"I'm interested in all kinds of astronomy."

Okay, so I did a quick dive into sudo in Windows and here are my initial findings. https://www.tiraniddo.dev/2024/02/sudo-on-windows-quick-rundown.html

The main takeaway is, writing Rust won't save you from logical bugs :)


Ralf Lenz, BOFH Emeritus 🏴‍☠️

Edited 1 year ago

I gave an honest try, for a year or more, in terms of finding . It's a cesspool of and fake job postings.

Now I'm asking, with all urgency -- to anyone who has anything to offer, please consider a guy who has:

- 30 yrs of exp
- out of work 20 mo
- 3 kids, one approaching her 1st birthday
- a track record for secure systems
- a month before eviction
- low salary reqs

CV: https://jrlenz.com/files/cv-2023-12.pdf

US citizen | PH resident


Shout out to the Security Research Legal Defense Fund for helping us go public about our train research! We're honored to have been their first grantees.

Without their financial assistance we would've had to crowdfund our legal bills, or even worse, stay quiet about the locks we've found in Impuls trains.

If you're facing legal threats (or even anticipate the possibility of such threats) as the result of security research we definitely recommend reaching out to them.

https://www.securityresearchlegaldefensefund.org/


neopossum_floof Ibly 🏳️‍⚧️ therian

google has unleashed ungodly AI nightmares beyond my comprehension

so a while ago, i've set up screen call on my android phone, because it's pretty useful for stopping robocalls from annoying me, since usually they just hang up, or google knows it is just a scam call.

well. i got another call in, but it couldn't get the transcript. so, i played the audio back.

to my fucking horror, GOOGLE IS USING MY OWN VOICE TO ANNOUNCE ITS PRESENCE AS THE VIRTUAL ASSISTANT.

nowhere, i mean fucking NOWHERE did they ever tell me this was a thing they'd do. in fact, i'm not able to find a single fucking thing about this online!

i don't even have the fucking option set for them to preserve my voice history, the fact they have audio recordings of my voice, and enough of them to make a fucking AI-generated version of my voice, without my god damn consent, is... i don't even know how to put it.

google, i sincerely hope someone burns down all your data centers

GitS is RIGHT NOW, and the laughing man incident is literally today

whoa

https://thelaughingman2024.jp


AnyDesk was popped, with 170,000 advertised users.

They claim their install base is secure, but that the code signing cert was stolen. From the changelog, it's clear that they knew this on January 29th but didn't announce until the end of the day on a Friday. Not cool.

Based upon their actions so far, I would recommend all enterprises kill AnyDesk across their fleet using EDR or other means for now until we know more.

https://anydesk.com/en/public-statement
https://anydesk.com/en/changelog/windows


I wanna surface this to my main timeline because it's kinda important to say out loud from time to time:

Businesses do NOT "have to" focus exclusively on their return to shareholders. Not legally, not morally.

That is the misguided OPINION of a 1970 essay by Milton Friedman, and the fact that everyone seemed to just hop on board that opinion is a significant reason why we switched gears into hyper-hell-capitalism since then.

Push back on this every time you see it.


Aaron Toponce ⚛️debian

Given Okta's recent troubles with keeping their network secure, I guess I shouldn't be surprised by this blog post.

Still, for a company that supposedly markets and sells security services, you would think they would have a better handle on something as rudimentary as password hashing.

TL;DR- Use SHA-2 or SHA-3 to hash passwords.

🤦🏻

https://auth0.com/blog/hashing-passwords-one-way-road-to-security/

interrupts
Edited 1 year ago

🚨 patch your Cisco AnyConnect boxes 🚨

For a 2020 vulnerability. Really.

Lots of ransomware cases coming in for Cisco AnyConnect/ASA recently and finally we know how - CVE-2020-3259

It was a vuln which allowed a CitrixBleed style memory dump, found by a Russian research org now under US sanctions. Ransomware operators have an exploit.

Sadly it looks like many orgs never patched.

https://www.truesec.com/hub/blog/akira-ransomware-and-exploitation-of-cisco-anyconnect-vulnerability-cve-2020-3259


We are planning to release critical security patches for versions 3.5, 4.1, 4.2 and nightly this Thursday, Feb 01, at 15:00 UTC. We encourage server administrators to plan for a timely upgrade to ensure their Mastodon server is protected.


bert hubert 🇺🇦🇪🇺🇺🇦

Edited 1 year ago

Microsoft is trying to get all email users, including governments, to migrate to their cloud-based solutions. This makes their email cloud _THE_ prime target for nation-state/state sponsored hackers. Yet Microsoft appears to be leaving gaping security holes in the setup of their email services: https://arstechnica.com/security/2024/01/in-major-gaffe-hacked-microsoft-test-account-was-assigned-admin-privileges/


nano's old account's rotting corpse

holy shit mozilla has a new issue tracker documenting all of the ways that apple, google, and microsoft purposefully put third party browsers at a disadvantage and is calling for action https://blog.mozilla.org/netpolicy/2024/01/19/platform-tilt/

Just read @pluralistic 's blog post about the difficulty that @2600 is having, both with its publication and producing the con. This is tragic - I've never attended HOPE, but I've seen many videos and read so many recaps and articles inspired by it. Support 2600 today!

https://pluralistic.net/2024/01/19/hope-less/#hack-the-planet

https://www.hope.net/
https://store.2600.com/products/tickets-to-hope-xv


iOS vs Android Security

https://patchfriday.com/54/


RIP the man who was the absolute incarnation of XKCD's "one random dude holding up the entire internet". You may never have heard of David Mills, but your entire goddamn world depends on what he did.

https://en.m.wikipedia.org/wiki/David_L._Mills
