Me: Your website is broken, here's a screenshot of the inspector that shows the failing request.
Them: Turn off your local Docker service.
True story. 🤦
Husband | Father | Teacher
Theoretical Lexicographer
Top30 OpenSOC'21
Agorist
DFIR | GCIA | GCFA
Rom1:16
No King but Christ; No Country But His Kingdom
Toots are my own, and don't reflect the opinion of my Employer
Looking for a few people/instances missing from the migration:
Independent Australia
Dave Donovan
Michelle Pini
Mark David
Mark David cartoon under:
There's been a lot of discussion about a rule we recently instituted regarding security testing on the infosec.exchange instance. I understand the value of pen testing as much as or more than most people, and I'm fully cognizant that pen tests are happening all the time and I'm not getting the report. I get it. But there are now 28,000 people using this service to communicate. I know there are vulnerabilities waiting to be discovered. Finding blog post fodder by fuzzing instances that are already running hot due to explosive growth is not super helpful. But at the same time, I WANT that testing to happen.
As a result, I am going to set up two instances tomorrow that only federate with each other. This is where I'd prefer legitimate security testing be performed. I'll also be using it as the QA environment to test new updates and settings prior to deploying to the production instance. I'll moderate signups because I don't want it accidentally becoming fediverse 2.0 in the ongoing rush for the doors at twitter, but will accept anyone who wants to join, with clear indications that it's a sandbox and should not be considered safe.
Thanks for your patience as we continue to find our way.
Here's a mini "Blue Team Diaries" story: Asked by a vendor to stop sending excessive API requests their way, a dev team reached out to us when they couldn't see any evidence of said requests originating from our environment.
We told them to rotate the API creds. They did. The excessive requests continued. We asked the vendor for source IP addresses. They provided some - we didn't recognise them.
Further investigation revealed the source IP was actually the IP address of the vendor's branch office. The requests? They were coming from one of the vendor's own developers, who had accidentally left a test running. Evidently, they had a user impersonation feature they were using quite liberally to test in prod.
The vendor subsequently had regrets about raising the issue.
#infosec #dfir #blueteam
@mttaggart I used to think the same thing. Then I switched to a reMarkable and a Kindle and realized eInk is the future.
And then we started stuffing stuff on to SBCs like RPis,
And now we're back to the fediverse and open hardware is on the horizon, etc...
Hi tech lofi is on the horizon. It's the people's technology
I figure all my Twitter friends here would appreciate this cartoon by MacLeod. #TwitterRefugee
Udon Noodles with a bulgogi flavored sauce, sesame oil, and furikake
Good sweet flavor, dark soy undertones.
Udon had a little bit of a hard time rehydrating.
Probably won't buy again, but I wouldn't snub it if someone handed me a bowl.
A Russian 0day company increased their payout for Signal to triple the Zerodium rate. What does it mean? I read the 0day price list tea leaves and speculate…
One of the most interesting innovations that Twitter gave us which I don't think is appreciated enough is the ability to reference a human being by a single, globally unique identifier
Being able to say "I learned this from @..." or "This project by @... is really cool" is such a neat way to be able to interact with the world
It can be abused too, but I really loved that ability to reference other real humans
We get that on Mastodon too, but only for the people who've moved here so far!
I love all of you and I want nothing but the best for each of you, particularly those on infosec.exchange. I understand that Mastodon isn't Twitter, that DMs aren't end-to-end encrypted, that we are spread across different instances and it can be hard to find your friends, and that an instance can go away at any time, and that translating posts doesn't work correctly, and there is no native giphy support, and that some instances are overwhelmed and super slow, and that you don't think the federated model can scale to a billion users, or that it doesn't support full text search of every post and account, or that we can't comply with the GDPR, or that we don't support quote tweet style functionality, or that we shouldn't collect IP addresses, and many other things.
The fediverse is a work in progress. I've been here for going on 6 years. In that time, it's come a long, long way. That said, Mastodon is not going to appeal to everyone. The decisions I make are not going to appeal to everyone. No one is forcing you to be here. No one is forcing you to disclose your personal secrets into a network of federated servers run by volunteers and hobbyists. NB: this is not Twitter. It has some similar functionality, but it is not Twitter. Parts of it are better, IMO, and parts are not. The security community is generally among the most skilled and competent IT people the world has to offer. Mastodon is open source. Do you see where I'm going?
I set this instance up a long time ago for reasons I don't even remember. I have poured my soul into this thing because I believe in the importance of this community. I have effectively peaked in my career as a CISO and I and my family live well. I am not running this instance for fame, money, a better job, or anything other than wanting to foster a community of people that can learn from each other and make the world a better place. That's it.
As I've said in several recent interviews, I felt particularly obligated to ensure the security community had a good landing spot in the fediverse as everyone was running for the doors in Twitter. We've grown from 180 active users to about 30000 in the span of 3 weeks. I do not expect everyone to stay. Some will set up their own instances. Some will move to one of the other excellent security focused instances. Some will give up and move on to some other social media. And that is OK. While I am super excited to see the buzz here, I don't have subscriber targets, engagement targets, retention targets, or anything else. The only metric I hold myself to is whether I think this is serving a useful purpose to the community.
I appreciate all of you, regardless of where you land. Infosec.exchange has been here for a long time and will continue to be here for you.
You're not the product anymore. You're a community member in your host's ad-free server they pay for. There's no venture capitalist payday coming for them. Everything you do here costs your host a little bit of money. Find out how you can chip in.
"Our great democracies still tend to think that a stupid man is more likely to be honest than a clever man, and our politicians take advantage of this prejudice by pretending to be even more stupid than nature made them."
-Bertrand Russell
Introducing the first alpha release of Mastodon 3.11 for Workgroups!
Available for Windows 95 :BlobhajShock:
Happy to announce that Lost for Words, my wife Ami's new card game, is out now!
It's a game that lets you explore hard-to-translate feelings from around the world, with over 300 words from over 70 languages.
Like the rest of the Pink Tiger Games catalog, I made the website and helped with the visual design and editing. Check it out!
People do not scale.
Culture does not scale.
Relationships do not scale.
*Systems* scale.
You cannot engineer your way around humans, please stop trying
Many commentators are tweeting & tooting that we need to expand the SCOTUS. That is not the answer to everything. Unless you just want a larger Court, not bound by ethics rules, engaging in the kind of behavior described in the NYT piece. What we need are guardrails - an understanding that the Court sits w/i our democracy. Our job is to strengthen it by creating the processes that promote impartiality & insulation from lobbying, not crossing our fingers & hoping for the best.
Hi! I'm Tim Mak, an investigative correspondent for NPR.
Follow along if you're interested in reading more about holding public figures and organizations accountable!
I've spent much of the last year in Ukraine covering the war, and I'm the author of a book on the inner workings of the NRA titled "Misfire."
I'm also a surfer and former Army medic, so expect some posts on that too!
Exactly ten years ago today I wrote this blogpost, in which I advocated for making federated blogs:
https://rys.io/en/92.html
The only way to do that at the time was to use #Friendica or #Diaspora.
This was *before* the #Fediverse, *before* #Mastodon. Before ActivityPub.
Today, there are ActivityPub plugins for major CMSes; websites are starting to federate.
Both Diaspora and Friendica are still around; the latter is now part of the Fediverse, too.
Ideas behind fedi have been around for ages.