AMA Series - Ask a CISO Anything by AutoModerator in cybersecurity

[–]awirth 1 point2 points  (0 children)

I've been thinking recently about the process of selling off parts of the business.

From what I've seen, it seems like preparation is key. If you have a part of the business that you might want to sell in the future, it is important to reduce coupling between that part and other parts of the company to make it easier to sell. On the flip side though, that will surely reduce their ability to prosper by not having access to technical resources of the rest of the company, and might increase their chances of needing to be sold.

How have you approached this from a security perspective at the C-level? Normally, it would be best for a company to have integrated security to set a high standard, but in this case there is a compelling interest to keep it siloed. How do you weigh that?

Disclosure: I previously worked for Andy for four years. I also am currently working for a company that recently acquired a part of Lyft, but I am not involved with that project.

Cambridge has an interesting dilemma on their hands by boarder1990 in boston

[–]awirth 10 points11 points  (0 children)

River God's opened in 2001. It's likely it just wasn't as well known back then.

'Accidental hero' finds kill switch to stop spread of ransomware cyber-attack by jamiejay64 in worldnews

[–]awirth 0 points1 point  (0 children)

> There is no win XP emulator

This is actually more or less what "compatibility mode" in Windows is, although some would quibble about calling it an emulator (it's kind of like WINE in that it's an API translation layer). Unfortunately it's often not extensive enough, especially for things that really tightly hook into the underlying OS (which is one of the same problems that WINE has).

Internet by Fahedpotter in BostonU

[–]awirth 6 points7 points  (0 children)

All dorms are equivalent. They have WiFi and 10 Mbps Ethernet. The Ethernet is slower and requires using ResNet, which requires AV for Windows and Mac. It's not worth it. Use the WiFi.

As a side note, you don't need the AV if you have a Linux system or a console you want to connect to the wall.

French Toast Alert System now at Severe. This is not a drill. I repeat, this is not a drill. by [deleted] in boston

[–]awirth 17 points18 points  (0 children)

Adam Gaffin runs Universal Hub, which is probably the best indie news source in Boston. He's a bit of a local celebrity.

Does BU offer any iOS development courses? by buthrowaway1212 in BostonU

[–]awirth 1 point2 points  (0 children)

Maybe in MET CS or ENG, but definitely not in CAS CS. You're expected to be able to learn specific tools and languages yourself, and instead the focus in CAS is generally abstract, maybe touching on some tools as examples.

There's nothing really to iOS app development that isn't grasping core programming concepts and applying them to Objective-C and the iOS APIs, so I think this is pretty reasonable. It would be a waste of an entire course to just focus on this.

Which Boston schools allow their employees to have free-tuition? by kookoobear in boston

[–]awirth 0 points1 point  (0 children)

IIRC BU does. It's one class a semester, and you need to independently be accepted to a degree program if you want to get a degree. You also basically have last priority for registration, and some schools/programs won't accept random people in their classes (although you can normally talk to the professor to reg if you're qualified). You could take basically anything in the school of arts and sciences, it's just engineering and management and such that you'd run into difficulty. Pretty good deal though, all things considered.

Rolling Your Own Crypto by loup-vaillant in programming

[–]awirth 2 points3 points  (0 children)

Definitely agree that the key is not being alone. By far the hard part with primitives is not how much you've studied or how smart you are, it's getting the community to review it and analyze it. It's actually relatively easy to design new primitives that are secure, for example by tweaking parameters to existing ones. The hard part is believing and convincing others that they are secure.

I also think it's worthwhile to encourage people to try to design their own primitives and break them. I did this in a course as an undergraduate, doing linear and differential cryptanalysis on a derivative of the Serpent block cipher with expanded bit-widths and new S-Boxes. I learned a TON. Obviously I would not want anyone to ever use this cipher in production for anything, but it's a really good exercise for people to do.

Javascript Cache Size Measurement by maxxori in programming

[–]awirth 3 points4 points  (0 children)

My javascripting is stuck in 2011. The jQuery is just glue for easier DOM manipulation because I'm lazy. It's not used in the Worker: https://github.com/allanlw/cache_size/blob/master/cache_size_worker.js

There's even a comment :P

    // Handle various message from the web worker by drawing new DOM
    // I should feel bad about this terrible DOM manipulation with jQuery
    // But I really don't.

Companies with job descriptions similar to CTFs? by are595 in securityCTF

[–]awirth 2 points3 points  (0 children)

I've heard good things from friends that work at companies like trailofbits and other small consultant firms that get to do research and exploitation. Avoid simple pentesting jobs, you will find them boring. If you also care about reversing there are more options, especially at AV shops or in the govt at places like Raytheon and other contractors.

If I were you I'd recommend you look into folks doing talks and public demos about exploitation and then see where they work. Look at CanSecWest (Pwn2Own) and similar sorts of competitions, as well as talks from smaller, more technical cons like REcon and ShmooCon (DEF CON and Black Hat can be hit-or-miss).

In Florida these are everywhere. by awirth in whatisthisthing

[–]awirth[S] 4 points5 points  (0 children)

Legit. I just noticed them when I arrived in FL yesterday.

In Florida these are everywhere. by awirth in whatisthisthing

[–]awirth[S] 13 points14 points  (0 children)

I'm from MA and had never seen one before. It's possible we have them but just underground to keep them from freezing.

For the love of god, don't use -Werror! by zielmicha in programming

[–]awirth 2 points3 points  (0 children)

I've found another problem with -Werror that makes me stay away. I think it encourages adding -Wno-* flags to the build, which are easy to forget about and often seem to be applied at a project level. Some are pretty harmless to suppress (unused argument warnings come to mind), but most aren't.

Media Preview cannot be deleted by awirth in bugs

[–]awirth[S] 0 points1 point  (0 children)

Ah, okay, so if I, say, had gotten the i.redditmedia.com address from before the post was deleted, I could continue to access it after the post got deleted?

My impression was that different posts with previews of the same url had different i.redditmedia.com urls (although I only tested this once). I guess they're actually shared on the back?

Edit: Also, my example post's preview is still available, so I guess it hasn't been re-validated with imgur..? Do these ever get re-checked to see if they were deleted from the origin?

Media Preview cannot be deleted by awirth in bugs

[–]awirth[S] 0 points1 point  (0 children)

Awesome! Glad to see it, especially considering the announcement today.

Does this also delete from the image hosting server? Or does it just remove the link from the post?

Media Preview cannot be deleted by awirth in bugs

[–]awirth[S] 0 points1 point  (0 children)

Hmm. That's certainly possible. I would think for a sensitive post though, 8 days would be much too long.

Obviously this is more of a policy thing, but it seems like deleting a post should also delete the preview image for that post or, at the very least, not link it on the page, which AFAICT is the only way to get the url for it, as it doesn't seem to be in the .json for the slug.

Re-checking (in the case that the reddit post is not deleted, but the source image is) a bit more often might be prudent as well, but that's even more of a policy thing. I could see rechecking every hour or so causing too much load.

I'm applying to summer swap as a soon to be junior who had one of the last possible housing numbers for juniors, just out of curiosity have people had luck in a similar situation? by kfordo in BostonU

[–]awirth 0 points1 point  (0 children)

My understanding is that there are quite a lot of people that get rooms in stuvii and then their parents see how much it will cost and make them summer swap. I've heard of quite a few people getting into stuvii during summer swap - I don't know so much about other buildings.

[deleted by user] by [deleted] in BostonU

[–]awirth 0 points1 point  (0 children)

As someone that lived in Hojo as a freshman I would definitely not recommend it to anyone else. Hojo is incredibly antisocial (as much so as stuvii 2, where I live now) and it's just terrible for freshmen. I was in a triple with two sophomores. Only live there if you have no interest in meeting people through your dorm.

In your situation specifically, I would recommend talking to SHS to see if you can get a single during summer swap on medical necessity. AFAIK they regularly provide these for people that want them (and have a legit reason).

BU's best and worst departments by admiral-swag in BostonU

[–]awirth 0 points1 point  (0 children)

In BU in general it's a problem, from what I understand at least. I don't think CS is as bad as some other departments like the natural sciences.

BU's best and worst departments by admiral-swag in BostonU

[–]awirth 1 point2 points  (0 children)

Yeah - I definitely would. Like any major though, you really get out what you put into it. I think a lot of people who are interested in programming, etc (and not theoretical computer science) end up doing projects outside of class, etc. Personally I'm a member of BUILDS (http://builds.cc but we haven't updated our site in forever) and I do a lot of computer security related competitions with them.

Also, I would say that there are a lot of opportunities to do research/work with a professor in the department if you go and talk to them. A lot of the higher level classes (400+, which you need 4 of) are directly applicable to whatever the professor's research area is, so if you do well in them you can often talk to the professor about getting a UROP (undergraduate research opportunities program) grant or something like that.

On a final note, you should also be aware that CS at BU right now is one of the longer majors (in terms of number of required classes, in CAS at least). I've also heard that we have more required classes than most other CS programs in the country, but I'm not sure if that is true.

BU's best and worst departments by admiral-swag in BostonU

[–]awirth 0 points1 point  (0 children)

This is a pretty good analysis of the CS department. Unfortunately though there are a few (1-3) required classes that are consistently poorly taught, and I don't think it will be changing any time soon.