
Every submission is carefully manually reviewed. Keep 'em coming. Get patched today, whether your change control management likes it or not!

Are you in IT security yet not allowed to patch vulnerable systems?
Do you have five bosses, each of which must approve changes?

Enter Undocumented Admin!

Friendly white-hat hackers who gently access your vulnerable systems and patch them for you

Sign up: undocumentedadm.in/

Extract this archive and use as in previous screenshot:
scriptjunkie.us/files/scriptcs
All files are from the chocolatey scriptcs package with presumably good reputation. chocolatey.org/packages/script

You know you can embed C# in a PowerShell script (but the PowerShell scanning and logging makes it no longer great for hacking, not to mention that it internally compiles and loads a .dll), but did you know about the C# REPL scriptcs?
- Known good EXEs/DLLs
- No AMSI, logging...

You need ad-level micro-targeting on your phishing lures so you know who will open HappyHolidays.exe and who will open MerryChristmas.exe

People are talking about how they support inclusion. Well I don't!

Include statements in PHP and C are a mess! Module imports like other languages have are much cleaner.

The vast majority of vulnerability researcher positions are in support of DoD/IC/LE for example. But advocacy is rare to see here, possibly due to overclassification and STFU OPSEC. Either way, they seem to heavily incorporate public techniques and code.

Again, I think it's interesting that info security/defense/blue is assumed to be the ultimate goal in so many of these discussions. The US and presumably others seem to value more (spend more on) offense than all of defense-focused infosec.

Normally I only share opinions on the release of hacking code with a trusted circle of vetted friends. Since many of them are leaking and being used by unsavory actors I am compelled to release the compendium here.
scriptjunkie.us/2019/12/should

Programming is staring at a computer frustrated it isn't working like it's supposed to. Hacking is staring at a computer frustrated it's working like it's supposed to.

20 years ago right now a significant number of people were ditching town, heading to cabins in the woods they bought to survive the Y2K digital collapse.
19 years ago they looked like fools.
Now it's starting to seem like a better and better idea.

Server TCP stack (sending data): SEQ1 SEQ2 SEQ3 SEQ4 SEQ5...

Client TCP stack: ACK2 ACK3 ACK4 ACK4 ACK4

Server: Don't ACK like I never told ya

"Every person who... subjects, or causes to be subjected, any citizen of the United States or other person within the jurisdiction thereof to the deprivation of any rights, privileges, or immunities secured by the Constitution and laws, shall be liable..." but QI says "nah"

Which ironically was passed because Congress was concerned that...

What RATM said. Literally. That's literally why they passed it. That's why it's the KKK act.

Another example of horrendous abuses excused by Qualified Immunity. The courts made up QI, which is not in the Constitution or federal law, to shield gov officials from liability for violating your rights. They should be liable due to the 1871 KKK act.
twitter.com/RMFifthCircuit/sta

Signal's solution to lost devices: a simple password + lots of crypto and SGX to limit brute force attacks. At no point does the article mention credential stuffing or password reuse. Ughhhhh. It would grant the attacker your master keys.
mobile.twitter.com/matthew_d_g
