Bill Lummis
@wblummis.bsky.social
Application security for big tech. Maryland. Father to cute gremlins
Bodyweight roughing the passer calls are not great. I get that it's player safety but in most of them I'm not sure how they expect the defense to move their body to avoid it?
November 9, 2025 at 7:25 PM
Reposted by Bill Lummis
EVERYBODY GO READ THE AWS INCIDENT WRITE-UP! aws.amazon.com/message/1019...
Summary of the Amazon DynamoDB Service Disruption in Northern Virginia (US-EAST-1) Region
aws.amazon.com
October 23, 2025 at 3:47 AM
Reposted by Bill Lummis
This is a clever prompt injection attack. White on white text on a screenshot which Perplexity’s Comet doesn’t protect against as it does with text.
Unseeable prompt injections in screenshots: more vulnerabilities in Comet and other AI browsers | Brave
AI browsers remain vulnerable to prompt injection attacks via screenshots and hidden content, allowing attackers to exploit users' authenticated sessions.
brave.com
October 23, 2025 at 2:48 AM
Reposted by Bill Lummis
I have some really important questions that somehow the authors didn’t anticipate
October 18, 2025 at 6:10 PM
Reposted by Bill Lummis
It's Patch Tuesday and ASP.NET Core has a doozy, with a CVSS score of 9.9, our highest ever. Let's examine why.
The bug enables http request smuggling, which on its own for ASP.NET Core would be nowhere near that high, but that's not how we rate things...
* Thread- (1/7)
Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability · Issue #371 · dotnet/announcements
Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability i...
github.com
October 14, 2025 at 6:01 PM
Reposted by Bill Lummis
Publish your threat models!
Not convinced?
I'll be hosting a talk with OSTIF on Oct 29 @ 2pm CT for you to ask me questions.
Register now and have your questions, thoughts, and comments ready!
luma.com/6fvp6orm
Threat Modeling w/ Adam Shostack · Zoom · Luma
Description Publish your threat models! This talk will cover the idea of publishing threat models, the dangers associated with the idea, and why open source…
luma.com
October 13, 2025 at 7:56 PM
Reposted by Bill Lummis
I guess I haven't clearly articulated this in writing, but friends do not let friends without substantive IT work experience and/or a credible IT degree take cybersecurity career bootcamps in 2025.
They are up to no good. Shenanigans. Malfeasance. They are not a safe way to get a job.
October 8, 2025 at 3:25 AM
Reposted by Bill Lummis
When I worked on social features for online games, my favorite test for whether we were taking player safety into account was the "Ex-boyfriend Test", as in:
If I was your ex-boyfriend, how would I use this feature to make your life miserable?
Bad actors will SQL inject you, but they will also find ways to take your “good faith” features and abuse them: location services, community tagging, voting, auto-moderating with mass reporting.
October 5, 2025 at 9:36 AM
Reposted by Bill Lummis
#OTD 19 September 1991, walkers in the high Ötztal alps on the Italian border, found a body melting out of the ice. It turned out to be the remains of a c.5200 year old man preserved with all his kit.
Of course, it was essential to replicate him in Playmobil.
1🧵
#PlaymobilÖtzi
#PlaymobilInfestation
September 19, 2025 at 9:18 AM
Reposted by Bill Lummis
The Secret Service isn't claiming it foiled any plot targeting the UN General Assembly. Just that a big collection of SIMs (probably used for fraud) could have *potentially* disrupted NYC cell service. The SIMs were in a *35 MILE* radius of the UN.
These headlines are all pretty egregiously wrong:
September 23, 2025 at 9:20 PM
What if the rapture did happen but there was only one guy who qualified so no one noticed
September 23, 2025 at 10:27 AM
Reposted by Bill Lummis
Bases Loaded and No Runs: a brief history of the Baltimore Orioles
September 21, 2025 at 7:59 PM
Reposted by Bill Lummis
They killed Google Reader.
i don't want to hear your most boomer complaint. what's your most millennial complaint?
September 20, 2025 at 1:11 AM
Reposted by Bill Lummis
Has anyone looked through this alleged leak of the GFW code? gfw.report/blog/geedge_...
Geedge & MESA Leak: Analyzing the Great Firewall’s Largest Document Leak
The Great Firewall of China (GFW) experienced the largest leak of internal documents in its history on Thursday September 11, 2025. Over 500 GB of source code, work logs, and internal communication re...
gfw.report
September 14, 2025 at 2:48 AM
Reposted by Bill Lummis
Great write up on this from @lhn.bsky.social here! www.wired.com/story/apple-...
September 14, 2025 at 12:52 AM
Trying to get my kids to hurry getting out the door like
September 13, 2025 at 11:20 PM
Reposted by Bill Lummis
My talk at @containerdays.bsky.social this week was on Kubernetes and post exploitation. I've had a couple of requests for a companion blog post, so here it is. The post looks at some things attackers might do in clusters they've compromised to retain access.
raesene.github.io/blog/2025/09...
Beyond the surface - Exploring attacker persistence strategies in Kubernetes
raesene.github.io
September 12, 2025 at 10:17 AM
Reposted by Bill Lummis
Okay, now that I can stop talking with all caps, why is this important?
So, we're looking for planets like Earth, right? It's the only place we've found with life so far.
What makes it "Earth"? Well, some things include being a rocky planet, and being the right temperature for liquid water. (1/N)
After nearly a decade of saying which JWST result I was most excited about, it's here:
JWST SPECTRA OF THE HABITABLE TRAPPIST-1 PLANETS!
TRAPPIST-1 E!!!
IT'S ... A FLAT LINE!
BUT NOT AS FLAT AS IT COULD BE!?
IS THERE AN ATMOSPHERE?!?!?
WE STILL DON'T KNOWWWWW.
www.nytimes.com/2025/09/08/s...
Hopeful Hint of an Earthlike Atmosphere on a Distant Planet
www.nytimes.com
September 8, 2025 at 8:32 PM
Holy shit that was an unreal catch
September 8, 2025 at 2:33 AM
Reposted by Bill Lummis
looks like I have never posted Derrick Henry's high school game log on BlueSky. time to fix that
September 8, 2025 at 1:17 AM