Dan Guido
Feb 5 · 7 tweets · 3 min read
Everyone's been sending me the deepfake CFO article. I'm not sure if it's real, so waiting for facts to emerge. But, here's what I'd do if it's accurately reported 🧵
amp.cnn.com/cnn/2024/02/04…
Make sure you follow the four-eyes rule: Use access controls that require two (or more!) person approval for transfers above a risk threshold. Banks like @mercury and @meow make this easy.
Between certain staff (e.g., accountant -> CFO), it may make sense to share a secret passphrase to authenticate each other. If you want to get fancy, share a TOTP seed to reduce the risk further.
PROTIP: Use a generator to make a 16-character alphanum password. Bam, there's your seed.
Invites to the deepfake videocall probably didn't come from the correct addresses: it's still useful to consider mitigating phishing. Great services available from @material_sec, @sublime_sec, and @hoxhunt to pick a few.
Finally, don't give attackers any advantages for stealing valid accounts: require Security Keys for all logins (yes, for everyone). In 2024, it's time.
More: If large transactions are frequent and not out of the ordinary, make a separate process to more strongly authenticate new destinations, likely more rare.
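The shared-seed idea in tweets 3 and 4 (a 16-character alphanumeric secret used as a TOTP seed) and the four-eyes rule in tweet 2 can be combined into one small verification routine. The following is an added example, not code from Dan Guido's thread or from any of the services it names. It assumes the generated seed is used directly as the raw HMAC key (RFC 4226/6238 with SHA-1, 30-second steps, 6 digits), that the seed is exchanged once out of band, and that the approver names and the threshold are hypothetical. Sample values are constructed; the `"12345678901234567890"` secret is the RFC 4226/6238 test vector so the codes can be checked against the standard.

```python
import hashlib
import hmac
import secrets
import string
import struct
import time
from typing import Dict, Iterable, Optional, Tuple

ALPHANUM = string.ascii_letters + string.digits


def generate_seed(length: int = 16) -> str:
    """Random alphanumeric shared secret from the OS CSPRNG (the PROTIP's
    '16-character alphanum password'). Share it once, out of band."""
    return "".join(secrets.choice(ALPHANUM) for _ in range(length))


def hotp(seed: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then dynamic truncation to `digits` decimal digits.
    The seed's ASCII bytes are used as the HMAC key (assumption)."""
    mac = hmac.new(seed.encode("ascii"), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: str, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    t = time.time() if at is None else at
    return hotp(seed, int(t // step), digits)


def verify_totp(seed: str, code: str, at: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps to allow
    clock skew. Uses a constant-time comparison for every candidate."""
    t = time.time() if at is None else at
    counter = int(t // step)
    ok = False
    for k in range(-window, window + 1):
        # Do not short-circuit, so timing does not reveal which step matched.
        ok |= hmac.compare_digest(hotp(seed, counter + k, len(code)), code)
    return ok


def approve_transfer(amount: float, threshold: float,
                     approvals: Iterable[Tuple[str, str]],
                     seeds: Dict[str, str], at: Optional[float] = None) -> bool:
    """Four-eyes rule: a transfer above `threshold` needs two *distinct*
    approvers, each presenting a TOTP code valid for their own seed.
    `approvals` is a list of (approver name, code) pairs."""
    if amount <= threshold:
        return True
    valid = set()
    for person, code in approvals:
        if person in seeds and verify_totp(seeds[person], code, at=at):
            valid.add(person)
    return len(valid) >= 2


if __name__ == "__main__":
    # Constructed demo: two hypothetical approvers with their own seeds.
    seeds = {"accountant": generate_seed(), "cfo": generate_seed()}
    now = time.time()
    both = [(p, totp(s, at=now)) for p, s in seeds.items()]
    one = both[:1]
    print("two approvers, above threshold:", approve_transfer(50_000, 10_000, both, seeds, at=now))
    print("one approver, above threshold: ", approve_transfer(50_000, 10_000, one, seeds, at=now))
```

A code that has already been accepted for one step should not be accepted again within the same window; a production version would record the last accepted step per approver and reject reuse, and would keep the seeds in a secrets store rather than a dictionary.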
More from @dguido

Feb 20, 2022
Here's the most correct recap of what's happening with OpenSea right now.

tl;dr The security of web3 platforms depends entirely on wallets with universally poor security UX, and there's very little the platforms can do about it.
If you're looking for sites to revoke your approvals and limit your exposure to phishing attacks, here are 3 sites that work right now:
If you're building a web3 site, turn up DMARC to a reject and strict alignment policy and monitor it with DMARC Digests, at minimum dmarcdigests.com
Aug 10, 2021
My scooter was stolen last week. Unknown to the thief, I hid two Airtags inside it. I was able to use the Apple Find My network and UWB direction finding to recover the scooter today. Here’s how it all went down:
The theft occurred on Monday night. I went out to dinner and locked it to a grate with motorcycle handcuffs. I find them easier to use than a cable lock, but apparently I forgot to lock one cuff. It was gone after ~2 hours.
amazon.com/gp/product/B00…
No fear! The most important part of IR is preparation, and I hid two Airtags inside the scooter: one “decoy” in the wheel well and a second, more subtle, one inside the stem. Covered in black duct tape, they’re hard to see.
Jul 27, 2020
MDM is a pain in the ass, and we’ve been looking for a new vendor since Fleetsmith was acquired by Apple (and then disabled 90% of their product). Their agent barely worked, and frequently mishandled security updates.
Fleetsmith had clearly become a burning bridge when they failed, again, to apply 10.15.6 to our machines (one of their few remaining features). We found Kandji and within 3 days, their solutions team helped us plan and execute a one-way migration to their product.
In our last meeting, Kandji provided us a custom package to remove Fleetsmith from all our machines and step-by-step instructions for migrating to theirs. Satisfied with our testing and their help, we began migrating immediately.
Apr 26, 2020
We're hired to provide industry-best advice @trailofbits, and that's exactly what we provided to @HegicOptions. How, then, were bugs found in their code mere hours after they deployed it to mainnet? (1/n)
In 3 days earlier this month, we identified 10 critical flaws in @HegicOptions that could harm users. We noted a lack of tests, a lack of documentation, and that the time afforded to review their code was insufficient.

Bottom line: we told them to hold off deploying.
This was the right advice, and we generally expect people to listen to us when they're paying for our help.

Instead, Hegic patched the few bugs we found, made no further changes, misrepresented our 3-day code review as an "audit", then immediately deployed.
Mar 3, 2019
Most people are now aware that @trailofbits conducted a security review of the Bitcoin Cash client on behalf of @BitcoinSVNode. While we cannot release our report in its entirety yet, I wanted to share a few details of what we found…
First, as far as we are aware, this was the first time a professional services firm reviewed the security of a Bitcoin client. We began with a comprehensive review of the bitcoind attack surface and surveyed previous attempts to fuzz it.
Prior fuzzing efforts appeared ad-hoc, did not share their input sets or report code coverage, and referred to outdated, unworking instructions. We identified surprising gaps in coverage when compared to our attack surface modeling and set about to remedy the situation.
Mar 20, 2018
Google sure is good at plagiarizing my work. I released @AlgoVPN, an open-source, self-hosted VPN solution, in 2016. I find it hard to believe @Jigsaw was unaware since I’ve met their engineers more than once.
wired.com/story/alphabet…
Since I released @AlgoVPN, it’s attracted ~7500 Github stars, 700 external contributions from 80 contributors, and endorsements from @motherboard, @kennwhite, @TheRegister, @thegrugq, @TechCrunch, @lifehacker, and more.
I’m proud of what we accomplished but taking @AlgoVPN to the next level requires external funding. I have been relentless in trying to obtain it. I started by recording a podcast, then bundled it with my proposals. georgianpartners.com/the-problem-wi…