
Anant's Social Feed

Anant Shrivastava aka anantshri
@anant@anantshri.info

Researcher | Trainer | Security Professional | Developer | Admin


I talk about #linux, #Security, #infosec, #android, #androidsecurity, #PKM and a lot more.

I participate in https://null.community

:linux: :debian: :ubuntu: :vim: :wordpress: :macos: :terminal: :python: :android: :fediverse: :mate: :obsidian: :pi:



#fedi22

Joined Nov, 2022
Followed by 240
Following 649
Posted 858

Latest public posts/status

Anant Shrivastava aka anantshri @anant@anantshri.info
Jan 29, 2023, 22:31

What @ivory is doing to people is what @sengi_app did to me when I made yet another attempt to stick around the fediverse.

People want familiar-looking tools to continue using environments that are similar in nature. Also, the expectations from open software are generally higher than those from closed software stacks, as in the open-source world the expectations are heard and changes are made if requested.

Anant Shrivastava aka anantshri @anant@anantshri.info
Jan 29, 2023, 22:22

With the wave of #mastodon third-party clients, some of them interoperable with other #fediverse software, I now think we also need intermediaries like IFTTT, Buffer and the like to start embracing fediverse identities, and then the world will suddenly start looking a lot different. Right now they do support fediverse entities as input because most entities are openly accessible via #RSS, but more active support would definitely help.

Anant Shrivastava aka anantshri @anant@anantshri.info
Jan 29, 2023, 18:22

Boring Appsec by @JubbaOnJeans@twitter.com is back with an interesting article, "Is your champions program running out of steam?": if your org is running or planning to run a Security Champions program, do read this article. It has not just information but practical knowledge that can be immediately put to use in your environment.

https://boringappsec.substack.com/p/edition-15-is-your-champions-program

The 2 most important highlights for me:

  1. Every security champions program should have 3 critical components: a well-defined charter provides everyone clarity, thoughtful enablement adds value to champions and gives them a community feel, and good measurement helps justify the effort put in.

  2. The frameworks presented here can be useful, but I want to emphasize that building a Security Champions program is an execution game. You will need to plan, execute, refine and execute again.

#appsec #securityengineer #championsprogram #securitychampion #infosec

Anant Shrivastava aka anantshri @anant@anantshri.info
Jan 29, 2023, 18:20

This week was spent consolidating my blog posts, reducing the subdomains and domains in my portfolio. I made the heartbreaking decision that something which had been an "I will do this one day" project for the past 9-10 years, I had better let go.

One week later: 2 domains and a few subdomains lighter. Onwards to the next steps.

Anant Shrivastava aka anantshri @anant@anantshri.info
Jan 28, 2023, 22:00

@liztai My approach:

I am okay using plugins which bring stuff in as markdown.
I am okay with plugins like Tasks or Dataview where I am making queries to visualize my stuff (less reliance is better).
I am not okay with plugins which move stuff around in a non-markdownish way so I can't use the vault anywhere else.

A quick check indicator for you: if you can use your vault with Logseq, you should be in good shape.

However, after spending nearly a year with Obsidian I have made peace with its usage for now, and I am using about 16 plugins inside Obsidian right now.

Anant Shrivastava aka anantshri @anant@anantshri.info
Jan 27, 2023, 22:19

Kali - Purple is in the works
https://gitlab.com/kalilinux/documentation/kali-purple

Good to see #KaliLinux (successor of #BackTrack, #Knoppix, WHAX, Auditor Security Collection), which was mainly focused on #pentesters, #dfir and #offensive work, embracing colors other than red. This move is also, IMHO, an indicator for the industry that purple is where things are. Moving to #defense and providing tooling for #actionabledefense is the way forward.
We at #Infosec have been too attack-focused and attack-celebrating. These subtle shifts and realignments of focus are, for me, also signs of maturity and of the understanding that offense is glamour but defense is where the work is. People need to start getting good at defense; as much as we would like to push boundaries on offense, we should be pushing boundaries on defense too.

Anant Shrivastava aka anantshri @anant@anantshri.info
Jan 27, 2023, 18:08

Listening to how aircraft technology has evolved over time. It makes me wonder how much we at #infosec are still in the infancy of this domain.

My understanding:
1. Automation is an eventuality.
2. Converting the loved art into science is needed.
3. Mass usage or adoption comes with regulation. So expect regulations.
4. Regulations feel like they suffocate innovation. (We need a sweet balance.)
5. We need stable bases to deal with things, not a new-shiny-my-precious attitude for everything.
6. Building on top of what exists will make more sense going forward instead of reinventing the wheel.
7. Either make this field an intensely competitive industry or the world will make it a monopoly or duopoly field.

#my2Paisa #futureoutlook

Anant Shrivastava aka anantshri @anant@anantshri.info
Jan 22, 2023, 20:25

Finally someone found the most severe bug in KeePass. "KeePass is unsafe" has been the gripe of a lot of people, and it is proven now.

"CVE-2023-24055" shows that it's trivial to extract the password dump from KeePass.

/s

Note:

  1. If you are outraged by the above, you ought to start reading the full message before your outrage.
  2. Re-read the CVE details before enraging. It's disputed. https://nvd.nist.gov/vuln/detail/CVE-2023-24055
  3. KeePass documents this threat scenario very well: https://keepass.info/help/kb/sec_issues.html#cfgw

TL;DR: the bug is a bogus bug where effectively I have write access to the user's data dir, and I am able to pull off a lot more than just an XML file edit, so the specific bug is a non-issue. As KeePass also says, "KeePass cannot magically run securely in an insecure environment".

This is an exercise done to see if people on Twitter open the link before responding and if people on the fediverse expand the message before responding.

#appsec #keepass #security #infosec

Anant Shrivastava aka anantshri @anant@anantshri.info
Jan 22, 2023, 11:32

The best protection an organization can offer for your personal data is to not collect the data at all.

GDPR was one good step; we need more such forces which make organizations rethink: do we really want to keep this data and deal with all the hassles of government regulation, or find a way to not store data yet still offer services to users?

Understand that orgs are not fearful of paying a sum, however large it might be. What they are fearful of is the process and documentation, because that has the potential to bring in a lot more attention than they would want.

Retaining minimal data should be the norm, not the exception.

We need more:
1. Legislation which makes it hard for orgs to hoard data.
2. Simpler ways to take ownership of your own data and make calls about what is to be shared and what is not.

#fediverse is an example in the right direction, but still the entry barrier is too damn high. We need simpler turnkey solutions that people can use to distribute the power away from central agencies.

#ownTheData #appsec #dataprotection

Anant Shrivastava aka anantshri @anant@anantshri.info
Jan 21, 2023, 16:31

"I don't know" is a valid answer to a lot of questions. I am a big fan of saying that as an answer to things instead of BS'ing my way around the question.

However, here is a crucial thing most people forget.

What is the next step?

My understanding and approach is:
1. If you don't know the answer, say it out loud: "I don't know".
2. Append "But I will find out".
3. Don't just say it, mean it and go for the hunt. Find the answer to that question. Dig deep, but do find that answer, so the next time someone asks that question you don't have to say "I don't know".

Ways to acquire such answers:
1. Ask your peers.
2. Ask your seniors / mentors / known people.
3. Ask in public.
4. Research yourself.
5. Experiment yourself.

Move away from the point of "I don't know"; reach somewhere else.

Not knowing something is fine; not being able to understand something is also fine. What is not fine for me is that you are aware that you don't know but you are still not making an effort to know about it. If at the end you don't fully understand it, that is also fine, but now you don't have an "I don't know" state, you have an "I don't fully understand it" state.

#knowledge #acceptingIgnorance
