Alan Shen

To clarify the Windows crypto fail: The problem isn't in signature validation. The problem is the *root store/cache*. CryptoAPI considers an (attacker-supplied) root CA to be in the trust store if its public key and serial match a cert in the root store, Ignoring curve params.

My point being that if this stuff is interesting to you, we put a lot of work into making model problems accessible to anyone with a working Python or Ruby interpreter, and you should take a whack at them. https://cryptopals.com/  https://toadstyle.org/cryptopals/ 

It is not reasonable to expect every political campaign to be able to afford a qualified CISO for a temp gig when the F500 can’t recruit full-time CISOs. We need to change campaign finance laws to allow the parties to operate shared cloud infrastructure secured by central teams.https://twitter.com/dnvolz/status/1217499725450108935 …

Sources say Microsoft on Tuesday will fix an extraordinarily scary flaw in all Windows versions, in a core cryptographic component that could be abused to spoof the source of digitally signed software. Apparently DoD & a few others got an advance patch https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/ …

Helping a friend prepare to break into InfoSec as a career, and I keep coming back to @SecurityGuill, his infographics, and website. If you are breaking into infosec or are needing to communicate to nontechnical folk, check him out! Security + Designhttps://twitter.com/SecurityGuill/status/1200068588104830976?s=20 …

Before I speak at a conference, I always talk to the audience first. You might call it "crowd work." Here's why I do it and why I think you should too. 1. A lot of conf's give you 10-15 minutes between talks to get set up. For most of us that takes 4-5 minutes. 1/

For 2020 I'm doing a 1 C++ Best Practice per retweet thread! I wrote my first blog article about C++ best practices in 2007. In many ways I've been repeating myself over and over again for the last 13ish years. And very little of what I say is novel. Thread follows:

Best thread of the day!https://twitter.com/cybergibbons/status/1213572501395120134 …

Apparently a non-trivial number of systems are experiencing #Y2020 bugs. A common Y2K "fix" just postponed things by 20 years, interpreting 00-19 as the 2000s and 20-99 as the 1900s. 20 years is now up, some of those systems are still in use, and they think it's 1920. Oooops.