The author of the 'xz' backdoor commit history and activity shows that they kept office hours, mostly Mon-Fri and every other Saturday. I would imagine some of these would correlate with public holidays, as this was clearly not a hobbyist.
Cyber threat intelligence firms need to start releasing their reports as text files instead of PDFs or web pages because it's very hard to trust that you're not going to get a client-side exploit when you click on them... .
A lot of people don't realize that the Chinese company that advertised so much during the Super Bowl also made the corporate choice to burn some 0day to kick the competition off some phones, and Google caught them.
The root cause of all of the insecurity you are seeing in large enterprise products is that nobody is allowed to test them and publish the results. Hence quality is usually very low.
Can we please, for the love of zeus, just have mitre handle a registry of apt cryptonyms so we don't have to say "cozy bear aka apt 29 aka apt41.4 aka helium"?????????????????
I know this is obvious but the reason ppl are lining up to get horse worm medicine is because we spent 2T USD on war in Afghanistan but my kid's high school can't afford a Bunsen burner.
The whole "We're not going to pay you because of something secret we know you didn't" has always been an abusive clause in the whole bug bounty market and I think it's funny people are just realizing it.
We lose a lot of people from our community to addiction, so this is my reminder that if you buy the non-alcohol INFILTRATE ticket you get a bracelet and people will avoid pressuring you to drink if they see it. Also works at BH/DC/etc.!
The real power of any APT is doing all the boring shit. Testing, writing implants for dumb embedded stuff, installing big stupid enterprise software, documenting all the use cases of your tools, etc.
Starting today, Twitter will preserve JPEGs as they are encoded for upload on Twitter for Web. (Caveat, cannot have EXIF orientation)
For example: the attached photo is actually a guetzli encoded JPEG at 97% quality with no chroma subsampling.
FWIW the hardest part of finding 0day in Enterprise equipment has always been setting that equipment up and configuring it. Hence, most penetration testing companies have a ton of 0day. If this surprises you or alarms you, then ... 1/45
For future authors who are confused: I am not "tanned", I am Peruvian. Here I am editing the first Immunity web page at the original Pilosoft data center in Manhattan in the middle of NYC winter.
People forget that they are also a Turing machine built on a series of tiny gates never meant to do what they are doing. You are also a beautiful exploit.
I think a news article that labels "Jetbrains" a "pathway for Russian hackers" needs to be backed up by something more than just anonymous "officials and executives" who received a brief on an "investigation". I think the company deserves facts and evidence.
Learn whatever you feel compelled to learn. Nobody tells the wildebeest to eat the green grass and nobody can tell a hacker what ancient tomes of lore to read. A good hacker is a dancer of thought, you are not slogging through a curriculum like an accountant.
Every so often when the 15-year-old is playing Microsoft Flight Simulator I go by and I press a random button on his joystick to simulate what flying a real F-35 with their real lowest-bidder software stack is like...then I raise his taxes to pay for it.
I put together this handy BINGO CARD for people playing along when reading any new cyber policy paper or attending a talk where bad ideas are likely to be proposed as solutions to all our problems. :)
My prediction is that exploiting memory corruption vulnerabilities in C/C++ code will become a thing of the past in 10 years with hardware support for memory safety, control flow integrity, and sandboxing.
The reason this completely untrue statement keeps appearing is that people want to believe it is true. It would support their theory that using offensive techniques immediately rebounds.
Maybe if the whole first page of Google search was not useless advertising and sponsored posts, it would not be seen as such a huge step up to have ChatGPT just summarize the web for you.
My 15yo is attempting to use nmap on his phone to scan some router while we are out as I heckle him on his use of flags. "Do you want me to ask Fyodor and find out how to use this tool?"
It's important to remember that the cyber norms posed by big corporations protect big corporations and not "civilization" as they so humorously propose.
One of the things we did with INFILTRATE that has not been widely adopted yet in conferences is giving people a list of prior reading they can go through if they want to be totally up to date on a particular talk...
It just boggles my mind that Kaseya called this attack incredibly sophisticated when its technologies were invented in the early 2000s and so were the attacks that were used against them.
Hats off to the forward thinking hackers posting tons of broken code in lots of different places for LLMs to parse and remember as suggestions years from now.
Signaling: you sit in a circle with your friends and whisper a top secret SCI PowerPoint summary into the ear of the person to your right, and they whisper it to the next person in line, and then the last person writes it down and it gets printed in the NYT.
People think insurance costs in Florida are high because of fraud or mismanagement or maybe not enough laws or regulation, but the reason is really because the ocean is hot and insurance companies hire scientists.
The ocean says it's June 3 in the tropical Atlantic. ⏰
Anomalies this large aren't supposed to happen, and certainly not for 10 consecutive months with no end in sight.
I do not understand this obsession with not having a program print out naughty things. The more your program is thinking about what not to tell you, the more unreliable and ineffective it is.
After spending just 20 minutes with the @MistralAI model, I am shocked by how unsafe it is. It is very rare these days to see a new model so readily reply to even the most malicious instructions. I am super excited about open-source LLMs, but this can't be it!
Examples below 🧵
Special counsel Robert Mueller's office collected more than a trillion bytes of data, largely in Russian, related to indicted Russian individuals and companies' use of social media, prosecutor says
Llama3 70b is a GREAT model. Better than GPT 3.5 by a lot. Better than Claude Haiku. Better than Mixtral 8x22. Better than any open source model, and better than almost all the closed source models. This opens so many doors for natural language processing at scale.
One obvious myopia in the current cyber policy community is that while people are very excited about strike-back on ransomware groups who hit medical facilities you don't see anyone shoveling money into the hospital IT departments to upgrade the Windows 2000 domain controllers...
My 15yo is like "I don't get this. Going to a theater to watch a movie is like going on an airplane to watch a basketball game. Why would you want to do that". This....is a dead industry.
In 1984, Jordan Mechner (@jmechner) wrote the classic single-player game Karateka.
In 2018, Charles Mangin (@option8) analysed the game and patched it so it became a two-player game.
The patch is only 42 bytes long. Pretty impressive.
#a2
So people have been talking about maintained vs not maintained packages, and I really like this quick Reagent query as an example. There are three hundred and fifty packages in the top 5000 pip packages with no updates since 2020? Perfect for JiaTaning!
Cyber policy ppl: it's worth looking at the history of how exploits are actually written by crews, which this article does very well in the prelude, and you don't need a lot of technical depth.
😰 XZ backdoor exposes a disturbing truth: the 21M #Bitcoin sacred limit is only as strong as the Linux code on which the miners' nodes run.
🎭The foundation of crypto, blockchain consensus, is built on mutable human-made code.
It's time to put crypto 💰 where the crypto mouth is
To be fair, you probably shouldn't participate in a bug bounty program where the rule is that if they already secretly knew about it, but didn't patch it, you don't get paid. :)
I kind of want to teach a class where you take a seemingly worthless bug and then just go through all the different ways it could be used and the scenarios where it could be made very useful. I don't even know what to call that though. CONOPs 101?