OpenSecurity.global

Kevin Beaumont

Members
  • Content Count

    228
  • Joined

  • Last visited

  • Days Won

    32
  • Invited by

    DarkOverlord

Posts posted by Kevin Beaumont


  1. It’s definitely fun, the real name thing has generated a bunch of issues I expected and a bunch of things I haven’t. Same with the invite system. 

    The way I look at it, the site isn’t for everybody, and that’s okay. As different platforms provide different things. I’ve thought about dropping both real names and invites, but then you basically become Hackforums. 

    My hope with what we currently have is people use it to post content which helps others, and a majority of that is visible to all. Then as that grows, we invite more people to the point where it is easier to get an invite than not.

    We may also get into a position where the site just dies of lack of interest (I think the most likely scenario), and that’s okay too - I like experiments. We’ll see what it looks like in a few months. 


  2. I really liked this, thanks for writing. Our community is really bad for this I think (although as mentioned it’s definitely not unique - it’s a human condition and herding thing). 

    It’s always amusing when I hear people dismissed as script kiddies, especially when they’re busy breaking through all the corporate security controls. If you think they have no talent and they’re able to get into your network, you might want to introspect. 

    • Like 2

  3. The most popular feature on this website is forgot password, true story. 

    I can say from experience, when people lose their phone they will likely get locked out. I’ve seen it happen first hand, even with IT people, as they just don’t understand how Google Authenticator works.

    At scale you have to offer phone recovery, as it’s a business imperative - with Twitter they have 71,000 users per staff member. They can’t afford to have people locked out, literally. 

    • Like 1

  4. Counterpoint - having deployed these solutions at scale, SMS and phone calls are the way to go. Apps are too complex for many users, and there’s a very high probability of users getting locked out.

    Here is a classic example - half the users have just configured Google Authenticator. That will be the 50% of users who lose access when they lose their phones or upgrade in a few years, as the tokens are lost and I don’t offer a recovery process. Those who set up Authy will retain access as it has phone backup. 

    • Like 2

  5. I've generally been messaging people to enforce the real name policy, but I've just deleted 5 accounts where they haven't replied or I haven't had time to message them - if you registered with only a first name or a nickname and I deleted you, please get another invite and use a real name.  Cheers.


  6. 6 hours ago, Alan Coo said:

    Is it possible (and desirable?) to perhaps redact displaying surnames to readers who aren't logged in?

    I don’t have an easy way of doing so, unfortunately - plus it would get confusing as there’s multiple people with same first name. 


  7. The second bucket, http://akhtaboot.s3.amazonaws.com/, has been fixed by AWS security after Akhtaboot failed to reply to emails. 

    It was Akhtaboot, a large Middle East jobs site which allows you to apply via Facebook. It hosted both CVs and proof of identity and certification. 


    Since both sets of data are now no longer publicly accessible I will open this topic.

    One company cannot disclose to customers as they are bankrupt. The other, Akhtaboot, has not disclosed to customers. 

    I have many more CV buckets across multiple cloud providers, those will be separate topics. 
