Alex Gaynor

@alex_gaynor

software engineer, security engineer, and generalist trouble maker. we are all responsible for the choices we make.

here
Joined May 2008

Tweets


  1. Pinned tweet
    9 Dec 2019

    I still regard Twitter as a net-negative force. But it's also a very loud megaphone, and I've got enough things to say that I don't want to keep giving that up.

  2. 15 hours ago

    Which parts of a situation were predictable a priori is never as easy as we like to think it is.

  3. 15 hours ago

    There'll be lots of Iowa takes this morning. Try to remember you (and everyone else) are operating on limited facts. In any environment, but particularly this one, please give weight to "Hindsight biases post-accident assessments of human performance":

  4. 29 Jan

    Just yesterday Apple disclosed 23 vulnerabilities in iOS. Two-thirds were due to memory unsafety. Migration away from C/C++ simply must be a priority: And journalists should ask Apple whether they're funding teams to do this work. And if not, why not?

  5. 29 Jan

    You can't talk about exploits like this one, the one targeting Uyghurs, those targeting journalists, and others without talking about how preventable they are. The memory unsafe languages used by Apple and others are a massive enabler for exploitation.

  6. 23 Jan

    Fantastic paper. Has anyone done the analysis to see whether this impacts Privacy Badger as well?

  7. 22 Jan

    Via the extremely normal process of "have a friend who works at AWS", they were able to reach directly out to an engineer on that team to resolve the issue. Yay for happy endings. For some values of happy at least.

  8. 22 Jan

    It has been suggested I should pay for AWS support. I do not need support. I need AWS to fix the fact that between 1:54pm and 2:23pm their product stopped working. Status page: Service is operating normally. Naturally.

  9. 22 Jan

    Go to make an AWS forum account. "Your account is not ready for posting messages yet". "If you recently activated your AWS forum account, you might not be able to post messages for a few hours." How is this kafkaesque nonsense acceptable when _their product is not working_? 2/N

  10. 22 Jan

    AWS CodeBuild is currently setting CODEBUILD_RESOLVE_SOURCE_VERSION to a hash of all 0s. This is not on the AWS status page (of course). I don't pay bonus money for AWS support, so the answer for "our product is broken" is "post in the forums". 1/N

  11. 22 Jan

    I pray that if WhatsApp is serious about not being a vector for authoritarians to conduct surveillance (as their lawsuit against NSO indicates), that they have a fully funded engineering team working to replace all code in memory unsafe languages that processes remote packets

  12. 20 Jan

    For web apps, real-world exploitation is generally considered catastrophic, and would lead to serious self-reflection and need for reforms. For browsers, real-world 0day exploitation is a somewhat regular occurrence, and doesn't seem to lead to the same public self-reflection.

  13. 20 Jan

    I've had the fortunate opportunity to work on security for both web apps as well as for client software (web browser). There is a fundamental difference between how the security teams for these products carry themselves, and it is fascinating to me:

  14. 17 Jan

    Looking forward to participating in the security panel at the upcoming DC area Python2 EOL Mini Conference:

  15. 15 Jan

    An implicit belief many people have about software security: Vulnerabilities exist almost entirely in legacy code, new code doesn't have many vulnerabilities. Therefore we just need to burn down the existing vulns and we'll be good. In reality, new code often introduces vulns.

  16. 11 Jan

    There is _zero_ empirical support for the idea that memory safe and unsafe languages are equally susceptible to critical vulnerabilities. Just read the feed. I'm confident that many attack surfaces could have an 80% reduction in vulns in a memory safe language.

  17. 11 Jan

    Complex systems are heavily and successfully defended against failure. Building secure systems must rely on more than just trying hard not to make mistakes. Memory unsafe programming languages are always a single missed bounds check from catastrophe.

  18. 11 Jan

    As happens anytime I make an anti-C/C++ argument, folks have chimed in to say "it's not the language's fault, it's the developers making mistakes's fault". This position is wrong for at least two reasons:

  19. 10 Jan

    Millions of dollars are spent on fuzzing, red teaming, exploit mitigations, and bounties. Nevertheless, based on the (limited) public record, the majority of 0days seen in 2019 can be blamed on memory unsafe languages. Make 2020 the year you start abandoning C and C++.

  20. 24 Dec 2019

    In January, I wrote my Security Wish List for 2019. Now, as the year draws to a close, I'm looking back on how we did: We're still far too willing to play whack-a-mole with vulnerabilities. I hope in 2020 more people will admit that we have a problem.

  21. 17 Dec 2019

    It is remarkable to me how many Googlers I know who feel (a) there's no other place they could do the technical work they're doing (particularly on infosec), (b) they object to a great many things Google itself does. No other company I know engenders this reaction from its staff.
