Notices by Mike Sheward (secureowl@infosec.exchange), page 3

Thinking of entering Rosie in the National Dog Show next year

#dogsofmastodon

“Have we been able to able to contact London?”

“Negative, Commander. All of our primary and backup channels remain down. We have also been unable to make contact with any other British submarines.”

“It’s been four days, now. I think it’s time. It’s safe to assume something catastrophic has occurred.”

The commander looked solemnly toward another senior member of the crew.

“Fetch the letter.” He said.

“Absolutely, sir.” The officer said, moving out of the submarine’s control room.

“You see,” the commander said, addressing the remaining crew. “Every Prime Minister prepares letters of last resort for British Submarines. It contains instructions on what we should do in the event that the government has fallen and we cannot make contact with them. No one has ever opened one of these letters, let alone had to follow the instructions.”

The senior officer returned with a sealed envelope, and handed it to the commander. The commander proceeded to open the envelope. He took out a folded piece of paper and paused.

“We are a family aboard this submarine, and we may be all we have left for one another. For that reason, I will read this aloud, so we all know the plan at the same time.”

He unfolded the paper.

“Here goes,” he said, taking a deep breath. “It reads, HP Laserjet P1102W Self Test and Device Configuration.”

The Commander stopped and looked up.

“I believe they may have put the wrong page in.”

Just watched a gentleman squeeze his Cybertruck into a compact space which leads me to believe we need to clarify the thing that is supposed to be compact is the vehicle, not the brain or penis

The best email you can get from any company is “you haven’t logged into our app for a while, so we are going to delete your info unless you do in the next X days.”

Now that is an indicator of a company that has their shit together.

It shows they are auditing activity.

It shows they don’t want to hoard data.

It shows they are making an effort.

Ironically, it makes me want to sign in and use their stuff more.

ugh

“Whoa, is that the Cheesecake Factory menu or something?”

“Nah it’s just a print out of all the TXT verification records in our DNS.”

Imagine if they had open-enrollment for cyber insurance and the only way you could enroll outside of that window was a qualifying life event. Those events would be stuff like:

1) executive saw a presentation on AI
2) mergers and acquisitions where you were so quick to want to join the networks you didn’t check what you were connecting too
3) company decided to move back to on premises Exchange for some reason
4) executive saw a presentation on blockchain
5) Elon Musk purchases a majority stake in your company

“A key question for the NTSB and Boeing over the coming days will be whether this whole thing could’ve been avoided with the Flex Seal family of products.”

I wrote an LLM usage policy at work today and this is 100% in there

“So it says here you’ve held executive positions at Theranos, FTX and most recently, WeWork.”

“That’s right, I’ve dedicated my career to non-profits.”

Another benefit to being a remote employee is it forces you to be better at documenting things because you can’t just have a passing conversation with someone where a decision is made. Instead, there’s a perfect record of decisions made, concerns raised and who is accountable and oh wow this is another reason some companies hate it.

QEMU IS a generic and open source machine emulator and virtualization tool, it IS NOT a conspiracy theory involving an emu with the highest level of security clearance.

A reminder that if your company experiences a Ransomware incident, technically you should update your privacy policy to include whichever Ransomware group was behind it as a sub-processor

Lots of bad hot takes on LinkedIn (or as I think we’re supposed to refer to it here, the Berksite), regarding social engineering and employee security awareness training post-MGM, “your employees are the biggest risk”, yada yada yada.

Nope.

If a single employee can be socially engineered resulting in such devastating impact, that’s not a failure of that employee. It’s a failure of several layers of people, including some who will have been paid more in a year than the socially engineered employee would have in ten, to allow such a target rich, mission critical environment, to develop without putting proper controls in place to stop an attacker at the first opportunity once they are in.

And sadly, this story will play out hundreds more times, and the “untrained employee” will be thrown under the bus each and every time.

#infosec

I keep forgetting I need to disclose a vulnerability to all physical key manufacturers. Essentially, it's possible to bypass the 'do not duplicate' message stamped into certain keys by taking them to a hardware store and asking a person who works there to duplicate them.

Top 3 most popular enterprise password managers:

3) Slack conversation with self
2) bash history
1) Microsoft Excel

When you think about it, opening the cabin door at 700ft during landing is just the natural progression for those folks who like to stand up and start getting their bags before the plane has parked at the gate

Idea: if you’re being forced to return to an office to work and are also required to be on-call, insist upon commuting into the office before you start work on fixing whatever outage triggered the on-call to make it easier to collaborate with your peers.

“Oh no, site down, that’ll be costing us about $100k a minute - well better jump in the shower, get dressed and head on in, see you in about an hour and a half”

"so since our organization's annual spend with your company is now over a certain amount, you are classified as a 'critical' vendor to us, and we need you to fill out this security survey, or we can also accept a third party audit report like a SOC 2 or ISO 27001, do you have an audit?"

Bartender: "erm"

who called it BGP instead of “fuck around and find route?”