Beau Woods
Connecting hacker & cyber policy communities w/ @cyberstatecraft @iamthecavalry @defcon @supplychainsbx @bsideslv @hillhackers @columbiadefrag ++
Jan 4, 2020 16 tweets 6 min read
The Iranian amateurs are scoring some quick hits, while their professionals are planning. I would expect to see some major impacts from both types of adversaries. Iranian amateurs are going to have a field day with low hanging fruit. I doubt many of them are thinking about prosecution or retaliation right now, so expect to see a lot of attacks from 5kr1p7 k1dd13z, criminals, and probably some of their legitimate professionals.
Jul 30, 2019 12 tweets 7 min read
Airplanes rely on CANbus, a protocol designed in the 1980s with no adversarial threat modeling. Any device that taps into that bus can send commands to any other device, which will happily execute them - without authentication or authorization other than presence on the bus. For instance, we know cars’ engine, steering, and brakes, which use CANbus, can be controlled by sending commands from the radio. This should never happen in normal circumstances, yet it’s possible under adversarial conditions because of the CANbus architecture.
Apr 24, 2019 13 tweets 3 min read
Inspired by a @hacks4pancakes thread.

I end up spending ~$10K/yr out of pocket to speak at and help run conferences. Not for biz-dev, just for fun and to make a difference. Many, many others in the infosec community do too.

Some thoughts from 5+ years of my expensive hobby. Speakers: it’s alright to ask for some help with travel or outright cover it if you’re not telling your company. Worst case the con says no.

I usually ask events to cover travel (except small nonprofits), sometimes an honorarium from _blatantly_ commercial ones.
Mar 22, 2019 13 tweets 8 min read
Yesterday it was revealed that 750,000 @Medtronic pacemakers are potentially vulnerable to unauthenticated radio frequency attack, causing battery drain or altering how it works.

Don’t panic, it sounds worse than it is! fda.gov/MedicalDevices… Mitigating factor 1: The attacker would have to be close to the victim. The RF spec says 20 feet, but we all know that can be extended with a directional antenna and a high power radio. That’s still way less bad than if it’s vulnerable across the Internet. Physical isolation.
Aug 27, 2018 17 tweets 8 min read
This response perpetuates stereotypes about @defcon and about cybersecurity that are no longer true, if they ever were. It puts in writing the degree to which many of their executives and board are ignorant of good security practice in 2018. Let’s start at the top. @thedarktangent is a member of @CFR_org, a fellow with @AtlanticCouncil, former CSO of @ICANN, and advises @DHSgov. These groups aren’t likely to be undermining US national security any time soon.
Jul 19, 2018 62 tweets 12 min read
At the @NTIAgov multistakeholder process on software component transparency. Expecting sparks here today. ntia.doc.gov/SoftwareTransp… Auditing a single application with 100M Lines of Code: 300+ 3rd party components, from 150+ sources, 25% are individuals' names with little more detail.

This is a hard problem for tracking, it's a bigger issue for security and quality.