mh_'s comments

mh_ | 4 years ago | on: Ask HN: Can we ban Twitter links, please?

I wrote this about 13 years ago (a little tongue in cheek) but it held up:

https://sensepost.com/blog/2009/twitter-killed-the-infosec-b...

-snip- There’s something liberating about saying “here’s a link”, as opposed to taking the time to formulate your thoughts into a full blown posting.

We were curious if this twitter-effect was real, imaginary or only applicable to lazy people like us. Thanks to python-twitter and a few lines of script we can look at the blogging habits of some info-sec superstars (and maybe confuse correlation and causation to jump to conclusions while we're at it). -snip-

mh_ | 4 years ago | on: Good attacks make good detections make good attacks (a MySQL booby-trap)

You can wave the encoding away (with a tick-box) but in general, people over-estimate what attackers will "notice". In cases like this, many are as desperate to get the loot as users are when they get phished. Dialogue boxes and browser warnings fade into the background as they hit "accept" to move closer to their goal.

mh_ | 5 years ago | on: We bootstrapped to $11M in ARR

I think it would depend on how those experts roll.

For infosec for example, I think if your product did "X amazing thing", then you'd definitely get a seasoned expert's attention if you tweeted "hey, we built a thing that does X amazing thing, give me 5 minutes and I'll show it to you".

I think there's a part of this that means your product has to convince them in the 5 minutes they give you (or at least has to convince them to give you 5 minutes more).

mh_ | 5 years ago | on: We bootstrapped to $11M in ARR

I've previously pondered how we would have approached our early steps if we were completely unknown, and the best option I can think of is a kind of sincere, influencer marketing approach.

i.e. if you don't have the voice in the industry that people will listen to, find people who do, and get them to see your product. Most industry leaders are constantly looking to up their game, so you should be able to catch their eye, and if your product is awesome, they will say so.

mh_ | 5 years ago | on: We bootstrapped to $11M in ARR

We do average to above average salaries, and all share a profit share bonus at the end of the year. Everyone gets a company credit card to buy books/tech needed to do their jobs. Everyone gets side benefits like an audible subscription, other mini stipends.

It's worth noting that we couldn't always do this (starting off we just went with "decent salaries and smart ppl to work with").

We try to keep doing this right so that we all do well as the company does.

mh_ | 5 years ago | on: We bootstrapped to $11M in ARR

We were a little bit lucky in this regard, because we had some authority in the niche (2 members of our original team had spoken at security conferences internationally for the previous 10 years).

I have lots of thoughts on this though. I think with a low enough burn rate, you can overcome this with a great product, and taking just one bite at a time. i.e. one happy customer, then another. Actual customer happiness is so low, that you just have to do a little better to have people talk about you, and over time it compounds nicely.

mh_ | 5 years ago | on: NSA Owns Everything (2015)

What they (we) are talking about is that nobody caught the attacks.

The article then goes on to explain why, even with hundreds of thousands of ppl doing incident response investigations, nobody caught / correctly attributed these attacks.

mh_ | 5 years ago | on: Port knocking

To defend Canarytokens here (and I'm totally biased because we make it) some tokens can't be easily avoided. I.e. if the token is a Slack/AWS/something API key, then the only way for the attacker to profit is to use it, and the moment they do, they tip their hand. The joy of Canarytokens is not having to set up infrastructure to get the alerting win, with very little effort.

mh_ | 6 years ago | on: Ask HN: Can you source this pg quote?

Thanks! I'm guessing it must have been in the talk given at Google (that the essay is based on) that appears to no longer live on the internet.