
The Council of Elrond is the "follow up meeting" where the client acts baffled that all the stuff you said would bite them in the arse, did.

MORTALS: This ring of power didn't work the way we wanted
ELROND: Worked the way I told you it would. Mordor is that way. Have fun.

Remember, the only elf that volunteers to join the Fellowship on the Second Mordor Project is the one who wasn't around for the first one.


If you repeat Low Confidence assessments loudly and frequently enough, they eventually turn into High Confidence findings. I don't make the rules here. #CTI #ThreatIntelligence

first they came for the free domains, and I said nothing - well ok, I complained because those were great for phishing and C2.
krebsonsecurity.com/2023/03/su

I laughed so hard at Astronaut Scott Kelly's tweet. The thing is, this really happened! Here's the story behind when Scott lost his luggage on the way to the ISS:

youtube.com/shorts/cAFNoZZEYpo

#space #nasa #iss #tech #technology

Ouch, my heart is breaking. We just had about a dozen Security Program Managers have their positions eliminated from our group as part of the MS layoffs. Skills range from security product development to fundamentals and compliance to threat modeling and secure software design. If you're hiring for any positions like this, please respond below and I'll make sure they see these opportunities.

#fedihired

Hahahah we have a new toot length limit here at #Mathstodon. Guess what it is?

1729

NIIIIIIICE

Breaking the reference SHA-3 implementation to construct second preimages, preimages, and RCE (!) in popular languages.
Absolutely incredible work by Nicky Mouha and Christopher Celi.

h/t HD Moore
eprint.iacr.org/2023/331.pdf

I love crypto research that demonstrates practical attacks. The paper `A Vulnerability in Implementations of SHA-3, SHAKE, EdDSA, and Other NIST-Approved Algorithms` by Nicky Mouha and Christopher Celi demonstrates RCE (!) through controlled memory corruption in the final-round update of the Keccak code used by SHA-3. This implementation bug affected Python, PHP, and the SHA-3 Ruby package: eprint.iacr.org/2023/331

Bonus points for dropping a Metasploit reverse TCP payload!

If you have shell access on an EC2 and want to steal creds for "reasons", instead of remembering how to get them from the 169.254.169.254 path, recent versions of the AWS CLI allow you to use `aws configure export-credentials --format env` which will print them with `export` commands so you can quickly add them as env vars in another shell.

Is there someone who knows more about MiFare classic who can explain why the “reader attack” [1] gives a different key every five minutes? All readers in the building give the same key during that five minutes.

[1] github.com/equipter/mfkey32v2

If you mandate software cybersecurity liability, you'll either destroy the open source world and be hated forever or all proprietary software becomes open source and liability-free but then accessing data or the communication plan etc. will be paid and nothing will really change.

If they ruled Havana Syndrome wasn't foreign adversaries or weapons, that leaves just one alternative. It was aliens, obviously.
twitter.com/arekfurt/status/16

#DOFH excuse #67:

BGP border control agents furloughed due to government shutdown.

another thing about #BlackLotus

for about a week or two last august a security researcher had on their github their own baton drop payload to load an EFI binary and execute it.

from what I can remember from when i saw it, blacklotus' baton drop payload first stage appears to match this exactly.

unfortunately i didn't save it locally at the time, i didn't expect the repo to disappear within a week or two, so my source now just has to be "trust me bro", sorry
