Paul MARTY (@0xpaulm)'s Twitter Profile
Paul MARTY

@0xpaulm

AppSec and bug bounty @doctolib

ID: 35809490

Link: https://yeswehack.com/programs/doctolib-public-bug-bounty-program
Joined: 27-04-2009 18:00:14

106 Tweets

384 Followers

3.3K Following

Katie🌻Moussouris (she/her/she-ra/she-hulk) 🪷 (@k8em0):

Security Comms fail:

If you have enough info to know I’m not affected, don’t send a security notice.

Doing so trains users to click through & take no action.
Don’t do it.

Example of unnecessary security communication that will drive target users to ignore warnings over time:

Clint Gibler (@clintgibler):

💰 How to make cyber crime more profitable thaddeus e. grugq describes how FIN7's operational innovations (resources/personnel), not technical ones, made them more 💸 * Scaling your attacks across many targets * JIRA used to track victims * and more sec.okta.com/articles/2020/…

Hash Miser (@h_miser):

Threat level: very worried. CVE-2020-16947 - "Microsoft Outlook RCE Vulnerability" allows attackers to send specially crafted emails that can execute commands when opened in the Microsoft Outlook software. This attack also works when an email is viewed in the preview pane.

nilØx42 🚫 (@nil0x42):

ReconNote - Modern target recon automation for bug-bounty hunters 🤩 github.com/0xdekster/Reco… - by Prasoon Gupta #AttackSurface #InfoSec #hacking #bugbounty #bugbountytips

Jack Rhysider 🏴‍☠️ (@jackrhysider):

Me: Here you go boss.
Boss: What's this?
Me: This is the best I could do with the security budget you gave me. Maybe next quarter we can make it better.

Rohit (@sec_r0):

Web Authentication Methods, there are a lot of them. 
The most confusing one is OAuth.
I have it covered in my Zine. Here is the Teaser, Releasing soon.
Follow for updates. 😉

#infosec #security #BugBountyTips #BugBounty #bugbountytip #web #webcomics

Quentin '🐧' ADAM (@waxzce):

Biscuit, the foundation for your authorization systems clever-cloud.com/blog/engineeri… // This is the future of authentication and authorization at Clever Cloud and we open source everything around it :-)

Andy Greenberg (@agreenberg at the other places) (@a_greenberg):

In 2011, RSA was hacked by Chinese spies, who stole the "seed" values used to generate codes on SecurID 2fa tokens, shocking the security world. Now, after 10 years, the NDAs of the staff involved have expired. This is the untold story they shared with me: wired.com/story/the-full…

Florian Roth ⚡️ (@cyb3rops):

If you work in a SOC, print out this screenshot & pin it to a wall in your office.

Two important observations:
1. Generic rule matches can uncover unknown threats
2. It’s hard to distinguish threats from legitimate software (mainly b/c the latter is often crap)

Arnaud Héritier (@aheritier):

If you have a blue screen of death at startup time with @Doctolib on iOS 17, let us know if 17.0.1 solves it. We don’t (yet) reproduce the issue internally and it seems it could be a Safari issue (dirty caches or similar).

YesWeHack ⠵ (@yeswehack):

Have you noticed? Doctolib has doubled the max reward for its public #BugBounty program to €50K in October! Perfect timing to share our must-watch interview with CISO Cedric Voisin & Senior Product Security Engineer Paul MARTY on #Doctolib’s five-year Bug Bounty journey ⤵

Zach Morris Wilson (@eczachly):

Six years ago, I worked for InfoSec at Netflix making over $500k/year in cash salary when I was 24. 

I won’t work in cybersecurity again for the following reasons: 

- Unclear measurements of success
Best case scenario in cybersecurity is nothing bad happens. Measuring nothing