver for MacOS to interface with identities backed by Secure Enclave github.com/mwielgoszewski…

English

Marcin がリツイート

Cem Paya@randomoracle·12 Oca

Windows crypto API makes it easy to use keys on hardware eg HSMs Example: ADFS with SAML signing key on AWS CloudHSM v2 (Marvel Nitrox née Cavium) Sometimes showing the key is on an HSM is the hard part 🤷‍♂️ Key container → CSP → certificate → ADFS settings

English

Marcin@marcinw·31 Ara

@dinodaizovi @mtrumpbour @collinrm @0xcharlie @nudehaberdasher There was a time, we all SummerCon’d together.

English

Dino A. Dai Zovi@dinodaizovi·30 Ara

@mtrumpbour @collinrm @0xcharlie @nudehaberdasher This one time, at SummerC0n, @nudehaberdasher mistook me for a urinal.

English

Collin Mulliner@collinrm·30 Ara

I once had lunch with @dinodaizovi in Manhattan way before I lived in the US and @0xcharlie set it up

Anders Fogh@anders_fogh

I once had dinner with @JacobTorrey in Amsterdam

English

Marcin がリツイート

Cem Paya@randomoracle·19 Ara

Common pattern in infosec: 1. Fail at threat modeling (In this case: conflate risks of non-constant time comparison of HMACs vs password hashes) 2. Attempt at "fix" for said "problem" 3. Introduce a more serious & real vulnerability 🤦‍♂️

English

Marcin がリツイート

Cem Paya@randomoracle·14 Ara

Alternative view: given that enterprise IT is a market for lemons, it is the buyer responsibility to manage that risk by making sure untrusted vendor code (read: all except a handful such as MSFT/Google/AWS…) is properly sandboxed & contained assuming it *will* fail

English

Marcin がリツイート

Dino A. Dai Zovi@dinodaizovi·11 Ara

My take: if you have the team on-staff to invent ALTS, use that. Otherwise, use mTLS for your service-to-service communication. You should still use other authn/authz mechanisms that are closer to end-to-end, though.

English

Marcin がリツイート

Thomas H. Ptacek@tqbf·18 Eki

If you know me you already know what I think about this but on the off chance you don’t: NCC Cryptography is legit.

@[email protected]@gerald_doussot

Join an amazing team and work on interesting cryptography projects and research at the forefront of information security and privacy! linkedin.com/jobs/view/2181…

English

Marcin がリツイート

Jesse D'Aguanno@0x30n·20 Tem

I grew up on software exploitation, but always thought crypto was beyond me. In the ~5 yrs since finding Cryptopals, I’ve found & exploited critical crypto bugs in products like secure messengers, and helped design secure protocols. Thanks @tqbf @spdevlin @marcinw @iamalexalright

Jesse D'Aguanno@0x30n

Periodic reminder that you should check out cryptopals.com if you’re involved in making or breaking software that uses cryptography

English

Marcin がリツイート

Cem Paya@randomoracle·18 Tem

This is why using credentials bound to hardware— smart-cards, USB tokens, TPMs— is crucial You can not paste them into Slack or share with another colleague even if you wanted to 🤷‍♂️ 1/2

English

ディスカバー

@cruise @aloria @0xdabbad00 @drraid @mattifestation @halvarflake @chrisrohlf @brian_armstrong