So I've gradually opened up about this as the risk has decreased, but I think it's time I can publicly share something that happened to me this year:

I was part of an investigation into a possible violation of the CFAA. Or, more accurately, I was being investigated as a suspect.

TL;DR: I ethically disclosed a security vulnerability - SQLi leading to account info, plaintext passwords. That same issue was, according to the investigators, abused by someone (possibly me, they thought).

Hey everyone, time. I'm Chris, a small voice in the big world of InfoSec.

You might know me from:
* Helping to break down emerging information about Spring4Shell
* Tracking the impact of pro-Ukraine DDoS attacks
* Trying to figure out why a 2,000-IP botnet was torrenting Ubuntu

I'm going to be microblogging about the research I have in progress before it's as mature as the stuff I mentioned above.

I hope you have fun reading and I look forward to learning from folks here! ^_^

Forgot to post, but did some unexpected debugging of cross-certificates and dusted off some old applied crypto neurons.

In case anyone wants to learn a bit about CA changes, I present a quick writeup on fixing lack of trust between the HARICA root CA in my trust store & a .onion certificate I bought:

Spending literal days debugging what the fuck is going on with my hidden service for the zero (0) people reading my blog with Tor lol

Why am I just now learning that a "general strike" is illegal in the USA? Holy shit the populace is on a tight leash that's so fucked up

(this is not to discount folks who *do* have and publish more nuanced takes, but the eternal battle of "certs bad, get degrees" vs "degrees bad, get certs" is just eurgh)

Bad answers about breaking into cybersecurity are too easy to find. Don't know why so many people post what personally worked for them when breaking into cybersecurity and phrase it as universal.

Maybe this is search engines being bad and promoting "definite" answers over more nuanced takes - but no matter the reason, folks trying to break into cybersecurity are underserved by the highest-profile, most-marketed & most-accessible answers :/

Paul Slocum, a software developer who has been curating, conserving, and selling digital art since 2006, wrote an excellent and extensive survey of the effects and problems in the takeover of networked culture by creepto-capital.

He couldn't find a suitable publication for his critical perspective, which speaks volumes about the state of media institutions that made a name and raised funding precisely by promoting the opposite values to those of blockchain culture, and are now totally integrated into and participating in the cultural and economic distortion described by Paul.

Do read and share widely.

agitprop + dealing with spam 

problem: I get invited to Whatsapp crypto spam groups all the time 😔
opportunity: finally, an audience for my insufferable shit!

The building anxiety of being in your team meeting, feeling an itch in your throat, and scrambling to find the mute button among all your open windows before you cough loudly into the mic

i feel like the more i walk around seattle the more likely an AWS person is going to pop out of nowhere and hand me an AWS Managed NAT Gateway bill

You grow up in a different culture than the rest of your team? Cool! You'll see some things a little differently, and that leads to better decisions overall.

It's also just more fun to work with people who aren't all alike. I feel really sorry for people who want their whole team to be just like them. How boring…

Spent like five hours diagnosing certificate issues yesterday, which I wasn't planning on doing, then another three writing up how others can avoid spending hours on that issue ;-;

My intern starts tomorrow.

*attempting to unwind aggressively*

And yes, I was supposed to be relaxing, but then I had a bunch of timeouts with my hidden service, so I had to go fix it and discovered this along the way

Switched my hidden service to a single-onion service - the load time is ~halved without compromising reader anonymity. Very cool to have this as an option with Tor!

(read: it's my personal blog, so therefore *my* privacy was never a concern to begin with - YMMV)

Taking the "Twitter" out of "InfoSec Twitter."