kurtseifried

@kurtseifried@infosec.exchange


justin, to random

“What is ownership?” @molly0xfff asks some fantastic questions and points out that “ownership” means different things to different people. This is a must read.
https://www.citationneeded.news/we-need-to-talk-about-digital-ownership/

kurtseifried,

@justin @molly0xfff Ownership and control are two very different things in the modern world of "everything has software and an Internet connection":

https://opensourcesecurity.io/2023/12/31/episode-409-you-wouldnt-hack-a-train/

@joshbressers and @kurtseifried talk about how some hackers saved the day with a Polish train. We delve into a discussion about how we don’t really own anything anymore if you look around. There’s a great talk from the Blender Conference about this and how GPL makes a difference in the world of software ownership. It’s sort of a dire conversation, but not all hope is lost.

simplenomad, to random

My fave part of the SuperBowl was the empty streets. I was able to drive to and from a restaurant to get some take out, there was no traffic and no lines or waiting.

At this point I don't know who won (and I don't care), I know it wasn't played here in Arlington as the route to and from the restaurant went by that atrocious Cowboys eyesore whose construction I voted against, and in fact I don't even know who was playing.

kurtseifried,

@simplenomad one team gave 110% and really moved the ball towards the thing where you have to move the ball towards. The other team only tried it about 108.6% and did not move the ball towards the thing you have to move it towards as much.

Part of me would say that the CBC covering it as part of the morning news is silly, but in fairness, that’s how I learned who the winner was. I have to say it was a life altering experience, and I’m glad they covered it.

kurtseifried, to random

Episode 415 of the with @kurtseifried and @joshbressers in which we learn that reducing the attack surface too much can reduce security significantly https://opensourcesecurity.io/2024/02/11/episode-415-reducing-attack-surface-for-less-security/ TL;DR: In a truly minimized container nobody can hear your security tools screaming.

kurtseifried, to random

The cat's chicken flavored toothpaste was, in fact, not delicious.

kurtseifried,

@ohyran one time when I was much younger I drank some cooking brandy because I was out of everything else. Much the same experience I suspect.

briankrebs, to random

I think if I were a movie director or writer I would definitely make the story take place before cell phones. There's like 1000x more plausible plots available when everyone involved doesn't know everything all the time, in real time. It's almost like the demarcation between when the world used candlelight to see and the adoption of the electric lightbulb.

kurtseifried,

@briankrebs also like 90% of horror movies could have been solved with a shotgun in the first 5 minutes.

squishymage42, to tech

https://pluralistic.net/2024/02/05/cyber-dunning-kruger/

Fun reading about how even @pluralistic falls for phishing sometimes thanks to all the enshittification of getting in touch with necessary services making us less likely to catch the red flags.

I've clicked on a few of my office's "phishing tests" which at least gets me more "watch this social engineering info video" even if the videos are so bad that you can't help zone out.

kurtseifried,

@squishymage42 @pluralistic what happens when you get emails and ignore the links and are then or later told that they were not phishing emails and that you were supposed to click on that link and do some work? Literally, everybody who gets email for work related purposes gets email with links they’re supposed to click. This is such a farce. If clicking the link and interacting with it causes your IT to get hacked, that’s on your IT, not you.

kurtseifried,

@squishymage42 @pluralistic strong disagree. MFA can be done very painlessly. Most places pick 10-20 year old technology that has low usability.

kurtseifried,

@squishymage42 @pluralistic it sounds like you have a terrible IT department that makes bad decisions OR can’t explain them properly, then there is the apparent lack of a feedback mechanism for you to use. I don’t implement any security unless I can clearly explain why to users. A perfect example: when we set up Zoom I locked down the screen control feature, because the security controls on it weren’t very good many many years ago. One of our people pointed out that the screen control feature would be perfect for doing internal support, and that there are better controls on it now. So I looked at the controls, and indeed they are better and the ability to lock it down to use within our account only is possible, and so I enabled it and posted an email internally, thanking her for doing the research and pointing out that it is relatively safe now, resulting in a change that gives us a new capability to better and more easily support users.

That’s what IT is supposed to look like in my opinion.

kurtseifried,

@squishymage42 @pluralistic see I would see this as an opportunity to both potentially fix a reasonably common corner case (lots of people work with and in the justice system), and solving it would solve situations for other people (eg their phone runs out of battery or whatever).

kurtseifried, to random

“Pursuing all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero, which would allow for the removal of those devices from the Canadian marketplace through collaboration with law enforcement agencies.”

https://www.canada.ca/en/public-safety-canada/news/2024/02/government-of-canada-hosts-national-summit-on-combatting-auto-theft.html

Called it.

https://opensourcesecurity.io/2022/10/16/episode-345-cheap-hacking-devices-turn-security-upside-down/

kurtseifried, (edited )

@vathpela picking on people buying flipper zero is a lot easier than trying to get the car industry to do something. Witness all the recalls that are delayed because companies deny what’s happening. For example I got a letter saying I should not park my car inside because you know it might catch fire while it’s parked.

kurtseifried,

@haroldgodwinson “The cities suing Kia and Hyundai include New York, Cleveland, San Diego, Milwaukee, Columbus and Seattle.” https://www.reuters.com/legal/hyundai-kia-urge-us-court-reject-cities-tiktok-inspired-theft-lawsuits-2023-09-12/

Which is a perfect example of the different enforcement cultures the US and Canada have. That kind of lawsuit wouldn’t work up here so we have to go the legislation route, and if your choices are picking on a small company or a big auto maker, well, the small company it is.

I wonder if they’ll have a buyback program like they’re still trying to do 4 years later for the firearms prohibition they did back in 2020. They just keep pushing the deadline back… https://www.cbc.ca/amp/1.6992793

kurtseifried,

@haroldgodwinson correct, but with insecure keys and such we have things like “Justice minister's government car stolen for the third time in as many years” https://www.cbc.ca/news/politics/justice-minister-car-stolen-third-time-1.7109562

I can’t help but wonder if the justice minister being directly affected is the reason they care… for a normal person you’re more likely to see a headline like:

“His truck was stolen — twice. Authorities knew where it was. But it still took 17 days to get it back

Tracking technology quickly found the truck. Authorities didn't move quite as fast”

https://www.cbc.ca/news/canada/toronto/stolen-truck-authorities-17-days-retreive-1.7096609

hanno, to random

There's a wild fake story making rounds about a DDoS attack from smart toothbrushes. By now, the company that invented it (Fortinet) says this was "only a hypothetical scenario", and the newspaper that reported it first (Aargauer Zeitung) says it was sold to them like a real thing. I'm gonna say this: It doesn't matter which version is true, in both cases both the newspaper and the company are to blame. Why? This story doesn't even pass a smell test. 🧵

kurtseifried,

@hanno IP over Bluetooth exists, I can’t find a good Google result that lists which platforms and versions support it. I highly doubt a Bluetooth enabled toothbrush would use IP as the transport, because simply put it is unnecessary, the Bluetooth device talks to the app, and the app talks to the mothership.

Now all my smart lightbulbs and my Withings sleepmate, and my Withings thermometer, for example, are Wi-Fi enabled and could totally launch a DoS.

But I think for now a reasonable rule of thumb is that it probably doesn’t have a TCP/IP stack if it doesn’t have Wi-Fi or an ethernet port.

kurtseifried,

@hanno also, it’s important to remember companies are heavily incentivized to get an app on your phone so that they can push notifications and upsell you on stuff, collect your location, data, and so forth.

kurtseifried, (edited ) to infosec

“Half of polled pros say their degree was less than useful for real-world work” only half? https://www.theregister.com/2024/02/07/kaspersky_infosec_cso/

cstross, to random

I understand why Ukraine is deploying this technology but I really hate that it exists in the first place https://euromaidanpress.com/2024/02/07/warfare-historys-first-ukrainian-combat-robot-adjusted-via-uav-engages-russian-positions/

kurtseifried,

@cstross I mean once we had autonomous robot vacuums it really was just a matter of time…

kurtseifried, to random

Is anyone else noticing an increasing trend for websites to NOT have a search bar? (or if they have one they hide it so well you can't find it?). Just going through project management websites (smartsheet, airtable, notion.so, clickup, monday.com, JIRA/Confluence, Asana, Ayanza, Wrike) and only two (smartsheet and Jira/Confluence) have a search bar on the front page.

kurtseifried,

And to be clear I'm not saying these sites have to run their own search, we outsource ours to Google search (it's like $10 a month). I'm also noticing vendors intentionally disabling search in platforms that explicitly support it, like Zendesk knowledge bases with no search bar (seriously... it makes dealing with that vendor so painful).

kurtseifried,

@miah I guess the argument "we're not competent enough to set article permissions so we turned search off entirely" is one way to go, and would fit with the general behavior of this vendor. Sigh. They do publish their sitemap.xml and I realize I can pop that into one of our RAG bot services and search. Wheee.

kurtseifried, to random

Just found a great easter egg in a website search when I typo'ed a word and got no results:

kurtseifried, to random

TIL that filesystems still have stupid limits like directory name sizes:

mkdir(name, mode)
OSError: [Errno 36] File name too long: 'web-content-mirror/data/www.whitehouse.gov/aHR0cHM6Ly93d3cud2hpdGVob3VzZS5nb3YvYnJpZWZpbmctcm9vbS9zdGF0ZW1lbnRzLXJlbGVhc2VzLzIwMjMvMDcvMjEvZmFjdC1zaGVldC1iaWRlbi1oYXJyaXMtYWRtaW5pc3RyYXRpb24tc2VjdXJlcy12b2x1bnRhcnktY29tbWl0bWVudHMtZnJvbS1sZWFkaW5nLWFydGlmaWNpYWwtaW50ZWxsaWdlbmNlLWNvbXBhbmllcy10by1tYW5hZ2UtdGhlLXJpc2tzLXBvc2VkLWJ5LWFpLw=='

Sigh. Back to using SHA512 hashes of the URL. Base64 would have been so much simpler.

kurtseifried,

@NegativeK more to the point I remember why I did SHA hashes: deterministic characters and length. By definition anything that's not a hash could result in a 2k-long URL with an even longer query string. Sigh.
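The trade-off in this thread, as an added example that is not code from the post: a base64 directory component grows with the URL and overruns the filesystem's per-component limit, while a SHA-512 hex digest is always 128 bytes. The mirror root, host and URLs below are constructed, and the 255-byte default is the common NAME_MAX; the code asks the filesystem for the real value where it can.

```python
"""Directory naming for a URL mirror: reversible base64 vs fixed-length SHA-512.

Added example, not code from the post. URLs and paths are constructed.
"""
import base64
import hashlib
import os

# Per-component limit (NAME_MAX) on most Linux/BSD/macOS filesystems, in
# bytes. mkdir() fails with ENAMETOOLONG (errno 36 on Linux) above it.
DEFAULT_NAME_MAX = 255


def name_max_for(directory: str = ".") -> int:
    """Ask the filesystem for its real per-component limit; fall back to 255."""
    try:
        return os.pathconf(directory, "PC_NAME_MAX")
    except (AttributeError, OSError, ValueError):
        return DEFAULT_NAME_MAX


def base64_name(url: str) -> str:
    """Reversible, but grows with the URL (4 output bytes per 3 input bytes)."""
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii")


def sha512_name(url: str) -> str:
    """Always 128 hex chars whatever the URL length; the URL is not recoverable."""
    return hashlib.sha512(url.encode("utf-8")).hexdigest()


def fits(name: str, name_max: int = DEFAULT_NAME_MAX) -> bool:
    """The limit counts bytes, not characters, so check the encoded length."""
    return 0 < len(name.encode("utf-8")) <= name_max


def mirror_dir(root: str, host: str, url: str) -> str:
    """Layout from the post: <root>/<host>/<per-URL component>, using the hash."""
    return os.path.join(root, host, sha512_name(url))


# Constructed samples: a short URL and one with a long path, as crawlers meet.
SHORT_URL = "https://example.org/"
LONG_URL = "https://example.org/" + "a-very-long-path-segment/" * 12
```

Because the digest is one-way, keep a small index file mapping each hash back to its original URL beside the mirror.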
