Brad Arkin
@bradarkin
Followers: 4K | Following: 2 | Media: 30 | Statuses: 1K
*New* https://t.co/7SkIGzjJEj : a cleaned up ebook version of Kerckhoffs' "La Cryptographie Militaire" A while back @againsthimself and I read the often-cited seldom-read paper and wanted to share with all! Apropos to classic cryptography, DNSSEC is enabled on the domain. 😂
🚨Important NCSC news 🚨 We're delighted to welcome our new Chief Technology Officer, @ollieatnowhere, to the NCSC. Ollie will play an instrumental role in shaping and delivering the UK’s national approach to cyber security. https://t.co/4IxAWUXBNh
This article is wild. “The driver also reportedly knocked over the casket, but Stonebraker said the body didn't fall out.”
sfgate.com
Family members used a cane and a car as weapons in the dispute, police said.
I wanted to read the new Council for Foreign Relations report about the fragmented Internet (https://t.co/bdq6MkECGX). For reasons that are too annoying to get into, I was using a proxy in Amsterdam. This is what got served up. A bit on the nose, eh?
About my mask. @EricWenger freaked out when I showed up wearing a blue mask with 🍍 on it. He thought it was some subversive reference to the whole @C_C_Krebs #WarOnPineapple https://t.co/0lgvkeVrrB For the record, I didn’t know anything about that.
I was the only person on the connection flight from DCA to EWR, which was really weird.
The session ended about two hours after we started. I went back to the hotel to change out of my suit & tie as fast as possible.
One thing I wasn’t able to work into the Q&A was Cisco’s leadership in a cool new open source project: @gitBOM https://t.co/nDc9ickOII We see this as a complement to the work happening in the SBOM space and encourage folks to get involved.
Throughout the event we updated this page https://t.co/TUyHzlwAzM every ~4 hours as new status updates came in from the various teams across Cisco engineering and IT.
sec.cloudapps.cisco.com
Critical Vulnerabilities in Apache Log4j Java Logging Library On December 9, 2021, the following critical vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions earlier...
By the end of the first weekend of the response (~72 hours after the first log4j patch was released) we largely knew what work had to be done. Most updates were published to customers within 14 days of the initial log4j patch release.
The fastest teams were able to remediate within 24-48 hours and many teams had gotten their code patched fast enough that they got to do it all over again when the second log4j patch was released on Tuesday 14 Dec.
We managed the Cisco response across three “swim lanes:” 1) identify affected “on-premise” products and publish security updates for customers to apply; 2) remediate any impacted customer-facing SaaS/cloud products and 3) remediate any impacted Cisco IT / back-office services.
Ranking Member Portman and I talked about Cisco’s experience shipping security updates to our customers. Cisco published details (https://t.co/TUyHzlwAzM) regarding impacted products and ship dates for each affected product.
After each witness finished reading their prepared statements, we moved to Q&A. @ericgeller https://t.co/7wk1tNftY9 and @aevavoom https://t.co/msc6baQWBf published 🧵s of the session.
5) Executive Order 14028 drives two important areas of work—improving the security of software development so we reduce bugs, find/fix faster; and zero trust networking so we are more resilient when there are problems that require patching.
4) @CISAgov’s Binding Operational Directive 22-01 correctly emphasizes importance of prioritizing efforts to remediate those known vulnerabilities with available patches or mitigations showing signs of active exploitation.
3) Incident reporting legislation like @SenGaryPeters and @SenRobPortman introduced will ideally spur @CISAgov to accelerate timely sharing of actionable information at lowest level of classification possible to vendors who can fix the bugs.