Did you know, on Zyxel GS1200-5 switches they use a crappy admin password encoding algorithm that makes the password “Password6” interchangeable with “p5ssWor8b”? It ignores case and overlaps characters a-e with 5-9. Also, shout out to @hdm and @runZeroInc for including Zyxel’s info disclosing system_data.js data in their runZero scan results! Read all about my adventures bug hunting this switch. This is my nemesis project and has taught me so much about #reverseengineering and #hardwarehacking. https://medium.com/@gerrygosselin/project-zyxel-gs1200-5-part-1-c79db5148956
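As an added example (not Zyxel's code and not from the linked post), here is a model of the collapsing behaviour the post describes, assuming the encoding folds to lowercase and maps each of a-e onto 5-9; it shows how many distinct passwords the device would treat as identical and how much entropy that costs per character.

```python
# Added example: models the described weak encoding (case ignored, a-e folded onto 5-9).
# ASSUMPTION: the exact Zyxel algorithm is not on the page; this is a model of the
# behaviour described in the post, not the firmware's code.
import math
import string

_FOLD = str.maketrans("abcde", "56789")


def canonical(password: str) -> str:
    """Form shared by every password the weak encoding treats as equal."""
    return password.lower().translate(_FOLD)


def equivalent(p1: str, p2: str) -> bool:
    """True if the modelled encoding would accept p2 for an account whose password is p1."""
    return canonical(p1) == canonical(p2)


def effective_alphabet(charset: str) -> int:
    """Number of symbols still distinguishable after folding."""
    return len({canonical(c) for c in charset})


def collision_class_size(password: str) -> int:
    """How many passwords over letters+digits collapse to the same canonical form.

    Each canonical 5-9 came from a digit, a lowercase or an uppercase letter (3 ways);
    every other letter from lower or upper case (2 ways); digits 0-4 are unique (1 way).
    """
    size = 1
    for c in canonical(password):
        if c in "56789":
            size *= 3
        elif c.isalpha():
            size *= 2
    return size


def lost_bits(password: str, charset: str = string.ascii_letters + string.digits) -> float:
    """Entropy (bits) lost for a password of this length, relative to exact matching."""
    return len(password) * (math.log2(len(charset)) - math.log2(effective_alphabet(charset)))


if __name__ == "__main__":
    print(equivalent("Password6", "p5ssWor8b"))                # True
    print(effective_alphabet(string.ascii_letters + string.digits))  # 31 of 62
    print(collision_class_size("Password6"))                   # 1728 accepted spellings
    print(lost_bits("Password6"))                              # 9.0 bits, one per char
```

Over the 62 letters and digits the fold leaves only 31 distinguishable symbols, so every character of a password loses exactly one bit against an online or offline guess.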
But if you would ever consider writing a scientific paper, this is the best way to do so: https://psyarxiv.com/2uxwk/download
@accidentalciso don’t need a security team if your risk tolerance is high enough
I point this situation out whenever people say Blue Checks have nothing to do with social status:
Richard Spencer, the white supremacist, was once a Blue Check. What's more, people demanded that his Blue Check be removed—not because the Twitter account in question was an imposter. There was no doubt the account was verified; that was not up for debate.
The Blue Check was removed because Twitter wanted to revoke the social status that came with it.
The appeal is social status.
@sj Oh, and that reminds me of the time a client asked me to audit an app they hired another company to write. So the person paying for the audit was not the person who wrote the code.
One requirement was 256-bit AES in transit. The devs couldn't figure out how to get any DH exchange working, so they just had each side generate and send the AES key.
I kid you not.
My report reflected they did not initially meet that security goal, but we helped them meet it by the end.
@sj sounds fun.
Look at the SMTP headers from services like PhishMe and you can write a rule that guarantees the user will pass all phishing tests. Roll that out and security will be measurably better. 😂🤣
The difference between what is being required or measured is worth highlighting.
I consider it a very under-appreciated fact that Xiaomi was caught red-handed spying on their users from their default browser. And by that I mean: exfiltrating the entire browsing history and more, sending the data to their servers.
Then there was an outrage and they “fixed” the issue. If you enable “Incognito Mode” but leave “Enhanced Incognito Mode” off, this exact settings combination will make them stop collecting your data. It’s so self-explaining that they in fact don’t bother explaining it.
And everybody is just fine with that. Tech publications review their devices by their hardware merits. People keep buying them. The topic is over.
https://palant.info/2020/05/08/what-data-does-xiaomi-collect-about-you/
ICYMI Some of the ML work I did on threat detection from net flow and graph features got published in the IEEE International Conference on Computing, Communication, and Intelligent Systems. Basically autoencoders on some good datasets & feature engineering
https://arxiv.org/pdf/2205.02298.pdf
@Lee_Holmes those are nice, but it reminds me of all the pain that Metasploit went through trying to scale Ruby, very painful issues when the thread count started increasing. Lots of recopying strings. GIL. It can be done, usually passing a lot of things through sockets to other processes. One can dream of a rusty, truly parallelized solution that avoids all that CPU and IPC.
Every post about fiddling with process count configs etc to scale mastodon feels extremely wrong. I mean, sure, there's probably a setting that will work for a given site, but the process not being able to efficiently scale multithreading itself is a huge arch/efficiency red flag. I wonder if anybody has taken on polishing up rustodon lately.
Everyone loves https://canary.tools and I wholeheartedly recommend that you take a look (and adopt the free tokens if nothing else); but there is another amazing free+awesome toolkit that most companies would benefit from without a privacy audit requirement: https://healthchecks.io - they do exactly what they say, really well, and are both cost-conscious and nerd-savvy. This is almost the opposite of a canary - it reports things that didn't fire - you can find all kinds of creative ways to make this security relevant while staying super inexpensive.
#DOFH excuse #77:
FAT broke up (now it's exFAT).
https://www.scriptjunkie.us/