Chris Wysopal

@WeldPond

Followers
55K
Following
8K
Media
2K
Statuses
30K

Hacker. Co-founder/CTO Veracode. Former L0pht security researcher. GenAI Auto-repair of vulns is the future @weld.bsky.social @[email protected]

Joined March 2008
@WeldPond
Chris Wysopal
1 year
My Congressional testimony on how vulnerabilities are discovered by researchers, how patching doesn't solve our problems and the need for secure by design. This was 9/11/2003. Are we making progress yet?
12
15
89
@WeldPond
Chris Wysopal
6 years
So the Secret Service stuck Zhang's thumbdrive into their computer.
Tweet media one
1K
4K
10K
@WeldPond
Chris Wysopal
4 years
What are all the people who used "Sign in with Facebook" doing now?
102
523
3K
@WeldPond
Chris Wysopal
2 years
We've lost a true pioneer of the digital world, Kevin Mitnick. His ingenuity challenged systems, incited dialogues, and pushed boundaries in cybersecurity. He will remain a testament to the uncharted power of curiosity. #RIPKevinMitnick
Tweet media one
76
801
2K
@WeldPond
Chris Wysopal
6 years
.@sifutweety pointed out that the fact that this is getting so many retweets is a credit to infosec education -- everyone knows this is a stupid idea.
35
153
2K
@WeldPond
Chris Wysopal
5 years
Does anyone want to share 15% of their password?
298
245
2K
@WeldPond
Chris Wysopal
1 year
"There are nearly 600K unfilled cybersecurity jobs in the U.S. right now, and about 3.5M open roles globally, says Lisa Gevelber, Google’s chief marketing officer for the Americas". This is because all the openings are entry level positions requiring 5 yrs experience.
73
237
2K
@WeldPond
Chris Wysopal
3 years
Log4j 2.16.0 is out and completely disables JNDI by default.
13
708
2K
@WeldPond
Chris Wysopal
3 years
Current status: Sorry, I’ll have to get back to you. I’m dealing with an open source issue.
Tweet media one
47
230
2K
@WeldPond
Chris Wysopal
3 years
"Password expiration requirements do more harm than good, because these requirements make users select predictable passwords". Thank you, Microsoft. NIST agrees. Everyone who attacks password auth agrees. Can we get compliance to update their requirements?
29
432
1K
@WeldPond
Chris Wysopal
4 years
My son asked me for some fidget toys.
Tweet media one
26
74
1K
@WeldPond
Chris Wysopal
6 years
Ah, the good old days.
Tweet media one
15
311
1K
@WeldPond
Chris Wysopal
8 months
If you have an .io domain you should read this. When the British government announced last week that it was transferring sovereignty of an island in the Indian Ocean to the country of Mauritius, Gareth immediately realized its online implications: the end of the .io domain.
49
335
1K
@WeldPond
Chris Wysopal
5 months
Due to U.S. telco networks being compromised, today CISA is recommending:
1. Use only end-to-end encrypted communications.
2. Enable Fast Identity Online (FIDO) phishing-resistant authentication.
3. Migrate away from Short Message Service (SMS)-based MFA.
4. Use a password manager.
42
313
1K
@WeldPond
Chris Wysopal
1 year
House passes Protecting Americans’ Data from Foreign Adversaries Act, H.R. 7520.
Tweet media one
16
240
1K
@WeldPond
Chris Wysopal
4 years
An infrastructure bill should include funding for cybersecurity. The internet is critical infrastructure for public and private realms in the 21st century.
23
150
928
@WeldPond
Chris Wysopal
3 years
Tweet media one
11
145
954
@WeldPond
Chris Wysopal
8 years
No government helped WannaCry victims. It was independent security researchers who found & used the kill switch, and built a decryption tool.
31
645
937
@WeldPond
Chris Wysopal
4 years
3.5" floppy disks may be obsolete but their ghosts live on in cyberspace as little save button outlines.
32
134
857
@WeldPond
Chris Wysopal
7 years
I'd rather hire someone who knew how to use netcat than someone who thinks one of these answers is correct.
60
256
844
@WeldPond
Chris Wysopal
10 years
Universal asks Google to take down 127.0.0.1 for piracy. See claim #2
69
2K
842
@WeldPond
Chris Wysopal
7 years
20 years ago today 7 hackers from the L0pht testified about cyber security on Capitol Hill. @spacerog @joegrand @WeldPond & @dotMudge will return on 5/22/18 to discuss what has improved and what hasn’t.
Tweet media one
25
442
846
@WeldPond
Chris Wysopal
3 years
The patched version of log4j 2.15.0 requires a minimum of Java 8. If you are on Java 7 you will need to upgrade to Java 8. When there is active exploitation and you need to patch fast it is beneficial if you have been updating your other dependencies over time.
12
212
777
@WeldPond
Chris Wysopal
10 months
This might be the most classic hacker photo of all time. It has it all: style, swagger, butt set, huge laptop, and a casino security guard's watchful eye.
Tweet media one
40
100
808
@WeldPond
Chris Wysopal
3 years
The cryptocurrency ecosystem requires a lot of “trusting people not to write bugs.”
Tweet media one
37
252
760
@WeldPond
Chris Wysopal
4 years
#protip If your lawyer, doctor, or therapist has an Amazon Echo or other voice device in their office, tell them they need to remove it or you will be taking your business elsewhere.
20
146
754
@WeldPond
Chris Wysopal
6 years
OMG all 3 teams got this wrong in @defcon hacker jeopardy. Answers were 21, 22, and 25.
Tweet media one
130
126
746
@WeldPond
Chris Wysopal
3 years
For Apache Log4j remediation priority it seems the best approach right now is:
1. log4j 2.x through 2.14 - update to 2.16.
2. log4j 1.x - update to 2.16.
3. log4j 2.15 - update to 2.16.
28
182
733
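The upgrade thresholds in the tweets above (anything below 2.15 or on the 1.x line goes to 2.16, 2.15 goes to 2.16, 2.16 goes to 2.17.0 for the recursion DoS, and moving past 2.15 needs Java 8 on the host) are easy to encode as a triage rule over a list of jar names from an artifact scan. The script below is an added example written for this page, not code from the author or from Veracode; the jar file names it runs on are constructed, and it assumes Maven-style `log4j-core-<version>.jar` / `log4j-<version>.jar` naming. It uses 2.17.0 as the target because that is the latest fix release mentioned on this page.

```python
"""Triage Log4j artifacts by version against the upgrade thresholds stated on this page.
Added example; file names below are constructed, not from a real scan."""
import re
from dataclasses import dataclass

# Latest fix release mentioned on this page (2.17.0 adds the infinite-recursion DoS fix).
TARGET = (2, 17, 0)

# Assumption: Maven-style names such as "log4j-core-2.14.1.jar" or "log4j-1.2.17.jar".
# log4j-api jars carry no JNDI lookup code, so only core and the 1.x jar are matched.
JAR_RE = re.compile(r"^(log4j-core|log4j)-(\d+)\.(\d+)\.(\d+)\.jar$")


@dataclass(frozen=True)
class Finding:
    jar: str
    version: tuple
    priority: int        # 1 = patch first ... 4 = patch last, 0 = nothing to do
    action: str
    java8_needed: bool   # upgrading from below 2.15 also means the host must run Java 8


def fmt(version):
    return ".".join(str(part) for part in version)


def parse_version(jar_name):
    """Return (major, minor, patch) for a log4j jar name, or None for anything else."""
    match = JAR_RE.match(jar_name)
    if not match:
        return None
    return tuple(int(part) for part in match.group(2, 3, 4))


def triage_version(version):
    """Map a log4j version tuple to (priority, action) using the page's ordering:
    2.x < 2.15 first, then 1.x, then 2.15, then 2.16 (DoS only)."""
    if version >= TARGET:
        return 0, "up to date"
    if version[0] == 2 and version < (2, 15, 0):
        return 1, "update to %s: JNDI lookups enabled, under active exploitation" % fmt(TARGET)
    if version[0] == 1:
        return 2, "update to %s: 1.x line" % fmt(TARGET)
    if version[:2] == (2, 15):
        return 3, "update to %s: 2.16 is the first release with JNDI disabled by default" % fmt(TARGET)
    return 4, "update to %s: infinite-recursion DoS (CVSS 7.5)" % fmt(TARGET)


def triage_jars(jar_names):
    """Classify jar file names; most urgent first, non-log4j jars skipped, up-to-date last."""
    findings = []
    for name in jar_names:
        version = parse_version(name)
        if version is None:
            continue
        priority, action = triage_version(version)
        findings.append(Finding(name, version, priority, action,
                                priority > 0 and version < (2, 15, 0)))
    return sorted(findings, key=lambda f: (f.priority == 0, f.priority, f.jar))


SAMPLE_JARS = [  # constructed file names, not from a real scan
    "log4j-core-2.14.1.jar", "log4j-1.2.17.jar", "log4j-core-2.15.0.jar",
    "log4j-core-2.16.0.jar", "log4j-core-2.17.0.jar", "commons-lang3-3.12.0.jar",
]

if __name__ == "__main__":
    for f in triage_jars(SAMPLE_JARS):
        note = " (host needs Java 8 first)" if f.java8_needed else ""
        print(f.priority, f.jar, f.action + note)
```

The Java 8 flag is the part people forget under pressure: a 2.14 host on Java 7 cannot simply swap the jar, so those findings need the runtime upgrade scheduled alongside the dependency bump.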
@WeldPond
Chris Wysopal
4 years
Put on guest network. Tape over camera. Snip wire on internal mic. I'm available for additional White House IoT security consulting.
16
68
677
@WeldPond
Chris Wysopal
4 years
Tonight Pres. Biden mentioned cybersecurity twice. Once as a career a student can learn at a community college (potentially for free) and once as an example of a global challenge where the U.S. can’t go it alone. This bodes well for a more secure digital world.
10
103
685
@WeldPond
Chris Wysopal
4 years
"We [Facebook] also describe our in-house BGP software implementation, and its testing and deployment pipelines. These allow us to treat BGP like any other software component, enabling fast incremental updates."
18
171
678
@WeldPond
Chris Wysopal
3 years
Korean researchers have developed a set of attacks against some solid-state drives (SSDs) that could allow planting malware in a location that's beyond the reach of the user and security solutions.
20
272
696
@WeldPond
Chris Wysopal
7 years
The new hacker economics.
Tweet media one
6
322
658
@WeldPond
Chris Wysopal
6 years
Zoom video conferencing zero day patch now available.
Tweet media one
10
177
654
@WeldPond
Chris Wysopal
6 years
Going through TSA tonight I got randomly flagged for an electronics inspection. Seeing the stickers on my laptop the agent asked if this was my college laptop. I didn’t have the guts to tell him they didn’t have laptops when I graduated college.
29
46
641
@WeldPond
Chris Wysopal
5 years
Like if you wrote software that had menus like this.
Tweet media one
47
41
641
@WeldPond
Chris Wysopal
6 years
“But the [Luxor] beam has also become a magnet for grasshoppers, which experts say could linger in Las Vegas for weeks.” The Luxor is next to the Black Hat conference hotel. This is not the bug bounty I was expecting.
24
173
623
@WeldPond
Chris Wysopal
4 years
I first learned hacking from underground BBSs. Banning demos/info from mainstream services will harm security. One of my earliest hacker lessons is all cybersecurity info is dual use. Let's stop pretending learning about attacks is harmful.
20
177
610
@WeldPond
Chris Wysopal
10 years
A disaster foretold — and ignored. L0pht’s warnings about the Internet drew notice but little action http://t.co/ZRnZVFdw56.
36
280
598
@WeldPond
Chris Wysopal
2 years
@Cobylefko Boston’s North End
Tweet media one
22
7
610
@WeldPond
Chris Wysopal
6 years
How Banksy authenticates his work.
6
236
593
@WeldPond
Chris Wysopal
4 years
My parrot and I are enjoying an early Christmas present. ⁦@EffinBirds
Tweet media one
17
15
495
@WeldPond
Chris Wysopal
3 years
Not the best way to open an email to a security person. "Chris, I would like to introduce you to XXXX, the premier global solution for non-hackable, completely secure and authentic long term data storage."
57
26
512
@WeldPond
Chris Wysopal
9 years
If Trump is soliciting Russian hackers to find Hillary's missing emails isn't he taking away jobs from hard-working American hackers?
20
296
478
@WeldPond
Chris Wysopal
5 years
We’re going to start seeing a lot of these signs.
Tweet media one
10
164
464
@WeldPond
Chris Wysopal
5 years
Singapore launches cyber security label for smart home devices.
Tweet media one
10
192
490
@WeldPond
Chris Wysopal
5 years
What a crypto backdoor looks like. NSA Backdoor Key from Lotus-Notes
8
223
453
@WeldPond
Chris Wysopal
6 years
On Sunday, it will be 25 years since day was registered. was a homebrew 486 33MHz running a Slackware distribution of Linux 1.0 on a 28.8K dialup line to The machine also ran mail and routed our class C.
Tweet media one
9
90
428
@WeldPond
Chris Wysopal
4 years
Turn off your ad blocker they said.
5
236
404
@WeldPond
Chris Wysopal
2 years
The head of a pen testing company redacted text by overlaying black boxes and saving it as PDF.
35
44
402
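Why the black-box approach fails is mechanical: a PDF content stream is a list of drawing operators, and painting a filled rectangle after a `Tj` text operator changes what is rendered, not what is stored. The script below is an added example, not code from the author or from any pen testing firm; it assembles a minimal single-page PDF from scratch with the standard library, so the "document" and the sample secret in it are constructed. It handles only uncompressed streams and unescaped `(…) Tj` strings, which is enough to show the point.

```python
"""Overlay 'redaction' versus removal in a hand-built PDF. Added example; the
secret string and the document are constructed for the demonstration."""
import re

SECRET = b"Client: ACME Corp, account 4242"   # constructed sample, not a real record


def build_pdf(page_content):
    """Assemble a single-page PDF around an uncompressed content stream, with a
    correct xref table so ordinary readers open it."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 300 100] /Contents 4 0 R "
        b"/Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(page_content) + page_content + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n" % (len(objs) + 1)
    out += b"0000000000 65535 f \n"
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    return bytes(out)


def overlay_redaction(text):
    """The black-box approach: draw the text, then paint a filled rectangle over it.
    The glyph string stays in the stream; only the rendering is hidden."""
    return (b"BT /F1 12 Tf 20 50 Td (" + text + b") Tj ET\n"
            b"0 g 15 40 250 20 re f\n")


def redact_by_removal(stream, secret):
    """Real redaction: delete the text-showing operator carrying the secret and keep
    the box as a visual marker. (Production tools also scrub fonts, metadata and
    image layers; this covers only the plain Tj case built above.)"""
    return re.sub(rb"BT[^\n]*\(" + re.escape(secret) + rb"\) Tj ET\n", b"", stream)


TJ_RE = re.compile(rb"\((.*?)\) Tj")


def extract_text(pdf):
    """What any text extractor (or select-all, copy) sees: every Tj string operand,
    regardless of what was painted on top afterwards."""
    streams = re.findall(rb"stream\n(.*?)\nendstream", pdf, flags=re.S)
    return [s for stream in streams for s in TJ_RE.findall(stream)]


def xref_is_consistent(pdf):
    """Cheap structural check: every xref entry must point at 'N 0 obj'."""
    start = int(re.search(rb"startxref\n(\d+)", pdf).group(1))
    if not pdf[start:].startswith(b"xref"):
        return False
    entries = re.findall(rb"(\d{10}) 00000 n", pdf[start:])
    return all(pdf[int(off):].startswith(b"%d 0 obj" % (i + 1)) for i, off in enumerate(entries))


if __name__ == "__main__":
    covered = build_pdf(overlay_redaction(SECRET))
    print("black box only:", extract_text(covered))   # the secret is still there
    cleaned = build_pdf(redact_by_removal(overlay_redaction(SECRET), SECRET))
    print("text removed:  ", extract_text(cleaned))   # []
```

Write `covered` to disk and open it in any viewer: the page shows a black bar and nothing else, which is exactly why the approach keeps fooling people. The check that matters is the one `extract_text` performs, not what the screen shows.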
@WeldPond
Chris Wysopal
4 years
This is a good time to reconsider giving yet more usage information to data aggregators like Facebook by using their sign in with feature.
5
60
372
@WeldPond
Chris Wysopal
3 years
With @cisagov's recent advisory on Russia, the question on the cover of Time from 1995 seems more apropos as ever
Tweet media one
20
112
381
@WeldPond
Chris Wysopal
6 years
We are entering the era of forever vulnerable hardware. D-Link router with CVSS 10.0 vuln won't get a patch because it is EOL.
30
226
385
@WeldPond
Chris Wysopal
6 years
Leaving Tokyo now and I have to say it is the most cyberpunk city I have visited.
11
127
352
@WeldPond
Chris Wysopal
4 years
the attack leveraged a unique design flaw of the open-source ecosystems called dependency confusion.
7
140
379
@WeldPond
Chris Wysopal
4 years
Costumes from the movie "Hackers" on display in a London gallery.
5
79
360
@WeldPond
Chris Wysopal
4 years
27 year old invoice for ⁦@L0phtHeavyInd⁩ 56 kbps dedicated line which ran our website and gave our LAN internet access. We eventually stepped up to 128 kbps ISDN as we sold more shell accounts, t-shirts and archive CDs.
Tweet media one
23
28
356
@WeldPond
Chris Wysopal
5 years
Tweet media one
4
100
344
@WeldPond
Chris Wysopal
3 years
OH from some '90s hackers: "I hacked NASA" is straight up there with "I had a newspaper route".
19
32
340
@WeldPond
Chris Wysopal
3 years
Log4j 2.17.0 is out and protects against infinite recursion DoS. CVSS 7.5
@WeldPond
Chris Wysopal
3 years
Log4j 2.16.0 is out and completely disables JNDI by default.
14
156
349
@WeldPond
Chris Wysopal
6 years
90’s hacker groups are having a moment 20 years later. #CultoftheDeadCow.
14
37
336
@WeldPond
Chris Wysopal
5 months
Is this potential ban because the products have more security vulns than average or the update process is poor or is there a fear of backdoors? Make the reasons clear and hold all vendors to the standard.
Tweet media one
39
67
352
@WeldPond
Chris Wysopal
7 years
The Senate Cyber caucus had a surprise for me when I came to speak today
Tweet media one
14
49
325
@WeldPond
Chris Wysopal
4 years
Imagine if election security hadn't improved in the last 4 years and instead of the current 95% paper ballots we were back at 82% like in 2016. Our democracy depends on secure elections. Thank you to all the patriots who defended and continue to defend our elections.
7
28
292
@WeldPond
Chris Wysopal
4 years
Syncing your phone to the car or having a built in GPS are privacy risks. Cars don’t have the data protection of a modern phone.
14
140
318
@WeldPond
Chris Wysopal
6 years
Following a serious vulnerability disclosure affecting casinos globally, an executive of casino technology vendor Atrient has assaulted the security researcher who disclosed the vulnerability at the ICE conference in London.
18
223
303
@WeldPond
Chris Wysopal
7 years
Before and after #L0pht20
Tweet media one
10
65
300
@WeldPond
Chris Wysopal
5 years
Put your VPN exit node in another country.
15
152
295
@WeldPond
Chris Wysopal
2 years
Today is the 25th anniversary of my testimony to the U.S. Senate as part of a group of 7 hackers from the L0pht. The hearings were titled, "Weak Computer Security in Government: Is the Public at Risk?" (cont)
Tweet media one
6
56
302
@WeldPond
Chris Wysopal
9 years
I'm happy to see secure network shell access promoted.
Tweet media one
6
203
280
@WeldPond
Chris Wysopal
3 years
What was the very first cybersecurity task you remember doing? For me it was turning off services in /etc/inetd.conf to harden a default Linux install.
167
19
284
@WeldPond
Chris Wysopal
6 years
My son graduated today from the U of Oregon with a degree in music performance and I couldn't be happier. 🎺.
22
0
289
@WeldPond
Chris Wysopal
3 years
Looks like they gave this poor guy all the workstations for all of the still open positions.
18
41
267
@WeldPond
Chris Wysopal
6 years
DEFCON [videos on YouTube] is cancelled.
22
165
280
@WeldPond
Chris Wysopal
7 years
Just saw a baby in a stroller @defcon with a tinfoil hat.
7
28
270
@WeldPond
Chris Wysopal
4 years
How much is my PiHole costing them? Can simple network blocking evaporate 10s of $billions? Is it really this easy to gain privacy and destroy value?
@PatrickMcGee_
Patrick McGee
4 years
*New*: @Apple’s privacy settings caused an estimated $9.85bn of revenues to evaporate in the second half of this year at @Snap, @Facebook, @Twitter and @YouTube, as their advertising businesses were shaken by the new rules. Average impact on revenue: -12%. *Thread*
Tweet media one
9
54
268
@WeldPond
Chris Wysopal
4 years
I’m shocked that they have been unable to fill this cybersecurity leadership position for $109k.
29
50
281
@WeldPond
Chris Wysopal
2 years
There will be an AI Village at @defcon and many AI players (Anthropic, Google, Hugging Face, Microsoft, NVIDIA, OpenAI and Stability AI) are bringing their models to be hacked.
Tweet media one
6
71
276
@WeldPond
Chris Wysopal
6 years
I can't wait to give this a read.
8
65
279
@WeldPond
Chris Wysopal
3 years
ProTip: looking for a way to bypass NAC when you are on premises? Find an unused docking station that has ethernet. Its MAC is already approved.
9
33
273
@WeldPond
Chris Wysopal
6 years
Hey U.S. govt. look here! "The Swiss government has issued a 150,000 Swiss franc (US$149,790) challenge to online hackers; break into our new generation electronic voting system and we'll reward you."
10
165
260
@WeldPond
Chris Wysopal
11 months
At @reconmtl, @j00ru is presenting on his vuln research of the windows registry. He classifies bugs in these layers and is giving examples of analyzing each layer and bugs he found.
Tweet media one
13
65
277
@WeldPond
Chris Wysopal
6 years
Does everyone with a stickie or cover over their Mac camera feel more justified tonight?
Tweet media one
43
62
262
@WeldPond
Chris Wysopal
6 years
A 13 yo notified the city that 35K student records were exposed. Police confiscated his computer. Then an online bank offered him a job.
3
95
257
@WeldPond
Chris Wysopal
6 years
A response to ISIS required a new kind of warfare, and so the NSA and U.S. Cyber Command created a secret task force, a special mission, and an operation that would become one of the largest and longest offensive cyber operations in U.S. military history.
10
135
258
@WeldPond
Chris Wysopal
2 years
"Computer scientists from Stanford University have found that programmers who accept help from AI tools like Github Copilot produce less secure code than those who fly solo." Looks like there will be a market for AI vuln remediation!
12
78
262
@WeldPond
Chris Wysopal
4 years
The Colonial Pipeline shutdown is a good example of why we need a CyberNTSB. If a criminal group can shut down 45% of the east coast's fuel supply we all have a right to know how this happened and how it should be prevented.
13
52
249
@WeldPond
Chris Wysopal
7 years
Yes those 1981 Hayes Modem Command set AT commands. "including the ability to enable USB debugging, bypass Android security controls, exfiltrate sensitive information, perform screen unlocks, reflash device firmware, and inject touch events solely through the use of AT commands."
@BlackHatEvents
Black Hat
7 years
Vulnerabilities in #Android security controls accessible via the AT command interface #BHUSA Briefing by Grant Hernandez (@digital_cold)
15
148
248
@WeldPond
Chris Wysopal
8 years
Who remembers when technical knowledge was disseminated this way?
Tweet media one
26
38
232
@WeldPond
Chris Wysopal
4 years
Seems my son had a little fun with my keyboard last night.
Tweet media one
20
9
232
@WeldPond
Chris Wysopal
6 years
Please join me in congratulating @chriseng for his new title as @Veracode's Chief Research Officer!
Tweet media one
33
17
237
@WeldPond
Chris Wysopal
6 years
I don't think naming your vulnerability after a popular security tool is a good idea. Have these researchers never heard of netcat?
15
85
232
@WeldPond
Chris Wysopal
4 years
Calling something unhackable is the best thing you can do if you want lots of testers.
16
45
221
@WeldPond
Chris Wysopal
3 years
Who remembers reading newspaper articles on microfiche? We had a portable unit at the L0pht bought at the MIT flea market. Then we found DEC manuals on microfiche. Such cool tech.
22
9
226
@WeldPond
Chris Wysopal
8 months
When a con booth is a metaphor.
Tweet media one
7
53
231
@WeldPond
Chris Wysopal
6 years
A 20th anniversary viewing will be as fun as the 1st time.
Tweet media one
13
32
225
@WeldPond
Chris Wysopal
6 years
The NSA, yes the NSA, is urging people to patch.
13
169
229
@WeldPond
Chris Wysopal
4 years
I see the following advice over and over. Enable 2FA for any sensitive accounts. I don't think people understand how difficult and expensive this is to do (and enforce) across any business with thousands of employees and 100+ SaaS applications.
36
37
227
@WeldPond
Chris Wysopal
4 years
But Macs don't get malware. Yes, you should run AV on your Macs.
9
82
230
@WeldPond
Chris Wysopal
6 years
Cisco patches router flaw by banning Curl user agents. Netcat FTW!
@RedTeamPT
RedTeam Pentesting
6 years
@info_dox @TheHackerNews @bad_packets @hrbrmstr We were also quite surprised to find this /etc/nginx.conf in 1.4.2.20
Tweet media one
5
104
219
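The "Netcat FTW" point is that the User-Agent header is chosen by the client, so a server-side blocklist on it stops exactly one tool and nothing else: the same request typed by hand over a raw socket with a different header string walks straight through. The script below is an added example, not Cisco's code or the nginx.conf from the quoted tweet; it stands up a throwaway local HTTP server that imitates the blocklist "fix" (and, for contrast, a check on a credential the client cannot simply rename), then sends hand-built requests the way `printf ... | nc` would. The admin path and bearer token are constructed.

```python
"""A User-Agent blocklist as a 'patch', bypassed with a raw-socket request.
Added example; the endpoint, token and responses are constructed."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

AUTH_TOKEN = "s3cret-admin-token"   # constructed; stands in for a real session check


class Handler(BaseHTTPRequestHandler):
    mode = "ua_blocklist"   # overridden per server by make_handler()

    def do_GET(self):
        user_agent = self.headers.get("User-Agent", "")
        if self.mode == "ua_blocklist" and "curl" in user_agent.lower():
            self._reply(403, b"forbidden")          # the vendor-style fix
            return
        if self.mode == "auth" and self.headers.get("Authorization") != "Bearer " + AUTH_TOKEN:
            self._reply(401, b"unauthorized")       # a check on something the server controls
            return
        self._reply(200, b"admin page: running-config follows")   # the exposed resource

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def make_handler(mode):
    """Subclass per server so two servers never share the mode flag."""
    return type("Handler_" + mode, (Handler,), {"mode": mode})


def start_server(mode):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(mode))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def raw_get(port, user_agent, extra_headers=()):
    """Hand-built HTTP/1.0 request over a plain socket, i.e. what `printf ... | nc host port`
    sends; HTTP/1.0 makes the server close the connection so we read to EOF."""
    req = "GET /admin HTTP/1.0\r\nHost: 127.0.0.1\r\nUser-Agent: %s\r\n" % user_agent
    for header in extra_headers:
        req += header + "\r\n"
    req += "\r\n"
    with socket.create_connection(("127.0.0.1", port)) as sock:
        sock.sendall(req.encode())
        data = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return int(data.split(b" ", 2)[1])   # status code from "HTTP/1.0 403 Forbidden"


def demo(mode):
    """Return the status each client gets against a server in the given mode."""
    srv = start_server(mode)
    port = srv.server_address[1]
    try:
        return {
            "curl": raw_get(port, "curl/8.4.0"),
            "spoofed": raw_get(port, "Mozilla/5.0"),
            "spoofed+token": raw_get(port, "Mozilla/5.0", ["Authorization: Bearer " + AUTH_TOKEN]),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("ua_blocklist:", demo("ua_blocklist"))   # curl 403, anything else 200
    print("auth:        ", demo("auth"))           # 401 without the token, whatever the UA
```

With the blocklist, only the literal `curl` string is refused; the renamed client reaches the admin page unchanged. With the credential check, the User-Agent value is irrelevant, which is what a fix for an unauthenticated endpoint has to look like.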
@WeldPond
Chris Wysopal
6 years
But it used blockchain.
12
78
211