Weld Pond | Chris Wysopal
@WeldPond
Followers
56,687
Following
1,029
Media
1,537
Statuses
29,590
Hacker. Co-founder/CTO Veracode. Former L0pht security researcher. GenAI Auto-repair of vulns is the future @weld @infosec .exchange
Boston, MA
Joined March 2008
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
JUNGKOOK
• 708543 Tweets
casilla
• 300158 Tweets
NEVER LET GO IS COMING
• 197434 Tweets
#EleccionesMéxico2024
• 190721 Tweets
Flamengo
• 161594 Tweets
Rojo
• 56145 Tweets
Racing
• 55968 Tweets
Maldives
• 55078 Tweets
Whindersson
• 54021 Tweets
بن نافل
• 40863 Tweets
O Vasco
• 34471 Tweets
THE CLIMB
• 29243 Tweets
Sinner
• 26002 Tweets
Sporting
• 24346 Tweets
RIP Rob
• 21599 Tweets
Allan
• 18654 Tweets
Metz
• 16549 Tweets
Rony
• 14405 Tweets
Beileid
• 12944 Tweets
Oviedo
• 12670 Tweets
David Luiz
• 11029 Tweets
Cebolinha
• 11008 Tweets
Rossi
• 10822 Tweets
Moutet
• 10640 Tweets
Pinned Tweet
.
@jonsakoda
is a great interviewer. We went deep and way back. “How Hackers Became the Celebrities of Cybersecurity” - The Decibel Podcast: Founders Helping Founders
0
3
15
So the Secret Service stuck Zhang's thumbdrive into their computer.
1K
5K
12K
What are all the people who used "Sign in with Facebook" doing now?
112
563
3K
We've lost a true pioneer of the digital world, Kevin Mitnick. His ingenuity challenged systems, incited dialogues, and pushed boundaries in cybersecurity. He will remain a testament to the uncharted power of curiosity.
#RIPKevinMitnick
80
857
3K
.
@sifutweety
pointed out that the fact that this is getting so many retweets is a credit to infosec education -- everyone knows this is a stupid idea.
48
176
2K
Does anyone want to share 15% of their password?
331
259
2K
"There are nearly 600K unfilled cybersecurity jobs in the U.S. right now, and about 3.5M open roles globally, says Lisa Gevelber, Google’s chief marketing officer for the Americas"
This is because all the openings are entry level positions requiring 5 yrs experience.
85
257
2K
Log4j 2.16.0 is out and completely disables JNDI by default.
17
766
2K
Current status: Sorry, I’ll have to get back to you. I’m dealing with an open source issue.
49
244
2K
"Password expiration requirements do more harm than good, because these requirements make users select predictable passwords"
Thank you Microsoft. NIST agrees. Everyone who attacks password auth agrees. Can we get compliance to update their requirements.
35
496
2K
House passes Protecting Americans’ Data from Foreign Adversaries Act, H.R. 7520
17
281
1K
An infrastructure bill should include funding for cybersecurity. The internet is critical infrastructure for public and private realms in the 21st century.
24
167
1K
No government helped WannaCry victims. It was independent security researchers who found & used the kill switch, and built a decryption tool
31
696
1K
3.5" floppy disks may be obsolete but their ghosts live on in cyberspace as little save button outlines
34
143
939
I'd rather hire someone who knew how to use netcat than someone who thinks one of these answers is correct.
65
281
927
The patched version of log4j 2.15.0 requires a minimum of Java 8. If you are on Java 7 you will need to upgrade to Java8
When there is active exploitation and you need to patch fast it is beneficial if you have been updating your other dependencies over time.
13
238
868
The cryptocurrency ecosystem requires a lot of “trusting people not to write bugs.”
40
276
836
For Apache Log4j remediation priority it seems the best approach right now is:
1. log4j 2.x through 2.14 - update to 2.16
2. log4j 1.x - update to 2.16
3. log4j 2.15 - update to 2.16
30
192
793
Tonight Pres. Biden mentioned cybersecurity twice. Once as a career a student can learn at a community college (potentially for free) and once as an example of a global challenge where the U.S. can’t go it alone. This bodes well for a more secure digital world.
12
115
765
Put on guest network. Tape over camera. Snip wire on internal mic.
I'm available for additional White House IoT security consulting.
16
80
771
Korean researchers have developed a set of attacks against some solid-state drives (SSDs) that could allow planting malware in a location that's beyond the reach of the user and security solutions.
21
298
749
"We [Facebook] also describe our in-house BGP software implementation, and its testing and deployment pipelines. These allow us to treat BGP like any other software component, enabling fast incremental updates."
19
186
753
Zoom video conferencing zero day patch now available.
11
204
721
Going through TSA tonight I got randomly flagged for an electronics inspection. Seeing the stickers on my laptop the agent asked if this was my college laptop. I didn’t have the guts to tell him they didn’t have laptops when I graduated college.
29
54
719
Like if you wrote software that had menus like this.
55
41
695
“But the [Luxor] beam has also become a magnet for grasshoppers, which experts say could linger in Las Vegas for weeks.” The Luxor is next to the Black Hat conference hotel. This is not the bug bounty I was expecting.
26
200
681
I first learned hacking from underground BBSs. Banning demos/info from mainstream services will harm security. One of my earliest hacker lessons is all cybersecurity info is dual use. Let's stop pretending learning about attacks is harmful.
24
193
667
A disaster foretold — and ignored. L0pht’s warnings about the Internet drew notice but little action
http://t.co/ZRnZVFdw56
64
305
632
How Banksy authenticates his work.
7
253
629
Not the best way to open an email to a security person.
"Chris,
I would like to introduce you to XXXX, the premier global solution for non-hackable, completely secure and authentic long term data storage."
68
26
564
If Trump is soliciting Russian hackers to find Hillary's missing emails isn't he taking away jobs from hard-working Americans hackers?
20
330
532
We’re going to start seeing a lot of these signs.
10
184
515
Singapore launches cyber security label for smart home devices.
11
204
518
What a crypto backdoor looks like. NSA Backdoor Key from Lotus-Notes
10
238
473
On Sunday, it will be 25 years since day was registered. was a homebrew 486 33MHz running a Slackware distribution of Linux 1.0 on a 28.8K dialup line to . The machine also ran mail and routed our class C.
13
95
462
Turn off your ad blocker they said.
6
264
448
This is a good time to reconsider giving yet more usage information to data aggregators like Facebook by using their sign in with feature.
5
69
438
The head of a pen testing company redacted text by overlaying black boxes and saving it as PDF.
37
48
438
We are entering the era of forever vulnerable hardware. D-Link router with CVSS 10.0 vuln won't get a patch because it is EOL.
32
243
407
the attack leveraged a unique design flaw of the open-source ecosystems called dependency confusion.
7
148
396
Leaving Tokyo now and I have to say it is the most cyberpunk city I have visited.
11
144
392
Costumes from the movie "Hackers" on display in a London gallery.
5
88
396
OH from some 90's hackers:
"I hacked NASA" is straight up there with "I had a newspaper route"
21
34
381
27 year old invoice for
@L0phtHeavyInd
56 kbps dedicated line which ran our website and gave our LAN internet access. We eventually stepped up to 128 kbps ISDN as we sold more shell accounts, t-shirts and archive CDs.
25
34
387
Imagine if election security hadn't improved in the last 4 years and instead of the current 95% paper ballots we were back at 82% like in 2016. Our democracy depends on secure elections. Thank you to all the patriots who defended and continue to defend our elections.
7
30
348
The Senate Cyber caucus had a surprise for me when I came to speak today
18
58
356
Syncing your phone to the car or having a built in GPS are privacy risks. Cars don’t have the data protection of a modern phone.
18
163
344
Following a serious vulnerability disclosure affecting casinos globally, an executive of casino technology vendor Atrient has assaulted the security researcher who disclosed the vulnerability at the ICE conference in London.
18
243
325
Today is the 25th anniversary of my testimony to the U.S. Senate as part of a group of 7 hackers from the L0pht. The hearings were titled, "Weak Computer Security in Government: Is the Public at Risk?" (cont)
6
64
323
I'm happy to see secure network shell access promoted.
7
228
305
What was the very first cybersecurity task you remember doing? For me it was turning off services in /etc/inetd.conf to harden a default Linux install.
184
21
311
My son graduated today from the U of Oregon with a degree in music performance and I couldn't be happier. 🎺
24
0
310
Looks like they gave this poor guy all the workstations for all of the still open positions.
19
43
305
DEFCON [videos on YouTube] is cancelled.
23
179
297
How much is my PiHole is costing them? Can simple network blocking evaporate 10s of $billions? Is it really this easy to gain privacy and destroy value.
11
59
305
I’m shocked that they have been unable to fill this cybersecurity leadership position for $109k.
33
50
295
Hey U.S. govt. look here! "The Swiss government has issued a 150,000 Swiss franc (US$149,790) challenge to online hackers; break into our new generation electronic voting system and we'll reward you."
12
174
284
I can't wait to give this a read.
11
71
298
ProTip: looking for a way to bypass NAC when you are on premises? Find an unused docking station that has ethernet. Its MAC is already approved.
11
38
298
Does everyone with a stickie or cover over their Mac camera feel more justified tonight?
47
65
283
A 13 yo notified the city that 35K student records were exposed. Police confiscated his computer. Then an online bank offered him a job.
3
101
279
"Computer scientists from Stanford University have found that programmers who accept help from AI tools like Github Copilot produce less secure code than those who fly solo."
Looks like there will be a market for AI vuln remediation!
13
84
281
The Colonial Pipeline shutdown is a good example of why we need a CyberNTSB. If a criminal group can shut down 45% of the east coast's fuel supply we all have a right to know how this happened and how it should be prevented.
15
59
280
A response to ISIS required a new kind of warfare, and so the NSA and U.S. Cyber Command created a secret task force, a special mission, and an operation that would become one of the largest and longest offensive cyber operations in U.S. military history.
12
142
275
Yes those 1981 Hayes Modem Command set AT commands. "including the ability to enable USB debugging, bypass Android security controls, exfiltrate sensitive information, perform screen unlocks, reflash device firmware, and inject touch events solely through the use of AT commands."
Vulnerabilities in
#Android
security controls accessible via the AT command interface
#BHUSA
Briefing by Grant Hernandez (
@digital_cold
)
3
33
60
21
165
274
Who remembers when technical knowledge was disseminated this way?
30
44
267
Seems my son had a little fun with my keyboard last night.
22
10
257
Calling something unhackable is the best thing you can do if you want lots of testers.
17
47
252
Who remembers reading newspaper articles on microfiche? We had a portable unit at the L0pht bought at the MIT flea market. Then we found DEC manuals on microfiche. Such cool tech.
25
10
258
I don't think naming your vulnerability after a popular security tool is a good idea. Have these researchers never heard of netcat?
19
93
251
The NSA, yes the NSA, is urging people to patch.
14
190
248
A 20th anniversary viewing will be as fun as the 1st time.
16
33
248
I see the following advice over and over.
Enable 2FA for any sensitive accounts
I don't think people understand how difficult and expensive this is to do (and enforce) across any business with thousands of employees and 100+ SaaS applications.
42
36
249
But Macs don't get malware. Yes, you should run AV on your Macs.
9
89
249
Cisco patches router flaw by banning Curl user agents. Netcat FTW!
@info_dox
@TheHackerNews
@bad_packets
@hrbrmstr
We were also quite surprised to find this /etc/nginx.conf in 1.4.2.20
48
417
1K
7
114
236
Don't fear the tool. Fear the vulns. Police are alerting on
@flipper_zero
's potential for bypassing access control systems. I wouldn't call it a bypass. These are systems *missing* access control and relying on solely security by obscurity.
12
78
236
But it used blockchain...
13
86
234
Re: log4j 2.17.1. Wherever RCE or “arbitrary code execution” is mentioned it needs to be qualified with “where an attacker with permission to modify the logging configuration file” or you are overhyping this vuln. This is how you ruin relationships with dev teams.
Apache has released an update for
#Log4j
to address a newly discovered arbitrary code execution
#vulnerability
, making it the 5th security flaw discovered in the span of a month.
Read details:
#infosec
#cybersecurity
#hacking
3
17
11
13
50
237
I bet the NSA knows about this one.
25
71
231
Beto O’Rourke Rocked by Scandal as High-School Mixtape Appears to Include REO Speedwagon
12
37
220
“the Zoom app apparently installs a web server on Macs that accepts requests regular browsers wouldn’t. In fact, if you uninstall Zoom that web server persists and can reinstall Zoom without your intervention.”
9
173
215