So, uh, if you see an orb in public, DO NOT PONDER IT, because it's going to steal your biometrics and give them to the worst people in silicon valley:
https://news.artnet.com/art-world/worldcoin-orb-ai-2341500

Due to popular demand, here is a list of the fedi-services that are part of the infosec.* family:
1 - https://infosec.exchange - Glitch-soc fork of Mastodon (this instance does not block threads.net)
2 - https://relay.infosec.exchange - Activitypub relay
3 - https://video.infosec.exchange - Peertube instance (like youtube)
4 - https://infosec.press - WriteFreely blog*
5 - https://pixel.infosec.exchange - Pixelfed instance (like instagram)
6 - https://matrix.infosec.exchange - Synapse (with sliding sync) homeserver*
7 - https://infosec.place - Akkoma instance (like mastodon)
8 - https://infosec.town - iceshrimp instance (like mastodon)
9 - https://infosec.pub - Lemmy instance (like reddit)
10 - https://fedia.io - General interest mbin instance (also like reddit)
11 - https://fedia.social - General interst Iceshrimp instance
12 - https://elk.infosec.exchange - Elk web interface for Mastodon
13 - https://books.infosec.exchange - Bookworym instance (like goodreads)
14 - https://meetups.infosec.exchange (mobilizon)
15 - https://infosec.space - Glitch-soc fork of Mastodon (this instance does
block threads.net)

*indicates the instance authenticates against Infosec.exchange

For 25+ yrs police, military, intel agencies and critical infrastructure around the world have relied on the TETRA radio standard to secure their critical communications. But now Dutch researchers have examined secret algorithms used in TETRA and found something startling -- an intentional backdoor. This and other issues the researchers found would allow malicious actors to decrypt communications and also, in some cases, send malicious communication to radios to affect critical infrastructure or disrupt police operations and more.
https://www.wired.com/story/tetra-radio-encryption-backdoor/

'Zyxel released a security advisory regarding this vulnerability on April 25, 2023. Subsequently, [CISA] added this security flaw to its [KEV] catalog in May.

'Since the publication of the exploit module, there has been a sustained surge in malicious activity... significant increase in attack bursts starting from May... multiple botnets, including Dark.IoT, a variant based on Mirai, as well as another botnet that employs customized DDoS attack methods'.
https://www.fortinet.com/blog/threat-research/ddos-botnets-target-zyxel-vulnerability-cve-2023-28771

Once again forced to witness the deepest horrors of our reality

The failure of the Internet to deliver its promise is particularly noticeable when you hunt for repair manuals for a product from the 90s. Used to be, the information would either be there or not there, finable or unfindable.

Now, there are hundreds of algorithmically generated sites claiming to have it just because it appeared in their search logs, generating potemkin village content traps with endless paging, broken-thumbnail named-like-the-file-you-want but actually-just-ebay-photos bullshit

xss is just a loser's rce

🚧 Brute-Forcing One-Time Passwords 🚧

My last two threads discussed the probability of brute-forcing OTPs, how to do it effectively and how to defend against attacks.

Here is an overview of the topics covered:

1. Bernoulli Processes 🧮
https://infosec.exchange/@kpwn/110520985360492457

2. Increasing and Decreasing Probabilities 🤞
https://infosec.exchange/@kpwn/110561329301840527

Here's everything compiled into a blog post 📰
https://kpwn.de/2023/06/brute-forcing-one-time-passwords/

Do you find my content valuable?

🔔 Follow me for more web security content.

🔁 Also, boost this toot to spread the word!

#Infosec #CyberSecurity #BugBounty #Pentesting #Hacking #Passwords #OTP #Authentication

Ransomware, but they install an unlicensed copy of Oracle somewhere in your organization and threaten to tell Oracle about it if you don’t pay up.

AI is a lot like fossil fuel industry. Seizing and burning something (in this case, the internet, and more broadly, written-down human knowledge) that was built up over a long time much faster than it could ever be replenished.

It is confirmed that Reddit is forcing subreddits to open again. This is according to /r/antiwork moderators.

#reddit #blackout #redditmigration

"Reddit represents one of the largest data sets of just human beings talking about interesting things," Huffman said. "We are not in the business of giving that away for free."

You and me, we're just data sets. Years of interaction with fellow human beings, building community, sharing insight and creativity…it’s all just data. Data to be mined and monetized.

Huffman's not mad Reddit was scraped for a chatbot. He's mad he wasn't paid for the privilege. It's his data, you see. His. Not yours.

Search engines are useless. Windows is packaging Internet features few asked for. The major public sites are sealed tight to avoid third party tools.

Web 1.0 is back, baby!

No random open source application, I do not want to join your Discord channel for support.

There's this really cool technology called hypertext markup language, and if you use it for your documentation another piece of amazing technology called a search engine can help me find the answer I'm looking for

And the real magic is you only have to answer it once and the answer helps anyone. You don't have to answer the same question every day. This frees you up for more fun development

autoexec.bat (credit: Adam Koford)

US DOJ unseals a 2019 indictment charging two Russians with stealing ~647K BTC in a Mt. Gox hack; one of them is also charged with conspiring to operate BTC-e (Nikhilesh De/CoinDesk)

https://www.coindesk.com/policy/2023/06/09/mt-goxs-hackers-are-2-russian-nationals-us-doj-alleges-in-indictment/
http://www.techmeme.com/230609/p14#a230609p14

Well, I inadvertently discovered a zero-day RCE in acme.sh and got a Chinese CA to shut down overnight: https://github.com/acmesh-official/acme.sh/issues/4659

hey could the criminals who somehow converted an application logic bug in a spam filter to “you have to throw the hardware in a shredder to be sure” please publish their own blog post about this https://www.rapid7.com/blog/post/2023/06/08/etr-cve-2023-2868-total-compromise-of-physical-barracuda-esg-appliances/