Katie Moussouris

Founder/CEO @LutaSecurity . Bug bounty & vuln disclosure ??. Hacker. MIT Sloan & Harvard Belfer visiting scholar. @NewAmCyber & @MasonNatSec Fellow. She/her.

80306 followers • 6833 following • https://t.co/Rr0sVzPmEc

I have 19900 unread messages in my main inbox.

Had a magical tour of @sydneyobs  last night. Who knew the Bug Nebula was a thing. Who knew that we are so small yet so precious in this vast, expanding, breathtaking universe.

@johnpavlovitz  My mother's high pitched laugh, which I can still hear in my own moments of unchecked, uncensored mirth. I miss her every day.

@caseyjohnellis @Jo3RamY @ZDNeto @stilgherrian you didn't see the presentation. I didn't say that all running these programs are relying on it. So maybe don't judge! Especially when I've been speaking highly of Bugcrowd doing its best to avoid these pitfalls and disasters. Your take on what I said, sight unseen, is a bit daft.

Dynamic, role based access control FTW! MFA all the things! #GartnerSEC 

Someone I'm so glad to call my friend & advisor, the inimitable @marcwrogers  speaks about identity management & threat defense at #GartnerSEC  .

You need to have these, relabeled with members of @TheBADASS_army  , clearly.

Why do I ever speak at all. Thanks for coming to my TED tweet.

Took exactly 3 seconds for one man I call a friend & one man I don't know to immediately criticize me, assuming it was my fault, saying I should have done something different. Guess what: I even asked ahead of accepting for analyst meetings & media to discuss my talk. Cool, bros.

I got 2 consecutive restraining orders against an MIT professor, the 1st of which he forced an evidentiary hearing w his own character witnesses & full cross examination of me on the stand, he wasn't disciplined at all. I was 21. He was 34. Why do that ever again #WhyIDidntReport 

Anonymized Data Set + Anonymized Data Set = De-anonymized Data Set 😱 "took a week to match up 17% of the users and 11 weeks to get to a 95% rate of accuracy. (With the added GPS data from smartphones, it took less than a week to hit that number.)"

How is it that a raccoon climbing a building without food or water for a couple days gets a bunch of TV/social media coverage, yet asylum seekers who traveled farther with their kids being stolen from them at the US border by authorities isn't a daily news story with live video?

Current status: two members of hotel security banging on my door after I asked to go into my room and verify them with hotel security. I'm on speaker phone with hotel security, asking for a supervisor to come verify. I'm terrified. What the hell is this #DEFCON 

Most of my followers are infosec people & not all American. I don't usually explicitly ask for retweets. But the fact the worst storm to make landfall in the US has barely seen any coverage makes me sad & scared for the islands of my family. Please help RT

Paying a ransom isn't illegal, nor should it be. Evading breach notification laws is illegal because the laws were made to stop companies from covering up when PII is or was in unauthorized hands. Don't conflate ransom risk management (ok) w breach notification cover-up (not ok).

Ladies, if he:
- has no vulnerability reporting mechanism like a security@ email
- has no internal process to prioritize & fix bugs
- doesn't fix bugs in a timely fashion
- threatens security researchers with lawsuits & law enforcement
He's not your man, he's a bad vendor

Today, infosec Twitter (re)learned the following are hard:
1. Fixing design bugs in chips
2. Multiparty Coordinated Vuln Disclosure
3. Differentiating authoritative fact vs speculative hype
4. Holding embargoes
5. Naming things so they don't sound goofy
#Meltdown #Spectre

Is Russia still attacking the US? 🍊: yes yes yesyes yesyes yes yes yes yes yes yes yes yes yes yesyes yes yes yes yesye yes yes yes yes yesyes

Last view of the crime scene that was my invaded hotel room and violated space, courtesy of who still have not told me anything, offered me anything (except to move my room - like that really would prevent their security team screaming at me again). My last #DEFCON 