Hacker Rules


Ping Weafer

Aug 4, 2024, 1:37:09 PM8/4/24
to chuclandgaci
The more civilians take an active part in warfare, the more the line blurs between who is a civilian and who is a combatant. As a result, the risk of harm to civilians grows, and legal experts have asked whether the principle of distinction, the centrepiece of international humanitarian law, will withstand this pressure.

It goes without saying that civilian hackers must respect the law of the countries they operate in. Where these national laws are lenient, not enforced, or if a civilian hacker decides to disregard them, in times of armed conflict international humanitarian law (IHL) provides a universally agreed set of rules that aim to safeguard civilians, and soldiers who are no longer able to fight, from some of the horrors of war. The most egregious violations of these rules constitute war crimes, which may be prosecuted nationally or internationally.


For example, hacking into communication systems to publish information designed primarily to spread terror among civilian populations is prohibited. Likewise, designing and spreading graphic content to spread terror among civilians in order to make them flee is unlawful.


Do not encourage or enable others to conduct cyber or other operations against civilians or civilian objects. For example, do not share technical details in communication channels to facilitate attacks against civilian institutions.


In addition, and specifically with regard to the conduct of private individuals in times of armed conflict, States have undertaken to respect and to ensure respect for IHL. This legal commitment means at least four things:


Third, States have a due diligence obligation to prevent international humanitarian law violations by civilian hackers on their territory (see here, para. 183). Of course, a State cannot prevent all violations of the law. However, it must take feasible measures, such as taking public positions requiring civilian hackers not to conduct cyber operations in relation to armed conflicts, to respect IHL if they do, and suppress violations under national law (see next).


IHL sets out essential rules to limit the effects of armed conflicts on civilians. No one that participates in war is beyond these rules. In particular, every hacker that conducts operations in the context of an armed conflict must respect them, and States must ensure this is the case to protect civilian populations against harm.


A strong password can help individuals protect themselves against hackers, identity theft and other privacy invasions. The strength of a password is a measure of how well it resists guessing and brute-force attacks. It estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of its length, complexity, and randomness.


5. Passwords become harder to crack with each character that you add, so longer passwords are better than shorter ones. A brute-force attack can easily defeat a password with seven or fewer characters.


6. To help you easily remember your password, consider using the first letter from each word in a sentence, a phrase, a poem, or a song title as a password. Be sure to add in numbers and/or special characters.


8. Despite admonitions to the contrary, one easy way to remember your passwords is to write them down and keep them in a securely locked place. Never leave them on a Post-It note on your monitor, in an address book, in a desk drawer, or under your keyboard or mouse pad (or any other obvious place).


While the integrity of your passwords is important to maintain your privacy, it is also important to consider what can happen when you pass away. You may have bank statements, bills, and other important papers that are only accessible online. Your heirs may not be able to access this information without a potentially lengthy and costly court proceeding ordering the website to release the information. You may wish to provide it to your attorney or another trusted individual.


Sometimes you learn some "natural" rules when you've been doing something for a while. Being an indie hacker is no different. Over time, I've identified these rules for my work on bootstrapped indie projects:


"I can build a better version of this in a weekend." never works out. I started to multiply my estimates by at least 3. For any larger unknown or new technology I can't just get out of my head, I add at least another factor of one. Don't know how to do OAuth with this site? Plan another two days for reading yourself into the topic and getting it working properly.


Marketing > Building: If I'm not willing to put at least 3-5 times the (actual!) development time into marketing, I shelve the idea or give it away. Yes, that means "I can build this in a weekend" has already turned into full-time work over weeks by now.


"I can do this better" is seldom worth rebuilding weeks of work someone else has already invested. Generally: none of those million-dollar-over-a-weekend stories (which will never apply to you) show any of the years of learning and preparing for overnight success. I don't believe them, I don't read/watch them. Rome wasn't built in a day, and neither will a successful project be. Sure, there are exceptions - but the exception does nothing more than show the underlying rule.


I only do projects I can and will dogfood myself. It simply doesn't make any sense to build something you aren't even using yourself. How are you going to find out if your features are really solving the problem? Plus, if you aren't getting any direct benefit from it, motivation is going to fall flat in the long run until you get your first customers.


I love to find the right name and snap up the domains quickly. I've even made a project for exactly this! But I have to put on the brakes: No new domains until the old ones are put to use! #DomainersAnonymous


Producing > Consuming: I get it, the Internet is a place full of shiny stuff with something for everyone. But let's be honest: consuming doesn't help in getting anything out of the door. It starts with the latest news/controversy/products/analytics or search console stats/growth-hacking ideas/________ - you name it. It also doesn't stop with the current live-stream of SpaceX launching again or with simply watching YouTube passively while coding - all of these are distracting you from achieving your goals. Sounds tough? Yeah, maybe, but I can't do any of these and be actually productive.


Thinking "Yeah, but ....."? I'm not saying I never watch YouTube or register a domain in overboiling excitement for a new side-project. These are just my personal rules I try to live by. That's all.


Besides tons of crap, the web also has lots of interesting open-source libraries, actually innovative side-projects and awesome free knowledge. Once in a while, I share these awesome web-findings via email. If this sounds like something you are into, subscribe below:


The U.S. Securities and Exchange Commission (SEC) on Wednesday approved new rules that require publicly traded companies to publicize details of a cyber attack within four days of identifying that it has a "material" impact on their finances, marking a major shift in how computer breaches are disclosed.


To that end, the new obligations mandate that companies reveal the incident's nature, scope, and timing, as well as its impact. This disclosure, however, may be delayed by an additional period of up to 60 days should it be determined that giving out such specifics "would pose a substantial risk to national security or public safety."


They also require registrants to describe on an annual basis the methods and strategies used for assessing, identifying, and managing material risks from cybersecurity threats, detail the material effects or risks arising as a result of those events, and share information about ongoing or completed remediation efforts.


"The key word here is 'material' and being able to determine what that actually means," Safe Security CEO Saket Modi told The Hacker News. "Most organizations are not prepared to comply with the SEC guidelines as they cannot determine materiality, which is core to shareholder protection. They lack the systems to quantify risk at broad and granular levels."


That said, the rules do not extend to "specific, technical information about the registrant's planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant's response or remediation of the incident."


The policy, first proposed in March 2022, is seen as an effort to bring more transparency into the threats faced by U.S. companies from cybercrime and nation-state actors, close the gaps in cybersecurity defense and disclosure practices, and harden the systems against data theft and intrusions.


In recent months, more than 500 companies have become victims of a cyber attack spree orchestrated by a ransomware gang called Cl0p, propelled by the exploitation of critical flaws in software widely used in enterprise environments, with the threat actors leveraging new exfiltration methods to steal data, according to Kroll.


Tenable CEO and Chairman Amit Yoran said the new rules on cyber risk management and incident disclosure are "right on the money" and that they are a "dramatic step toward greater transparency and accountability."


That said, concerns have been raised that the time frame is too tight, leading to possibly inaccurate disclosures, given that it may take companies weeks or even months to fully investigate a breach. To complicate the matter further, premature breach notifications could tip off other attackers to a susceptible target and exacerbate security risks.


"The new requirement set forth by the SEC requiring organizations to report cyber attacks or incidents within four days seems aggressive but sits in a more lax time frame than other countries," James McQuiggan, security awareness advocate at KnowBe4, said.
