Troy
@troymarshall.bsky.social
Product Security | Privacy | AI Safety | Digital Trust
This might be the best thing on the internet right now. Step away from the political doom scrolling and enjoy this awesome video.

youtu.be/BI_ovUgXC5U?...
Gen Z writes our marketing script
YouTube video by Prince William Public Libraries
youtu.be
April 17, 2025 at 5:00 PM
“Software engineering is not writing code.”

Generative AI tools are making coding accessible to everyone but that doesn’t mean software engineers are going to be out of a job anytime soon.

serce.me/posts/2025-3...
There is no Vibe Engineering
This article explores the relationship between vibe coding and software engineering.
serce.me
April 6, 2025 at 2:23 PM
Are you securing data and workloads on AWS and wondering when to use Service Control Policies (SCP) vs Resource Control Policies?

www.fogsecurity.io/blog/underst...
Understanding RCPs and SCPs in AWS: Choosing the Right Policy for your Security Needs
Using both AWS Service Control Policies and Resource Control Policies can improve security and data perimeters within your cloud infrastructure. AWS recently released RCPs in late 2024, and this post ...
www.fogsecurity.io
April 6, 2025 at 1:35 PM
Lots of attention on the GitHub action supply chain attack this weekend. Is this the source of the tj-actions/changed-files compromise?

If you’re a GitHub user, time to check if you’re using reviewdog/action-setup.

#supplychainsecurity #github

www.wiz.io/blog/new-git...
GitHub Action supply chain attack: reviewdog/action-setup | Wiz Blog
A supply chain attack on tj-actions/changed-files leaked secrets. Wiz Research found another attack on reviewdog/actions-setup, possibly causing the compromise.
www.wiz.io
March 19, 2025 at 12:18 AM
You can’t have your cake and eat it too.

ISPs don’t want to be regulated as common carriers but want the protections from state regulators that the designation would provide.

arstechnica.com/tech-policy/...
ISPs fear wave of state laws after New York’s $15 broadband mandate
When the FCC isn’t regulating, states have more power to impose broadband laws.
arstechnica.com
February 24, 2025 at 5:58 PM
Good for Apple not caving. However, not so good for the British people.

www.bleepingcomputer.com/news/securit...
Apple pulls iCloud end-to-end encryption feature in the UK
Apple will no longer offer iCloud end-to-end encryption in the United Kingdom after the government requested a backdoor to access Apple customers' encrypted cloud data.
www.bleepingcomputer.com
February 21, 2025 at 10:59 PM
Is OSS dying?

Elasticsearch, Redis, Terraform, and now Semgrep are just a few of the projects that have moved to a more restrictive licensing model in recent years.

What does this trend mean for the future of OSS?
To better distinguish our free, community-driven tool from our commercial platform, we’re rolling out a series of changes. Starting today, Semgrep OSS is now Semgrep Community Edition, and all Semgrep-maintained rules are licensed for internal-use only.

Read more: semgrep.dev/blog/2024/im...
Semgrep | Important updates to Semgrep OSS
We’re making a few updates to the Semgrep OSS engine and rules—now collectively named Semgrep Community Edition!
semgrep.dev
December 14, 2024 at 3:25 PM
Never trust AI to protect your money!

This was a neat challenge. Congrats to the winner!

www.msn.com/en-us/money/...
MSN
www.msn.com
December 2, 2024 at 6:57 PM
There’s a lot of new OSS data science tools being released targeting genAI users. Beware, some tools are not what they seem.

#ai #supplychainsecurity #pypi #python

www.cysecurity.news/2024/11/mali...
CySecurity News - Latest Information Security and Hacking Incidents: Malicious Python Packages Target Developers Using AI Tools
This incident points to risks in downloading unverified packages of open source, more so when handling emerging technologies such as AI.
www.cysecurity.news
November 26, 2024 at 7:52 PM
If you’ve tried GitHub Copilot in the past and weren’t impressed, you should check it out again. The addition of new models like Claude Sonnet and OpenAI o1 models are a huge upgrade!

#GitHub #Copilot #SoftwareEngineering #GenAI
November 21, 2024 at 4:43 PM
Apple has patched vulnerabilities in JavaScriptCore and WebKit. Get those iOS and macOS devices.

www.malwarebytes.com/blog/news/20...
Update now! Apple confirms vulnerabilities are already being exploited | Malwarebytes
Apple has released security updates that look especially important for Intel-based Macs because they are already being exploited in the wild.
www.malwarebytes.com
November 21, 2024 at 2:10 AM
MITRE has released the 2025 edition of the CWE Top 25 Most Dangerous Software Weaknesses List.

2024 has seen XSS overtake Out-of-Bounds Write vulnerabilities for top spot on the list.

cwe.mitre.org/top25/archiv...
CWE - 2024 CWE Top 25 Most Dangerous Software Weaknesses
Common Weakness Enumeration (CWE) is a list of software and hardware weaknesses.
cwe.mitre.org
November 21, 2024 at 12:58 AM
If you’re using one of these D-Link routers, it’s time to upgrade. Don’t forget those routers you might have set up for friends and family too!

EOL in May 2024:
DSR-150
DSR-150N
DSR-250
DSR-250N

DSR-500N EOL 9/2015
DSR-1000N EOL 10/2015

www.theregister.com/2024/11/20/d...
D-Link says replace vulnerable routers or risk pwnage
Vendor offers 20% discount on new model, but not patches
www.theregister.com
November 21, 2024 at 12:20 AM
In a surprising bit of news, a vulnerability has been discovered in a WordPress plug-in for *checks notes* security.

WordPress security plug-in. The very definition of an oxymoron.

www.bleepingcomputer.com/news/securit...
Security plugin flaw in millions of WordPress sites gives admin access
A critical authentication bypass vulnerability has been discovered impacting the WordPress plugin 'Really Simple Security' (formerly 'Really Simple SSL'), including both free and Pro versions.
www.bleepingcomputer.com
November 21, 2024 at 12:02 AM
How do you realistically solve this? I’ve thought about getting rid of my smart phone to reduce my own footprint but the logistics of that are difficult. Should we ban folks in sensitive roles from having devices and bringing them into installations?
WIRED has tracked thousands of US military & intel personnel coming & going from classified sites, incl. NSA hubs & nuclear vaults. We know where they sleep, what they eat, and which brothels they visit.

It's an ocean of blackmail & national secrets within reach of every spy agency in the world.
Anyone Can Buy Data Tracking US Soldiers and Spies to Nuclear Vaults and Brothels in Germany
More than 3 billion phone coordinates collected by a US data broker expose the detailed movements of US military and intelligence workers in Germany—and the Pentagon is powerless to stop it.
www.wired.com
November 20, 2024 at 5:03 PM
If you’re like me and just getting started on Bluesky, these starter packs are a great way to get started filling your feed with relevant content.
In case you are looking for fellow OWASPies bsky.app/starter-pack...
November 20, 2024 at 4:55 PM
Hello, Bluesky!
November 20, 2024 at 3:07 PM