Ok, this is great.
ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ 
@DanielMiessler
Most companies are not Uber this morning as a matter of luck, not skill.
This could easily have been ~90% of organizations.
Don’t point and laugh. It could be you next time, and it might be already.
We just trained millions of people to scan arbitrary QR codes.
This week the internet has learned—once again—that asset management is the center of security.
It’s hard to patch what you can’t find.
This is why you don't build secretive, all-powerful surveillance tools.
You never know who's going to get keys.
Someone shared this in our community just now. Genius.
Google's search engine is jumping the shark.
1. Half the page is ads.
2. There's one result on the page.
3. Then recommendations for more questions.
It's almost like their mission is to sell ads rather than organize information.
What's better? Startpage? Kagi? Something else?
Every Sunday I put out a curated list of the most interesting stories in infosec, technology, and humans.
Enterprise Vulnerability Management
In the battle of dystopias, Orwell argued that we would be denied knowledge. Huxley argued we wouldn’t even want it.
Huxley is winning.
The Difference Between the Internet, the Deep Web, and the Dark Web (Darknet) | danielmiessler.com/study/internet #infosec
This is the best security tool released in probably 10 years. Maybe longer.
It’s Nessus—except transparent and automatable—and for AppSec as well.
This administration is doing some kind of meeting where they tell the public what they're doing. (weird)
OH: “Schrodinger’s Backup: The condition of any backup is unknown until a restore is attempted.”
I created a visualization that security people can use to help people improve their password/auth hygiene.
danielmiessler.com/blog/casmm-con #infosec
Holy crap!
🛡️Microsoft just released a Security-focused chat interface called Security Co-Pilot!
❓You can:
- Vuln information
- Incident information
- Reverse engineering
- Etc
Millions of people clicking "Accept All Cookies" all day long is not improving anyone's security.
This is the new textbook example of security being in the way, and not exploring the tradeoff between efficacy and experience before making a policy change.
My summary of the Meltdown / Spectre situation for those who cannot (or don't have time to) read the papers.
danielmiessler.com/blog/simple-ex #infosec
Saying Goodbye to Google Services | http://t.co/ifh5M9cM3q http://t.co/QP3tyno5HY
“What one programmer can do in one month, two programmers can do in two months.”
– Frederick P. Brooks
💡🤝💪Being mentored by someone ahead of you can change your whole trajectory, but there are good and bad ways to do it.
📄
Here are the main things to do—and avoid doing—when contacting and working with a mentor.
I’m not sure who needs to hear this, but when you’re typing in iOS, you can use the space bar as a mouse.
[ TUTORIAL ] amass — Automated Attack Surface Mapping
The first in my new tutorial series on OSINT/Recon tools, and this one is on amass!
danielmiessler.com/study/amass/ #infosec #tutorials
Twitter is a bowl of ice cream.
If you have one every once in a while, it’s pure magic.
But if you eat it for every meal, in place of better foods (like doing your own projects), there is a 0% chance you won’t feel like garbage.
Do not eat too much Twitter.
What if I told you that the vast majority of your privacy risk comes not from the seedy darkweb, but from completely legal data brokers?
Finally finished a piece I've been wanting to write for years!
It's a capture of the key skills that security managers are constantly asking their people to do, and therefore the skills that new applicants need to be ready to do on Day 1.
danielmiessler.com/blog/day-1-ski #infosec #jobs
The more creatively you pay for your tickets to DEFCON the more you’re showing you deserve to be there.
Hacking has always been about doing unexpected things in the name of curiosity.
The idea of demanding “traditional” behavior from hackers is the epitome of losing the plot.
Hey you.
...
Yes, you.
...
It’s going to get better.
You’re going to be awesome in 2021.
I know it.
We've been saying for years that it's bad for ads to be able to run code on your machine. And has been aggressively pro Ad Blocking for years.
But who would have guessed that 2018 was the year that using an Ad Blocker defends your kernel memory?
If you’re feeling lonely this Christmas, I think you’re awesome. And I’m glad you’re in the universe.
Feel free to DM if you want to chat.
If you can work from home consider yourself lucky.
There are millions of people in the service industries right now who are every day making the choice between potentially getting (or spreading) a sickness, and paying bills.
This thing will be so much worse for them.
A lot of ransomware gangs have suddenly and mysteriously found Jesus.
I just put out v1.0 of my AI Attack Surface Map that goes over the following:
🤖 The primary components of AI attack surfaces
🔓 Learn about AI Assistants, Agents, Tools, Models, and Storage
🎯 Explore various attack methods and their potential impact
danielmiessler.com/blog/the-ai-at
If you can’t produce an asset list then save the money you would have spent on pentests and download a copy of the CIS Top 20 Controls.
Then start at the top, where it says to create an asset list.
We're elated to announce the release of the OWASP IoT Top 10 for 2018!!!
This release focuses on simplicity and usability, with a list that combines the top issues facing manufacturers, enterprises, and consumers.
owasp.org/index.php/OWAS #iot #infosec
Just updated my tcpdump primer for the first time in 10 years. Now includes a better TOC and new filters!
danielmiessler.com/study/tcpdump/ #infosec
You want to know a liberal, big-government, pro-environment policy that I would LOVE to see?
A BAN ON PAPER JUNK MAIL
I'd vote for that shit instantly.
Google has so little money that they had to fill this page with ads to the point of only having 1 actual result.
One result on the entire page.
The rest is ads.
How-to-exit-Vim — A comprehensive guide to exiting Vim.
It’s 11x more glorious than you’re thinking right now.
github.com/hakluke/how-to #vim
AWS banning Parler from their platform is not censorship because there are countless other providers that will host them.
Individual providers are not required to host anyone. It’s their choice who to take on as a customer.
They are not the government.
✅I'm calling it now. Hottest development positions for the foreseeable future (12 months?)
⛓️langchain.ai Developer.
⚒️If you can create AI tooling using Models, Agents, and Tools you can basically set your own prices.
💶 Like seriously $1-5 million a…
Doing pentests on orgs with no security is like doing full genome analysis on morbidly obese people.
You're wasting valuable time and money by not jumping directly to diet and exercise.
The pentest industry thrives off the false belief that the problems are hard to find.
Genetic Algorithms Could be More Significant Than Machine Learning danielmiessler.com/blog/genetic-a cc:
If Trump destroys the world at least I won't have to accept any more website cookies.
The first rule for implementing something with machine learning or blockchain…is to figure out if you can implement it without machine learning or blockchain.
🤖This is my new essay on how AI is going to eat most existing software. Topics include:
🧠 How GPTs actually *understand* things
📐 A new AI-based software architecture
🕸️ Companies largely become APIs
The Mudge/Twitter situation is what happens when a company wants to hire a named security personality for marketing purposes, and not to actually fix things.
Companies need to realize that such people often got famous in the first place by having principles they won't violate.
Actually, “bug” is the technical term for the superclass of anything that gives either the “heebie-jeebies”, the “nopes”, or the “hell-nos”.
Google has a new feature that lets you view, and remove, results about you on Google.
myactivity.google.com/results-about-
A brief thought on the Hawaiian missile warning failure.
When an Amazon employee deleted a bunch of infrastructure, Amazon had the best response ever.
They basically said it wasn't the employee's fault because that option shouldn't have been available to them.
1/n
- How bad common city toxins are, e.g., trace amounts of drugs, metals, other chemicals
- Overall tap vs. bottled vs. reverse osmosis
- The right amounts, which you talked about recently
- The downsides of too little, too much
- The importance of speed of intake
The most progress InfoSec’s made in the last 20 years has been due to PCI and Ransomware.
Two things everyone hates and can’t avoid.
It’s never the positive things that cause us to grow.
If you are under-represented in information security, and you're looking to get into the field, please consider me a personal resource to you getting your first job.
My email is first@firstlast.com, and while I might not always be timely, I will respond to every email I receive.
Remember when 280 characters destroyed Twitter?
And when Microsoft destroyed GitHub when they bought it?
It’s crazy that people move to aggressive panic insults when tiny, inconsequential things change on the internet.
You can only use Word 97 for so long.
Embrace change.
I'm pleased to announce the public launch of my company HELIOS!!!
“Helios actively monitors a company's external attack surface in near-realtime and notifies you when it finds something dangerous”.
Learn more below and ping me with any questions!
helios.exposed
Hey all, I made a primer on my favorite @tomnonom recon tools.
danielmiessler.com/blog/a-tomnomn #recon #infosec
It’s time to make police wear pink and peach, with a slogan of “Community Protector”.
Dressing 20-something males up like Navy SEALs is attracting the wrong fucking people to this job.
Ransomware is the new PCI.
1. It’s annoying
2. It’s not nearly the whole story
3. It’s forcing a lot of organizations to take security seriously
No catalyst for change compares to real-world consequences.
Business disruption is the ultimate argument.
I just wanted to say, I’ve always had a very mixed signal here on Twitter. I talk about tech, politics, and human/philosophical topics.
And I know between 1-3 of those have annoyed the crap out of you.
If you’re seeing this, thank you for accepting the whole me.
The Ubiquiti breach will bother you less if you grok that you use dozens of similar vendors every day that are just as insecure.
Assume most services you use have either been hacked already or will be soon.
And behave accordingly.
I find it remarkable that a massive percentage of the country believes the Democrats somehow committed voter fraud when everyone watched Trump launch a massive attack on the post office—in broad daylight—so that fewer democrat votes would be counted.
Like, *actual* voter fraud.
So I guess tomorrow starts the UK’s 5-15 year effort to get back in the EU.
What a colossal waste of time and money. Same with the US and lost global trust.
The lesson for both is to listen less to large numbers of old white people trying to prevent the future.
DEFCON has an internet radio station, and it's exactly what a lot of us need. Hacker vibes, but chill.
This month I learned that the most “essential” people in the world are those who are paid the least, have the fewest benefits, and who are required to expose themselves and their families the most during a medical crisis.
This month I learned our society is an embarrassment.
I just did a major update to my article on the difference between URIs, URLs, and URNs.
I did a deep-dive on the pertinent RFCs, made some corrections, and updated the diagram as well.
May it help you in your next religious war.
danielmiessler.com/study/url-uri
🛰️ BREAKING: Similar Chinese spy satellite installed on the phones of most US teenagers.
A lot of people are asking about the motive of the NSA releasing a free reverse engineering tool at RSA this year.
Theories include: it’s a backdoor, it’s a tracking mechanism, etc.
My opinion? Recruiting.
It’s a PR move to attract talent post-Snowden/ShadowBrokers.
People who think cloud hosting is insecure have never had to hunt down corporate crown jewels hosted on a Windows 98 SE box using ping.
Photograph of musical notes based on the shape their vibrations make in a bowl of water.
I just deleted a tweet of mine that asked a question about why someone would wear a mask while alone in a car.
It was poorly worded, and had a negative tinge to it.
I'm fiercely pro-mask and don't want to be associated with those who aren't. Sorry for the off-note.
Trump on COVID:
“If you keep testing people you’ll have more cases!”
Trump on ELECTIONS:
“If you keep counting ballots you’ll have more votes!”
It's time to say goodbye to ifconfig.
The ip and netplan commands are the new ways of configuring networking in Linux.
danielmiessler.com/study/set_ip/
I think requiring users to “accept all cookies” multiple times per day while browsing the internet is going to become a future case study for how not to do security—from a user interaction standpoint.
If you ruin the experience, you often do more harm than good.
Or—and this might be crazy—it could be a variant of a virus that’s killed more people than 5 million people.
Generally it’s not called sales when you inform the public about such things.
Drug companies wanting to make money doesn’t turn all their products into farces.
💡
Instead of doing 11 projects at 35%, pick 1 or 2 and do them at 95-100%.
Learn to say no.
Fewer, better.
Compliance is fantastic when you’re worried about auditors attacking your network.
I feel ashamed to be so affected by his loss, given that the way I learned about him is through Black Panther—a comic book movie.
But he did such a great job of conveying kindness and strength. It was just beautiful.
Fiction matters. He was brilliant. He’ll be missed.
Quote
RIP Chadwick Boseman. Heaven has gained a warrior.
Awesome Asset Discovery — A list of awesome asset discovery services.
github.com/redhuntlabs/Aw #OSINT #Recon
I just finished the first major update to my article on getting into Information Security (after 10 years!)
Updates to many sections, including education, certifications, and others.
danielmiessler.com/blog/build-suc #infosec
10 Things Everyone Should Know About the Middle East | danielmiessler.com/blog/10-facts-
Gaming will be humanity's salvation while we transition from the current state to the post-AI/Robotics state.
A tool I wrote for finding sensitive content in your GitHub repos. Do yourself a favor and run it on your public repos.