breadtk's comments

breadtk | 8 years ago | on: Ask HN: Who is hiring? (May 2017)

Amazon Web Services (AWS) Security team is hiring in Seattle (WA), Herndon (VA), Dublin (Ireland), and Sydney (Australia). We're looking for folks interested in the following areas:

* Penetration testing and general software breaking

* Application Security & Design

* Incident Response

* Compliance / Security Assurance

* General software engineering

Successful candidates are those that can not only break software, but are also able to build software. No formal education is required, but demonstrable technical prowess is encouraged.

Other particulars: Relocation is available. VISA sponsorship may be possible for qualified candidates. Remote work is not available.

Interested individuals should send their resume, professional/technical background information, and the areas in which you're interested in exploring career options to "b3NtYW5zQGFtYXpvbi5jb20K" (base64 decode it) and use the subject line "HN May 2017" to be considered. No recruiters.

breadtk | 9 years ago | on: Ask HN: Who is hiring? (October 2016)

Amazon Web Services | SEA | Security Engineer | ONSITE

In 2006, Amazon Web Services (AWS) began offering IT infrastructure services to businesses in the form of web services -- now commonly known as cloud computing. Today, Amazon Web Services provides a highly reliable, scalable, low-cost infrastructure platform in the cloud that powers hundreds of thousands of businesses in 190 countries around the world.

AWS's Application Security team is looking for security professionals interested in working in the areas of:

* Penetration testing

* Application security

* Automation

* Building of security services

Ideal applicants have a strong passion for the field of computer security and have experience programming/scripting away problems. Professional experience and/or a degree from a university is not a prerequisite if the candidate is able to demonstrate his/her competency in other ways.

To learn more about these positions and others, please reach out to me directly at osmans _at_ amazon.com with a subject line of "HN Hiring (OCT 2016)" and information about which area of computer security listed above you are interested in; alternatively, you can also tweet/DM me at @surkatty.

breadtk | 9 years ago | on: Researchers crack open malware that hid for 5 years

I believe it's less about fear mongering and more about understanding the level of sophistication of the software. Talk to an anti-malware analyst and they'll tell you how commoditized the malware game is nowadays. There's an endless stream of malware and ransomware which can be linked back to just a handful of frameworks. These types of malware families also fall under the spray-n-pray mentality for distribution: spam, drive-by downloads, infected torrents, etc.

Compare the mass of malware that is out there with the level of technical sophistication, OPSEC to prevent detection, and precise targeting of its victims. Along with other big-name malware (e.g. Stuxnet, Flame, etc.), this class of malware is very precise in its objective. It isn't trying to make money for its owners. It isn't trying to replicate itself across the internet endlessly. Rather, it has a key objective of infecting a specific set of networks. So when researchers call out the fact that it is likely to be "state sponsored", they are saying the purpose of the malware is very different from your average piece of malware.

breadtk | 10 years ago | on: SHA1 sunset will block millions from encrypted net, Facebook warns

It isn't _completely_ broken. That is why FB is still advocating for a two-tiered approach (SHA2 when possible, SHA1 everywhere else). SHA1 hash collisions are indeed now within the range of well-funded governments, but it is not within the range of your average script kiddie to find possible collisions. To prove my point, I'd ask you to find an arbitrary Root CA cert which uses a SHA1 hash and attempt to clone it. I think you'll find that this still takes a considerable amount of effort and/or it is completely out of reach.

I should be clear that SHA1 shouldn't be used for cryptographic purposes that require a high amount of trust, but for your average everyday FB status updates it is probably fine when coupled with other protections.

breadtk | 10 years ago | on: SHA1 sunset will block millions from encrypted net, Facebook warns

Facebook's user base as of January 2014 was at 1.24B monthly users[1]. According to FB's post, up to 7% of their users do not support SHA2 certs. This would mean approximately 86.8m FB users alone would be affected by full-stop SHA1 degradation. I'm happy to see FB has implemented a mechanism for selective cert selection, and other organizations that care about their users' security ought to look at them for a model on how to approach this methodically.

SHA1 isn't great, but it is certainly better than plaintext communications.

[1] http://thenextweb.com/facebook/2014/01/29/facebook-passes-1-...

breadtk | 10 years ago | on: Ask HN: Who is hiring? (July 2015)

AWS is looking for Security Engineers of all skill levels!

Locations: Seattle (WA), Herndon (VA), New York (NY), Sydney (AUS), and Dublin (IRL)

All positions are full time with benefits and possible international relocation/visa sponsorship for great candidates.

AWS is one of the world's largest cloud hosting environments and we're looking to scale up our existing fleet of security engineers. We're looking for engineers passionate in the areas of:

* Security engineering

* Red team / penetration testing

* Incident response

* Cryptography

* Network protocols

* Application Security

* Web application

* Large scale automation tasks

* And pretty much any other topic related to Information Security

No prior knowledge of AWS is required; however, it would be preferable.

Interested candidates should send their resumes as a PDF to => osmans @@ amazon . com <= with the subject line "HN Thread".

(keywords: cloud, security, information security, and begrudgingly 'cyber')

breadtk | 11 years ago | on: BIT Poised to Become Publicly Traded Bitcoin Fund

It's the same reason why you don't buy and own steel, but rather you buy stock in a mining conglomerate or a refinery. Owning a piece of a business in the long run may be less volatile than the commodity itself, though the two can't necessarily be separated in terms of future outlook.