Peter Dowley (@PeterDowley)
3.2K posts
Infosecurity advisory | Exploring | Pragmatic optimist | https://t.co/FoePv9pnfH
Canberra, Australia. Joined March 2008
283 Following, 384 Followers
Peter Dowley (@PeterDowley):
@philvenables In a similar vein of books about the creation of technology products, I quite enjoyed Showstopper - an origin story about the ex-DEC team behind Windows NT. Interesting perspectives on how this project came up internally at MS against OS/2
Peter Dowley (@PeterDowley):
@philvenables The Soul of a New Machine had a major influence on me when it came out. And it was only when I got to uni 6 years later and saw all of the VAX computers that I realised the sucker punch of the book ... after all of the team's hard work, the VAX had smashed them in the market.
Phil Venables (@philvenables):
Security Leaders’ Reading List Not many security books. Security leader challenges are mostly, well, leadership along with a healthy dose of program mgmt, culture, attention to detail, risk mgmt and more. philvenables.com/post/leadershi…
Peter Dowley (@PeterDowley):
@mediafishy @SecurityVoices @jack_daniel Thanks very much @mediafishy and @jack_daniel, it was an excellent series. Having worked within clients and service providers for most of my career, I found the podcasts really useful to better understand security vendors & startups. And all sorts of other stuff! Best wishes guys
Peter Dowley (@PeterDowley):
@tomatospy Hope you're having a good holiday. For some light listening during your break I think you'll enjoy a podcast series by @MilesMJohnson from FT - Hot Money series 2, The New Narcos. Encrypted crime phones do feature...
The Shovel (@TheShovel):
TECH NEWS: Nokia has released its response to Apple’s VisionPro AR headset
Peter Dowley (@PeterDowley):
@Jeremy_Kirk In that case the court found that the company failed to have adequate cybersecurity measures in place, and exposed clients to an unacceptable level of risk - and that these related to obligations under the Corporations Act, so applicable for all companies in AU.
Peter Dowley (@PeterDowley):
@Jeremy_Kirk I'd suggest that substantial fines (even after the fact) do shift the needle. One other significant change in AU this year was the court case of ASIC v RI Advice (see kwm.com/au/en/insights… for example) which results in potential personal liability for board/execs of companies
Jeremy Kirk (@Jeremy_Kirk):
Parliament revised Australia's Privacy Act after the recent breaches. But a thought: A $50M fine satisfies the desire for punishment, but fines occur *after* a breach. We should incentivise better cyber security practices to prevent irreversible losses of data. #auspol #infosec
Peter Dowley (@PeterDowley):
@awpiii @wadebaker Order of magnitude feels about right for infosec proportions in normal business (and government) in developed Western countries. I bet ratios are very different in some other countries (e.g. Russia and Nigeria!)
Bill Pelletier (@awpiii):
@wadebaker Anecdotally - I think offensive roles tend to be more vocal about what is happening, while the defensive role folks are just there in the background doing their jobs. I would suspect it is an order of magnitude in favor of defensive roles IRL. Blue or Purple - doesn't matter.
Wade Baker (@wadebaker):
Does anyone have any data or informed intuition on the ratio of offensive vs defensive roles in cybersecurity? I’ve always assumed the latter was far more numerous but sometimes infosec Twitter (may she live long and prosper) gives me the opposite impression.
Peter Dowley (@PeterDowley):
@Jeremy_Kirk @medibank This means that they can often provide nuanced advice about the reliability of specific attackers in following through on what they say, after getting paid.
Peter Dowley (@PeterDowley):
@Jeremy_Kirk @medibank Another good thread, thanks. In a bad security incident orgs usually engage breach advisors to help with exec/board decisions (as well as technical incident responders to help IT teams). Breach advisors have been involved in past negotiations & know about specific threat groups.
Peter Dowley (@PeterDowley):
@TimYowie I saw the one in Goulburn last month - I hope it's higher in your list.
Tim the Yowie Man (@TimYowie):
I’ve just arrived at my 4th favourite NSW courthouse. Can you guess where it is? Clue: I’ve taken the photo from a boat …
Peter Dowley (@PeterDowley):
@29devine @Jeremy_Kirk Telcos and ISPs are currently required to keep the identity data (plus LOTS of other data) for the lifetime of the account plus 2 years. This is detailed in some public guidance from the Home Affairs department from around 2014.
TwoNineDevine (@29devine):
@Jeremy_Kirk No clue on the technology, but once 100 points are verified, why is any organisation allowed to keep the data on file?
Jeremy Kirk (@Jeremy_Kirk):
Here are some technical observations related to the Optus breach. This gets into the technical weeds, but it’s important for understanding how this breach may have happened. I’ll try to make it as comprehensible as possible. #optushack #auspol #infosec
Peter Dowley (@PeterDowley):
@Jeremy_Kirk I can't help but think that the problem API (which seems to have been for Customer Identity details) is one that was only intended for access by law enforcement - i.e. not on the internet. I can't think of cases where it makes sense for this data to be accessed by other parties.
Peter Dowley (@PeterDowley):
@Jeremy_Kirk Thanks for the additional detail. The top-level API URL likely exposed a range of API services that were accessible - some of which may make sense to be internet accessible (e.g. for mobile apps), though with authentication & authorisation.
Peter Dowley (@PeterDowley):
@riskybusiness The Home Affairs doc provides detailed regulations beyond the law itself, which is quite common to see. And of course it doesn't require that the info is then deleted.
Peter Dowley (@PeterDowley):
@riskybusiness Good coverage of the Optus drama. On the data retention side I read an article in The Conversation theconversation.com/what-does-the-… which has a link to Home Affairs guidance for telcos/ISPs (circa 2014). Interestingly the identity data also needs to be retained for accnt lifetime + 2 yrs
Peter Dowley (@PeterDowley):
@TerribleMaps When driving into a Hezbollah part of Lebanon it can seem like Hezbollah is a country too ... so perhaps Lebanon should be green in the legend as a partial fit
Terrible Maps (@TerribleMaps):
Countries with an AK-47 on their flag