!hannah 🦄(@infosec.exchange) @superruserr@infosec.exchange

Our company is remote only, and I think this site is a good point of reference for anyone interested in how that works: https://www.remoteonly.org

The #Apache Software Foundation (#ASF) is looking for another #sysadmin (paid position): https://s.apache.org/hiring2018

#job #opensource

@superruserr Mmmmhm, syslog... Unstructured data galore.
Good thing we now have Splunk and logstash and Greylog and the commercial variants of syslog-ng to choose from to consume syslog (among others) - though personally I've been with Splunk ever since I happened to get into contact with Raffy Marty via DAVIX and the secviz.org project over 10 years ago (who, as far as I remember, was working for Splunk for some time after he finished his Applied Security Visualization book).

I just launched my website! BountyGraph helps secure free and open source software through crowdfunded bug bounties and security audits. I hope you'll check it out!

https://bountygraph.com

Blog post: https://justi.cz/bountygraph/2018/08/01/introducing-bountygraph.html

In particular, I think it is a security anti-pattern to have application build pipelines pull fresh downloads of packages from upstream servers on every build if the packages are not expected to change. If for some reason you have to do this, you should pin dependencies using a cryptographically secure hash function.

https://justi.cz/security/2018/08/28/packagist-org-rce.html

@maxj

@derekcaelin Welcome!
Do you have any resources / advice for those getting started on security training?

I wrote a 'security wiki' for the company manual at my work, but we are remote workers so it was a bit tricky with the remote work setup, different devices used, etc.

#introductions
Hi Folks. 👋 I train global activists and civil society organizations on how to use tech for social good. I also volunteer for RagTag, and next week I'll be conducting security training. (How to set up 2FA, etc.) It'll be my first time training on security. I'm glad to join this community and expand my knowledge of infosec.

@alkahest @craigmaloney I -think- if memory serves me correctly you can buy the related car parts/firmwares only from a car shop and play around with these. See http://opengarages.org/handbook/

@ed1conf @florian It's greatly reduced, but not completely eliminated on x86. I'm not an expert though. 😅

Todd Mortimer has made significant headway toward reducing the amount of useful ROP gadgets on x86 too. But made especially difficult by polymorphic instructions, x86 being a variable length ISA. ARM64, by comparison, being fixed-length.

I'd highly recommend reading his mailing list post, and commit messages. He's also giving a talk at #EuroBSDCon 2018!

https://2018.eurobsdcon.org/talks-speakers/#ToddMortimer

Alternative to exploit-db?

https://sploitus.com/

I wonder if there would be any interest in an Infosec/Hacker "fall camp" that was actually camping, in the spirit of the old "Linuxbierwanderung"

A few days of camping and hiking combined with an unconference and an emphasis on making…

Would someone want to help organize an ActivityPub room at FOSDEM 2019? https://fosdem.org/2019/news/2018-08-10-call-for-participation/

Now working on the #decentralized internet & #privacy #devroom proposal for #FOSDEM 2019 edition.

https://forum.enough.community/t/fosdem-2019-devroom-proposal/52/2?u=loic

Anyone interested in participating in the organization is invited to join the dedicated forum:

https://forum.enough.community/c/events/fosdem

@collectible1 @coolpowers The deleted toot was in response to a question from someone I follow:

https://trblmkr.net/@mookie/100675065285350464

I replied that it was possible. I didn't say that I was doing it, or that I had plans to do it. If you read the parent toot, it's obvious it wasn't a nefarious conversation.

It is indisputable fact that it's possible to scrape public accounts and toots. You should lock your account and hide posts from the public timeline if that's a concern.

I remember showing up over here by following the jetsam [1] of the first infosec migration across the tumultuous seas of microblogging, slightly disoriented but little worse for wear.

There was a lot of space back then. You could swing a raccoon in a circle around your head [2] without having to worry about giving someone a faceful of frenetic fur. [3] Fewer than twenty-five thousand souls inhabited this archipelago [4] at that point, gathering on a handful of islands.

I was pretty sure I was destined to be consumed [5] by those who had arrived before my cohort.

In a way, I was. I am no longer the person I was when I arrived here. I have been changed by this place. I have been changed by this ever-changing group of groups of people. I have been changed by you. [6]

Fierce storms will batter these little islands. Battles will arise. Pain and grief are by-products of interaction.

But so are laughter and cheer and warmth and contentedness.

And love.

My neighbors, the very least that I wish for each and every one of you is to find days so filled with love that there's no time for hate and nights so restful that you rise burning with the force of the sun within you.

Mend what is broken. Build shelters you need. Make mistakes and make them count. This is your world and mine and it will be exactly what we make it, but the sky is the limit if we keep looking up instead of bringing ourselves down.

Thanks for being here, thanks for being you, and thanks for listening to the rambling of a silly old dog.

[1] unbeknownst to many, stale infosec memes are extremely buoyant
[2] assuming the raccoon consented to be swung such
[3] assuming someone wasn't throwing their face at the nearest bit of fur
[4] h/t to @priryo for https://linernotes.club/@priryo/100565446740959131 and @sydneyfalk for https://mst3k.interlinked.me/users/sydneyfalk/updates/85279
[5] ​
[6] assuming I consented to be changed such [7]
[7] I did