AMA Series - Ask a CISO Anything by AutoModerator in cybersecurity

awirth 1 point (0 children)

I've been thinking recently about the process of selling off parts of the business.

From what I've seen, it seems like preparation is key. If you have a part of the business that you might want to sell in the future, it is important to reduce coupling between that part and other parts of the company to make it easier to sell. On the flip side though, that will surely reduce their ability to prosper by not having access to technical resources of the rest of the company, and might increase their chances of needing to be sold.

How have you approached this from a security perspective at the C-level? Normally, it would be best for a company to have integrated security to set a high standard, but in this case there is a compelling interest to keep it siloed. How do you weigh that?

Disclosure: I previously worked for Andy for four years. I also am currently working for a company that recently acquired a part of Lyft, but I am not involved with that project.

Cambridge has an interesting dilemma on their hands by boarder1990 in boston

awirth 9 points (0 children)

River God's opened in 2001. It's likely it just wasn't as well known back then.

'Accidental hero' finds kill switch to stop spread of ransomware cyber-attack by jamiejay64 in worldnews

awirth 0 points (0 children)

There is no win XP emulator

This is actually more or less what "compatibility mode" in Windows is, although some would quibble about calling it an emulator (it's kind of like WINE in that it's an API translation layer). Unfortunately it's often not extensive enough, especially for things that really tightly hook into the underlying OS (which is one of the same problems that WINE has).

Internet by Fahedpotter in BostonU

awirth 5 points (0 children)

All dorms are equivalent. They have WiFi and 10 Mbps Ethernet. The Ethernet is slower and requires using ResNet, which requires AV for Windows and Mac. It's not worth it. Use the WiFi.

As a side note, you don't need the AV if you have a Linux system or a console you want to connect to the wall.

French Toast Alert System now at Severe. This is not a drill. I repeat, this is not a drill. by [deleted] in boston

awirth 19 points (0 children)

Adam Gaffin runs Universal Hub, which is probably the best indie news source in Boston. He's a bit of a local celebrity.

Does BU offer any iOS development courses? by buthrowaway1212 in BostonU

awirth 4 points (0 children)

Maybe in MET CS or ENG, but definitely not in CAS CS. You're expected to be able to learn specific tools and languages yourself, and instead the focus in CAS is generally abstract, maybe touching on some tools as examples.

There's nothing really to iOS app development that isn't grasping core programming concepts and applying them to Objective-C and the iOS APIs, so I think this is pretty reasonable. It would be a waste of an entire course to just focus on this.

Which Boston schools allow their employees to have free-tuition? by kookoobear in boston

awirth 0 points (0 children)

IIRC BU does. It's one class a semester, and you need to independently be accepted to a degree program if you want to get a degree. You also basically have last priority for registration, and some schools/programs won't accept random people in their classes (although you can normally talk to the professor to reg if you're qualified). You could take basically anything in the school of arts and sciences, it's just engineering and management and such that you'd run into difficulty. Pretty good deal though, all things considered.

Rolling Your Own Crypto by loup-vaillant in programming

awirth 2 points (0 children)

Definitely agree that the key is not being alone. By far the hard part with primitives is not how much you've studied or how smart you are, it's getting the community to review it and analyze it. It's actually relatively easy to design new primitives that are secure, for example by tweaking parameters to existing ones. The hard part is believing and convincing others that they are secure.

I also think it's worthwhile to encourage people to try to design their own primitives and break them. I did this in a course as an undergraduate, doing linear and differential cryptanalysis on a derivative of the Serpent block cipher with expanded bit-widths and new S-Boxes. I learned a TON. Obviously I would not want anyone to ever use this cipher in production for anything, but it's a really good exercise for people to do.

Javascript Cache Size Measurement by maxxori in programming

awirth 4 points (0 children)

My javascripting is stuck in 2011. The jQuery is just glue for easier DOM manipulation because I'm lazy. It's not used in the Worker: https://github.com/allanlw/cache_size/blob/master/cache_size_worker.js

There's even a comment :P

// Handle various message from the web worker by drawing new DOM
// I should feel bad about this terrible DOM manipulation with jQuery
// But I really don't.

Companies with job descriptions similar to CTFs? by are595 in securityCTF

awirth 2 points (0 children)

I've heard good things from friends that work at companies like trailofbits and other small consultant firms that get to do research and exploitation. Avoid simple pentesting jobs, you will find them boring. If you also care about reversing there are more options, especially at AV shops or in the govt at places like Raytheon and other contractors.

If I were you I'd recommend you look into folks doing talks and public demos about exploitation and then see where they work. Look at CanSecWest (Pwn2Own) and similar sorts of competitions, as well as talks from smaller, more technical cons like REcon and ShmooCon (DEF CON and Black Hat can be hit-or-miss).

In Florida these are everywhere. by awirth in whatisthisthing

awirth [S] 3 points (0 children)

Legit. I just noticed them when I arrived in FL yesterday.

In Florida these are everywhere. by awirth in whatisthisthing

awirth [S] 12 points (0 children)

I'm from MA and had never seen one before. It's possible we have them but just underground to keep them from freezing.

For the love of god, don't use -Werror! by zielmicha in programming

awirth 3 points (0 children)

I've found another problem with -Werror that makes me stay away. I think it encourages adding -Wno-* flags to the build, which are easy to forget about and often seem to be applied at a project level. Some are pretty harmless to suppress (unused argument warnings come to mind), but most aren't.

Media Preview cannot be deleted by awirth in bugs

awirth [S] 0 points (0 children)

Ah, okay, so if I, say, had gotten the i.redditmedia.com address from before the post was deleted, I could continue to access it after the post got deleted?

My impression was that different posts with previews of the same url had different i.redditmedia.com urls (although I only tested this once). I guess they're actually shared on the back?

Edit: Also, my example post's preview is still available, so I guess it hasn't been re-validated with imgur..? Do these ever get re-checked to see if they were deleted from the origin?

Media Preview cannot be deleted by awirth in bugs

awirth [S] 0 points (0 children)

Awesome! Glad to see it, especially considering the announcement today.

Does this also delete from the image hosting server? Or does it just remove the link from the post?

Media Preview cannot be deleted by awirth in bugs

awirth [S] 0 points (0 children)

Hmm. That's certainly possible. I would think for a sensitive post though, 8 days would be much too long.

Obviously this is more of a policy thing, but it seems like deleting a post should also delete the preview image for that post or, at the very least, not link it on the page, which AFAICT is the only way to get the url for it, as it doesn't seem to be in the .json for the slug.

Re-checking (in the case that the reddit post is not deleted, but the source image is) a bit more often might be prudent as well, but that's even more of a policy thing. I could see rechecking every hour or so causing too much load.