Documentary photographer, old creaky hacker. Co-author of @OWASP ASVS standard. Blackhat/Brucon Review Board & UK Government Cyber Security Advisory Board
To this day, the most frustrating and stupidest thing mobile device manufacturers have done is remove this from their devices to push inferior Bluetooth headphones
In 1999, a chap called Chris Sawyer wrote a wild game using nothing but Assembly language. The game, Rollercoaster Tycoon, was super addictive, but 99% of the code in assembly? That’s pretty hardcore, right?
If you’ve used @letsencrypt to make use of trivially easy free and open certificate authorities, then you owe a huge amount of gratitude to Peter Eckersley who sadly just left us.
Thank you Peter and RIP
There isn't a cybersecurity/IT skills shortage.
There is a shortage of modern interview skills. We rely too much on outdated whiteboard tests, questions to trick candidates, unnecessary pressure, and lengthy processes.
Bugs happen but it's rare you see a bug that grabs you so hard and makes you nod like a little dog...
CVE-2023-44487 did that for me
good god what a bug and here's why
If 41 lines of code can bypass the authentication process on the administrative interface of FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager (FSWM) on-premise management instances, then something is very wrong.
This is not acceptable @Fortinet
The Sun truly is a despicable rag and recent events have shown how we have to cut off their revenue supply. Many say block the sun, but how?
I've mapped out their entire footprint on the web so you can easily import and block it via your hosts file or firewall.
#TheScum
Decades of UNIX and Linux use have taught me to love the terminal more than any other app out there. If there's one thing I'd recommend any newcomer learn, it's how to tame the command line.
Slack, used by millions and millions for mission-critical design chats, DevOps, security, mergers, and acquisitions, hell the list is endless.
The flaws found by this researcher result in the execution of arbitrary commands on the user's computer.
The TL;DR is wow
Ever wondered what lies beneath that cool looking chip on your bank card? What does it do? Why is it there?
Well here's a little pointless thread that delves into the magic using my @monzo card as an example
We are delighted for Barton Hill to hear that the beautiful piece of artwork which popped up overnight yesterday has been confirmed as a genuine Banksy! Just up the road from our school 🤗 A much welcomed addition to the area.
#streetart #bristol #Banksy #BartonHill @VenturersTrust
hey @1Password & @LastPass here's an idea:
I will give you extra money, on top of the money I give you every month, to use a U2F/FIDO token to access my password manager instead of a master password.
I'm sure I'm not alone here.
This just blows my mind. From a chip encased in silicon, stripping each layer away until you see the ROM and then using 50x magnification you can see the binary 0 and 1s.
@akacastor this is nerd pr0n and a half
I've tried to keep this bottled up, but seeing as we've a whole wave of new people to our industry, maybe it's time to help rather than stand silent.
0hday/Zeroday/0-day exploits should be the least of your worry. Adversaries mostly won't be using them*
This is worrying
NSO Group has a full zero-click zero-day iMessage exploit chain that can install the Pegasus spyware on the latest version of iOS at the time of writing (14.6).
Not the first time iOS has struggled with messaging.
I've agonised for days over this and chatting to my wife has made me realise it's not good to keep quiet, especially given my personal experience. This will be a long and ugly thread I'm afraid about the exploitation of children by those who should know better.
3 years ago I replaced my wife's MacBook with a Pixelbook. It was mostly done for security reasons, for she is the CFO and controls all.
Was the best damn decision I've ever made, security-wise. She can click shit all day long because @Google have made a bloody good OS
I do apologise for the language but just f*** off now with this bullshit. We've had enough of threat intel firms/ambulance chasers telling us how the dark web was the hotbed of all criminality, and now this?
GTFO
I was intrigued about how Alexa listened, the potential for false positives and what was recorded. This was done over Xmas and the results leave me with more questions.
Laptop on tube. With RSA token on lanyard. With full company ID and name. Numerous stickies on desktop with IPs and passwords. No matter what new products come out to protect, fixing fundamental human stupidity issues is a killer
One hour spent setting up father in law's devices to use 2fa, password managers and passphrases. My god we don't make this an easy journey at all. If I struggled with the quirks, how can we expect anyone else to be at ease?
What is very clear to me, at least, from this Conti leak is that we need to seriously stop with Active Directory now. We pretend we know how to do it but the fact is, it continues to be that pig with lipstick on that no one can secure and attackers find so easy to own
This isn’t getting as much exposure as it should. What is being proposed is incredibly dangerous and is a direct attack against the free press. The official secrets act has a place but classifying journalists as spies to stem whistleblowing
Worst statement ever
“To date, we’ve seen no evidence that this vulnerability has been exploited”
Stop using it. It means nothing. There is no all-seeing eye that could possibly give you such insights.
Whatsapp: Pfft RCE via a missed call, check me out!
Microsoft: Whateva!! hold my craft beer, RDP RCE baby!
Linux: oh you two are so cute.. RCE <5.0.3 kernel. Hah, keep up
A rather ugly day for the web
Old security vocabulary: No, can't, control, stop, force, remove, disrupt, destroy, block, denied
New security vocabulary: "let me see if I can get it to work securely", "sure, I'll help", openness, willingness, embracing change
Old security needs to retire.
There is nothing more enjoyable than seeing a pentest happen where testers are part of the sprint
test > defect > confirm > JIRA defect > assigned to dev > fix produced/push > sent back to tester > JIRA closed
This is how it should be done. No to reports. Reports must die
Watching how Zelensky is leading by example has made me yearn for more modern, younger leaders elsewhere and not shrivelled sacks of custard like we currently have.
My concern right now around the security industry is that we are seemingly seeing more layoffs, less investment into security teams and yet breaches going harder than ever before.
it's a worrying trend, NGL
For all that effort, they got awarded $1750
Seventeen Hundred and FIFTY bucks.
@SlackHQ firstly the flaws are a rather large concern, I mean validation is hard but come on, then pay properly, please.
Because this would be worth much more on
Having lived through the first dot-com, the "firewalls will stop it", the "we've a WAF!!", the "do you even next-gen EDR bro?" and now the "AI fixes all", I think this is a bit optimistic
The optics here for @arm are not good at all. This is bullying behaviour and given how much Azeria has done to highlight arm security and research, a poor look for arm.
Update: my blog is currently blocked due to the C&D.
It’ll (hopefully) be back up once this has been resolved and I transferred all my arm related domains to @Arm.
Though I am upset about the impatience despite my willingness to cooperate.
I requested all the data Apple had on me since the dawn of time, which goes back to 2008 with my original iPhone 1. There is such a vast amount of data here to comb through that this will be fascinating, to me at least. Even the bloody U2 album is listed!
It never ceases to amaze me how fellow business people look down upon you for wearing a black t-shirt and jeans and daring to stand in group 1 line. Like a poorly fitted suit jacket and awful brogues maketh the person. So cute
The Internet never fails to make me smile.
Apple M1 benchmark comes out
person decides they need hard facts as they aren't convinced
Original designer of Ultrasparc V reorder unit responds.
Unpopular opinion: you will not buy your way into being secure. No matter what any vendor says or promises, throwing money at a solution rarely gives the results you think. Invest in people. Invest in engineering and build build build.
After spending 8 hours reverse engineering JavaScript, I've come to the conclusion that it is indeed the work of the devil and those who use it and enjoy it are somewhat special and disturbed
Infosec: our redteam will use multi-stage payloads with TLS 1.3 and heavy obfuscation to steal the cash using anonymous relays all over.
Criminals: shut it nerd, crowbar and Vinny
Thanks @lisetteguittard
As a father and a hacker, I’m doing all I can to disrupt and destroy tracking techniques used by all to collect data on us as a family.
We need stronger protection for all, not just our kids. Online marketing needs controlling
🚨 A shocking ~72 MILLION digital data points will be collected by companies on each child by the age of 13.
🚨 This can be sold to marketers who can target and attract each child.
👉 We need stronger national protections for kids.
Full report:
#auspol
7 days solid of log4j and I've decided a break is needed... as such, watching a show about Maine people restoring cabins in Maine.
Tech sucks, I'm moving to Maine to live in a cabin.
Spare a thought for your IT/Network admins desperately trying to make remote working work using clunky VPN tech from the 90s.
If only we had all embraced new ways of working sooner, and not forced people to use on-prem/physical networking
#remoteworking
I too am over the "don't use public wifi" brigade. Often the advice is from tests done over a decade ago, so it's good to see someone actually testing how modern devices behave when interception is happening.
Can anyone tell me why the public WiFi with an attacker in it is unsafe?
I can read all the target's traffic metadata but I can’t read their traffic.
Anybody? The ASD say it’s not safe but I’m not really sure why…..
If you can show me an attack that will do something let me…
An interesting new feature found in @Apple’s latest privacy and security report is that of Link Tracking Protection and I’ve not stopped thinking about this
Exfil via DNS isn’t new but I do respect what @TheContractorio & @DeathsPirate have found here with regards to subtle new ways to move data out of networks
A short thread about what is perhaps the most successful cyber attack in the history of any nation state conducted by a group called “Belarusian Cyber-partisans”. Last month they hacked the servers of Belarusian police and the Interior Ministry. 1/6
For most of us, it's about taking care of IT hygiene. Know what you've got under your control, plan and implement a solid patching routine as quickly as possible and use telemetry. Save the millions for hiring good people, not tech!