Katie🌻Moussouris (she/her) is not coming to Vegas Profile picture
@LutaSecurity CEO @payequitynow MIT&Harvard visiting scholar, @MasonNatSec fellow, 1/2 Chamoru, hacker @k8em0.bsky.social Legacy blue check
Sep 21, 2018 5 tweets 2 min read
I just got this from Twitter, so I asked:
"I received notice that Twitter employees had access to some of my DMs. Which DMs were they exactly? How many Twitter employees had access to them? Were the recipients of my DMs also told that my private messages to them were compromised? Putting this at the top of the replies so that people can stop feeling like they need to correct my original tweet. :) Clarification is in my timeline, but not high enough in the replies to see that it is *even worse* than I initially thought:
Sep 21, 2018 6 tweets 2 min read
I got 2 consecutive restraining orders against an MIT professor, the 1st of which he forced an evidentiary hearing w his own character witnesses & full cross examination of me on the stand, he wasn't disciplined at all.
I was 21. He was 34.
Why do that ever again
#WhyIDidntReport I left my job at MIT, where I'd worked 4 years, moved across the country & became a Linux dev. I chose not to get a 3rd restraining order in San Francisco, so that he wouldn't know where I lived. To this day, now that I'm a public figure, I worry that he will snap & come hurt me.
Aug 29, 2018 11 tweets 3 min read
Marketing can often get things wrong. So can media. I expect technical folk to use technical terms correctly.
"Integration in SDLC" which I've discussed extensively regarding vuln disclosure/bug bounties has little to do with nifty JIRA bug bounty integration (which is cool). It sure makes for glossy marketing to say that it does - but that labels a feature erroneously. It is actually a process. The process can still be missing. Why does it matter so much?
It's like saying a bug bounty can make you more secure - which is a lie without back-end process
Aug 13, 2018 19 tweets 7 min read
Last view of the crime scene that was my invaded hotel room and violated space, courtesy of @CaesarsPalace who still have not told me anything, offered me anything (except to move my room - like that really would prevent their security team screaming at me again). My last #DEFCON The reporting out of this event so far has noted "privacy" concerns. The fact of the matter is, a male's chief concern is privacy. Women's includes that, but our high order bit is that this policy designed to keep people safe from gun attacks *increases* our chance of assault.
Jul 26, 2018 4 tweets 2 min read
TFW you're happy folks are celebrating others & you, yet there's still an annoying focus on your least significant bit, nothing to do with your work. I'm so fucking sick of the "women in" lists. The equality I crave is that professional lists have plenty of unscripted diversity. Also annoying as hell: people coming to me, expecting me to be an expert in diversity & diversity hiring. What the fuck does hacking (my tech background) or policy work have to do with recruiting skills? To me, it's as offensive as expecting all women to know how to cook & clean.
Mar 19, 2018 5 tweets 2 min read
What used to frustrate me as a young professional pen tester was needing to overprove myself each time, whereas junior males were assumed to be more technical than me. Now I get it on Twitter w people who know my work, yet still think dismissing my expertise counts as "debate".
Feb 7, 2018 12 tweets 5 min read
1. @four did a great job under tremendous pressure & made zero excuses. I don't think anyone could've done better under the circumstances. He said Uber made a mistake in both paying extortion (he was clear it wasn't a bug bounty) & failing to notify affected users & drivers. 2. I made the following points:
- it's great that there are more legal ways to report bugs, & ways to be paid bounties, but we are creating a skewed market by saying everyone needs a bug bounty without building a robust overall defense. More bug hunters does not = more bug fixers
Jan 8, 2018 17 tweets 6 min read
The assumption "bug collisions are so common in all software that everyone should assume that for any bug disclosed, it's probably been found by attackers & exploited already" contrasts how scientific research works. Security research is no exception. Bug & research "collisions" can happen due to lots of low-hanging fruit. It can also occur when researchers pay attention to reach other's work. I've discussed researcher "swarming" for years, & recently on stage at BlackHat this summer.
Dec 17, 2017 4 tweets 2 min read
New from me:
Important changes to #Wassenaar protects defenders from export control paperwork impeding #vulnerabiltydisclosure & #incidentresponse . Done? Not yet! Let's celebrate this win for tech/policy collaboration now. What's next? Read on. 🍻🥂🥃
thehill.com/opinion/cybers… All options, including seeking further clarifications, or drafting a proposed domestic export control rule, are all still on the table in the US. There will likely be further opportunities for the public to weigh in on this undecided next move by the US.
Dec 4, 2017 6 tweets 3 min read
Excellent post re hunting #bugbounties . These stats show the researcher's persistence & skilling up, & also inadvertently highlights problems w the #bugbounty ecosystem. What other security job only pays for 57% of your work?
"13% reward rate for 1st month, then 25%, then 57%." I'm a fan of creating incentives. What #bugbounties have turned into is a misinformed (on both hunted & hunter sides) replacement for other security activities. Thoughtful incentives (including but not limited to bounties) creates win-win. The 1st MS bounties had no duplicates.