#infosec community
cypheroxide · 5 months
Staying Relevant: Balancing Learning and Life as an Ethical Hacker
Have you experienced burnout while trying to develop your skills and you just don't have the time to do everything? Finding balance is the key to improving your skills in a healthy way. In this article, I explore healthy habits to grow without burning out.
You’ve heard it before – cybersecurity is a field that evolves at a blindingly fast pace. The tools, techniques, and technologies threatening networks transform rapidly. As an ethical hacker, your skills can become obsolete within months if you aren’t continuously upgrading your knowledge. Point #4 on our hacker roadmap deals with knowing the latest and greatest when it comes to the state of…
1 note · View note
nando161mando · 26 days
How can animals live in a cage?
5 notes · View notes
rabbirubiez · 1 year
The 7 Most Notorious Hacking Groups #cyberattacks #CyberAttack #tech #infosec #CyberSec #cybersecurity #Hacked #Hacking #community (at Cyber Security Summit) https://www.instagram.com/p/CoSFGrQuD97/?igshid=NGJjMDIxMWI=
0 notes
stuffforthestash · 2 months
Modern Academic AU pt2
Originally started because Professor Raphael got stuck in my head and I had (foolishly) hoped if I wrote down some thoughts, that would be the end of it 🫠
Part 1 and Part 3
------------------------------
Minthara - School of Law. Used to be a high profile defense lawyer but was barred from practice under questionable circumstances, so now she teaches courses on criminal procedure and domestic violence litigation. Male students are actively warned against taking any of her classes.
Elminster - Liberal Arts Dean. Has been in the position forever and is something of a legend at this point. He's Gale's mentor and long time family friend, and he delights in showing up unannounced to Prof. Dekarios's lectures. The two of them have a longstanding tradition of leaving surprise pranks in each other's offices.
Rolan - English department. Newly upgraded from adjunct instructor to junior full time staff, he's been assigned the special hell of having to teach the general ed. introductory writing courses that none of the other faculty want to deal with. He hates it and thinks it's a complete waste of his talents, but is determined to stick through it long enough to get that research grant.
Alfira - School of Theater & Music. Teaches vocal technique and musicality at every level. She's also the faculty coordinator for multiple on-campus performance groups, directs the university chorale and composes all their arrangements, is herself in a local acapella group, AND does community arts & outreach programs for kids.
Gortash - Newly appointed Dean of Information Studies. He's brilliant, he talks big about new frontiers in infosec and grand designs in the future potential of AI... and is already under investigation by the ethics board for misappropriation of university funds.
Ketheric - VP of Alumni and he's been with the university longer than Elminster. Nobody knows why he hasn't just retired yet, despite how much he seems to hate his job.
Orin - School of Fine Art. She "teaches" a course on performative art. It's weird and extremely uncomfortable for everyone involved, but for some reason people keep enrolling.
Durge - Fine Art Dep't Chair. The deeply disturbing nature of his personal art aside, he's actually good at his job as both the chair and an instructor. Mostly teaches anatomy and live model studio courses.
Ulder - VP of Public Affairs. He's a great public face for the university, everybody loves him... except the son he refuses to acknowledge after a falling out years ago.
Mizora - Human resources admin. Loves her job because it gives her power over other people. Is more likely to be the source of an HR complaint than the one who actually solves the problem.
Thaniel (as requested!) - Also HR. He's the one you hope gets assigned to whatever you need because he's great at it. Is also the only one who can reliably get in touch with Halsin; it's not well known that he can, so he'll usually agree to help those who figure out to ask him.
------------------------------
This started going long, so it looks like I'll be doing a third (and probably final?) installment to cover Dammon, Zevlor, Wulbren, Aylin & Isobel, and any other requests!
49 notes · View notes
Delegating trust is really, really, really hard (infosec edition)
CORRECTION: A previous version of this thread reported that Trustcor has the same officers as Packet Forensics; they do not; they have the same officers as Measurement Systems. I regret the error.
I’ve got trust issues. We all do. Some infosec pros go so far as to say “trust no one,” a philosophy more formally known as “Zero Trust,” that holds that certain elements of your security should never be delegated to any third party.
The problem is, it’s trust all the way down. Say you maintain your own cryptographic keys on your own device. How do you know the software you use to store those keys is trustworthy? Well, maybe you audit the source-code and compile it yourself.
But how do you know your compiler is trustworthy? When Unix/C co-creator Ken Thompson received the Turing Prize, he either admitted or joked that he had hidden back doors in the compiler he’d written, which was used to compile all of the other compilers:
https://pluralistic.net/2022/10/11/rene-descartes-was-a-drunken-fart/#trusting-trust
OK, say you whittle your own compiler out of a whole log that you felled yourself in an old growth forest that no human had set foot in for a thousand years. How about your hardware? Back in 2018, Bloomberg published a blockbuster story claiming that the server infrastructure of the biggest cloud companies had been compromised with tiny hardware interception devices:
https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
The authors claimed to have verified their story in every conceivable way. The companies whose servers were said to have been compromised rejected the entire story. Four years later, we still don’t know who was right.
How do we trust the Bloomberg reporters? How do we trust Apple? If we ask a regulator to investigate their claims, how do we trust the regulator? Hell, how do we trust our senses? And even if we trust our senses, how do we trust our reason? I had a lurid, bizarre nightmare last night where the most surreal events seemed perfectly reasonable (tldr: I was mugged by invisible monsters while trying to order a paloma at the DNA Lounge, who stole my phone and then a bicycle I had rented from the bartender).
If you can’t trust your senses, your reason, the authorities, your hardware, your software, your compiler, or third-party service-providers, well, shit, that’s pretty frightening, isn’t it (paging R. Descartes to a white courtesy phone)?
There’s a joke about physicists, that all of their reasoning begins with something they know isn’t true: “Assume a perfectly spherical cow of uniform density on a frictionless surface…” The world of information security has a lot of these assumptions, and they get us into trouble.
Take internet data privacy and integrity — that is, ensuring that when you send some data to someone else, the data arrives unchanged and no one except that person can read that data. In the earliest days of the internet, we operated on the assumption that the major threat here was technical: our routers and wires might corrupt or lose the data on the way.
The solution was the ingenious system of packet-switching error-correction, a complex system that allowed the sender to verify that the recipient had gotten all the parts of their transmission and resend the parts that disappeared en route.
This took care of integrity, but not privacy. We mostly just pretended that sysadmins, sysops, network engineers, and other people who could peek at our data “on the wire” wouldn’t, even though we knew that, at least some of the time, this was going on. The fact that the people who provided communications infrastructure had a sense of duty and mission didn’t mean they wouldn’t spy on us — sometimes, that was why they peeked, just to be sure that we weren’t planning to mess up “their” network.
The internet always carried “sensitive” information — love letters, private discussions of health issues, political plans — but it wasn’t until investors set their sights on commerce that the issue of data privacy came to the fore. The rise of online financial transactions goosed the fringe world of cryptography into the mainstream of internet development.
This gave rise to an epic, three-sided battle, between civil libertarians, spies, and business-people. For years, the civil liberties people had battled the spy agencies over “strong encryption” (more properly called “working encryption” or just “encryption”).
The spy agencies insisted that civilization would collapse if they couldn’t wiretap any and every message traversing the internet, and maintained that they would neither abuse this facility, nor would they screw up and let someone else do so (“trust us,” they said).
The business world wanted to be able to secure their customers’ data, at least to the extent that an insurer would bail them out if they leaked it; and they wanted to actually secure their own data from rivals and insider threats.
Businesses lacked the technological sophistication to evaluate the spy agencies’ claims that there was such a thing as encryption that would keep their data secure from “bad guys” but would fail completely whenever a “good guy” wanted to peek at it.
In a bid to educate them on this score, EFF co-founder John Gilmore built a $250,000 computer that could break the (already broken) cryptography the NSA and other spy agencies claimed businesses could rely on, in just a couple hours. The message of this DES Cracker was that anyone with $250,000 will be able to break into the communications of any American business:
https://cryptome.org/jya/des-cracker.htm
Fun fact: John got tired of the bar-fridge-sized DES Cracker cluttering up his garage and he sent it to my house for safekeeping; it’s in my office next to my desk in LA. If I ever move to the UK, I’ll have to leave it behind because it’s (probably) still illegal to export.
The deadlock might have never been broken but for a key lawsuit: Cindy Cohn (now EFF’s executive director) won the Bernstein case, which established that publishing cryptographic source-code was protected by the First Amendment:
https://www.eff.org/cases/bernstein-v-us-dept-justice
With cryptography legalized, browser vendors set about securing the data-layer in earnest, expanding and formalizing the “public key infrastructure” (PKI) in browsers. Here’s how that works: your browser ships with a list of cryptographic keys from trusted “certificate authorities.” These are entities that are trusted to issue “certificates” to web-hosts, which are used to wrap up their messages to you.
When you open a connection to “https://foo.com,” Foo sends you a stream of data that is encrypted with a key identified as belonging to “foo.com” (this key is Foo’s “certificate” — it certifies that the user of this key is Foo, Inc). That certificate is, in turn, signed by a “Certificate Authority.”
Any Certificate Authority can sign any certificate — your browser ships with a long list of these CAs, and if any one of them certifies that the bearer is “Foo.com,” that server can send your browser “secure” traffic and it will dutifully display the data with all assurances that it arrived from one of Foo, Inc’s servers.
This means that you are trusting all of the Certificate Authorities that come with your browser, and you’re also trusting the company that made your browser to choose good Certificate Authorities. This is a lot of trust. If any of those CAs betrays your trust and issues a bad cert, it can be used to reveal, copy, and alter the data you send and receive from a server that presents that certificate.
You’d hope that certificate authorities would be very prudent, cautious and transparent — and that browser vendors would go to great lengths to verify that they were. There are PKI models for this: for example, the “DNS root keys” that control the internet’s domain-name service are updated via a formal, livestreamed ceremony:
https://www.cloudflare.com/dns/dnssec/root-signing-ceremony/
There are 14 people entrusted to perform this ceremony, and at least three must be present at each performance. The keys are stored at two facilities, and the attendees need to show government ID to enter them (is the government that issued the ID trustworthy? Do you trust the guards to verify it? Ugh, my head hurts).
Further access to the facility is controlled by biometric locks (do you trust the lock maker? How about the person who registers the permitted handprints?). Everyone puts a wet signature in a logbook. A staffer has their retina scanned and presents a smartcard.
Then the staffer opens a safe that has a “tamper proof” (read: “tamper resistant”) hardware module whose manufacturer is trusted (why?) not to have made mistakes or inserted a back-door. A special laptop (also trusted) is needed to activate the safe’s hardware module. The laptop “has no battery, hard disk, or even a clock backup battery, and thus can’t store state once it’s unplugged.” Or, at least, the people in charge of it claim that it doesn’t and can’t.
The ceremony continues: the safe yields a USB stick and a DVD. Each of the trusted officials hands over a smart card that they trust and keep in a safe deposit box in a tamper-evident bag. The special laptop is booted from the trusted DVD and mounts the trusted USB stick. The trusted cards are used to sign three months worth of keys, and these are the basis for the next quarter’s worth of secure DNS queries.
All of this is published, videoed, livestreamed, etc. It’s a real “defense in depth” situation where you’d need a very big conspiracy to subvert all the parts of the system that need to work in order to steal underlying secrets. Yes, bottom line, you’re still trusting people, but in part you’re trusting them not to be able to all keep a secret from the rest of us.
The process for determining which CAs are trusted by your browser is a lot less transparent and, judging from experience, a lot less thorough. Many of these CAs have proven to be manifestly untrustworthy over the years. There was Diginotar, a Dutch CA whose bad security practices left it vulnerable to a hack-attack:
https://en.wikipedia.org/wiki/DigiNotar
Some people say it was Iranian government hackers, who used its signing keys to forge certificates and spy on Iranian dissidents, who are liable to arrest, torture and execution. Other people say it was the NSA pretending to be Iranian government hackers:
https://www.schneier.com/blog/archives/2013/09/new_nsa_leak_sh.html
In 2015, the China Internet Network Information Center was used to issue fake Google certificates, which gave hackers the power to intercept and take over Google accounts and devices linked to them (e.g. Android devices):
https://thenextweb.com/news/google-to-drop-chinas-cnnic-root-certificate-authority-after-trust-breach
In 2019, the UAE cyber-arms dealer Darkmatter — an aggressive recruiter of American ex-spies — applied to become a trusted Certificate Authority, but was denied:
https://www.reuters.com/investigates/special-report/usa-spying-raven/
Browser PKI is very brittle. By design, any of the trusted CAs can compromise every site on the internet. An early attempt to address this was “certificate pinning,” whereby browsers shipped with a database of which CAs were authorized to issue certificates for major internet companies. That meant that even though your browser trusted Crazy Joe’s Discount House of Certification to issue certs for any site online, it also knew that Google didn’t use Crazy Joe, and any google.com certs that Crazy Joe issued would be rejected.
But pinning has a scale problem: there are billions of websites and many of them change CAs from time to time, which means that every browser now needs a massive database of CA-site pin-pairs, and a means to trust the updates that site owners submit to browsers with new information about which CAs can issue their certificates.
Pinning was a stopgap. It was succeeded by a radically different approach: surveillance, not prevention. That surveillance tool is Certificate Transparency (CT), a system designed to quickly and publicly catch untrustworthy CAs that issue bad certificates:
https://www.nature.com/articles/491325a
Here’s how Certificate Transparency works: every time your browser receives a certificate, it makes and signs a tiny fingerprint of that certificate, recording the date, time, and issuing CA, as well as proof that the CA signed the certificate with its private key. Every few minutes, your browser packages up all these little fingerprints and fires them off to one or more of about a dozen public logs:
https://certificate.transparency.dev/logs/
These logs use a cool cryptographic technology called Merkle trees that make them tamper-evident: that means that if someone alters the log (say, to remove or forge evidence of a bad cert), everyone who’s got a copy of any of the log’s previous entries can tell that the alteration took place.
Merkle Trees are super efficient. A modest server can easily host the eight billion or so CT records that exist to date. Anyone can monitor any of these public logs, checking to see whether a CA they don’t recognize has issued a certificate for their own domain, and then prove that the CA has betrayed its mission.
CT works. It’s how we learned that Symantec engaged in incredibly reckless behavior: as part of their test-suite for verifying a new certificate-issuing server, they would issue fake Google certificates. These were supposed to be destroyed after creation, but at least one leaked and showed up in the CT log:
https://arstechnica.com/information-technology/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs/
It wasn’t just Google — Symantec had issued tens of thousands of bad certs. Worse: Symantec was responsible for more than a third of the web’s certificates. We had operated on the blithe assumption that Symantec was a trustworthy entity — a perfectly spherical cow of uniform density — but on inspection it was proved to be a sloppy, reckless mess.
After the Symantec scandal, browser vendors cleaned house — they ditched Symantec from browsers’ roots of trust. A lot of us assumed that this scandal would also trigger a re-evaluation of how CAs demonstrated that they were worthy of inclusion in a browser’s default list of trusted entities.
If that happened, it wasn’t enough.
Yesterday, the Washington Post’s Joseph Menn published an in-depth investigation into Trustcor, a certificate authority that is trusted by default by Safari, Chrome and Firefox:
https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/
Menn’s report is alarming. Working from reports from University of Calgary privacy researcher Joel Reardon and UC Berkeley security researcher Serge Egelman, Menn presented a laundry list of profoundly disturbing problems with Trustcor:
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/etbBho-VBQAJ
First, there’s an apparent connection to Packet Forensics, a high-tech arms dealer that sells surveillance equipment to the US government. One of Trustcor’s partners is a holding company managed by Packet Forensics spokesman Raymond Saulino.
If Trustcor is working with (or part of) Packet Forensics, it could issue fake certificates for any internet site that Packet Forensics could use to capture, read and modify traffic between that site and any browser. One of Menn’s sources claimed that Packet Forensics “used TrustCor’s certificate process and its email service, MsgSafe, to intercept communications and help the U.S. government.”
Trustcor denies this, as did the general counsel for Packet Forensics.
Should we trust either of them? It’s hard to understand why we would. Take Trustcor: as mentioned, it has a “private” email service called “Msgsafe,” that claims to offer end-to-end encrypted email. But it is not encrypted end-to-end — it sends copies of its users’ private keys to Trustcor, allowing the company (or anyone who hacks the company) to intercept its email.
It’s hard to avoid the conclusion that Trustcor is making an intentionally deceptive statement about how its security products work, or it lacks the basic technical capacity to understand how those products should work. You’d hope that either of those would disqualify Trustcor from being trusted by default by billions of browsers.
It’s worse than that, though: there are so many red flags about Trustcor beyond the defects in Msgsafe. Menn found that that company’s website identified two named personnel, both supposed founders. One of those men was dead. The other one’s Linkedin profile has him departing the company in 2019.
The company lists two phone numbers. One is out of service. The other goes to unmonitored voicemail. The company’s address is a UPS Store in Toronto. Trustcor’s security audits are performed by the “Princeton Audit Group” whose address is a private residence in Princeton, NJ.
A company spokesperson named Rachel McPherson publicly responded to Menn’s article and Reardon and Egelman’s report with a bizarre, rambling message:
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/X_6OFLGfBQAJ
In it, McPherson insinuates that Reardon and Egelman are just trying to drum up business for a small security research business they run called Appsecure. She says that Msgsafe’s defects aren’t germane to Trustcor’s Certificate Authority business, instead exhorting the researchers to make “positive suggestions for improving that product suite.”
As to the company’s registration, she makes a difficult-to-follow claim that the irregularities are due to using the same Panamanian law-firm as Packet Forensics, says that she needs to investigate some missing paperwork, and makes vague claims about “insurance impersonation” and “potential for foul play.”
Certificate Authorities have one job: to be very, very, very careful. The parts of Menn’s story and Reardon and Egelman’s report that aren’t disputed are, to my mind, enough to disqualify them from inclusion in browsers’ root of trust.
But the disputed parts — which I personally believe, based on my trust in Menn, which comes from his decades of careful and excellent reporting — are even worse.
For example, Menn makes an excellent case that Packet Forensics is not credible. In 2007, a company called Vostrom Holdings applied for permission for Packet Forensics to do business in Virginia as “Measurement Systems.” Measurement Systems, in turn, tricked app vendors into bundling spyware into their apps, which gathered location data that Measurement Systems sold to private and government customers. Measurement Systems’ data included the identities of 10,000,000 users of Muslim prayer apps.
Packet Forensics denies that it owns Measurement Systems, which doesn’t explain why Vostrom Holdings asked the state of Virginia to let it do business as Measurement Systems. Vostrom also owns the domain “Trustcor.co,” which directed to Trustcor’s main site. Trustcor’s “president, agents and holding-company partners” are identical to those of Measurement Systems.
One of the holding companies listed in both Trustcor and Measurement Systems’ ownership structures is Frigate Bay Holdings. This March, Raymond Saulino — the one-time Packet Forensics spokesman — filed papers in Wyoming identifying himself as manager of Frigate Bay Holdings.
Neither Menn nor Reardon and Egelman claim that Packet Forensics has obtained fake certificates from Trustcor to help its customers spy on their targets, something that McPherson stresses in her reply. However, Menn’s source claims that this is happening.
These companies are so opaque and obscure that it might be impossible to ever find out what’s really going on, and that’s the point. For the web to have privacy, the Certificate Authorities that hold the (literal) keys to that privacy must be totally transparent. We can’t assume that they are perfectly spherical cows of uniform density.
In a reply to Reardon and Egelman’s report, Mozilla’s Kathleen Wilson asked a series of excellent, probing followup questions for Trustcor, with the promise that if Trustcor failed to respond quickly and satisfactorily, it would be purged from Firefox’s root of trust:
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/WJXUELicBQAJ
Which is exactly what you’d hope a browser vendor would do when one of its default Certificate Authorities was credibly called into question. But that still leaves an important question: how did Trustcor, who marketed a defective security product, whose corporate ownership is irregular and opaque with a seeming connection to a cyber-arms-dealer, end up in our browsers’ root of trust to begin with?
Formally, the process for inclusion in the root of trust is quite good. It’s a two-year vetting process that includes an external audit:
https://wiki.mozilla.org/CA/Application_Process
But Daniel Schwalbe, CISO of Domain Tools, told Menn that this process was not closely watched, claiming “With enough money, you or I could become a trusted root certificate authority.” Menn’s unnamed Packet Forensics source claimed that most of the vetting process was self-certified — that is, would-be CAs merely had to promise they were doing the right thing.
Remember, Trustcor isn’t just in Firefox’s root of trust — it’s in the roots of trust for Chrome (Google) and Safari (Apple). All the major browser vendors were supposed to investigate this company and none of them disqualified it, despite all the vivid red flags.
Worse, Reardon and Egelman say they notified all three companies about the problems with Trustcor seven months ago, but didn’t hear back until they published their findings publicly on Tuesday.
There are 169 root certificate authorities in Firefox, and comparable numbers in the other major browsers. It’s inconceivable that you could personally investigate each of these and determine whether you want to trust it. We rely on the big browser vendors to do that work for us. We start with: “Assume the browser vendors are careful and diligent when it comes to trusting companies on our behalf.” We assume that these messy, irregular companies are perfectly spherical cows of uniform density on a frictionless surface.
The problem of trust is everywhere. Vaccine deniers say they don’t trust the pharma companies not to kill them for money, and don’t trust the FDA to hold them to account. Unless you have a PhD in virology, cell biology and epidemiology, you can’t verify the claims of vaccine safety. Even if you have those qualifications, you’re trusting that the study data in journals isn’t forged.
I trust vaccines — I’ve been jabbed five times now — but I don’t think it’s unreasonable to doubt either Big Pharma or its regulators. A decade ago, my chronic pain specialist told me I should take regular doses of powerful opioids, and pooh-poohed my safety and addiction concerns. He told me that pharma companies like Purdue and regulators like the FDA had re-evaluated the safety of opioids and now deemed them far safer.
I “did my own research” and concluded that this was wrong. I concluded that the FDA had been captured by a monopolistic and rapacious pharma sector that was complicit in waves of mass-death that produced billions in profits for the Sackler family and other opioid crime-bosses.
I was an “opioid denier.” I was right. The failure of the pharma companies to act in good faith, and the failure of the regulator to hold them to account is a disaster that has consequences beyond the mountain of overdose deaths. There’s a direct line from that failure to vaccine denial, and another to the subsequent cruel denial of pain meds to people who desperately need them.
Today, learning that the CA-vetting process I’d blithely assumed was careful and sober-sided is so slapdash that a company without a working phone or a valid physical address could be trusted by billions of browsers, I feel like I did when I decided not to fill my opioid prescription.
I feel like I’m on the precipice of a great, epistemological void. I can’t “do my own research” for everything. I have to delegate my trust. But when the companies and institutions I rely on to be prudent (not infallible, mind, just prudent) fail this way, it makes me want to delete all the certificates in my browser.
Which would, of course, make the web wildly insecure.
Unless it’s already that insecure.
Ugh.
Image:
Curt Smith (modified)
https://commons.wikimedia.org/wiki/File:Sand_castle,_Cannon_Beach.jpg
CC BY 2.0:
https://creativecommons.org/licenses/by/2.0/deed.en
[Image ID: An animated gif of a sand-castle that is melting into the rising tide; through the course of the animation, the castle gradually fills up with a Matrix-style 'code waterfall' effect.]
350 notes · View notes
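The tamper-evidence of the Merkle-tree logs described in the Certificate Transparency post above, as an added example (not part of the original post and not any log operator's code): it follows the RFC 6962 hashing and consistency-proof rules, and a monitor function scans the log for a domain's certificates from CAs its owner does not use. The log entries, domain names and CA names are constructed, entries are simplified to `domain|issuer|serial` strings, and checking the log's signature on a tree head is omitted.

```python
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(entry: bytes) -> bytes:
    return _h(b"\x00" + entry)           # RFC 6962: leaves are prefixed with 0x00

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)    # interior nodes are prefixed with 0x01

def _split(n: int) -> int:
    """Largest power of two strictly smaller than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_hash(entries):
    """Merkle tree head over an ordered list of log entries."""
    n = len(entries)
    if n == 0:
        return _h(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))

def consistency_proof(m, entries, whole=True):
    """Hashes proving that the first m entries are a prefix of `entries`."""
    n = len(entries)
    if m == n:
        return [] if whole else [tree_hash(entries)]
    k = _split(n)
    if m <= k:
        return consistency_proof(m, entries[:k], whole) + [tree_hash(entries[k:])]
    return consistency_proof(m - k, entries[k:], False) + [tree_hash(entries[:k])]

def _roots(m, n, proof, old_root, whole):
    """Rebuild (old head, new head) for a subtree from the proof hashes."""
    if m == n:
        if whole:                        # subtree is the old tree itself
            if proof:
                raise ValueError("proof too long")
            return old_root, old_root
        if len(proof) != 1:
            raise ValueError("malformed proof")
        return proof[0], proof[0]
    if not proof:
        raise ValueError("proof too short")
    k = _split(n)
    if m <= k:                           # old tree lies inside the left subtree
        old, new = _roots(m, k, proof[:-1], old_root, whole)
        return old, node_hash(new, proof[-1])
    old, new = _roots(m - k, n - k, proof[:-1], old_root, False)
    return node_hash(proof[-1], old), node_hash(proof[-1], new)

def verify_consistency(m, old_root, n, new_root, proof):
    """True only if the size-n log is an append-only extension of the size-m log."""
    if not 0 < m <= n:
        return False
    try:
        old, new = _roots(m, n, proof, old_root, True)
    except ValueError:
        return False
    return old == old_root and new == new_root

def unexpected_issuers(entries, domain, allowed):
    """(index, issuer) for each entry naming `domain` whose CA is not in `allowed`."""
    hits = []
    for i, raw in enumerate(entries):
        name, issuer = raw.decode().split("|")[:2]
        if name == domain and issuer not in allowed:
            hits.append((i, issuer))
    return hits

# Constructed sample log: "domain|issuer|serial"
LOG = [b"example.test|Honest CA|01", b"shop.example.test|Honest CA|02",
       b"other.test|Second CA|03", b"example.test|Crazy Joe CA|04",
       b"blog.other.test|Second CA|05"]

def demo():
    old_size = 3
    old_root = tree_hash(LOG[:old_size])   # head an auditor saved earlier
    proof = consistency_proof(old_size, LOG)
    honest = verify_consistency(old_size, old_root, len(LOG), tree_hash(LOG), proof)
    forged = list(LOG)                     # operator rewrites an old entry
    forged[1] = b"shop.example.test|Crazy Joe CA|02"
    rewritten = verify_consistency(old_size, old_root, len(forged),
                                   tree_hash(forged), consistency_proof(old_size, forged))
    return honest, rewritten, unexpected_issuers(LOG, "example.test", {"Honest CA"})

if __name__ == "__main__":
    print(demo())
```

The auditor needs only the 32-byte head it saved earlier, not a copy of the log, to reject the rewritten history.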
parallaxia · 3 months
I get that "hackers aren't cool irl" is the "don't do drugs, kids" speech of the infosec community but it's true tbh. No one with the skills to have a profitable career in a field they enjoy is forfeiting that on purpose. Most of these people are unemployable because they're antisocial losers who often have criminal records unrelated to hacking. The other thing you have to understand is that what's impressive to laypeople doesn't necessarily correlate with what actually takes a lot of talent to pull off. Everyone has heard of the guy who made thousands of random printers across the world print "SUBSCRIBE TO PEWDIEPIE." No one has heard of the guy who cracked Blu-Ray encryption. Yet the difference in skill between those two hacks is the difference between being an RN and being a neurosurgeon.
9 notes · View notes
solarpunkcast · 1 year
i’ve got issues with perfectionism due to my ✨many neurodivergencies✨, which makes being a leftist tricky sometimes, because my brain is telling me that if i’m not the best at infosec in the world, i am a failure. do you know any quotes or anything that might be a nice thing to fall back on when being a leftist is tiring? like a “if the situation was hopeless they wouldn’t need propaganda” sorta deal?
okay well the first thing is that whether you're a leftist or not, whether you ignore it or not, capitalism is an ongoing class war. so this is as much of a state of becoming/being as it is learning; what that means is your awareness is as much of an asset as your knowledge is. like most things in life, there is not an endpoint--so you cannot frame this as a goal to cross off or even a checklist to follow. it is a part of you that you will carry around. because at its core, your leftism needs to come from kindness, empathy, and love. there is no justice without these things. there will be no true liberation without these things.
“if the situation was hopeless they wouldn’t need propaganda” is like the tip of that idea: while true, it ignores the underlying fact that that Propaganda requires billions on billions of dollars to even function. Every. Single Year. There is quite literally no limit to the amount of money that capitalists would spend on anticommunist and revisionist propaganda in order to stop us from agitating against them. Nothing they wouldn't do to prevent actual, lasting change from happening.
In a way, that's fucking pathetic! How shitty of an existence that must be. They even understand how precarious their position is... we don't really see coverage about this, but the aristocrats and capitalists have admitted they're scared--especially about a climate collapse that would unequivocally destroy their power structures for good. They've lived with this fear, passed it down through the generations even. How fucking pathetic is that? To curse your entire ancestry with this fear because you refuse to share? Reductive maybe, but down at the core that's what it really is right? An absolute refusal to commune with the rest of us human beings, to the detriment of our lives and everything else on this planet. That and their arbitrary system that tells themselves they're superior and special.
Living under it is fucking terrifying though, which is why leftists, revolutionaries, and other radicals have always come together through the arts and oratory, as well as celebrations of community, culture, and shared history.
There is no comprehensive list I could give you on quotes or speeches to read, nor music to listen to. I've been digging around for a couple hours now and I'm not even sure what examples to provide. There is a ton, like truly a TON of stuff out there to help. My suggestion would be to dig into your country's history of leftists, its revolutionary speeches and music, its folk music, its art and agitprop first. Then save those and come back to them whenever you need them.
If you live in the US, this would be figures like Angela Davis, Ursula K Le Guin, Eugene Debs, James Baldwin, Pete Seeger, Bill Haywood, Fred Hampton, the IWW, Murray Bookchin, David Graeber, Cesar Chavez...
Learn about the historical figures who had their leftism whitewashed like Martin Luther King Jr, Helen Keller, Harry Belafonte, Paul Robeson, Jane Fonda, Albert Einstein...
Cultivating a love for humanity as a whole instead of fostering misanthropy is also a big thing to help combat exhaustion and burnout. I have a #humans are good actually tag that I use to help with this myself. Even reading up on anthropology can help! Cases like Shanidar I teach us that community support and care is what helped us survive, not the individualism that capitalism preaches.
This has already been pretty long so I'll leave you with my two favorite quotes on this subject, from Angela Davis and Ursula K Le Guin respectively:
“You have to act as if it were possible to radically transform the world. And you have to do it all the time.”
"You cannot buy the Revolution. You cannot make the Revolution. You can only be the Revolution. It is in your spirit, or it is nowhere."
untitledgoosegay · 5 months
revolutions are real. they have happened. they are possible.
and:
revolutions require infrastructure. they require the ability to coordinate, maneuver, and supply large groups of people, without alerting the hegemonic power. that means time, that means travel, that means secure communication networks and infosec traditions. they require shared norms and practices around resistance -- here i'm thinking about taking a long time rummaging through your bag during a ticket check to give people dodging fare a chance to escape. It's a good practice, and not one I'd heard of before a few days ago!
currently, in the US, we don't have those on remotely the required scale.
but we do have them. we had them in the first wave of BLM marches, and again in Portland in 2019 (and elsewhere, but I was in Portland); we have them at Standing Rock and Stop Cop City. protestors in the US traded tactics and advice with protestors in the Middle East throughout the 2010s -- and that's just the case I know of. American resistance has been systematically hamstrung via (ongoing) programs of ideological poisoning and assassinations (think of how many Black BLM leaders were murdered), but it exists.
the infrastructure can be built, but it has to be built
sitting around jacking off about guillotines and eating the rich does not build shit.
Note
Okay so this is a random question but I’m curious. If the sanders sides gymrat au had pride outfits, what would they look like? You can go into much detail as you want. This is just something that popped into my head
Good question (especially since I'm not actually the most fashion oriented, pffft)... hmmm.
Roman
Cis Man
Aromantic (Bellusromantic) Gay
Probably the most flaming of the group - but it’s stiff competition with his brother and Janus. So. Much. (Food-safe/bio-degradable/hypoallergenic) Glitter. In fact the three make that part of things an actual competition, things get as hilariously heated as one may expect. Also can be seen with a rainbow ball gag on his person, sometimes wearing it, courtesy of Jan. Of course.
Remus
Transmasc Nonbinary (AFAB)
Polyamorous Gay (Bellusexual) Ace
He will look like he crawled out of a waste bin a bunch of unicorns threw up inside. He will look like the most genderfucked punk he possibly can. He will be the most disgusting about the PDA with Virgil possible (up for interpretation there, but it will also be kinky.)
Janus
Genderfluid (AMAB)
Aroflux Pan
Would probably have to hope he’s saved up a lot of spoons, but damn it. They will go all out and be the most extravagant femme domme at the scene. Yes, they will parade Roman around with at least a collar. Thank fuck they’re rich enough to afford make-up artists who can work with their skin sensitivities. (Why yes, I’m still completely not over that Dimitrescu-inspired photo shoot, glad you asked.)
Virgil
Gender-Questioning (AMAB)
Polyamorous Biromantic Demi
He's kinda stealth about it. His favorite color scheme is purple anyways. He’s more out and proud in selective situations (the gym crew, queer-friendly joints like the gym they go to, and Pride events.) It’s more because security in numbers and his baseline anxiety issues under other circumstances (doesn’t want to get harassed at the Wendy’s over it). He does get those butterflies hanging out with Remus during these events.
Patton
Cis Man
Panromantic Gay
He'd probably be a bit over the top with the "wearing your faith on your sleeve" spiel. Esp given how much of the queer community has trauma from the Christian apparatus... but he will LOUDLY roast the likes of a certain Baptist Church that starts with a W and ends with an O. So he tries to rep the parts of [the] religion that aren't Completely Awful. (And given his past as a combat medic - he also regularly signs on as one of the medical volunteer staff at events/protests.)
Logan
Trans Man
Polyamorous Aroace
I think he'd be the most understated about it, wearing his usual attire with a few pins on his shirt (like the sketch I drew of the guy.) He's proud but just isn't "in your face" about it. (More just his mode of comfortable expression than pulling respectability nonsense over it. He is a software and infosec specialist... he has his ways of doing The Activism.)
loving-n0t-heyting · 2 years
Been pondering a mildly grimdark Wizardry AU. Features so far:
Magic has no “inertia”: once its caster stops casting it (such as at death), an enchantment ceases without warning
The entire history of a given wizard's spellwork is best understood as a single, holistic unit. Even the casting and subsequent un-casting of a spell they “reverse” persist in this un-atomistic whole. The whole of the spell can be transferred to another wizard, but only in whole, joining it to their old spell
The bigger and more elaborate a wizard's total spell to date, the more powerful magic they can perform. Thus gain in magical ability outstrips gain in knowledge; exponential wizard vs linear fighter
Spellwork can be cast jointly but at the cost of distributing the newly joined total spell of the co-casters across them in such a way that either dying wrecks the spell as a whole (in such a way as to psychically injure the survivor) and requires joint consent for transfer
The natural incentive structure is thus against cooperation and towards individual hegemonic accumulation; power can more easily be unified than divided, and an inability to smoothly transition from it begets strong dependence on older magical infrastructure
The accumulation of this infrastructure over time makes it exceptionally prone to technical debt and thus difficult to imitate
The natural endgames for a civilisation are thus a single nigh-omnipotent global wizard-emperor or the monopolising wizard with the Big Spell kept barely alive as a sort of omelas child in a perfectly insulated environment as one in a lineage of magic slaves like smbc!superman
Either way, such a civilisation is doomed to instantaneous total collapse at some one unpredictable moment once the reigning wizard emperor/slave kicks the bucket by chance without having transferred to a successor
Given the incredible misanthropic tendency of wizardry as a social force, magic comes with a built-in deterrent: every wizard upon ascending to magehood must consent to some vaguely horrible afterlife
Wizards, indeed, can never be communed with after death by magic; they are Elsewhere
Spoilers: this doesn’t really deter much
For this reason state officials and other persons privy to highly sensitive information are frequently required to accept wizardry as a sort of anti-seance infosec measure after death
Departed souls are uniquely unhelpful in describing the nature of their current existence: they generally insist on discussing only the events of their past life, on which they dwell with increasingly deranged fervour as they persist in the afterlife
Departed souls all eventually become inaccessible, like wizards, and are never available for communion again. The moment of first inaccessibility for a given soul is random and obeys a half-life of around 20y
cybergeeksposts · 8 months
Google warns infoseccers: Beware of North Korean spies sliding into your DMs
In the ever-evolving landscape of cybersecurity threats, vigilance remains paramount. Recent reports from Google's Threat Analysis Group (TAG) have unveiled concerning activities involving suspected North Korean-backed hackers. These malicious actors are once again setting their sights on the infosec community, employing familiar tactics and some intriguing new tools.
The Social Engineering Approach
Just as they did in 2021, suspected North Korean agents are employing social engineering tactics to infiltrate the infosec community. They initiate contact through social media platforms, building trust and rapport with potential targets before moving communication to secure services like Signal or WhatsApp. This method allows them to establish a seemingly legitimate connection before launching their cyberattacks.
A Dangerous Payload
Once a relationship is established, the threat actors send a malicious file containing at least one zero-day vulnerability in a popular software package. While Google did not disclose the affected vendor, they assured the public that efforts are underway to deploy a patch. This technique is a stark reminder of the persistent threat posed by zero-day vulnerabilities, which can catch even the most prepared organizations off guard.
The malicious file includes shellcode that collects information from compromised systems and sends it back to command-and-control (C2) servers. This shellcode shares similarities with previous North Korean exploits, indicating a potentially organized and well-equipped threat actor.
A Disturbing Discovery
In addition to the established tactics, Google's TAG uncovered an unsettling development - a standalone tool for Windows named "dbgsymbol." This tool initially appears benign, designed to download debugging symbol information from various sources. Such information is invaluable for debugging software or conducting vulnerability research.
However, there's a dark twist to this tool. It possesses the capability to download and execute arbitrary code from an attacker-controlled domain. This feature raises the stakes significantly, as it can be leveraged to deliver devastating malware payloads.
Staying Safe in a Dangerous Landscape
Given the potential risks, it's crucial for anyone who may have downloaded or run dbgsymbol to take immediate action. Google recommends ensuring your system is in a known clean state, which may require a full reinstallation of the operating system. This precaution is necessary to prevent any hidden malware from compromising your system further.
source- https://www.theregister.com/2023/09/11/infosec_roundup/
hackernewsrobot · 1 year
Why the infosec community is ahead of the curve and rationalists and nihilists
https://ioc.exchange/@invisv/109740474201888576
hackgit · 1 year
[Media] LoRa-AX25-IP-Network
Utilising inexpensive wireless modules and open source software to form networks over long distances using AX25 and IP networking in the unlicensed ISM bands, without reliance on a centralised service provider.
• Privacy minded individuals
• People living under oppressive governments
• Remote communities
• Natural Disaster areas
• Testing low bandwidth applications eg, COAP ROHC
• Testing Decentralised apps like scuttlebutt.nz and tox.chat
https://github.com/dmahony/LoRa-AX25-IP-Network
#cybersecurity #infosec #privacy
kalilinux4u · 2 years
Researchers have discovered a new security flaw in UNISOC's chipset that can be used to disrupt smartphone radio communications through a malformed packet. Read details: https://t.co/Hn1pBdVu5E #infosec #cybersecrity #hacking (via Twitter https://twitter.com/TheHackersNews/status/1532303588558393344)
gisblogs203658 · 22 days
Navigating the Cybersecurity Landscape: Protecting Our Digital World 🛡️
Hey everyone! Today, let's dive into the crucial topic of cybersecurity and explore how we can safeguard our digital assets and privacy in an increasingly connected world. 🔒
Cybersecurity refers to the practice of protecting computers, networks, and data from unauthorized access, cyberattacks, and malicious threats. As we rely more on digital technologies for work, communication, and entertainment, the importance of cybersecurity cannot be overstated. From securing personal devices and online accounts to defending critical infrastructure and businesses, cybersecurity plays a vital role in ensuring trust, safety, and resilience in our digital ecosystem. 🌐
Here are some key aspects and practices of cybersecurity:
Risk Management: Cybersecurity involves identifying, assessing, and mitigating risks to prevent potential security breaches and data compromises.
Multi-Layered Defense: Effective cybersecurity strategies employ multiple layers of protection, including firewalls, antivirus software, encryption, and intrusion detection systems.
User Awareness: Educating users about cybersecurity best practices, such as strong password management and recognizing phishing attempts, is essential for preventing cyber threats.
Incident Response: Rapid response and incident handling protocols are critical for minimizing the impact of cyberattacks and restoring normal operations.
Compliance and Regulations: Cybersecurity standards and regulations ensure organizations adhere to security guidelines and protect sensitive information.
Let's prioritize cybersecurity awareness and resilience in our digital lives! Are you interested in learning more about cybersecurity or have tips to share for staying safe online? Join the conversation below! 🛡️💬
Using hashtags to connect with cybersecurity advocates: #Cybersecurity #InfoSec #DataProtection #Privacy #CyberAware #ITSecurity #OnlineSafety #CyberDefense #DigitalSecurity #StaySafeOnline 🔐
otiskeene · 1 month
HYAS Launches Free Intelligence Feed
HYAS Infosec recently introduced the HYAS Insight Intel Feed, a complimentary feature of their threat intelligence solution HYAS Insight. This resource equips organizations with valuable information to safeguard against cyber threats. By utilizing a variety of data sources, including exclusive, private, and commercial datasets, HYAS empowers security teams to detect, mitigate, and defend against cyber threats effectively.
The HYAS Insight Intel Feed focuses on providing concentrated intelligence on specific malware families and their associated infrastructure. This enables security teams to promptly identify and respond to threats. It offers valuable information on IP addresses, domains, and other infrastructure used by threat actors. By leveraging this information, organizations can enhance their security measures and minimize risks.
The feed caters to various use cases, such as enriching intelligence for programs like SOAR, TIP, and threat intel management. It also provides real-time IOC/observables for detection and blocklisting, aids in SIEM event correlation and analysis, and improves SOC teams' triage process, incident response, and threat hunting.
HYAS is committed to safeguarding organizations and addressing intelligence challenges by detecting adversary infrastructure and abnormal communication patterns. Their solutions transform metadata into actionable threat intelligence, granting organizations visibility into potential threats and protective DNS to neutralize malware.
Read More - https://www.techdogs.com/tech-news/business-wire/hyas-launches-free-intelligence-feed