Katie🌻Moussouris (she/her) is not coming to Vegas
@LutaSecurity CEO @payequitynow MIT&Harvard visiting scholar, @MasonNatSec fellow, 1/2 Chamoru, hacker @k8em0.bsky.social
Sep 21, 2018 5 tweets 2 min read
I just got this from Twitter, so I asked:
"I received notice that Twitter employees had access to some of my DMs. Which DMs were they exactly? How many Twitter employees had access to them? Were the recipients of my DMs also told that my private messages to them were compromised?
Putting this at the top of the replies so that people can stop feeling like they need to correct my original tweet. :) Clarification is in my timeline, but not high enough in the replies to see that it is *even worse* than I initially thought:
Sep 21, 2018 6 tweets 2 min read
I got 2 consecutive restraining orders against an MIT professor, the 1st of which he forced an evidentiary hearing w his own character witnesses & full cross examination of me on the stand, he wasn't disciplined at all.
I was 21. He was 34.
Why do that ever again
#WhyIDidntReport
I left my job at MIT, where I'd worked 4 years, moved across the country & became a Linux dev. I chose not to get a 3rd restraining order in San Francisco, so that he wouldn't know where I lived. To this day, now that I'm a public figure, I worry that he will snap & come hurt me.
Aug 29, 2018 11 tweets 3 min read
Marketing can often get things wrong. So can media. I expect technical folk to use technical terms correctly.
"Integration in SDLC" which I've discussed extensively regarding vuln disclosure/bug bounties has little to do with nifty JIRA bug bounty integration (which is cool). It sure makes for glossy marketing to say that it does - but that labels a feature erroneously. It is actually a process. The process can still be missing. Why does it matter so much?
It's like saying a bug bounty can make you more secure - which is a lie without back-end process
Aug 13, 2018 19 tweets 7 min read
Last view of the crime scene that was my invaded hotel room and violated space, courtesy of @CaesarsPalace who still have not told me anything, offered me anything (except to move my room - like that really would prevent their security team screaming at me again). My last #DEFCON
The reporting out of this event so far has noted "privacy" concerns. The fact of the matter is, a male's chief concern is privacy. Women's includes that, but our high order bit is that this policy designed to keep people safe from gun attacks *increases* our chance of assault.
Jul 26, 2018 4 tweets 2 min read
TFW you're happy folks are celebrating others & you, yet there's still an annoying focus on your least significant bit, nothing to do with your work. I'm so fucking sick of the "women in" lists. The equality I crave is that professional lists have plenty of unscripted diversity. Also annoying as hell: people coming to me, expecting me to be an expert in diversity & diversity hiring. What the fuck does hacking (my tech background) or policy work have to do with recruiting skills? To me, it's as offensive as expecting all women to know how to cook & clean.
Mar 19, 2018 5 tweets 2 min read
What used to frustrate me as a young professional pen tester was needing to overprove myself each time, whereas junior males were assumed to be more technical than me. Now I get it on Twitter w people who know my work, yet still think dismissing my expertise counts as "debate".
Feb 7, 2018 12 tweets 5 min read
Yes.
1. @four did a great job under tremendous pressure & made zero excuses. I don't think anyone could've done better under the circumstances. He said Uber made a mistake in both paying extortion (he was clear it wasn't a bug bounty) & failing to notify affected users & drivers.
2. I made the following points:
- it's great that there are more legal ways to report bugs, & ways to be paid bounties, but we are creating a skewed market by saying everyone needs a bug bounty without building a robust overall defense. More bug hunters does not = more bug fixers
Jan 8, 2018 17 tweets 6 min read
The assumption "bug collisions are so common in all software that everyone should assume that for any bug disclosed, it's probably been found by attackers & exploited already" contrasts how scientific research works. Security research is no exception.
Bug & research "collisions" can happen due to lots of low-hanging fruit. It can also occur when researchers pay attention to each other's work. I've discussed researcher "swarming" for years, & recently on stage at BlackHat this summer.
Dec 17, 2017 4 tweets 2 min read
New from me:
Important changes to #Wassenaar protects defenders from export control paperwork impeding #vulnerabiltydisclosure & #incidentresponse . Done? Not yet! Let's celebrate this win for tech/policy collaboration now. What's next? Read on. 🍻🥂🥃
thehill.com/opinion/cybers…
All options, including seeking further clarifications, or drafting a proposed domestic export control rule, are all still on the table in the US. There will likely be further opportunities for the public to weigh in on this undecided next move by the US.
Dec 4, 2017 6 tweets 3 min read
Excellent post re hunting #bugbounties . These stats show the researcher's persistence & skilling up, & also inadvertently highlights problems w the #bugbounty ecosystem. What other security job only pays for 57% of your work?
"13% reward rate for 1st month, then 25%, then 57%."
I'm a fan of creating incentives. What #bugbounties have turned into is a misinformed (on both hunted & hunter sides) replacement for other security activities. Thoughtful incentives (including but not limited to bounties) create win-win. The 1st MS bounties had no duplicates.