For many years I’ve owned a pair of 1964 Lincoln Continentals. Hawaii is unkind to classic cars and they fell into disrepair. So in mid-Feb I shipped them to San Diego to begin a complete 6mo restoration process. I'll update this thread periodically with pics of the process.
In the meantime, I of course needed something to drive. In the most amazing bit of luck, at about the same time I found one of my bucket list cars — my unicorn after searching for 20+ years. A fully customized 1950 Mercury, black with flames. It’s like a real-life hotwheel.
The Lincolns successfully made the long journey to the restoration shop where they’re fully inspected.
Disassembly begins!
Removed literally hundreds of pieces of chrome and sent everything off to be redone — like new ($$$). The amount of rust on both cars is quite severe, but knew that going in, and it’ll take a massive amount of metal work to repair.
Body work on the previously purple Lincoln nearly complete. It’s getting exciting now! A week or two away from the paint shop.
Over the last several years, tons of insurance carriers rushed into the cyber market to take advantage of corp demand. The market grew incredibly fast (still is!). Many carriers signed up clients with bad risk profiles and are now suffering the financial consequences of breaches.
Consequently from all the ransomware, etc… we should expect many cyber-insurance carriers to exit the market over the next couple years. Some carriers fared way better than others. It’s basically a shake out between those able to identify good risk vs bad.
And when this happens, the market for cyber insurance policies will become just that much more demanding in terms of what security controls a company must have in order to get liability coverage, or coverage at the level they need.
When I first started training Brazilian Jiu-Jitsu, I'd get tapped 20 times a class. While it was still fun, let me tell you being tapped repeatedly every night for months sucked. I’m not going to lie, it was incredibly discouraging and I contemplated giving up many times. /1
I discussed this with my instructor, who gave me one of the greatest BJJ and life tips. He said instead of thinking of BJJ as getting a tap or being tapped, track progress by how many fewer times you get tapped each night, and how long you survive between taps. So, I did. /2
Sure enough, 20 taps a night became 15, and then 10, then 5… and after a long while, I’d only tap once or twice. Eventually a few nights a week I wouldn’t get tapped at all! Just being able to survive, especially against a bigger and better opponent, is a tremendous win. /3
Right now we’re at the birth, or very very early stages, of an industry called “Attack Surface Management (ASM).” I know what this feels like and looks like having also been present at the birth of the “Application Security” industry. /1
How the ASM market will evolve over time will be a fascinating experience as it’ll have an enormous impact on essentially every adjacent market of the Information Security industry — and the overall security posture of the Internet. Here’s how I think things will play out… /2
As things are today, very few organizations of any size know their attack surface. Said another way, organizations have limited visibility of their Internet-connected assets, what they do, what they’re running, who is responsible for them, what they’re worth, etc. /3
I remember when @BillGates published the Trustworthy Computing Memo in 2002, changing Microsoft’s course. As the @WhiteHouse just posted “Executive Order on Improving the Nation’s Cybersecurity”, it feels like a similar moment and being taken seriously.
Remove barriers to threat intel sharing, mandatory breach reporting, develop standard DFIR playbook, use Zero Trust, use The-Cloud, do MFA, do EDR, do data encryption at-rest and in-transit...
… require software security testing, establish a Cybersecurity Safety Review Board, and experiment with consumer product labeling.
Security vendors in certain market segments are going to win ENORMOUS contracts. But will any of this result in fewer and less impactful breaches?
“Today’s” ransomware tools were built using the profits from “yesterday’s” attacks. Consider how much in BTC ransomware groups received in 2015-2020. This period BTC went from a couple thousand to tens of thousands. They made billions, and likely sitting on billions more.
Ransomware groups have crazy R&D budget access and as BTC rises in value, it gets just that much more powerful. For the foreseeable future, we’ll be fighting against some of the most powerful cyber-criminal tooling we’ve ever seen.
2013 example: “CryptoLocker, in an attempt to gauge the operators' takings. The four addresses showed movement of 41,928 BTC between 15 October and 18 December, about US$27M at that time.” en.wikipedia.org/wiki/CryptoLoc…
In 1999, Microsoft was ruled a monopoly. In 2002, Bill Gates announced the Trustworthy Computing Initiative. Over the next decade they made great improvements in software security. No one disputes this...
However, nearly 20 years since TWI a large number of 0-days are floating around and hundreds of thousands of companies are getting hacked. Millions of people too. And of course, this isn’t just restricted to Microsoft — other companies are decades behind.
Bottom line. Software security problems and breaches, whether caused by 0-days or anything else, aren’t going away anytime soon. More software is going in every day, other software is being EOL’ed without being removed.