What can I add... the job market is kinda abysmal right now. A ton of companies have done substantial layoffs over the last few weeks and a lot of folks at all experience levels are looking all at once in the US.

Cybersecurity is still a substantially more stable space than a lot of other IT fields. My heart breaks for a lot of development roles right now. However, if you have something that is stable but just okay, I'd recommend sticking with it for the next year or so unless you have a solid and guaranteed move. The economy and investment is going to take a while to recover. Also, plan to have to move if you are part of layoffs. Have a resume ready to go, and a safety net of some sort and a plan if you are able to. Take care of your mental health.

If you're a student, I'm really sorry. I graduated during the last recession and I truly understand this is awful. Strongly suggest you target a specific niche and skillset within cybersecurity that is in higher demand and less competitive, and consider moving to something more specific later. Have your resume reviewed by a hiring manager and a professional editor. Participate in networking and in-person community events as much as you can. Meet people. Everything gives you an advantage!

US DOJ unseals a 2019 indictment charging two Russians with stealing ~647K BTC in a Mt. Gox hack; one of them is also charged with conspiring to operate BTC-e (Nikhilesh De/CoinDesk)

https://www.coindesk.com/policy/2023/06/09/mt-goxs-hackers-are-2-russian-nationals-us-doj-alleges-in-indictment/
http://www.techmeme.com/230609/p14#a230609p14

Well, I inadvertently discovered a zero-day RCE in acme.sh and got a Chinese CA to shut down overnight: https://github.com/acmesh-official/acme.sh/issues/4659

Patch for new (old) #moveIT vulnerability out now. No CVE allocated yet. https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-CVE-Pending-Reserve-Status-June-9-2023

hey could the criminals who somehow converted an application logic bug in a spam filter to “you have to throw the hardware in a shredder to be sure” please publish their own blog post about this https://www.rapid7.com/blog/post/2023/06/08/etr-cve-2023-2868-total-compromise-of-physical-barracuda-esg-appliances/

From a live tweet of the proceedings around the lawyer caught using ChatGPT:

"I thought ChatGPT was a search engine".

It is NOT a search engine. Nor, by the way are the version of it included in Bing or Google's Bard.

Language model-driven chatbots are not suitable for information access.

>>

A little cheeky of PrinterLogic to warn against PrintNightmare vulnerabilities after this savage thrashing on full-disclosure: https://seclists.org/fulldisclosure/2023/May/16

Shodan is only showing ~15 on the internet at least: https://www.shodan.io/search?query=title%3Aprinterlogic

The @runZeroInc query is similar: https://console.runzero.com/inventory/services?search=_asset.protocol%3Ahttp%20protocol%3Ahttp%20%28html.title%3A%3D%22Printer%20Logic%22%20OR%20favicon.ico.image.md5%3A%3Dab2fc8886bfbf3e986f8015539d29736%29

hat tip to @campuscodi for flagging at https://riskybiznews.substack.com/p/risky-biz-news-iranian-hacktivists (and @riskydotbiz for the mention)

At-Bay’s Cyber Research Team has confirmed that AvosLocker is using several vulnerabilities in Veritas's Backup Exec, a popular data backup and recovery software, as a means to launch ransomware attacks.

It marks the second RaaS syndicate to use the vulns to launch ransomware attacks, as ALPHV/BlackCat also has been observed using the flaw as an initial access point

https://www.at-bay.com/articles/avoslocker-adds-veritas-vulnerabilities-to-access-arsenal/

We want your Chrome full chain exploits https://security.googleblog.com/2023/06/announcing-chrome-browser-full-chain.html?m=1

So I caught the recruiting tram again and made more photos for all you dorks 😄

(This is a tram that runs in Budapest that has clear paneling so you can see the inner workings. They use it to recruit engineers and mechanics for public transport.)

#Budapest #trams #tramstodon #PublicTransport

When children are first taught to read/write in your country (or state), what writing style do they use considering both text they write and text they read?

Boosts for reach are appreciated!

Remember the #Gitlab 16.0 vulnerability and the message to patch it asap ?
Well: https://securityonline.info/poc-exploit-released-for-gitlab-cve-2023-2825-vulnerability/
The PoC is here: https://github.com/Occamsec/CVE-2023-2825

Got a new shirt

New: NSO Group is under new ownership after lenders forced a change of control with plans to keep its controversial spyware business going. Lenders have been working with Omri Lavie, a co-founder of NSO, after foreclosing on the parent company. https://www.wsj.com/articles/israeli-cyber-company-nso-group-has-new-ownership-after-u-s-blacklist-a2cda00a

Technology and defense systems giant Rheinmetall AG has been breached by Black Basta.

Rheinmetall has over 27,000 employees and is in 138 countries.

Oh wow, Stalker and Solaris are just on Youtube for free, officially uploaded by Mosfilm, the original production company. They've got a bunch of other Soviet films up there too.

https://www.youtube.com/watch?v=Q3hBLv-HLEc
https://www.youtube.com/watch?v=Z8ZhQPaw4rE

Finally, JavaScript in the browser

What does it say about these products if Google thinks they can't be made to respect privacy laws in the EU and Canada?

Instead of blaming regulators, maybe the industry is seriously dysfunctional?

This is like a car manufacturer claiming that it's impossible for them to make a car with seat belts and a catalytic converter and opting instead not to sell cars in many of the largest markets in the world

That co would obviously and unquestionably be dysfunctional and in terminal decline

Twitter’s encrypted DM feature is technically flawed, opt-in, limited to 1-to-1 text-based messages, restricted to a small user base, and generally inferior in just about every way to encrypted apps like Signal and WhatsApp.

And all for just $8 a month. https://www.wired.com/story/twitter-encrypted-dm-signal-whatsapp/

It turns out you can simply serve a file from a domain to use it as your bsky handle.

So this guy is now S3. All of S3.