
Did you know, on Zyxel GS1200-5 switches they use a crappy admin password encoding algorithm that makes the password “Password6” interchangeable with “p5ssWor8b”? It ignores case and overlaps characters a-e with 5-9. Also, shout out to @hdm and @runZeroInc for including Zyxel’s info-disclosing system_data.js data in their runZero scan results! Read all about my adventures bug hunting this switch. This is my nemesis project and has taught me so much about #reverseengineering and #hardwarehacking.
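The following is an added example, not code from the post or from Zyxel's firmware. It models only the two properties the post names (case is ignored, and the letters a-e collide with the digits 5-9); the real GS1200-5 encoding is an assumption it does not reproduce. Given that model it shows why “Password6” and “p5ssWor8b” land on the same value, enumerates every string that logs in as “Password6”, and measures how much of the alphanumeric keyspace an attacker no longer has to search.

```python
import itertools
import math
import string

# Assumption: the real GS1200-5 encoding is not reproduced here. This models
# only the two properties the post names: case is ignored, and the letters
# a-e collide with the digits 5-9.
DIGIT_FOR_LETTER = {"a": "5", "b": "6", "c": "7", "d": "8", "e": "9"}
LETTER_FOR_DIGIT = {d: l for l, d in DIGIT_FOR_LETTER.items()}


def canonicalize(password: str) -> str:
    """Map a password to the representative of its equivalence class."""
    return "".join(DIGIT_FOR_LETTER.get(ch, ch) for ch in password.lower())


def are_interchangeable(a: str, b: str) -> bool:
    """True when the modelled encoding cannot tell the two passwords apart."""
    return canonicalize(a) == canonicalize(b)


def equivalent_variants(password: str) -> list[str]:
    """Enumerate every string the modelled encoding accepts in place of `password`."""
    choices = []
    for ch in canonicalize(password):
        options = {ch}
        if ch in LETTER_FOR_DIGIT:           # a digit 5-9 also matches a-e in either case
            letter = LETTER_FOR_DIGIT[ch]
            options |= {letter, letter.upper()}
        elif ch in string.ascii_lowercase:   # any other letter also matches its uppercase form
            options.add(ch.upper())
        choices.append(sorted(options))
    return ["".join(p) for p in itertools.product(*choices)]


def effective_alphabet_size(alphabet: str = string.ascii_letters + string.digits) -> int:
    """How many distinguishable symbols survive the encoding (62 alphanumerics go in)."""
    return len({canonicalize(ch) for ch in alphabet})


def lost_entropy_bits(length: int, alphabet: str = string.ascii_letters + string.digits) -> float:
    """Bits of keyspace an attacker no longer has to search for a password of `length`."""
    return length * (math.log2(len(alphabet)) - math.log2(effective_alphabet_size(alphabet)))


if __name__ == "__main__":
    print(canonicalize("Password6"), canonicalize("p5ssWor8b"))
    print(are_interchangeable("Password6", "p5ssWor8b"))
    print(len(equivalent_variants("Password6")), "distinct strings log in as Password6")
    print(effective_alphabet_size(), "distinguishable alphanumerics instead of 62")
    print(lost_entropy_bits(8), "bits lost on an 8-character alphanumeric password")
```

Under this model the 62-symbol alphanumeric alphabet collapses to 31 distinguishable symbols, so every character of the password costs exactly one bit: an 8-character alphanumeric password is a 2^8 times smaller search than the administrator thinks it is, and 1,728 different strings are accepted as “Password6”.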

But if you would ever consider writing a scientific paper, this is the best way to do so:

@accidentalciso don’t need a security team if your risk tolerance is high enough

I point this situation out whenever people say Blue Checks have nothing to do with social status:

Richard Spencer, the white supremacist, was once a Blue Check. What's more, people demanded that his Blue Check be removed—not because the Twitter account in question was an imposter. There was no doubt the account was verified; that was not up for debate.

The Blue Check was removed because Twitter wanted to revoke the social status that came with it.

The appeal is social status.

@sj Oh, and that reminds me of the time a client asked me to audit an app they hired another company to write. So the person paying for the audit was not the person who wrote the code.

One requirement was 256-bit AES in transit. The devs couldn't figure out how to get any DH exchange working, so they just had each side generate and send the AES key.

I kid you not.

My report reflected they did not initially meet that security goal, but we helped them meet it by the end.

@sj sounds fun.

Look at the SMTP headers from services like PhishMe and you can write a rule that guarantees the user will pass all phishing tests. Roll that out and security will be measurably better. 😂🤣

The difference between what is being required and what is being measured is worth highlighting.

So obviously this proves that the decentralized network is a scam and we must not use it and also obviously it proves we must all use the decentralized network instead.


There's a decentralized network built on some cool ideas that's running by itself, and then there's the large centralized site operated as a multibillion dollar company that's kind of related. The multibillion dollar site is falling apart as a direct result of centralized failure.

Access must be limited to <10 people? No worries, only 5 in the allowed group. But 1,000 are in the group that can add members to the allowed group.
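The check that catches this is an added example, not part of the post and not the output of any real directory tool. It uses a constructed, hypothetical directory snapshot (group and user names are made up) with the shape the post describes: 5 direct members in the allowed group, 2 people who own that group, and 1,000 help-desk staff who can add members to the owners group. The count a "<10 people" requirement is measured against is the direct membership; the count that matters is the transitive closure over "can add members to" rights, since anyone on such a chain can add themselves.

```python
from collections import deque

# Constructed directory snapshot (hypothetical names, not real data): direct
# members of each group, and which groups are allowed to add members to which.
DIRECT_MEMBERS = {
    "restricted-data": {"alice", "bob", "carol", "dave", "erin"},
    "restricted-data-owners": {"frank", "grace"},
    "it-helpdesk": {f"helpdesk-{i:04d}" for i in range(1000)},
}

# CAN_ADD_TO[g] is the set of groups whose membership the members of g may edit.
CAN_ADD_TO = {
    "restricted-data-owners": {"restricted-data"},
    "it-helpdesk": {"restricted-data-owners"},
}


def effective_members(group, direct=DIRECT_MEMBERS, can_add_to=CAN_ADD_TO):
    """Everyone who is in `group`, or can put themselves in it through a chain of
    group-management rights. Returns (members, chain) where chain maps each
    contributing group to the path of groups that leads from it to `group`."""
    members = set()
    chain = {group: [group]}
    queue = deque([group])
    while queue:
        g = queue.popleft()
        members |= direct.get(g, set())
        # any group that may add members to g can get its own members into g,
        # so its members (and whoever can reach *it*) effectively have access
        for admin_group, targets in can_add_to.items():
            if g in targets and admin_group not in chain:
                chain[admin_group] = [admin_group] + chain[g]
                queue.append(admin_group)
    return members, chain


def access_cap_report(group, cap, direct=DIRECT_MEMBERS, can_add_to=CAN_ADD_TO):
    """Compare the number the requirement counts against the number that matters."""
    direct_count = len(direct.get(group, set()))
    members, chain = effective_members(group, direct, can_add_to)
    return {
        "direct": direct_count,
        "effective": len(members),
        "meets_cap_on_paper": direct_count < cap,
        "meets_cap_in_practice": len(members) < cap,
        "longest_grant_chain": max(chain.values(), key=len),
    }


if __name__ == "__main__":
    report = access_cap_report("restricted-data", cap=10)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The `longest_grant_chain` entry is what you hand back to the requirement owner: it names the path (here `it-helpdesk` → `restricted-data-owners` → `restricted-data`) that turns a five-person group into a thousand-person one, which is the same reasoning attack-path tools apply to directory ACLs.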

No point in a self serve password reset portal if you first need to know the old password, just throw up a new one. It's all good.

I'm thinking about writing a guide on how to make anything just as insecure and convenient as before while still meeting any arbitrary security requirement.

Data must be encrypted at rest? No problem, store the key in a different file in the same folder as the ciphertext.

I consider it a very under-appreciated fact that Xiaomi was caught red-handed spying on their users from their default browser. And by that I mean: exfiltrating the entire browsing history and more, sending the data to their servers.

Then there was an outrage and they “fixed” the issue. If you enable “Incognito Mode” but leave “Enhanced Incognito Mode” off, this exact settings combination will make them stop collecting your data. It’s so self-explanatory that they in fact don’t bother explaining it.

And everybody is just fine with that. Tech publications review their devices by their hardware merits. People keep buying them. The topic is over.

ICYMI Some of the ML work I did on threat detection from net flow and graph features got published in the IEEE International Conference on Computing, Communication, and Intelligent Systems. Basically autoencoders on some good datasets & feature engineering

if you manage to go into $2,147,483,648 worth of debt an integer underflow occurs meaning that the bank now owes you $4,294,967,295 trust me bro that's how it works bro

@Lee_Holmes those are nice, but it reminds me of all the pain that Metasploit went through trying to scale Ruby, very painful issues when the thread count started increasing. Lots of recopying strings. GIL. It can be done, usually passing a lot of things through sockets to other processes. One can dream of a rusty, truly parallelized solution that avoids all that CPU and IPC.

I'm just saying that the envy-free cake-cutting problem can be solved much more efficiently if you allow the usage of the axiom of choice while cutting...

Every post about fiddling with process count configs etc to scale mastodon feels extremely wrong. I mean, sure, there's probably a setting that will work for a given site, but the process not being able to efficiently scale multithreading itself is a huge arch/efficiency red flag. I wonder if anybody has taken on polishing up rustodon lately.

Everyone loves and I wholeheartedly recommend that you take a look (and adopt the free tokens if nothing else); but there is another amazing free+awesome toolkit that most companies would benefit from without a privacy audit requirement: - they do exactly what they say, really well, and are both cost-conscious and nerd-savvy. This is almost the opposite of a canary - it reports things that didn't fire - you can find all kinds of creative ways to make this security relevant while staying super inexpensive.
