@mttaggart@infosec.town

mttaggart


Displaced Philly boy. Threat hunter. Streamer. Educator. Dad. Captain in the fight against #llm insanity. #infosec, #programming #rust, #python, #haskell, and #webapp. #opensource advocate. Cofounder of https://infosec.exchange/@thetaggartinstitute. Made wtfbins.wtf. Not your bro. All opinions my own. #fedi24 #searchable


mttaggart, to random

I am SO SICK of hearing "people are lazy," as an argument for, well, anything.

I've been on this planet for a minute, and I can think of maybe four people I've ever met who could truly be called lazy.

I know tired people. Sick people. Hurt people and angry people. Fast people, slow people. Scared people and confused people. And yes, many brilliant hardworking people who achieve beyond all expectations.

But most everyone is working hard just to get by. It is no moral failing that they do not have the time nor inclination to care deeply about the thing you do. In fact, thinking so is rather lazy of you.

Also, it makes you kind of an asshole.

Always remember: if everyone around you is an idiot, guess who's the jerk?

mttaggart, to random

I guess Bluesky decided to punt on E2EE for their DMs and the locals are not pleased

mttaggart,

@Viss What a waste of a cool protocol

mttaggart, to random

The writing is on the wall.

Actually it's not writing. It's neon letters directly wired to a fusion reactor.

The internet you knew? It's gone. There is no recovering it. There's too much money and incentive behind the idea of making the entire village into a strip mall run by LLMs. Your gardens are forfeit.

I don't know if a is possible, but even if it isn't, we gotta get to work building the intentional, human web. The one that rejects generative content, the one that verifies humanity through mutual trust, the one that takes privacy and safety of our neighbors as the highest value.

There are many tools available, but united effort must join together around them. Carefully, intentionally, we have to start moving what matters away from the polluted land.

mttaggart,

@smxi The idea that discoverability is achievable at scale in this era is rather fraught. It's an unsolved problem that I believe requires new ways to explore the Internet.

mttaggart, to random

I wonder if any large enterprise has gone full borderless with something like Tailscale as the primary networking plane.

mttaggart, to random

All this LLM crap, especially the latest from Google, has me really bummed out. I did not sign up for a life of avoiding lies from the literal lying machine being shoved down my throat.

But now, I am apparently forced to fight a war against these things, in defense of whatever is left of fact.

mttaggart,

@johnelamb LinkedIn has this godawful new thing where they have prompts for an article, then they ask people to enrich the components written by an LLM.

And I'm noticing that almost all the replies are LLM-generated.

mttaggart, to random

I want you to read both of these stories, and watch the video in the first one, then tell me that access to human-created information isn't in absolute peril.

I continue to hope for and predict a of the internet that gets those of us who care out of the deluge of generative slurry these advertisers want us to drown in.

arstechnica.com/gadgets/2024/05/google-is-reimagining-search-in-the-gemini-era-with-improved-ai-options/

arstechnica.com/gadgets/2024/05/gmails-ai-powered-email-summaries-can-dig-through-your-inbox-for-you/

mttaggart, to random

We need a name for the group of us who embrace technology, but not needless generative models. Luddites, but for LLMs.

mttaggart,

@Viss Man that sounds like we're 1900s reformers with too-big pants and bad science ideas.

mttaggart, to random

I feel like yesterday's Duo outage was a near-miss asteroid.

We can talk up how clear a response process for something might be, but we know that for every org that has this locked in, there are 10 that don't. A point of failure like MFA, especially one that we've been yelling about being critically necessary, creates its own risk.

mttaggart,

@Viss @hrbrmstr This is a cool thinkpiece, but I'm fuzzy on why insurers would take on the burden of litigation when they could simply have policies that do not cover things like ransomware in the first place, or at least make it very hard to accept the claim. That's what Lloyd's and others have done.

mttaggart, to random

Tabletop Exercise: The MFA service to which you've hitched your entire enterprise's security experiences a global outage. Remote workers can't log in, the security team can't access tools, and the baddies are just itching for you to flip the switch on MFA.

mttaggart, to random

A Duo outage seems... yeah, just real bad.

downdetector.com/status/duo/

mttaggart,

At this point it'd be crazy to expect an official status page to tell the truth.

mttaggart,

Presumably the dashboard was MFA protected.

mttaggart, to random

Please drop some real regulatory hammers on this industry. And not just hospitals/networks, but medical device manufacturers. What I can't tell you about would terrify you.

therecord.media/cybersecurity-regulations-healthcare-industry-anne-neuberger-rsa

mttaggart, to rust

Late-night tool release!

Introducing entropyscan-rs, an entropy scanner for analyzing files and directories during incident response. Used carefully, this can quickly identify likely malware when not all stages of an attack have been discovered, such as during a web server compromise without adequate logging. Enjoy!

github.com/mttaggart/entropyscan-rs
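As an added illustration of what an entropy scanner like this does (this is example code written for this page, not the entropyscan-rs source, and the function names and the 7.0-bit threshold are assumptions), the block below computes Shannon entropy per file, walks a directory without following symlinks, and lists files at or above the threshold, highest first:

```rust
// Added example written for this page: a minimal Shannon-entropy scanner in
// the spirit of entropyscan-rs. It is NOT the project's own source; the
// function names and the 7.0-bit threshold used below are assumptions.
use std::cmp::Ordering;
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Shannon entropy of a byte slice in bits per byte: 0.0 for a constant
/// stream, 8.0 when all 256 byte values are equally frequent.
pub fn shannon_entropy(data: &[u8]) -> f64 {
    if data.is_empty() {
        return 0.0;
    }
    let mut counts = [0u64; 256];
    for &b in data {
        counts[b as usize] += 1;
    }
    let len = data.len() as f64;
    counts
        .iter()
        .filter(|&&c| c > 0)
        .map(|&c| {
            let p = c as f64 / len;
            -p * p.log2()
        })
        .sum()
}

/// Entropy of a single file on disk.
pub fn file_entropy(path: &Path) -> io::Result<f64> {
    Ok(shannon_entropy(&fs::read(path)?))
}

/// Walk `root` recursively (without following symlinks) and return every
/// regular file whose entropy is at or above `threshold`, highest first.
/// Packed, encrypted or compressed payloads sit near 8.0; source code,
/// logs and config files usually stay well below that. Unreadable files
/// and directories are skipped rather than aborting the whole scan.
pub fn scan_dir(root: &Path, threshold: f64) -> io::Result<Vec<(PathBuf, f64)>> {
    let mut hits = Vec::new();
    let mut stack = vec![root.to_path_buf()];
    while let Some(dir) = stack.pop() {
        let entries = match fs::read_dir(&dir) {
            Ok(rd) => rd,
            Err(_) => continue,
        };
        for entry in entries {
            let entry = entry?;
            let path = entry.path();
            // DirEntry::metadata does not traverse symlinks, so a link
            // pointing back up the tree cannot loop the walk.
            let meta = match entry.metadata() {
                Ok(m) => m,
                Err(_) => continue,
            };
            if meta.is_dir() {
                stack.push(path);
            } else if meta.is_file() {
                if let Ok(e) = file_entropy(&path) {
                    if e >= threshold {
                        hits.push((path, e));
                    }
                }
            }
        }
    }
    hits.sort_by(|a, b| b.1.partial_cmp(&a.1).unwrap_or(Ordering::Equal));
    Ok(hits)
}

fn main() -> io::Result<()> {
    // Usage: entropy_scan <directory>   (defaults to the current directory)
    let root = std::env::args().nth(1).unwrap_or_else(|| ".".to_string());
    for (path, e) in scan_dir(Path::new(&root), 7.0)? {
        println!("{:.3}  {}", e, path.display());
    }
    Ok(())
}
```

The threshold is the tuning knob: a web root full of minified JavaScript or gzip-compressed assets will produce legitimate high-entropy hits, so the output is a triage list to review against known-good files, not a verdict.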

mttaggart, to random

Credit where it's due: this is excellent reporting by @BleepingComputer. So many lessons we should already have learned in here.

> Menelik told BleepingComputer this morning they were able to steal the data after discovering a portal for partners, resellers, and retailers that could be used to look up order information.
>
> Menelik says he could access the portal by registering multiple accounts under fake company names and had access within two days without verification.
>
> "It is very easy to register as a Partner. You just fill an application form," Menelik told BleepingComputer.

This was someone expecting only intended eyes to look at this application, even though it was discoverable on the internet.

> Once they gained access to the portal, Menelik told BleepingComputer they had created a program that generated 7-digit service tags and submitted them to the portal page starting in March to scrape the returned information.
>
> As the portal reportedly did not include any rate limiting, the threat actor claims they could harvest the information of 49 million customer records by generating 5,000 requests per minute for three weeks, without Dell blocking the attempts.

So not only did this API have no rate-limiting, it also had no access control to prevent Partner accounts from viewing each other's data.

This is the way Dell does business. How safe do you feel about all your business partners?

www.bleepingcomputer.com/news/security/dell-api-abused-to-steal-49-million-customer-records-in-data-breach/
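The two missing controls named above are small to implement. The block below is an added example written for this page, not Dell's code: a lookup handler that charges every request against a per-account budget and returns a record only if it belongs to the calling partner. The account ids, service tags and the request budget are constructed sample values.

```rust
// Added example written for this page, not Dell's code: a partner-portal
// lookup that enforces the two controls the article says were missing,
// an ownership check (a partner only sees orders tied to its own account)
// and a per-account rate limit. Account ids, service tags and the
// request budget in main() are constructed sample values.
use std::collections::HashMap;
use std::time::{Duration, Instant};

#[derive(Debug, Clone, PartialEq)]
pub struct Order {
    pub service_tag: String,
    pub partner_id: u32,
    pub customer: String,
}

#[derive(Debug, PartialEq)]
pub enum LookupError {
    /// Returned both for unknown tags and for tags owned by another
    /// partner, so a response never confirms that a foreign tag exists.
    NotFound,
    RateLimited,
}

/// Fixed-window request counter for one partner account.
struct Window {
    start: Instant,
    count: u32,
}

pub struct Portal {
    orders: HashMap<String, Order>,
    windows: HashMap<u32, Window>,
    limit: u32,
    window: Duration,
}

impl Portal {
    pub fn new(orders: Vec<Order>, limit: u32, window: Duration) -> Self {
        Portal {
            orders: orders.into_iter().map(|o| (o.service_tag.clone(), o)).collect(),
            windows: HashMap::new(),
            limit,
            window,
        }
    }

    /// Charge one request against the partner's budget. Every attempt is
    /// counted, including misses, so guessed tags cost the same as real
    /// lookups and a scraper exhausts its budget quickly.
    fn charge(&mut self, partner_id: u32, now: Instant) -> Result<(), LookupError> {
        let limit = self.limit;
        let window = self.window;
        let w = self
            .windows
            .entry(partner_id)
            .or_insert(Window { start: now, count: 0 });
        if now.duration_since(w.start) >= window {
            w.start = now;
            w.count = 0;
        }
        if w.count >= limit {
            return Err(LookupError::RateLimited);
        }
        w.count += 1;
        Ok(())
    }

    /// Look up an order as `partner_id`: rate limit first, then confirm
    /// the record belongs to the calling partner before returning it.
    pub fn lookup(&mut self, partner_id: u32, tag: &str, now: Instant) -> Result<Order, LookupError> {
        self.charge(partner_id, now)?;
        match self.orders.get(tag) {
            Some(o) if o.partner_id == partner_id => Ok(o.clone()),
            _ => Err(LookupError::NotFound),
        }
    }
}

fn main() {
    let orders = vec![
        Order { service_tag: "ABC1234".into(), partner_id: 1, customer: "alice".into() },
        Order { service_tag: "XYZ9876".into(), partner_id: 2, customer: "bob".into() },
    ];
    let mut portal = Portal::new(orders, 60, Duration::from_secs(60));
    let now = Instant::now();
    println!("{:?}", portal.lookup(1, "ABC1234", now)); // partner 1's own order
    println!("{:?}", portal.lookup(1, "XYZ9876", now)); // NotFound: owned by partner 2
}
```

Two design choices matter here. Misses are charged as well as hits, because a scraper generating tags produces mostly misses, and a limit that only counts successful lookups would not slow it down. And an unowned tag gets the same NotFound as a nonexistent one, so the portal does not leak which tags are valid. In production the counter would live in a shared store rather than process memory, and the budget would also be enforced per registration, since the article describes the actor simply creating more accounts.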

mttaggart, to random

CISA now has an alternative to AnyRun/Triage! www.cisa.gov/resources-tools/services/malware-next-generation-analysis

mttaggart,

@Viss Every single part of this is downside though. Login.gov is a horrendous apparatus that I'll do anything to avoid.

mttaggart,

@Viss True! You could even imagine some sort of SETI@home situation for automated collection. I mean you could imagine it, then imagine this crowd's hair lighting on fire at the idea of a voluntary fed listener.

mttaggart, to random

Sigh

Listen carefully. You can deplore the US healthcare system without thinking that hospitals getting ransomwared are getting what they deserve.

No patient deserves to be put in jeopardy because of price gouging from pharma, insurers, etc.
