“During this lockdown lots of people became sourdough masters but…what do hackers do when they’re in lockdown? Suddenly they have time, so they hack more!”
“If I buy a toaster I’m sure I’m not expected to get shocked when I plug it in. Why doesn’t the same happen with software? You can get shocked pretty quickly if you make basic deployment mistakes.”
“It was eye opening to hear talks about how human factors can positively impact security, and not just negatively like we usually hear.”
In the intro @thedarktangent explained how ransomware + insurance create an ecology, a viable marketplace. Is this a healthy situation for us?
“We still don’t have a culture on how we communicate downtime, even to customers” @Marmusha
“How to actually fight the fire is still an afterthought.” “We’re creating a fantastic soil for this criminal economy to grow.” “For sure we’ve invested a lot in negotiating ransomware payments, but is that the real place to invest?” @Marmusha
“We’ve seen interesting trends as review board members. Vulnerabilities are harder and harder to find, but it’s great to see new techniques and tools to finally unfold them.” @albinowax
“HTTP/2 is still not getting adopted, and the same goes for IPv6. They seem around the corner, but one day we’ll wake up and they will be there. We should anticipate security research on such technologies” @notameadow
“Why do we still see professionalized fuzzing services not being fully used? Because it’s damn hard to set them up. People should invest time to convert their unit tests into fuzz harnesses.” @Marmusha
“In the academic world we’re seeing ICS security courses to bridge the skill gap.”
“We’ve had lots of good fuzzing talks. How many people here in their organizations embrace fuzzing to find security bugs?” @dcuthbert
“It still takes pressure to get some critical bugs fixed” @albinowax
“Being in this ICS industry for over a decade, I’m shocked to have discovered DDS only now, and to see how much there is left to find in there” @Marmusha
“It’s very difficult for asset owners to understand the impact of a vulnerability, despite CVSS and similar contextual information usually attached to the report” @Marmusha
“Pick some random ancient technology and you’ll find some really good bugs in there. Take the recent findings on sudo!” @dcuthbert
“A lot depends on certificates nowadays, but certificates need an accurate notion of time, and this morning @rfidiot taught us how not to take time for granted!”
“Can we stop with the logos and fancy names for bugs? 😊” @dcuthbert - could not agree more with this, my friend!
“The attack against the Colonial Pipeline is the loudest example of how much concrete impact a cyber attack can have in the real, physical world” @dcuthbert
“We have to care more about ourselves and our employees because at some point security experts may decide to retire in the mountains and enjoy their time.” @notameadow