Profile picture
Robᵇᵉᵗᵒ Graham
@ErrataRob
, 10 tweets, 2 min read Read on Twitter
1/ This comment by Kim and Josh is extremely bad, reflecting the authoritarian nature of today's infosec. The vast majority of WinXP systems have RDP disabled and thus don't need to be patched, for example.
2/ There are many ways of mitigating bugs like this RDP vuln, through microsegmentation of the network, firewalling, hardening the system, disabling features, adding features, and so on. As others have pointed out, this RDP vuln can be mitigated with a simple configuration change
3/ Only a vanishingly tiny percentage of vulns are "wormable" like this RDP vuln. We are talking a couple vulns a year out of the tens of thousands that are assigned CVE identifiers.
4/ In other words, the better health care analogy is how you people don't diet and exercise, not that you refuse vaccines.
5/ I mention this because infosec is full of people who do not themselves maintain systems in operation/production, but instead is full of buttinskies telling people who do maintain these systems how to do their jobs, totally ignorant of the real problems involved.
6/ Infosec isn't even good at doing it's own job. They don't really understand what happened with Heartbleed. They don't understand what really happened with worms like Mirai and notPetya.
7/ The biggest factor in the notPetya spread was the reuse of Windows credentials to spread to other machines, and getting domain admin credentials in particular. A network of 10,000 computers may have only one unpatched system, but be taken down by credential reuse.
8/ But after notPetya, infosec isn't warning people about how Windows credentials spread ransomware, but how the Eternalblue exploited unpatched systems. They ignore the real threats in favor of the political thing of protecting public health by keeping patches up-to-date.
9/ Infosec, when done properly, isn't about avoiding risks, it's about risk management, quantifying risks. Different vulns/patches have different risks. This WinXP/Win7 RDP bug has a critically high risk profile. Other vulns/patches have a lot less risk.
10/ Josh's original comment ignores this, pretending the those resisting patches for small threats would likewise resist patches to protect against critical threats.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Robᵇᵉᵗᵒ Graham
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @ErrataRob see all

Profile picture
Robᵇᵉᵗᵒ Graham
@ErrataRob
One of these days I'm going to do a presentation "Island of Misfit Packets" about the junk that gets sent back when masscanning the Internet. One example is this machine that transmits a flood of FIN packets in response, ignoring my RST packets.
Is it sending a FIN for every one of my RSTs? Or is it just flooding me with FIN packets regardless of what I do? Also, why does it have varying ACK numbers in the FIN packets?
Is this intentional? or is it some accidental thing in a broken TCP stack somewhere?
Read 4 tweets
Profile picture
Robᵇᵉᵗᵒ Graham
@ErrataRob
Legacy compatibility is hard to kill. It's interesting that Microsoft is taking this radical approach to kill it.
It's not enough that Windows 10 fixes all the old SMBv1 problems, it's that the existing SMBv1 implementations in WinXP and Win7 need to be removed from the Internet, so both Samba and Win10 disable compatibility by default.
It's very irritating that even on a Raspberry Pi using the latest "apt install cifs-utils" I have to put "mount -t cifs .... -o vers=1.0" in order to get it to work with old test servers in my environment.
Read 3 tweets
Profile picture
Robᵇᵉᵗᵒ Graham
@ErrataRob
Drafting people with cyber skills is not a rational alternative. While I can imagine they'd ask a commission to consider it, I can't imagine a commission would seriously recommend it.
What I mean is that I don't think the commission is going to end up actually recommending cybersecurity professionals. There's no point in getting angry at stupid government people, because they haven't done anything so stupid yet.
The reason government struggles to get IT/cyber skills is
(a) they are unwilling to pay market rates for such skills
(b) the managers of skilled workers are the typical incompetent government employee that could never get a job outside government
Read 3 tweets

Related threads

Profile picture
Eric JN Ellason
@SlickRockWeb
So finally got to the newest #Hamilton68 wordclouds. A few interesting things to note. First up the subset of #hamilton68 twitter troll accounts focused on US politics. This is 62k tweets from between Feb 27th through Mar 2nd. #infosec #disinfo #osint #psyops
These #Hamilton68 accounts were promoting #cpac2019, not surprisingly the controversy surrounding #IlhanOmar and a couple interesting smaller new hashtags #the200 and #themighty200 that I will discuss later in the thread. Also of note is the minimal attention to Tulsi Gabbard.
Looking at the #Hamilton68 subset of accounts focused on Russian geopolitics the conflict in Venezuela (#HandsOffVenezuela) was featured and new was the conflict between India and Pakistan. The #integrityinitiative continued to be a focus and again Tulsi was not that prominent
Read 16 tweets
Profile picture
Victoria Brownworth
@VABVOX
Today was an awful day.
I am so tired of being #disabled, sick and poor.
It's freaking exhausting.
And everything is worse under this administration.
Before I was paralyzed, when I was upset I would stand in a hot shower and cry.
I miss that.
I miss my other life.
Sigh.
Lack of control is hard.
Pain is hard.
Isolation is hard.
No clear distinction between work & play--you're always in the same place.
There are so many Americans in this same situation--chronically ill with #cancer or something that limits their lives in ways they never expected.
I think about that a lot--how many people are struggling.
Read 3 tweets
Profile picture
Victoria Brownworth
@VABVOX
I was paralyzed on Aug 26, 2016.
It changed my life forever.
Fortunately I was able to access a community of #disabled writers, artists, musicians and more on here.
It helped me survive.
I met the fantastic Alice Wong who does @DisVisibility from whom I have learned so much.
1/
I already knew @nicolaz who is a terrific writer friend and disability rights activist. She introduced me to more people.
One night I met @MortuaryReport on here. Then @Keah_Maria. Then @Tinu. And my dear friend @PKhakpour.
And everyone's best activist pal, @morethanmySLE.
2/
I watched @Mattbc do extraordinary work pro bono for people. @Nataliew1020 models every day what it is to love your severely #disabled child with all your heart.
And so many others dealing with chronic illness and #disability and mental illness--all helping others to navigate.
3/
Read 9 tweets
Profile picture
No "boo" is scarier than the 53%
@NoTotally
"Why are they still trying to push Kavanaugh through?" I mean, at least part of it is that the GOP, as a party, is addicted to the pain of anyone below their line of demarcation between "human" and "subhuman."
Like, I think I've given too many people the benefit of the doubt for too long; I've spent a lot of time and energy believing that there are misunderstandings at play, and that eventually we can convince them of our humanity. I don't think that's the case.
Here's a thing: the dialogue- such as it is- from that side can be broken down into two broad categories: defining people as subhuman, and rejoicing in those people's pain.
Read 15 tweets
Profile picture
Victoria Brownworth
@VABVOX
#DyingIs
Being sick in America.
Being poor in America.
Having your healthcare stolen in America.
#GrahamCassidy
1/
#DyingIs
Having the Speaker of the House lie to America repeatedly & no one hold him accountable.

2/
#DyingIs
Knowing if I were screaming "Help me! I’m dying!" SOMEONE would try to save my life, but people will let #GrahamCassidy pass. 3/
Read 51 tweets

Trending hashtags

#infosec #Amazon #SecurityExperts #the200 #GOP #Hamilton68 #disability #InfoSec #icssecurity #DisabledTwitter #cybersecurity #baseline #LSD #PTSD #HappyNewYear #disabled #GrahamCassidy #SinglePayer #HiddenCurriculum #womenintech #IndivisibleTimes #trans #ThursdayThoughts #cpac2019 #survivor
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!