"A 2FA bypass is not a bug because you'd need to know the username and password to use it"

uhhhhh folks what do you think 2FA is for?


If the infosec community can thank cryptocurrencies for one thing, it's that 0days get exposed much quicker (universal profit motive vs. targeting a specific firm), and with potentially less damage than a breach that exfiltrates data.

Also, patch your shit. Also, stop paying for virtualization.

This should be really fun to watch.

Lesson learned: "The cloud" is an infinitely large (and expanding) attack surface.

Do not purchase "cloud" manageable enterprise equipment. Limit it to an internal management network, and always use TLS, even on internal networks.

Hey, Your IT Guy here,

Don't do this. Not only will your changes be reverted in under an hour, but it will take less time than that to attribute it to you. You will catch federal charges.

There are far better ways to be a saboteur than being an rm monkey.

Selling educational materials for educational purposes only is still legal. Just saiyan.

Alternatively, giving away cyberattack tools is based and GNUpilled

pam-duress: A Pluggable Authentication Module (PAM) which allows the establishment of alternate passwords that can be used to perform actions to clear sensitive data, notify IT/Security staff, close off sensitive network connections, etc., if a user is coerced into giving a threat actor a password.

github.com/nuvious/pam-duress
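The idea the post describes, as an added example that is not pam-duress's own code (the real module is a PAM plugin written against the PAM C API; this is a stand-alone Python sketch of the same mechanism). The passwords, the salt handling and the `on_duress` hook are constructed for illustration. Both the real and the duress password are stored as PBKDF2 hashes, and both produce a successful login from the prompt's point of view; only the duress one additionally fires the response hook, so someone watching the user type sees nothing unusual.

```python
"""Duress-password check: a constructed example of the pam-duress idea.

Not pam-duress's code. Everything here (passwords, salt, hook) is made up
for illustration; a real deployment wires the hook to key wiping,
alerting, or tearing down sensitive connections.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # constructed value; tune for the target hardware


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so stored hashes don't reveal the passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class DuressAuthenticator:
    """Accepts a real password and a duress password for one account."""

    def __init__(self, real_password: str, duress_password: str, on_duress):
        if real_password == duress_password:
            raise ValueError("duress password must differ from the real one")
        self._salt = os.urandom(16)
        self._real = _derive(real_password, self._salt)
        self._duress = _derive(duress_password, self._salt)
        self._on_duress = on_duress  # hypothetical hook: wipe keys, alert SOC, ...

    def authenticate(self, candidate: str) -> bool:
        """Return True for either password; trigger the hook only for duress.

        Both comparisons always run, and constant-time compare is used, so
        the caller (or a coercer timing the prompt) cannot tell which of
        the two passwords matched.
        """
        digest = _derive(candidate, self._salt)
        real_ok = hmac.compare_digest(digest, self._real)
        duress_ok = hmac.compare_digest(digest, self._duress)
        if duress_ok:
            # Fire the response first; the login still "succeeds" so the
            # threat actor sees a normal session start.
            self._on_duress()
            return True
        return real_ok


def demo():
    """Exercise real, duress and wrong passwords; return what happened."""
    events = []
    auth = DuressAuthenticator(
        real_password="correct horse",       # constructed
        duress_password="battery staple",    # constructed
        on_duress=lambda: events.append("wipe-and-alert"),
    )
    real = auth.authenticate("correct horse")
    duress = auth.authenticate("battery staple")
    wrong = auth.authenticate("definitely not it")
    return real, duress, wrong, events


if __name__ == "__main__":
    print(demo())  # (True, True, False, ['wipe-and-alert'])
```

The hook runs before the successful return on purpose: if the response (key wipe, alert) happened only after the session opened, the coercer would already be looking at the data the duress password is meant to protect.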

A complete dumpster fire from start to finish, and WD has absolutely no plans to put it out.

But you can always buy a new dumpster. From us, please.

DO NOT USE eval()
DO NOT USE exec()

For the use case mentioned here ("you don't know what the variable name could be" / "you need to dynamically change the name") use getattr() instead.

DO NOT USE eval()
DO NOT USE exec()

If you use eval() and/or exec() in your code, you are literally begging your application to get hacked. You've taken out a billboard saying "please RCE my face"
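The point of the thread above, as an added example that is not the poster's code: the same "select a field by name" feature written with eval() and with getattr(). The `Settings` class, the field names and the injected string are constructed for illustration. With eval(), the caller's string is compiled as Python, so an attacker-controlled name becomes arbitrary code running with the interpreter's privileges; with getattr() nothing is compiled, and pairing it with an allowlist also stops callers from reaching attributes (like `_api_key` here) that merely happen to exist on the object.

```python
"""Dynamic attribute lookup: eval() (vulnerable) versus getattr() (safe).

Added example, not from the original post. `Settings`, its fields, the
`_api_key` value and the injected name are all constructed for illustration.
"""


class Settings:
    """Constructed sample object whose public fields a caller may select."""

    _api_key = "constructed-secret"  # exists on the object, must not be selectable

    def __init__(self):
        self.timeout = 30
        self.retries = 3
        self.debug = False


def lookup_with_eval(obj, name):
    """The anti-pattern: the caller's string is spliced into source and run.

    `name` is supposed to be a field name; any Python expression works.
    """
    return eval(f"obj.{name}")


ALLOWED_FIELDS = frozenset({"timeout", "retries", "debug"})


def lookup_with_getattr(obj, name):
    """Hardened version: no code is compiled, and only allowlisted names resolve.

    The allowlist matters because getattr() alone would still hand out
    `_api_key` or dunder attributes to anyone who asks by name.
    """
    if name not in ALLOWED_FIELDS:
        raise KeyError(f"unknown field: {name!r}")
    return getattr(obj, name)


# Constructed payload: a valid Python expression hiding in a "field name".
# `obj.timeout and <expr>` evaluates <expr> because timeout (30) is truthy.
INJECTED_NAME = "timeout and __import__('os').getcwd()"


def demo():
    """Run both lookups on the injected name; report (code ran?, blocked?)."""
    s = Settings()
    # eval() executes the attacker's expression: it returns the process's
    # working directory, proving arbitrary code ran, not a field value.
    leaked = lookup_with_eval(s, INJECTED_NAME)
    code_ran = isinstance(leaked, str)

    # getattr() + allowlist: the same string is just an unknown key.
    try:
        lookup_with_getattr(s, INJECTED_NAME)
        blocked = False
    except KeyError:
        blocked = True
    return code_ran, blocked


if __name__ == "__main__":
    print(lookup_with_getattr(Settings(), "retries"))  # 3
    print(demo())  # (True, True)
```

If the set of legal names is not fixed in advance, derive it from the object (for example `vars(obj)` filtered to names without a leading underscore) rather than dropping the check; the point is that the string is only ever compared against names, never executed.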

If you're ever wondering "How the hell does my company find customers", remember that there's a place that says...

"Our company specializes in the design of a variety of equipment to thicken the ice on lakes and rivers for commercial and industrial purposes," Rossington noted. "We undertake contracts to build ice all across Canada."

If the ice thickeners found a market, you can, too.

thedrive.com/news/39914/saving

Please compare: The "harassment" Molly White claims to have received (no screens tho 🤔)

And the real actual threats of physical violence I've received.

Cry me a fucking river, Molly.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.