
And Travis CI joins the ranks of companies that cannot be trusted with security. Not because they have issues (who doesn’t) but because they cannot recognize and properly handle a critical vulnerability report.

The details are in this Twitter thread: twitter.com/peter_szilagyi/sta

Biggest trouble with ancient hardware is that it has an equally ancient SSL implementation. Turns out, the most reliable way of “fixing” this is getting recent curl via a Cordova plugin and bypassing the system’s implementation for HTTPS requests completely.


Great thread by Matthew Green here. TL;DR: NSA made Juniper add a backdoor to their routers. A presumably Chinese APT hacked Juniper and made the backdoor usable for themselves. Damage caused: still unknown. But politicians keep asking for encryption backdoors.

twitter.com/matthew_d_green/st

Three years after GDPR came into effect, there are still US news websites claiming they care so much about us Europeans that they will straight out lock us out rather than comply with our ridiculous data privacy laws. 🤡

Just to clarify: it’s all user-generated content. And since there appears to be zero moderation…


Accidentally stumbled upon a web server hosting masses of illegal material: all kinds of instructions for fraud, drug-related stuff and more. Wanted to see what it is running on. Oh, it’s the Telegram infrastructure. What a surprise. 🙄

Further in the same thread:

> Having strong technical leadership has lots of advantages, but one of them is it naturally leads to a healthier cadence. These folks typically have to be home for dinner, and they're old enough to know that death marches don't work.

twitter.com/aboodman/status/14


Here is what a healthy software project looks like:

RT @aboodman@twitter.com:

> Chrome was delivered without any sprints at all. The team came in at 9 and left at 5 (figuratively, people actually kept their own ~8h schedules) every workday for a couple years like clockwork. No drama. No broken marriages, no broken families.

twitter.com/aboodman/status/14

Why waste time on hacking when big corps have plenty of disgruntled employees who will readily deploy ransomware for some quick cash? All while these companies underestimate the insider threat and the destructive power employees could wield.

“Cybercrime Group Asking Insiders for Help in Planting Ransomware”

thehackernews.com/2021/08/cybe

I got my twelve-year-old but barely used Wikipedia account banned for not following some kind of process. Apparently, I’m a sockpuppet and a honeypot. Yes, this place is exactly the toxic cesspool that people say it is.

Huge “surprise”: the algorithm used by to scan your iPhone for CSAM has already been reconstructed. And the first collision is also there already. Yes, this is going to be fun.

RT @matthew_d_green@twitter.com:

> What’s the German word for “don’t build security systems that rely on obscurity but can’t keep important details confidential for more than two weeks.”

twitter.com/matthew_d_green/st

I don’t have the right words to describe what I think about this organizational dystopia.

RT @ashleygjovik@twitter.com:

> And now you all know enough for me to explain... this ticket was closed as "resolved" by Mr. Bullets shortly after I was forcibly re-orged under him (despite my escalation to senior leadership & his history of insults, violence, & intimidation).

twitter.com/ashleygjovik/statu


Wow, what a nice chain by @zemnmez exploiting various issues in the Apple ID service. I particularly like the trick to make event.source be null for messages, wasn’t aware of this one. In the end there is even XSS on the domain, CSP isn’t preventing it.

zemnmez.medium.com/how-to-hack

Further reading:

RT @ashleygjovik@twitter.com:

Brace yourselves... I'd like to share with y'all an email I sent employee relations on July 16th detailing a list of my concerns & complaints (with associated Box folders & relevant evidence). , , , , more...

twitter.com/ashleygjovik/statu


Having read the Steve Jobs biography, I’m somehow not surprised at all that such things happen at . There is no way a healthy company culture would arise with this kind of leadership. And please spare me “the end justifies the means” speech.

RT @ashleygjovik@twitter.com:

> My team in SW Eng not only documented their goal of making my "life a living hell" in our dev work tracking system, they also kept whiteboards for tally marks when they "scored points" …

twitter.com/ashleygjovik/statu

The guy wrote this thread without realizing how he is describing a massively toxic culture. And he concludes by stating that he now applies the lessons learned here at his startup. For me this conclusion reads as: “If you work at that startup: run! RUN! NOW!!!”


If you ever find yourself at a company doing this: leave ASAP. The “hard work” heroism is an incredibly bad take for everyone. Long work hours destroy people’s mental health, and they don’t even increase productivity. Overworked people make lots of mistakes, only wasting time.

RT @hadip@twitter.com:

> The Internet Explorer team was the hardest-working team I’ve ever been on. And I’ve worked at multiple start-ups. It was a sprint, not a marathon. …

twitter.com/hadip/status/14265

For reference: white hat hackers do not transfer out $600 million to “bring attention to a vulnerability”; they would stop a step short of that. But one has to appreciate the gesture of transferring back all that money. 😅

RT @PolyNetwork2@twitter.com:

> As our communication with Mr. White Hat is going on, the remaining user assets on Ethereum are gradually transferred to the multisig wallet (0x34D6B21D7B773225A102b382815e00Ad876E23C2) requested by Mr. White Hat.

twitter.com/PolyNetwork2/statu

As @albinowax@twitter.com points out, Transfer-Encoding is indeed forbidden. While I’ve seen the relevant spec section (8.1.2.2), I initially interpreted it as only relevant for HTTP/1.1 to HTTP/2 transition. This is actually not the case.


Similarly, the spec lists restrictions for the Content-Length header but ignores the similarly problematic Transfer-Encoding header. In fact, straight out disallowing both might have been the better option.
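The two posts above make a concrete point about HTTP/2 to HTTP/1.1 downgrades: Transfer-Encoding has to be treated as one of the forbidden connection-specific headers, and Content-Length has to be checked against the actual body rather than passed through. The following Python is an added example of such a front-end check, not code from the posts, from the spec or from any real proxy; the `downgrade_h2_to_h1` function, its error type and the sample requests are constructed for illustration.

```python
# Added example, not code from the original posts or from any real proxy.
# An HTTP/2 front end that downgrades requests to HTTP/1.1 must reject the
# connection-specific headers of RFC 7540 section 8.1.2.2 (Transfer-Encoding
# included, via RFC 7230 section 6.1) and re-frame the body with one exact
# Content-Length (section 8.1.2.6). Names and sample requests are constructed.

CONNECTION_SPECIFIC = frozenset({
    "connection", "keep-alive", "proxy-connection",
    "transfer-encoding", "upgrade",
})


class MalformedRequest(Exception):
    """The stream should be reset (PROTOCOL_ERROR), not forwarded."""


def _has_ctl(s):
    """CR, LF or NUL would let a client write its own HTTP/1.1 lines."""
    return any(c in s for c in "\r\n\0")


def downgrade_h2_to_h1(pseudo, headers, body):
    """Return HTTP/1.1 request bytes for a fully received HTTP/2 request.

    pseudo  -- dict with ':method', ':path', ':scheme', ':authority'
    headers -- list of (name, value) pairs as decoded from HPACK
    body    -- concatenated DATA frame payloads (bytes)
    """
    for key in (":method", ":path", ":scheme", ":authority"):
        if key not in pseudo or not pseudo[key] or _has_ctl(pseudo[key]):
            raise MalformedRequest("bad pseudo-header %s" % key)

    content_lengths = set()
    forwarded = []
    for name, value in headers:
        if not name or name != name.lower() or _has_ctl(name) or _has_ctl(value):
            raise MalformedRequest("malformed header %r" % name)
        if name in CONNECTION_SPECIFIC:
            raise MalformedRequest("connection-specific header %r" % name)
        if name == "te" and value.strip().lower() != "trailers":
            raise MalformedRequest("te must be 'trailers', got %r" % value)
        if name == "host":
            # Two authorities in one request invite a front/back end disagreement.
            if value != pseudo[":authority"]:
                raise MalformedRequest("host %r != :authority" % value)
            continue  # emitted from :authority below
        if name == "content-length":
            # 8.1.2.6: decimal digits only, and it must match the DATA length.
            if not value.isdigit():
                raise MalformedRequest("bad content-length %r" % value)
            content_lengths.add(int(value))
            continue  # re-emitted from the real body length below
        forwarded.append((name, value))

    if content_lengths and content_lengths != {len(body)}:
        raise MalformedRequest("content-length %r does not match body of %d bytes"
                               % (sorted(content_lengths), len(body)))

    # Frame the body ourselves: one exact Content-Length, never chunked, so
    # the back end cannot disagree with us about where this request ends.
    lines = ["%s %s HTTP/1.1" % (pseudo[":method"], pseudo[":path"]),
             "host: %s" % pseudo[":authority"]]
    lines += ["%s: %s" % (n, v) for n, v in forwarded]
    lines.append("content-length: %d" % len(body))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def try_downgrade(request):
    """(True, h1_bytes) or (False, reason) for a (pseudo, headers, body) tuple."""
    try:
        return True, downgrade_h2_to_h1(*request)
    except MalformedRequest as exc:
        return False, str(exc)


# Constructed samples: a benign form post, an H2.TE attempt that hides a
# second request behind a zero-length chunk, and an H2.CL attempt whose
# declared length would let the body be read as the next request.
PSEUDO = {":method": "POST", ":path": "/login", ":scheme": "https",
          ":authority": "example.test"}
BENIGN = (PSEUDO, [("content-type", "application/x-www-form-urlencoded"),
                   ("content-length", "9")], b"user=bob&")
SMUGGLED_TE = (PSEUDO, [("transfer-encoding", "chunked")],
               b"0\r\n\r\nGET /admin HTTP/1.1\r\nhost: example.test\r\n\r\n")
SMUGGLED_CL = (PSEUDO, [("content-length", "0")],
               b"GET /admin HTTP/1.1\r\nhost: example.test\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("h2.te", SMUGGLED_TE),
                       ("h2.cl", SMUGGLED_CL)):
        print(label, *try_downgrade(req))
```

The design choice worth noting: the front end never copies a client-supplied Content-Length or Transfer-Encoding into the downgraded request. It computes the length from the DATA frames it actually received and emits that single header, which removes the ambiguity both smuggling variants depend on.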

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.