da_667

@da_667@infosec.exchange

Senior Security Researcher, Proofpoint Emerging Threats.

I've been doing this cybersecurity thing for the better part of a decade now. Probably longer than that. I'm starting to forget. Time is relative, but it surely isn't kind to my memory.

I'd like to think I do cybersecurity well, but blue teamers collectively get told they're doing it wrong constantly. So maybe I just failed forward throughout my career.

Oh, I wrote a book. It's a good framework for setting up a virtual machine lab. See my bookmarked toots if you're curious.

Work-Related hashtags:
#Iocs #ThreatIntel #DFIR #Malware #NSM #suricata #snort #BEC #phishing #APT #ThreatDetection

Hobbies:
#VideoGames #XCOM2 #Minecraft #Synthetik #Fallout #Skyrim #Anime #Manga #Adventure #Fantasy #Isekai #HomeImprovement #WoodWorking #MetalWorking #HomeLab


da_667, to random

this web application doesn't support firefox

me, wearing a mask with a mustache, running firefox with user-agent switcher "how about now?"

ah, yes, please come in.

da_667, to random

MS TEAMS: `WHAT'S GOOD, WAGESLAVE? YOUR EMPLOYER IS USING THE NEW VERSION OF TEAMS. YOU SHOULD UPDATE NOW.

[Update Now] [Fuck Off]`

Me: Mashes the [Fuck Off] button

MS TEAMS: Yo, you were idle for ten minutes, so I updated for you

Me: and every other time I shut this app, the window geometry decided to fuck off to some random spot on my second monitor. Go back to your hole.

TEAMS: ...

Me: "Oh, a co-worker needs something"

TEAMS: LOOKIT ALL THIS NEW SHIT I CAN DO THAT LOOKS ALMOST EXACTLY THE SAME

Me: Listen, I use you for one fucking purpose, messenger communication. Why does this stupid fucking pop-up not disappear when I hit escape?

TEAMS: You seem to be confused. You will click next not because you want to, but because I demand it.

da_667, to random

what working from home for the past 7ish years has done to my good will towards humanity

da_667, to random

It's very rare that I take much seriously around here, but... I'd like to extend my support to those of you out there affected by the latest rash of layoffs in what can only be described as continuing to squeeze blood out of turnips.

Usually if I get tapped for a position on LinkedIn or other places, and I think the position isn't terrible, I'll post it here. I also usually repost those who are looking for work.

I would recommend hitting reddit's /r/netsec and checking out the hiring thread there.

Consider checking the Infosecjobs and GetFediHired hashtags around these parts for more leads.

If your local bsides or security conference has a slack/discord/whatever, get involved. A lot of the times the folks you meet at your local security meetups will become invaluable friends who will help get you hired. For example, the Defcon Blue Team Village Discord has a Jobs channel.

If there is any chance you're looking for something to keep you occupied, and you have some free time, consider trying to establish a home lab. I have a book on this subject (https://leanpub.com/avatar2).

I'm not trying to sell you anything, you can acquire my book for free. See if it helps you out.

Sometimes during interviews, people will ask you what you do in your off time, or if you have any projects or other things you do that are tangentially related to IT/Infosec.

You start telling them about your home lab, their eyes glaze over, and that checks a box for them, that shows them you are motivated to learn more.

Write about your lab experiences and/or maybe things you did differently for your environment. Maybe write about why you wanted to make a homelab to begin with. Maybe you want to analyze malware and write IDS or Yara rules. Maybe you saw cool things on attackerkb and want to reproduce vulnerable environments and test exploits. Maybe you want to try out new software. Doesn't matter. Share your experiences.

I'm sorry this happened to you. I know it isn't a lot of advice, but hopefully it helps you.

da_667, to random

If you're running pfsenseCE 2.7.0, might wanna consider upgrading. Two XSS vulns, and an RCE found. I managed to get one of the XSS vulns to trigger, trying for the other XSS and the RCE vuln.

https://www.sonarsource.com/blog/pfsense-vulnerabilities-sonarcloud/

da_667, to random

I watched this and stole it from another thread.

https://youtube.com/watch?v=P9Q3crLWQY8

We're fretting over a bunch of rich fucks who may or may not be dead, in a sub in which they were likely warned probably isn't seaworthy.

a boat carrying close to 700 migrants sank near Greece. Nearly 100 are confirmed dead. Many more are still missing. Nobody seems to give a fuck. The migrants and refugees took their chance because they had no choice. The rich fucks had a choice, but did it anyway. It's in their nature.

da_667, to random

youtube warns that it might make your user experience worse if they detect adblockers

How are you detecting it? user-agents? javascript? fucking client-side javascript? That the adblocker can block. Fucking lmao.

You have a few years in which you're led to believe that javascript solves everything, and you forget that the clients have it too and are really good at telling it to fuck off.

da_667, to random

good morning.

Set fire to a billionaire's yacht
obliterate the obsidian temples
steal from a megachurch and give it to a library
shit on Ted Cruz's lawn

da_667, to gpt

next time I torrent a bunch of shit because yet another streaming service has risen to claim what they believe to be their slice of the pie, I'm just going to say I'm using their shit to build an AI dataset

#GPT #RulesForTheeButNotForMe
#FuckAI

da_667, to random

me, today, constantly getting my account locked out, but having access to the self-service portal

da_667, to random

wanna know how to defeat infostealers? Block DNS resolution for telegram and discord. Skids love back-hauling to that shit. If you don't have a business need for it, don't let it on your network.
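One way to turn the advice above into a check you can run against resolver logs, as an added example that is not code from the post: it reads Suricata eve.json DNS records and flags queries for Telegram and Discord domains. The suffix list and the log lines are constructed for the example; the matching is done on a label boundary so that `cdn.discordapp.com` hits and `notdiscord.com` does not.

```python
import json

# Added example (not code from the post): flags DNS queries for the services the post
# says to deny at the resolver. The suffix list and the eve.json lines are constructed.

BLOCKED_SUFFIXES = (
    "telegram.org",      # Telegram bot API lives under api.telegram.org
    "t.me",
    "discord.com",       # Discord webhooks are served from discord.com
    "discordapp.com",
    "discord.gg",
)


def is_blocked(qname: str) -> bool:
    """Match on a label boundary: cdn.discordapp.com hits, notdiscord.com does not."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in BLOCKED_SUFFIXES)


def flag_dns_queries(eve_lines):
    """Return (src_ip, rrname) for every Suricata eve.json DNS query that hits the list."""
    hits = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a truncated line rather than abort the whole run
        if ev.get("event_type") != "dns":
            continue
        dns = ev.get("dns", {})
        if dns.get("type") != "query":
            continue  # answers repeat the name; counting them would double every hit
        rrname = dns.get("rrname", "")
        if is_blocked(rrname):
            hits.append((ev.get("src_ip"), rrname))
    return hits


# Constructed eve.json records in the shape Suricata's dns logger emits, trimmed to the fields used.
SAMPLE_EVE = """
{"timestamp":"2024-01-05T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.23","dest_ip":"10.0.0.2","dns":{"type":"query","id":4321,"rrname":"api.telegram.org","rrtype":"A"}}
{"timestamp":"2024-01-05T10:00:02.000000+0000","event_type":"dns","src_ip":"10.0.0.23","dest_ip":"10.0.0.2","dns":{"type":"answer","id":4321,"rrname":"api.telegram.org","rrtype":"A"}}
{"timestamp":"2024-01-05T10:00:03.000000+0000","event_type":"dns","src_ip":"10.0.0.41","dest_ip":"10.0.0.2","dns":{"type":"query","id":77,"rrname":"notdiscord.com","rrtype":"A"}}
{"timestamp":"2024-01-05T10:00:04.000000+0000","event_type":"dns","src_ip":"10.0.0.41","dest_ip":"10.0.0.2","dns":{"type":"query","id":78,"rrname":"cdn.discordapp.com.","rrtype":"A"}}
{"timestamp":"2024-01-05T10:00:05.000000+0000","event_type":"flow","src_ip":"10.0.0.41","dest_ip":"10.0.0.2"}
""".strip().splitlines()


if __name__ == "__main__":
    for src, name in flag_dns_queries(SAMPLE_EVE):
        print(f"{src} queried {name}")
```

The same suffix list can feed a resolver's deny list (an RPZ zone or a hosts-style override); the script is there to see which hosts on the network would be affected before the block goes in, and to catch the hosts that keep trying afterwards.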

da_667, to random

Complete the sentence:

"I work in information security. That's why I _________________"

where blank can be words or an image macro as you so desire.

da_667, to random

I told you this was the next step. He'll be kicking you out as a moderator of a subreddit you founded, and installing mods who will bend the knee.

https://www.nbcnews.com/tech/tech-news/reddit-protest-blackout-ceo-steve-huffman-moderators-rcna89544

da_667, to random

So I started reading this

https://www.propublica.org/article/clarence-thomas-money-complaints-sparked-resignation-fears-scotus

and I had to stop on the second paragraph.

Bro borrowed 267,000 dollars to buy a top of the line RV. Are you fucking kidding me? That's worth more than my house. Has the nerve to complain he's not making enough. Maybe start by realizing sometimes you have to make sacrifices and that borrowing 267,000 when you're already financially strained is an awful decision?

What the fuck.

da_667, to random

alright y'all. I'm going to give you a small lesson on writing better snort and suricata rules. It's Friday, I have nothing better to do, maybe some of you already know (maybe better than I do), and maybe you don't. Thank you for joining me in sharing some arcane knowledge about my corner of cybersecurity.

da_667, to random

some of y'all might not care for the high-volume shitposting to relevant cyber stuff, I have a list of folks I follow when I'm looking for the latest news and things to take a closer look at for IDS rule coverage, among other things:

@hacks4pancakes @FirehaK @Myrtus @jfslowik @campuscodi @metasploit @wireshark @malware_traffic @metacurity @GossiTheDog @SwiftOnSecurity @iagox86 @sans_isc @james_inthe_box @DidierStevens @shadowserver @VirusBulletin

da_667, to random

got mitmproxy working on Windows now as well. Excellent. now, to automate this.

da_667,

in a small tab below, I have a default chrome tab. Every goddamn key tap is sent to google. This is maddening


da_667, to random

https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/

>"The main_proto_A_QueryDns component resolves domains to IP addresses using the cloudflare-dns[.]com service, which main_proto_X_WebSocketClient uses for resolving C2 domain names."

WHAT DID I FUCKING TELL YOU.

da_667,

Time for me to reiterate why I think DOH is fucking garbage. This is the CliffsNotes version:

- If you read the RFC, never once is privacy listed as a goal for the protocol
- Ostensibly, you get some privacy on the first hop, but from there, you have zero guarantees on literally anything. You have promises from various companies, but that doesn't mean jack shit.
- I'd like you to consider that cloudflare doesn't have a good track record of policing abuse of their platforms, they tacitly support white supremacists and terrorists, they've been known to forward abuse requests containing personal information of those who have submitted them to their abusers, and they have zero financial incentive to stop the flow of traffic. THIS INCLUDES MALWARE, THERE IS SO MUCH FUCKING MALWARE USING CLOUDFLARE. They are a default DoH provider choice in the major browsers that support it.
- Transaction ID is always set to zero for DoH requests to improve caching. This is actually written into the protocol. Y'all know why the transaction ID/DNS ID exists, right? This opens up attack paths for man in the middle attacks. Think QUANTUM and PRISM-type bullshit, where the answer to your DNS query is changed but you'll never know.
- The only goal of the protocol was to move DNS resolution to the browser, so that the browser is cognizant of how domains are being resolved. It's anti-adblocking tech.
- Think about who the major players are behind DoH - It was driven by Cloudflare, Mozilla, and Google. And while I like Firefox, they all have financial incentive to see how domain resolution is occurring and ensure ads are delivered to clients. Y'all are aware of google's Web Integrity web DRM shit, right? How much you wanna bet that if it becomes a standard, there will be websites popping up whereby resolution via DoH is required for viewing the content? I wonder why that would be?
- Flow analysis easily reveals which HTTPS traffic is likely to be DoH traffic. You can't hide connection metadata.
- Several tools have been developed to use DoH as C2, and even file storage, if you're brave enough.
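The transaction ID point in the list above, shown with an added example that is not code from the post: it builds a DoH GET request the way RFC 8484 describes (a wire-format DNS query with ID 0, base64url-encoded with the padding stripped) and then compares what the ID check filters for a classic UDP query with a random ID against a DoH query whose ID is always 0. The helper names and the sample A-record answer are constructed for the example; the encoded request for www.example.com is the one RFC 8484 itself uses.

```python
import base64
import secrets
import struct

# Added example (not code from the post): builds a DoH GET request per RFC 8484 section 4.1
# and shows what fixing the DNS ID at 0 does to the client's ID check. Helper names are
# constructed for this example.


def encode_qname(name: str) -> bytes:
    """Encode a hostname as length-prefixed DNS labels (RFC 1035 section 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal DNS query in wire format: 12-byte header plus one question.

    RFC 8484 says to use ID 0 for DoH so that identical queries produce identical
    HTTP requests (and so cache well). Classic UDP stub resolvers randomize the ID.
    """
    flags = 0x0100  # RD (recursion desired) only
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_path(wire: bytes) -> str:
    """GET form of a DoH request: base64url of the wire query, '=' padding removed."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


def build_dns_answer(query: bytes, ip: str, txid: int) -> bytes:
    """Constructed minimal A-record response to `query`, carrying the given ID."""
    flags = 0x8180  # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = query[12:]  # echo the question section unchanged
    # name = compression pointer to offset 12, type A, class IN, TTL 60, 4 bytes of rdata
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr


def id_check_passes(query: bytes, response: bytes) -> bool:
    """The only thing the DNS ID buys a client: does this answer carry the ID we sent?"""
    return query[:2] == response[:2]


def demo() -> dict:
    """Compare a random-ID UDP query with a DoH query (ID 0) against an answer with ID 0."""
    def answer_with_id0(q: bytes) -> bytes:
        return build_dns_answer(q, "192.0.2.1", txid=0)  # constructed, not solicited by the client

    udp_query = build_dns_query("www.example.com", txid=secrets.randbelow(65535) + 1)  # never 0
    doh_query = build_dns_query("www.example.com", txid=0)
    return {
        "doh_path": doh_get_path(doh_query),
        "udp_accepts_id0_answer": id_check_passes(udp_query, answer_with_id0(udp_query)),
        "doh_accepts_id0_answer": id_check_passes(doh_query, answer_with_id0(doh_query)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the UDP query the unsolicited answer is dropped by the ID comparison; with the DoH query every answer carries the same ID the client sent, so the comparison no longer distinguishes anything and whatever sits on the path between client and resolver is what decides which answer arrives.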

da_667, to random

happy concussion sport day.

da_667,

friendly reminder that the NFL doesn't acknowledge any of the health problems associated with repeatedly getting concussions from their sport.

da_667,

happy "we can afford an ad that is probably priced in the millions of dollars for a few seconds of airtime, but we have to cut 5-15% of our staff" day

da_667,

happy "we always have money to dedicate to this worthless fucking stadium that charges 20 dollars for a beer, but fuck if we have money to maintain infrastructure, schools, feed the children, or literally any-fucking-thing else that returns massive dividends" day
