todb

@todb@infosec.exchange

Shmethical #Hacker. #Election Judge. #CVE mucker-abouter. #Metasploit collaborator. #FriendofDeSoto. #Podcaster (see https://defcon.social/@podsothoth and https://friendsofdesoto.social/@hotforteacher).

All subpoenas, warrants, contracts, and other linguistic puzzles should be directed to my attorney, https://defcon.social/@hotdogitsclaire.

I work for CISA, but I post here for me. I am not an official spokesperson for anything (anymore).

Intro: https://infosec.exchange/@todb/109270457002321619


BleepingComputer, to random

CISA warns that a Roundcube email server vulnerability patched in September is now actively exploited in cross-site scripting (XSS) attacks.

https://www.bleepingcomputer.com/news/security/cisa-roundcube-email-server-bug-now-exploited-in-attacks/

todb,

@jerry @BleepingComputer it’s an older bug, but it checks out.

josephcox, to random

New: the Taliban took control of the domain "queer.af" (af being the TLD of Afghanistan). With the Taliban now controlling the country, it is taking back domains. This had the effect of killing the queer.af Mastodon instance https://www.404media.co/taliban-shuts-down-queer-af-domain-breaking-mastodon-instance/

todb,

@josephcox the internet, being borderless, is a very weird place to host country-specific TLDs anyway.

Kind of always has been a bad idea.

SecureOwl, to random

Don’t have to worry about compromise of the enterprise remote access VPN used to access the office network if you don’t have an office, just sayin is all

todb,

@SecureOwl Work From Home encourages zero trust design.

Viss, to random

man, i can see why netflix was going to cons doing talks about their queueing pipeline.

this stuff is no joke

todb,

@Viss netflix systems engineering is no joke

todb, to random
todb,

@0x00string wait is 🧄 supposed to be just for girls licking girls, or is it for a girl on either side of the 👅?

I don’t want to use this emoji incorrectly.

Viss, to random

as a coping mechanism for the sub par nimboperformative atmospheric display today i am treating myself to a burrito the size of a thigh

todb,

@Viss that is an aspirational burrito

todb, to random

Getting to be that time again. Hang out with @greynoise nerds. Will there be an @iagox86 sighting? Who can tell?

https://www.twitch.tv/greynoiseio/schedule

briankrebs, to random

Finally sitting down to compose some thoughts on what we can and probably should do about the swatting problem in the US. I'm finding I have quite a bit to say, and a lot of it involves mythbusting around this issue (e.g. that most of these swatting calls come through 911).

Another example: recent legislation to make swatting specifically a federal offense w/ real jail time for those convicted (introduced by a GOP lawmaker who was swatted). That might feel like a solution, but I doubt it's much of a deterrence for the sim-swatters.

Make it explicitly a federal offense with federal consequences, okay sure. But the feds have prosecuted these cases just fine using existing laws. The problem is, until the feds are aware of a swatting incident, it remains effectively a local issue, which means the cops are less likely to investigate because these crimes are generally inter-state crimes. They are usually by definition federal crimes for that reason, but they are still mostly dealt with by local authorities and local laws. One way a federal anti-swatting law could help is to require state and local law enforcement to report these crimes as violent crimes to some entity responsible for tracking them as such. Right now, there is no specific designation for swatting, and reporting is only required for federal law enforcement agencies. Reporting also serves as an important accountability check on law enforcement responding to these incidents.

todb,

@briankrebs please cover the militarization of police and a pervasive culture of private gun ownership that makes swatting particularly effective in the US.

yes it is a 2nd amendment problem.

jerry, to random

There is a noticeable decline in the number of active users on Infosec.exchange lately. Where are the cool kids hanging out these days?

todb,

@jerry There's a general shift going on to personal pan social media. Private group chats are where the action is at now. I've noticed a significant uptick in my use, anyway, across Signal and private Discords, and my kids basically don't post anywhere outside of group chats.

Turns out, people don't like algorithmic feeds after all.

todb, (edited)

@jerry more like actively discouraging use. You can do private group chats on Mastodon, but it's not culturally acceptable around here. Everyone loses their minds about the lack of E2EE.

I'd be curious about stats around the existence of "private" group chats on infosec.exchange. I had a few going on Twitter pre-2023, but almost all of my DMs here are 1-to-1 (and the jealous, prying eyes of the Masto admins of course, yes I know they're not really private).

jerry, to random

For those wondering, here is the current statement about the Mastodon vulnerability: https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw

todb, to random

The hardest part of test prep is to get re-familiarized with all the lies they tell the kids in cyber school, like the model.

Upside is, I'm pretty sure with a little day-of memorization and some willful self-reprogramming, I'll be able to pass this test on Saturday. I'll be annoyed if I fail by little, or pass by a lot.

todb,

@Viss There's a pay bump with certification. So, not making. Inviting. Ka-ching.

todb,

@Viss shut up shut up don't ruin this for me

todb,

@Viss at least I'm not wasting tax dollars on a CISSP prep class. Just banging through rando sample quizzes on the internet.

todb,

So reviewing terms and definitions the night before my test, and the whole E2EE debacle of 2020 now makes a lot more sense.

The CISSP study material I'm looking at (published in 2022), says that TLS (normal old HTTPS) is E2EE, as distinct from "link layer encryption."

This is so wrong. But I guess I'll believe it for the next 18 hours or so!

todb,

Yay passed the exam. I take back everything I said, it’s an accurate and balanced test that proves baseline understanding of useful cybersecurity concepts.

(but really it is kinda nice to be relieved of imposter syndrome for the next couple hours.)

Also, zero questions presented on WiFi 802.11foo standards. Lucked out there.

todb,

@hrbrmstr I suspend my ridicule until I get that pay bump.

CISSP is infosec payola lol

jerry, to random

Have you ever had levels of anxiety that basically prevent you from doing anything productive?

todb,

@jerry pretty much everyone, near as I can tell. It’s a normal thing. Good luck my dude.

tqbf, to random

It has been described to me as "a perfect movie" and tonight we will know for sure, as I watch, for the first time, John Carpenter's "The Thing".

todb,

@tqbf yo do you want to watch again, but with jokes?

If so, you’re in luck: @masterpancake is riffing it TONIGHT on Twitch. Local Austin comedy gang. Hella fun.

https://hachyderm.io/@masterpancake/111845288159371527

https://twitch.tv/masterpancaketheater

todb, to random

I, humbly, consider myself pretty conversant in the basics of (modern and classical) cryptography and information security.

For most of my career, I've been mystified as to what problem purports to solve.

Has there ever been a case of a DNS-based attack (spoofing, hijacking, transfer, DDoS, etc) that's been thwarted by DNSSEC? Or, in the reverse, has there been an attack that was successful that DNSSEC would have solved?

I don't know what it is, but the upsides of DNSSEC just haven't clicked in my brain.

todb,

So, example.com helpfully has set up.

I add

50.28.52.163 example.com

to my /etc/hosts file to simulate a DNS spoofing attack. The details of the spoofing shouldn't matter for any practical attack.

My OS and browser are totally cool with taking that defined address as the real "example.com," even though it's not.

So what does DNSSEC do?

todb,

Fun fact: the two largest banks in the US don't seem to be using DNSSEC at all:

➜ ~ dig +dnssec +short chase.com dnskey
➜ ~ dig +dnssec +short example.com dnskey
256 3 13 PSaUY8snD++LwIab0JNMP9zyx2whZOhc3kciM2XOR4gk09wr4uDxWwr3 Zzq84rk30l8fwxI/94QWRIgwZFNaFw==
256 3 13 joM9sPIlr483WIEP5ra1SdYGDRemvZgXUZ3HSZs9EK8GTYti4eTuGkrT L/4NBJOW/9TxpJ9MfrBA0H21hkxvlg==
257 3 13 kXKkvWU3vGYfTJGl3qBd4qhiWp5aRs7YtkCJxD2d+t7KXqwahww5IgJt xJT2yFItlggazyfXqJEVOmMJ3qT0tQ==
DNSKEY 13 2 3600 20240210142404 20240120132540 370 example.com. meGmfZDv50lVnVrucFa+bF7Ymw+X5WU0FXnucZRmskCCKUNqYS8C7Gpq j/u6I6/DJDph/jQaSTkvaCe1LT8Rdg==
➜ ~ dig +dnssec +short boa.com dnskey

➜ ~
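Added example (not todb's code): a small parser for the `dig +dnssec +short <zone> dnskey` output quoted above, which tells a defender whether a zone publishes DNSKEYs at all, which keys are KSK vs ZSK, and whether the RRSIG over the DNSKEY set is still inside its validity window. The sample input is constructed from the example.com lines in the thread; the chase.com and boa.com queries returned nothing, which the parser reports as unsigned.

```python
"""Classify `dig +dnssec +short <zone> dnskey` output (constructed sample)."""
from datetime import datetime, timezone

# Subset of the IANA DNSSEC algorithm registry, enough for common zones.
ALGORITHMS = {8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
              14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}

# Constructed from the example.com lines quoted in the thread.
SAMPLE_OUTPUT = """\
256 3 13 PSaUY8snD++LwIab0JNMP9zyx2whZOhc3kciM2XOR4gk09wr4uDxWwr3 Zzq84rk30l8fwxI/94QWRIgwZFNaFw==
257 3 13 kXKkvWU3vGYfTJGl3qBd4qhiWp5aRs7YtkCJxD2d+t7KXqwahww5IgJt xJT2yFItlggazyfXqJEVOmMJ3qT0tQ==
DNSKEY 13 2 3600 20240210142404 20240120132540 370 example.com. meGmfZDv50lVnVrucFa+bF7Ymw+X5WU0FXnucZRmskCCKUNqYS8C7Gpq j/u6I6/DJDph/jQaSTkvaCe1LT8Rdg==
"""

def _ts(yyyymmddhhmmss):
    """RRSIG timestamps are UTC in YYYYMMDDHHMMSS form."""
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_dnskey_output(text):
    """Return (keys, sigs) from +short output: DNSKEY lines start with the
    flags field; the RRSIG over the set starts with the covered type 'DNSKEY'."""
    keys, sigs = [], []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "DNSKEY":
            # RRSIG: type-covered alg labels orig-ttl expiration inception keytag signer sig
            sigs.append({"alg": int(f[1]), "expiration": _ts(f[4]),
                         "inception": _ts(f[5]), "keytag": int(f[6]), "signer": f[7]})
        else:
            # DNSKEY: flags protocol alg key; flag bit 0 (value 1) is SEP -> KSK
            flags = int(f[0])
            keys.append({"flags": flags, "role": "KSK" if flags & 1 else "ZSK",
                         "alg": ALGORITHMS.get(int(f[2]), f"alg{f[2]}")})
    return keys, sigs

def assess(text, now):
    """'unsigned' (no DNSKEY), 'signed', or 'signed-but-signature-outside-validity-window'."""
    keys, sigs = parse_dnskey_output(text)
    if not keys:
        return "unsigned"
    for s in sigs:
        if not (s["inception"] <= now <= s["expiration"]):
            return "signed-but-signature-outside-validity-window"
    return "signed"

if __name__ == "__main__":
    print(assess(SAMPLE_OUTPUT, datetime(2024, 2, 1, tzinfo=timezone.utc)))
    print(assess("", datetime(2024, 2, 1, tzinfo=timezone.utc)))
```

Note that an /etc/hosts entry never reaches a resolver, so no DNSSEC validation can happen on that path at all; validation protects the answers a validating resolver returns, not a lookup the stub short-circuits locally.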
