This is a far larger problem than most people realize (not specifically the GM situation). Password reuse is so pervasive that these password stuffing attacks are usually wildly successful unless the online service mandates 2FA, which many services are hesitant to do because of the negative user experience. theregister.com/2022/05/25/gm-

Use a password manager. Use unique passwords for each site/service, turn on 2FA/two step auth when available.

I just noticed "foreach" on npm is controlled by a single maintainer.

I also noticed they let their personal email domain expire, so I bought it before someone else did.

I now control "foreach" on NPM, and the 36826 projects that depend on it.


YouTube channels have their own RSS feed.

Go to a channel and look at the URL

https://www.youtube.com/channel/blahblahblah

Take their ID in the URL and put it in the URL for the RSS feed.

https://www.youtube.com/feeds/videos.xml?channel_id=blahblahblah

The Hacker-Scientific Method: FAFO

Fuck Around and Figure Out. :hackers_town: :crt_w_green_lines:

When the Imposter Syndrome and the Brainweasels of Doubt start running around inside my head, I stop, take my hands off the keyboard, and repeat to myself:

“All I need is a fraction of the self-confidence of a mediocre dumbass.”


If the infosec community can thank cryptocurrencies for one thing, it's that 0days get exposed much quicker (universal profit motive vs. targeting a specific firm), and with potentially less damage than a breach that exfiltrates data.

Also, patch your shit. Also, stop paying for virtualization.

We've got:

- Google Chrome
- Blue Google Chrome
- Orange Chrome
- Red Chrome
- Round Chrome
- Microsoft Chrome
- ... and Firefox

@tek Hacking Verizon isn't necessary. On Android, download Termux. Install sshd and run it. Set a password. Run "ssh -N -D 9090 localhost -p 8022" (I think 8022 is the default port; if not, check the sshd config file). Now on your computer connect your phone with adb (run "adb devices" and accept the prompt on your phone) and run "adb forward tcp:9090 tcp:9090". Now set your browser/OS to use 127.0.0.1 port 9090 as a SOCKS5 proxy. This should be possible with iOS too: use iSH rather than Termux and usbmuxd rather than adb. The commands will be different.

- a microSD card weighs somewhere around 0.4g
- the highest capacity microSD that's easily available is 256GB
- a trebuchet can throw a 90kg projectile over 300m

90kg worth of microSD cards is 225,000 of them

Therefore a trebuchet can throw 57.6PB of data over 300m

This would have the highest throughput of any telecommunications network ever created

Anyone recommend any privacy aware, outdoor Ethernet cameras, that can run from PoE? (I'm going to put them on a separate physical network, but I'd still prefer something with a web interface that doesn't try to phone home. Google/Apple anything support is an anti-feature).

Today I learned that unprivileged users can run "systemctl show servicename" to see all the environment variables set in the .service file.

This means that if someone sets their AWS_SECRET_ACCESS_KEY in there (or any other secret), it can be read by an attacker even if they don't have read permission on the .service file.

For defenders, use EnvironmentFile= instead of Environment= and as long as your environment file has the correct privileges, you will be fine on this front.
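An added example illustrating the post above (not code from the original poster): a small POSIX sh audit that lists the variables a unit file sets inline via Environment=, flags the ones that look like credentials, and rewrites the unit to load them from an EnvironmentFile= created with mode 0600 instead. The unit file and the key values in it are constructed placeholders. It only handles the common `Environment=KEY=value` form with one assignment per line; `systemctl show` itself needs a live systemd and is not exercised here.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a systemd unit file for
# secrets passed via Environment= (readable by any local user through
# `systemctl show UNIT`) and moves them into a 0600 EnvironmentFile=.
# Handles one "Environment=KEY=value" (optionally quoted) per line only.

# make_sample_unit DIR: write a constructed unit file with inline secrets
# (placeholder values, not real credentials) and print its path.
make_sample_unit() {
    unit="$1/demo.service"
    cat > "$unit" <<'EOF'
[Unit]
Description=demo service with an inline secret

[Service]
Environment=LOG_LEVEL=info
Environment="AWS_ACCESS_KEY_ID=AKIAEXAMPLEPLACEHOLDER"
Environment=AWS_SECRET_ACCESS_KEY=not-a-real-secret-placeholder
ExecStart=/usr/bin/demo
EOF
    printf '%s\n' "$unit"
}

# inline_env_keys UNIT: print the variable names set via Environment= in UNIT.
inline_env_keys() {
    sed -n 's/^[[:space:]]*Environment=[[:space:]]*"\{0,1\}//p' "$1" | cut -d= -f1
}

# secret_env_keys UNIT: the subset of those names that look like credentials.
# Every one of these is exposed to unprivileged users by `systemctl show`.
secret_env_keys() {
    inline_env_keys "$1" | grep -Ei 'SECRET|PASSWORD|PASSWD|TOKEN|KEY|CREDENTIAL' || true
}

# move_env_to_file UNIT ENVFILE OUTUNIT: copy every Environment= assignment
# into ENVFILE (created with mode 0600) and write a copy of the unit that
# references it with a single EnvironmentFile= directive instead.
move_env_to_file() {
    unit=$1 envfile=$2 outunit=$3
    ( umask 077; : > "$envfile" )          # create empty, owner-only
    sed -n 's/^[[:space:]]*Environment=[[:space:]]*//p' "$unit" \
        | sed 's/^"//; s/"$//' >> "$envfile"   # strip optional surrounding quotes
    awk -v ef="$envfile" '
        /^[[:space:]]*Environment=/ { if (!done) { print "EnvironmentFile=" ef; done = 1 }; next }
        { print }
    ' "$unit" > "$outunit"
}

# Demo run: show what an attacker would learn, then the hardened unit.
d=$(mktemp -d)
u=$(make_sample_unit "$d")
echo "secret-looking variables visible via systemctl show:"
secret_env_keys "$u"
move_env_to_file "$u" "$d/demo.env" "$d/demo-hardened.service"
echo "--- hardened unit ---"
cat "$d/demo-hardened.service"
rm -rf "$d"
```

The rewrite keeps non-secret settings such as LOG_LEVEL in the env file too, which is harmless; if you prefer, leave those as Environment= and move only the flagged keys. Remember that EnvironmentFile= only helps if the file itself is not world-readable, which is why it is created under `umask 077` before anything is written to it.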

We are traumatized by society to believe that no action can be taken unless it is necessary or allowed.

Being told we have a choice in the actions we take triggers intense shame and trauma over all those times we were told throughout our lives that we didn't do the "right" thing.

In order to accept the power we have in our own lives, we must first forgive ourselves, to let go of the shame, trauma, and fear of being "wrong" or being a bad person for making the wrong choices.

finally a chance to use one of the many adapters I've hoarded

VINDICATION!!!

No really.

If you have been putting off any security tightening for your stuff... NOW is the time.

Not tomorrow.

Not next week.

Now.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.