collin (@libber)
342 posts
Joined September 2007
516 Following, 2K Followers
collin (@libber):
@tqbf + pass them on to your children
collin (@libber):
@ZackKorman @IceSolst Enjoyable writeup. I feel the same way about the paperwork theater of compliance stuff. I felt slightly better when I accepted that security != compliance and just think of it as a different thing: collingreene.com/compliance.html
Zack Korman (@ZackKorman):
Here’s a thread about how I approached getting ISO27001 certified at Pistachio, written for people who hate these things as much as I do. As @IceSolst says, ACAB includes auditors.
collin (@libber):
@intoverflow Extremely cool. I've long harbored a dream of a coffee table hacking tales book with the benefit of full knowledge + hindsight of 10 interesting breaches or events or something. If this project is that, I want to read it even more!
Tim Carstens Ⓥ✨ is hacking 🤖:
Working on a new history project. A preview: In 1988, a Cornell grad student releases his secret project, a worm, and quickly realizes he fucked up. So he asks his friend, US Olympic rower Andrew Sudduth, to anonymously send this note:
From: foo@bar
To: TCP/IP mailing list
collin (@libber):
The differences between performing privacy and security work in a big company, for my fellow computer security people: collingreene.com/security_and_p… I'm still newer to privacy work, so this is my "most likely to be wrong" writeup; feedback welcome.
Phil Venables (@philvenables):
Regulatory Harmonization - Let's Get Real. Most cybersecurity controls are already relatively aligned. The calls for action on harmonization are really problems induced by obligations from other technology risk domains or broader. In many cases, focusing on reducing compliance toil is the right approach. philvenables.com/post/regulator…
collin (@libber):
@jeffvanderstoep Good writeup. Agree that vuln prevention > discovery > response. Curious about:
1. How is "old" vs "new" code designated?
2. How is a specific vuln connected to only old or new code? Or am I misunderstanding?
3. No counterfactual here, right? e.g. to find/fix vulns in the old code
Jeff Vander Stoep (@jeffvanderstoep):
I’m super excited about this blogpost. The approach is so counterintuitive, and yet the results are so much better than anything else that we’ve tried for memory safety. We finally understand why. security.googleblog.com/2024/09/elimin…
collin (@libber):
@_noid_ I've perfected coffee for myself. Foamed Fairlife milk + coconut milk + maple syrup x 3 shots espresso
Hot Fiendish Dr. Noid Summer:
Alright folks, I'm having a shitty day. Tell me something good you've got going on in your world right now. Let me hear about your wins and hopefully that turns my day around.
collin (@libber):
@dinodaizovi I like this so much. This fundamental uncomfortable truth then has weird side effects:
1. Buy more snake oil products, because it can't hurt!
2. Use this compliance framework, to at least CYA.
3. Build cool stuff, because it's fun and pseudo-justifiable.
Dino A. Dai Zovi (@dinodaizovi):
The number one reason why good security is hard is that the feedback loop on decisions is long and the signal is low fidelity. It's not clear how many incidents were prevented or mitigated from which foundational decisions years prior. This wrecks the incentives to be proactive.
Misha Davidov 🏳️‍⚧️:
Upside: In the morning I get to take a ride in this brand new Rolls Royce Phantom Extended II! Downside: It's to a surgery center. Upside: It's to get a new face! Downside: It's going to take ~7 hours. Upside: Finally being myself. bbiab.
collin (@libber):
@swagitda_ Walking 1:1s when weather cooperates and under desk treadmill in this wfh world are both very pleasant
Kelly Shortridge (@swagitda_):
given all the documented benefits of walking on creativity and brainstorming, has anyone tried like… walking offsites? not power walking but the ideal three mile per hour stroll
Dom Narducci (@dnathe4th):
Today in nominative determinism // @wolfejosh
Team USA (@TeamUSA):
.@USA_Taekwondo Paralympian Evan Medell is a man on a mission. "The only reason I'm back is to win gold [at Paris 2024]. That's it. That's all I'm trying to do."
collin (@libber):
@IAmMandatory 'write a short story about a hacker in iambic pentameter' was a top 5 prompt for me today in messing around.
mandatory.bsky.social (@IAmMandatory):
ChatGPT is coming for both STEM and the arts, this shit is impressive as hell.
collin (@libber):
Shift left in 60 seconds - libber.org/shift_left_in_… I've had success with shift left as a central strategy of infosec teams for the last n years and attempted a tl;dr of it without marketing fluff.
collin (@libber):
@philvenables I think marketing has made it seem vague; imo it's concretely about more security for less effort, earlier (thus less realized risk), and feedback loops to have all stages improve: libber.org/shift_left_in_…
Phil Venables (@philvenables):
Often a better way to think about the vague concept of "shift left" is for the goal to be to move more security from run time to build time.
collin (@libber):
@theharmonyguy I've listened to hours of the same song because it's what Apple Music plays when I plug my phone into the car. Amusing little routine of modern life.
Joey Tyson (@theharmonyguy):
Me in the car: *plugs in iPhone, listens to music while driving* Me 20 minutes later, getting back in the car: *plugs in iPhone to pick up playlist where I left off* Apple Music: “Ah you clearly now want to hear random songs in your library you haven’t played since college!”
collin (@libber):
@ryanaraine Yeah, it might look a bit random but our Red Team X does security research on a bunch of things we might consider using. This turns into CVEs in software, firmware, hardware, consumer devices etc.
Ryan Naraine (@ryanaraine):
Why's the Facebook offensive security research team breaking into Schneider Electric PLC boxes? Or Airspan 4G access points? Such odd target choices. engineering.fb.com/2022/07/20/sec…