Ulisses Albuquerque

Solid advice #SecDevOps

I've never felt this much behind as a programmer. The profession is being dramatically refactored as the bits contributed by the programmer are increasingly sparse and between. I have a sense that I could be 10X more powerful if I just properly string together what has become available over the last ~year and a failure to claim the boost feels decidedly like skill issue. There's a new programmable layer of abstraction to master (in addition to the usual layers below) involving agents, subagents, their prompts, contexts, memory, modes, permissions, tools, plugins, skills, hooks, MCP, LSP, slash commands, workflows, IDE integrations, and a need to build an all-encompassing mental model for strengths and pitfalls of fundamentally stochastic, fallible, unintelligible and changing entities suddenly intermingled with what used to be good old fashioned engineering. Clearly some powerful alien tool was handed around except it comes with no manual and everyone has to figure out how to hold it and operate it, while the resulting magnitude 9 earthquake is rocking the profession. Roll up your sleeves to not fall behind.

> we should start using jira

There is a question around how much of an engineer's day should be reading/understanding vs. writing new code. I think we've biased too far away from reading/understanding existing code to the point where many's only way of understanding a system is to write a completely new one.

When I hear arguments about why a particular site or service should be blocked because it can be used for exfil from Internet-connected workstations:

That's apex Tesla simping

One thing noobie scoobies don't seem to understand is that malware is literally just software. Understandably, that seems kind of obvious, it's in the name — 'malicious software'. But it seems less obvious to some that, in order to write malware, you apply the exact same principles, techniques, and structures that legitimate software uses. Malware is regular ol' programming with some sprinkles of weird stuff. These weird things are documented and shared. Some try to find new weird things. When people ask what language is best for malware... it's kind of like asking 'what's the best ice cream flavor?'. It's entirely subjective. Everyone will tell you something different. You'll notice a lot of people will prefer Chocolate or Vanilla, you may encounter some who like Raspberry Banana Sprinkle Jam-Blam Blast, or Minty Schminty SpongeBob Sticks Bombs, but at the end of the day it's all still ice cream. In it's most simple form, all malware techniques are things legitimate software may do. Ransomware? - Step 1. Enumerate files in a directory - Step 2. Lock and encrypt files Information Stealers? - Step 1. Enumerate files in a directory - Step 2. Upload files somewhere RATs? - Step 1. Make program run at start - Step 2. Execute commands (cmd, powershell, other programs) - Step 3. Upload files somewhere Loaders? - Step 1. Download file from somewhere - Step 2. Run file Everything the malware does is just an expansion of what is explained above. Want to find new malware techniques? Find new ways to execute a process, find new ways to enumerate files in a directory, file new ways to upload files somewhere, find new ways to download files from somewhere, find new ways to write to files or delete files, etc. How do you do this? Read. Read everything. Blogs, Windows documentation, StackOverflow, Wikipedia, our website. Look at every DLL you find on your computer in Ida or Ghidra, just open stuff and look around. Look at other peoples work and see if you can expand on it and find something new. tl;dr learn to code, then learn weird stuff

The highest level of security engineering is proactively building systems that make insecure states unrepresentable, attack classes rendered extinct, vulnerabilities not exploitable, and attack paths not viable for attacker gain.

"The lack of teamwork is not something that the individuals bring to the workplace[;] that failure to work together is the result of how the organization has been setup."

Finally a reason to follow Elon

Maybe it's the algorithm, maybe it's my mind playing tricks on me, but I feel I'm being fed more and more right wing content via suggestions on this platform than ever before... #tinfoil

This guy won’t be buying his own beer for a while! Meanwhile the dickheads he’s schooling can’t order a drink without worrying it comes with extra spit. And quite rightfully from what I hear.

The cybersecurity industry shouldn’t exist. We built the internet wrong, and we can solve most of our cybersecurity problems at their root by rearchitecting technology platforms to be safe-by-default instead of buying security products.

"If cats could talk to cops they wouldn't" Sticker seen in St Imier, Switzerland

Pay for verification and make money off of others that follow you who you’ve convinced to pay for verification

Where @dotMudge makes an important point at @SummerC0n: real data on ATOs shows that SMS 2FA is fine for the vast majority of users. It prevented 100% of 3.3B automated password stuffing attacks, 96% of 12M bulk phishing, and even 76% of <10k targeted attacks seen over last year.

I never thought I'd still be in this cesspool social media platform after 15 years, or that it would be Musk's new plaything...

We are agile.

From a DM, just in case anyone else needs to hear this.