POV: sprinting after your cat on a video call for work as she tries to eat a ball of lint off the floor

@jerry @rysiek @tweedge let's meet at the Full Moon in the forest to dance and heal, my sisters!

Apparently RIPE Atlas occasionally has delays in calculating your credit balance.

So if you, hypothetically, spent one million credits per day... it might allow you to get into a negative balance.

I work at a ccTLD (.IS), and lately we are seeing a *lot* of new accounts immediately registering multiple domains that all had been registered in the past. I suspect we're not the only ccTLD that sees this.

We know of at least two instances of this being used to take over social media accounts that had e-mails in expired domains set as backup e-mail addresses.

This seems to be organized and well-resourced.

Please double-check you don't use e-mails in any expired domains anywhere.

#InfoSec

@tweedge @jerry :oof:

The whole posture around information security is just generally upside-down, I feel.

Media focuses on blaming scary *hackers* for cases of gross incompetence on device vendors' part; LEA is hell-bent on prosecuting security researchers for disclosures; and three-letter agencies weaponize vulnerabilities and then lose cabin pressure, leading to WannaCries and NotPetyas.

Heavy sigh.

* Contact the lawyer - first consult is usually free, but it's mostly so both parties know more about the situation
* CAREFULLY follow their plan going forward, but be warned that any ongoing assistance will almost 100% cost you

In my case, it didn't go further (hooray). If that happens - and you have the means - it seemed a nice gesture to ask to send someone their favorite food/drink or make a charity donation in their name.

I'll probably write this up in another post sometime with more info, but just in case anyone else runs into the same situation, here's what to do:

* Shut the fuck up
* Contact the EFF legal desk eff.org/pages/legal-assistance
* If assistance is offered, TAKE IT
* If not, have your inquiry forwarded to the Cooperating Attorneys list
* Verify any lawyer that voices interest in your case can practice in your state & look for relevant case history
continues ...

The serious reality of the situation is, even though I did *everything right*, something out of my control almost landed me a federal charge.

I cannot imagine disclosing the same issues if I had less protection for myself. Hacking - even ethical hacking - can have serious, life-ending ramifications.

I applaud the work of the DOJ to start reducing risk for us - I really do. But this scare (and the long history of cudgeling hackers) is a big part of why I remain wary for us all.

I cannot convey to you how fantastically ready I am to be investigated for CFAA issues. I've disclosed many vulnerabilities privately, gone public with one, and even consult 1:1 with other researchers working on their first disclosures to help keep them safe & out of trouble.

I'm a cis white man in tech. I have a salaried job and a minor but positive reputation. I have enough savings to fight even a serious legal battle.

And I was still anxious for weeks while preparing to defend myself.

So I've gradually opened up about this as the risk has decreased, but I think it's time I can publicly share something that happened to me this year:

I was part of an investigation into a possible violation of the CFAA. Or, more accurately, I was being investigated as a suspect.

TL;DR: I ethically disclosed a security vulnerability - SQLi leading to account info, plaintext passwords. That same issue was, according to the investigators, abused by someone (possibly me, they thought).

"I HOPE THIS E-MAIL DOES NOT FIND YOU

I HOPE YOUR CHAIR HAS GROWN OVER WITH #MOSS

I HOPE A PLEASANT BUT UNOBSERVED BEAM OF LIGHT HITS YOUR DESK PERFECTLY THROUGH THE COLLAPSED CEILING

I HOPE THE SILENCE IS DEAFENING" Dan Sheeman, art by /u/lombardoink

Every company's earnings reports: consumers are projected to spend less on discretionary spending due to the concerns about a recession *stonks tank*

Me: you know what fuck you I'm upgrading my Roomba predict this assholes

TIL: Xylitol, a lower-calorie plant-derived sugar, is toxic to cats and dogs. Apparently it's sometimes found in peanut butter so hopefully dog owners are aware of this, but as a cat owner I had no idea.

(late night internet browsing binge - not a pet emergency)

Staring in abject horror as a minor filename encoding issue makes numerous S3 clients and providers shit the bed ... while uploading the same files with FileZilla over FTP of all things is 100% working out of the box.

To be honest I had 120% doubted this provider *because* they supported FTP, and even recommended as the primary method of interacting with their services.

I will now be returning to the early 2000s as that is where technology should have stopped.

Say it with me again: Every smart contract has a built in bug bounty program worth 100% of whatever is in the contract.

also thinking about this wonderful phenomenon where people end up doing work for companies for free - moderation, maintaining datasets, writing translations, and so on. Often it's wrapped up in altruistic language, and strictly speaking, they're not wrong that you're helping other people by doing this, but you're also making the company more profitable and valuable and getting very little, often nothing whatsoever, in return

(please ignore huge amounts of grime on the window, idk how the chicks generated that much grime that quickly. it's from the past three days. the window was pretty clean for the entire month prior. how did they do this)

Our saga of nesting robins has ended - today, the chicks flew away from the nest. All four survived to adolescence! We're sad to see them go but very proud that the robin family has survived and thrived.

Bonus: the chicks are SO POOFY and CUTE look at how cute they are now

Soup is simmering on the stove and the alarm goes off, so Josh looks his partner dead in the eyes and says "alright, guess I have to go soup-ervise" as he stands up. Deadpan. How does he keep doing this
