Adrian Sanabria (@sawaba@infosec.exchange)
🎙️ Enterprise @secweekly Podcast, 🤝 Founder @bsidesknoxville, 🗣️ Faculty @IANS_Security, 🍳 Cooking, 🏎️ F1, ⛰️ Hiking
Jun 8, 2023 7 tweets 2 min read
Forbes just created a top 200 list of the most secure companies.

This will end badly.

H/T @mikepsecuritee

forbes.com/lists/most-cyb…

What happens every time someone claims to be unhackable, or difficult to hack, without exception?

They become a target.

And more often than not, they get hacked. And the only motive necessary was the public statement of confidence.
Apr 6, 2023 5 tweets 2 min read
There seems to be a lot of confusion around what does and doesn't constitute a "data leak" with regards to using ChatGPT and OpenAI's services, so I did a little digging.

This article seems to suggest that, by simply using ChatGPT, Samsung leaked secrets:
techradar.com/news/samsung-w…

If you use ChatGPT's consumer interface (chat.openai.com), your prompt data is opted IN by default. There's a form you can fill out to opt OUT.

If you use OpenAI's API interface (api.openai.com), you are opted OUT by default. There's a form you can use to opt IN.
Aug 1, 2022 30 tweets 11 min read
I've been working on a talk tentatively titled "Myths and Lies in InfoSec"

Some of the research I'll be referencing in the talk was inspired by one particular stat: "60% of small businesses go out of business within 6 months of a data breach"

How do we know a stat is fake? 🧵⏲️

Before we get into hunting for the truth, why do I debunk myths and fake stats in the first place?

I've always had a deep desire to understand how things work, which I think led to computer/IT work, where I did a lot of root-cause analysis.
May 20, 2022 10 tweets 2 min read
You know what pisses me off?

Best practices.

we're WAY too unstable an industry to have any best practices

common practices, sure

but for most of what we call "best practices",

we have little to no evidence they are even effective, much less the "best" way to do something

we call them best practices to get people off our backs and leave us alone

all we have to say is, "well, this is how [bank] does it" and suddenly it's a best practice
Feb 10, 2020 5 tweets 2 min read
Equifax had the staff they needed and the tools they needed. What they lacked were solid leadership and processes. They KNEW Struts was an issue but failed to find it in their environment before the attackers did.

They lacked preparation, experience in using their tools and knowledge of their tools' limitations.

They didn't test or check security controls after putting them in place.
Sep 17, 2019 18 tweets 6 min read
This thread is about #Simjacker.

A good friend asked me what I thought about it and I admitted I hadn't bothered to read up on it.

One of the things we did with @savagesec was that we wrote up advisories for our customers. A lot of them had to do with these 'named' vulns.

My first impression is superficial and not positive. We've got all the red flags here.
🚩named vulnerability
🚩logo (animated, even!)
🚩dark, ominous video
🚩lacking key, important details
🚩lead gen form to download paper
Jul 13, 2019 29 tweets 6 min read
I just found out that Tennessee State Law formally recognizes tomorrow as Nathan Bedford Forrest Day. The general sentiment on Twitter is negative, as he was apparently the first KKK Grand Wizard.

🤦‍♂️

Lovely.

But who was Nathan Bedford Forrest? How did he become the first Grand Wizard? Was the KKK always evil, or did it start out as something else entirely?

Instead of tweeting "Nathan Bedford Forrest is trash and my state is cancelled", I decided to do some research first.
Apr 5, 2019 5 tweets 3 min read
I don't ask for help much, but today I'm asking.

Me and the kids donate a lot of our time to a farm animal rescue called Hooves and Feathers. They've been hit by a sudden tragedy and need some help.

hoovesandfeathers.org

Over the years, this rescue has become more than just a charity we donate our time to on Saturdays - they've become family. Sometimes animals make it and get adopted. Sometimes the abuse is too much and we mourn together. I've worked with some of the most amazing people there.
Dec 11, 2018 42 tweets 10 min read
Alright, today is the day we get to find out if I was right or wrong about the level of dysfunction necessary for the failures that allowed the #Equifax breach to occur.

Why today? Because the House Oversight report has been released. Merry Christmas! oversight.house.gov/wp-content/upl…

Feel free to download a copy and read with me as I go through the report. I predicted 30 failed controls? I'm sure that was just a random number I threw out, but let's see how close I was. #Equifax
Nov 11, 2018 9 tweets 2 min read
Why it will never be the year of the Linux Desktop
1. Install Linux. Works great!
2. Stumble upon interesting software on GitHub.

This looks really cool! You get excited.

3. Tackle 37-step process to build or install involving setenv, sandboxing, $PATH, export, tmux, gem install, apt-get, yarn, CPAN, rvm, nvm, pip, curl tgzs & nodejs to run 50kb of code.
Oct 18, 2018 7 tweets 2 min read
2004 - I remember being so relieved when I could finally stop running my own email server. Why? Because the GMail beta was out and it was awesome.

Goodbye Postfix and Squirrelmail, hello GMail.

Now, it's looking like email servers at home is cool again? thehelm.com

2 My initial response was similar to @iiamit - "wait, what? - Is running a personal server myself really the best option right now?"

But I get it - privacy is an issue that has many people concerned. Still... there's a lot to give up here.
Dec 7, 2017 15 tweets 3 min read
1/ Alright. InfoSec Industry. Mainstream media.
It's time we sit down and have a serious chat.
Almost all your stats and claims are bullshit.

Yes, it's rant time.
Yes, I'm using the patronizing filter, sorry.
My patient filter is all out of batteries.

2/ Breaches are bad. We can agree on this. They're disruptive. They're expensive. They can have a negative impact on reputation (mostly when handled badly).

They're not destroying companies at a horrifying rate, or any rate we can calculate.