Paco Hope @paco@infosec.exchange

Encrypted #SNI sounds like it fixes a long-standing weakness in SNI. This is really interesting. #mozilla, #security #https

I once asked a candidate if they knew what SNI was. He replied that it was the thing that let him know what web sites people were going to even though they were using https. Correct answer I suppose.

https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/

Off to #LUX for a few days. Then #TLS. Busy week. #LON all next week (home) and #MAD the week after.

I hate the birdsite’s algorithmic timeline. Someone posts “here’s a great keynote.” Original tweet of keynote is 3 days old. I watch the keynote. It is good. Now I have like 5 more tweets in my timeline saying “here’s a great keynote” all linking to exactly the same tweet. Ugh.

#CloudWatch logs show the impact on my #MySQL server of taking the blog off #WordPress. Most of the network traffic had been blog traffic. But the blog changes so rarely, that's really pointless traffic.

Wanna tell #AWS what you think of them? They're actually surveying. They want to know how the business is perceived by people. If you wanted a chance to be heard, this is that chance.
https://amazon1.qualtrics.com/jfe/form/SV_3jYnmfhBhTbqyLb

I make various #infosec-themed parody songs. Taking famous songs and rewriting the lyrics to be funny #security stuff. They’re on my YouTube channel. Here’s “Thank God I’m a Hacker Boy”, to the tune of John Denver’s “Thank God I’m a County Boy”. https://youtu.be/qCdRoTHwrtg

Spent the whole day teaching cloud security to AWS partners. Fun but exhausting.

If, your job title, department, and company name combine to use the word #cyber MORE than 3 times, I can't even.

And if you "Cyber Security" as well as "Blockchain Evangelism" on your CV, I think we can safely pass...

People with "knowledge of the cyber domain" are also low on my list. What the fuck is #cyber? Can you name me two things? One that everyone would agree is cyber and one that everyone would agree is totally not cyber? I mean, I'm gonna assume a horse isn't cyber. But maybe it is. A chair? A door? Obviously everything that has electricity is cyber. An electric toothbrush, a kettle, an analog wristwatch. I just want to cyberstab myself in the cybereye.

It is hard to take someone seriously whose CV talks about the "challenges of Cyber" including the gratuitous capitalisation...

I don't want to fly to Toulouse unless I can fly to TLS1.2.

#BadInfosecJoke

While a hilarious news story, it also shows how—for outsiders—Dublin is Ireland. London is the UK. Edinburgh is Scotland. Paris is France. When you're acquainted with these countries, you lose this association. But the fact that they use "Ireland" in the headline shows how implicit this association is. https://newsbots.eu/@boingbot/100838198961797718

Reading about the alleged hardware supply chain attack. This is a hilarious quote.

If you are American, I am not your enemy. We might disagree. Sharply even. But I am not your enemy.

I have been a #FreeBSD user for a very long time. But I have rarely been prouder of them than when i read their Code of Conduct. Wow. Just Wow. So thorough. Impressive. I hope they live up to it in practice.
https://www.freebsd.org/internal/code-of-conduct.html

I'm sick and tired of people framing the speed disparity between security and development as "development going to fast" instead of "security going too slow". A blog post from ThreatStack (typical survey-backed marketing spew) got me going this morning. I rewrote it from the "your security team can't keep up" point of view. Makes it a really different read.
https://www.peerlyst.com/posts/what-happens-when-security-can-t-keep-up-and-common-ways-security-gets-left-behind-paco-hope