collin
@libber
346 posts
Joined September 2007
528 Following, 2K Followers
collin (@libber)
@frgx Totally agree. Have you ever done a big program-scale “go delete surface area” stuff? I’ve only done it ad hoc, typically as the result of a point audit or cluster of vulns.
Devdatta Akhawe (@frgx)
@libber But, IMO, underappreciated in most places (I know not you; but a lot of written stuff misses this) is how "prevent" is the biggest leverage. Have _fewer_ dependencies; and of those you do, have very few with attack surface (e.g., move to a sandbox or don't let them listen on the internet).
collin (@libber)
Golden opportunity to convert this vulnpocalypse hype into properly funding vuln mgmt (the least exciting, often most lacking part of a security program). This is our chance as an industry!
collin (@libber)
@frgx A flight with no internet + this pleasant nerdsnipe = this long answer: collingreene.com/vuln_mgmt.html I'm organizationally sheltered, but in a big company the above is what I think ideal looks like.
collin (@libber)
@mhlakhani True. This organization wall is just begging to have vulns chucked over it.
Hasnain Lakhani (@mhlakhani)
@libber But see, @libber, that would require me to actually do work instead of complaining “those devs don’t fix my vulns”, and where’s the fun in that?!
collin (@libber)
@tqbf + pass them on to your children
Zack Korman (@ZackKorman)
Here’s a thread about how I approached getting ISO 27001 certified at Pistachio, written for people who hate these things as much as I do. As @IceSolst says, ACAB includes auditors.
collin (@libber)
@intoverflow Extremely cool. I've long harbored a dream of a coffee-table hacking-tales book with the benefit of full knowledge + hindsight of 10 interesting breaches or events or something. If this project is that, I want to read it even more!
Tim Carstens Ⓥ✨ is hacking 🤖
Working on a new history project. A preview: In 1988, a Cornell grad student releases his secret project — a worm — and quickly realizes he fucked up. So he asks his friend, US Olympic rower Andrew Sudduth, to anonymously send this note: From: foo@bar To: TCP/IP mailing list
collin (@libber)
The differences between performing privacy and security work in a big company, for my fellow computer security people: collingreene.com/security_and_p… I'm still newer to privacy work, so this is my "most likely to be wrong" writeup; feedback welcome.
Phil Venables (@philvenables)
Regulatory Harmonization - Let’s Get Real. Most cybersecurity controls are already relatively aligned. The calls for action on harmonization are really problems induced by obligations from other technology risk domains or broader. In many cases, focusing on reducing compliance toil is the right approach. philvenables.com/post/regulator…
collin (@libber)
@jeffvanderstoep Good writeup. Agree that vuln prevention > discovery > response. Curious about:
1. How is "old" vs "new" code designated?
2. How is a specific vuln connected to only old or new code? Or am I misunderstanding?
3. No counterfactual here, right? ex: to find/fix vulns in the old code
Jeff Vander Stoep (@jeffvanderstoep)
I’m super excited about this blog post. The approach is so counterintuitive, and yet the results are so much better than anything else that we’ve tried for memory safety. We finally understand why. security.googleblog.com/2024/09/elimin…
collin (@libber)
@_noid_ I’ve perfected coffee for myself. Foamed Fairlife milk + coconut milk + maple syrup x 3 shots espresso
Hot Fiendish Dr. Noid Summer
Alright folks, I'm having a shitty day. Tell me something good you've got going on in your world right now. Let me hear about your wins and hopefully that turns my day around.
collin (@libber)
@dinodaizovi I like this so much. This fundamental uncomfortable truth then has weird side effects:
1. Buy more snake oil products, because it can't hurt!
2. Use this compliance framework, to at least CYA.
3. Build cool stuff, because it's fun and pseudo-justifiable.
Dino A. Dai Zovi (@dinodaizovi)
The number one reason why good security is hard is that the feedback loop on decisions is long and the signal is low fidelity. It's not clear how many incidents were prevented or mitigated from which foundational decisions years prior. This wrecks the incentives to be proactive.
Misha Davidov 🏳️‍⚧️
Upside: In the morning I get to take a ride in this brand new Rolls Royce Phantom Extended II! Downside: It's to a surgery center. Upside: It's to get a new face! Downside: It's going to take ~7 hours. Upside: Finally being myself. bbiab.
San Francisco, CA 🇺🇸
collin (@libber)
@swagitda_ Walking 1:1s when the weather cooperates and an under-desk treadmill in this WFH world are both very pleasant.
Kelly Shortridge (@swagitda_)
given all the documented benefits of walking on creativity and brainstorming, has anyone tried like… walking offsites? not power walking but the ideal three-mile-per-hour stroll
Dom Narducci (@dnathe4th)
Today in nominative determinism // @wolfejosh
Quoted post from Team USA (@TeamUSA):
.@USA_Taekwondo Paralympian Evan Medell is a man on a mission. “The only reason I’m back is to win gold [at Paris 2024]. That’s it. That’s all I’m trying to do.”
collin (@libber)
@IAmMandatory 'write a short story about a hacker in iambic pentameter' was a top 5 prompt for me today in messing around.
mandatory.bsky.social (@IAmMandatory)
ChatGPT is coming for both STEM and the arts; this shit is impressive as hell.