@mjg59 That's definitely a tough problem. One too where the ideal solution ends up being different depending on the endpoints, auth mechanisms etc.
lee_holmes@infosec.exchange
Posts
-
Ok!
-
In reply to "Eight password reset emails in a row that I didn’t trigger from Instagram.":
@micahflee @jerry They don't need to learn the mail, they can just try to log in with the username and say "forgot password" and it will send it to you.
-
In reply to "This is a serious question.":
@lorenzofb Oh yeah and there's also the stuff that @racheltobac has done
https://www.youtube.com/watch?v=YRpxYZnvatM
https://x.com/RachelTobac/status/1554444909993607170
https://www.youtube.com/watch?v=GVv833KHqZc
-
In reply to "This is a serious question.":
@lorenzofb Hmm, there's the nerdcore genre - that'll help you branch out.
I.e.: https://www.reddit.com/r/nerdcore/comments/4ho0i3/artistssongs_that_focus_on_digital_security/
https://www.reddit.com/r/nerdcore/comments/5aaaif/nerdcore_music_about_actual_hacking/
-
MTG fan? How about this version that works with regular playing cards!
-
Life hack:
"Convert the discussion in this meeting transcript into a word-based design document. Make sure it covers all of the major areas and design choices explained in the meeting, but doing so like a design document rather than a meeting transcript. Use screenshots from the video where appropriate. For all questions that the security team asked and were answered during the meeting, make sure the 'answers' are rewritten as primary content in the design document under the appropriate major strategic area."
-
In reply to "Sweet!":
Seriously, don't go it alone. Look at these unit tests. SSRF defense is hard!
-
Sweet! The Microsoft anti-SSRF library is now open source: https://github.com/microsoft/antissrf
This has been a core defense for SSRF at Microsoft for some time now. It's insane how complicated the topic really is.
-
Woot woot! BlueHat is back!
-
In reply to "The coreutils Rust rewrite story is pretty funny.":
@lcamtuf Yeah, not a good situation - even doing it in "safe C++" or somesuch would have had the same result. Decades of hard-learned lessons should be encoded in decades of well-written unit tests.
-
Shout out to my homies that still remember the track numbers on the CDs for their favorite songs.
-
In reply to "If I'm a non-security-focused developer who realizes that I have a security requirement for my code, what's the best way to find defenses I might leverage?":
@adamshostack I think the answer should be "Defensive Design Patterns." Good security architects have built up a bank of these in their head: "It looks like you're writing an updater! Here are some best practices around that." Once somebody makes that connection that they are writing an updater, they can always search the internet (or ask AI) for the best practices part - but having that lightbulb moment is not guaranteed.