Profile picture
Robᵇᵉᵗᵒ Graham
@ErrataRob
, 9 tweets, 2 min read Read on Twitter
There's some good stuff here. Coordinated disclosure and an SBoM at least at the level of licenses (though not backports) are the basics that are both easy to do and should be considered the bare minimum. On the other hand, NIST 800-160 v1 is complete garbage.
For the past 30 years, the basis for all "secure engineering" starts with being able to receive reports from people who discover a security problem. These days, we call this "coordinated vulnerability disclosure", to avoid nonsense terms like "responsible disclosure".
People imagine the arrow of security goes the other way, that you should start with a Secure Development LIfecycle, and proactively build security in to begin with. Nope, this is wrong thinking. I mean you can try, but you won't succeed, you won't get close.
Instead, the way it really works is that you receive vulnerability reports, then go back and fix the bug, and THEN go back and adjust your development processes that the bug revealed, so that class of bugs doesn't happen again.
No matter how proactively you try to build engineering processes trying to anticipate everything, you'll eventually get a vuln report showing some new wrinkle that you didn't -- couldn't -- anticipate. Especially as times changes and new classes of vulns are developed.
That's why NIST 800-160 v1 is garbage. It's the government approach to make-work where people can point to all the work they are doing, without actually haven't any results to show for it. It measures success only by how many processes you follow.
I see this all the time, large government processes on securing websites where nobody has heard of what "SQL injection" is. It's the most common and notorious vuln on the web and you've built a huge organization that knows nothing about it.
As for SBoMs, as long as you restrict them to the easy bits, like tracking software licenses which all products have to do anyway, then there's some utility but no harm to them.
But some want to make SBoMs into a bureaucratic nightmare, which I vehemently oppose. My earlier tweets on backports is a good example why.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Robᵇᵉᵗᵒ Graham
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @ErrataRob see all

Profile picture
Robᵇᵉᵗᵒ Graham
@ErrataRob
Questions and discussion are how we learn. It doesn't mean we are rejecting a thing, or that we aren't listening. It means we are trying to wrap our minds around a thing.
It's an important feature of our education system, something teachers encourage. In contrast, other cultures discourage students from asking questions, as disrespectful to the teacher. Students are expected to learn by rote and parrot things back, but not understand them.
We are seeing this same problem in today's politically charged climate. You aren't supposed to understand a thing, to ask questions, to discuss it. Any attempt at discussion gets you shut down with toxic rhetoric.
Read 7 tweets
Profile picture
Robᵇᵉᵗᵒ Graham
@ErrataRob
Yup.
Though I interpret this differently. I don't think it mean speaking out when everyone around you cheers, but speaking out against the cheers.
I think it means we need to focus on actual debate, citing data and such, not shouting meaningless rhetoric because it makes us feel good. It means understanding a thing, not cherry picking part of it because it makes your outrage feel good.
The major Nazi opponents were the Communists. That didn't mean they were the good guys. Communists (in Soviet Russia) ended up being even more racist and killing more people than the Nazi's did. Holodomor alone killed as many Ukrainians as Hitler Jews
en.wikipedia.org/wiki/Holodomor
Read 6 tweets
Profile picture
Robᵇᵉᵗᵒ Graham
@ErrataRob
1/ This question asks: "why would you want a non-random random function". This is a common thing, so I thought I'd explain it.
2/ One example is games, like NetHack or the 3D version from Blizzard known as "Diablo". In the game, you descend many layers into dungeons and fight monsters. The map for each level consisting of rooms and tunnels is laid out "randomly".
3/ Only it's not "random". A single 32-bit random number is used to 'seed' a predictable sequence, which determines how hundreds of levels and thousands of rooms are laid out. Saving the game means only saving that one number.
Read 11 tweets

Related threads

Profile picture
Talen Lee
@Talen_Lee
#FlagThread

This next flag thread is CITY FLAGS OF AMERICA by STATE

Okay, so today we're not going to do the flag thread, because this one is _really huge_. Today, we're going to talk about how I'm going to do it, and what that means.
My normal resource for this is straight up looking at these things on wikipedia, and that's a great, useful resource but contributed by fans and enthusiasts.

It also presents a problem of scale.
Some states-and-territories have a tiny number of city flags; some have an ENORMOUS number. Obviously. I mean, Wyoming has two major cities! Some places that have like, more people than Iceland, have more cities!
Read 637 tweets
Profile picture
WaterBluSky
@MsMariaT
Good stuff here.

Sam Patten Sentencing Memoranda

h/t @DirkSchwenk

lawfareblog.com/document-w-sam…
P 4: "...Patten’s relationship w/Foreigner B and the Opposition Bloc did not contemplate any work that would be considered lobbying in the U.S. Instead, Mr. Patten’s engagement required him to assist and advise his clients w/regard to Ukrainian politics and elections..."
"...this work involved drafting POLLING questions and interpreting polling data to predict and prep for the issues and opinions driving the....climate....Patten would explain the significance of the polling data and...propose ways...his clients could SHAPE THEIR MESSAGE...." 🚩
Read 32 tweets
Profile picture
Nick Yates ✏️💰
@iamnickyates
How to create a product in one weekend

(You'll need a list FYI)

This is your weekend plan to begin selling a new product in two days

In this thread you’ll find numerous steps to creating your first product

This idea was inspired by two people: Gary Halbert and John Carlton
Do I advise you to create a product in one weekend and sell it Monday?

For the overall experience of pulling it off, yes!

For a long term business plan, probably not…

But, as an up and coming copywriter (which most of you following me are)
This is the “get off your ass and do something” game plan

Before we start with the actual steps, let’s discuss planning and time management...
Read 36 tweets
Profile picture
Jason #WeWillReplaceYou Consolidation
@tgconsolidation
So tonight, I'm going to livetweet my reading of Chapter 4 of Seth Abramson's Proof of Collusion. You can find an archive of my tweets through Chapter 3 here:
My livetweet isn't anything resembling a summary; it's just the things I find notable, so go ahead and buy Seth's book! simonandschuster.com/books/Proof-of…
Because I'm a weird dude, I'm having fun doing this. :)
Anyway, on to Chapter 4: The Campaign Begins: 2013-2015.
Read 65 tweets
Profile picture
Fred Kiesche
@FredKiesche
Thinking about Greg @GregStafford today, so it only seems appropriate that I combine that with a inventory project of items from or licensed by @Chaosium_Inc -- could be a th'read!
My first purchase from @Chaosium_Inc is lost in time. Different Worlds because there was a Traveller article? The fantastic Thieves’ World Box? Likely Stormbringer.
Many years later I finally scored this early game.
Read 146 tweets
Profile picture
Jonas Termansen
@sortiecat
Thread: After 6 years of #osdev experience, here are my recommendations for trying out making your own Operating System from scratch:
The operating systems development (osdev) wiki is awesome and has the tutorial you should start with: wiki.osdev.org/Bare_Bones
If I still have your attention, you need to read the rest of this thread before starting. You need to read all the instructions carefully!
Read 120 tweets

Trending hashtags

#crystals #nonmonogamous #stevenuniverse #CBB2018 #histsex #Easy #fanfiction #ButHerEmails #GAHB316 #disclosure #c4model #VoterSuppression #twitterstorians #MondayMotivation #GoodOmens #Scotland #bookhistory #TrumpRussia #ThursdayThoughts #Mini #AALS2019 #hewlettverify #osdev #flagthread #StarWars
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!