In case you missed it, #BSidesCharm 2026 tickets are now on sale!! Go to https://www.eventbrite.com/e/bsidescharm-2026-tickets-1982620739001
We've just launched a revised design for the map! This adds more consistent symbology, and a few new symbols (including power portals), and better rendering of substation detail. This work was done with the help of @Catalogtree.
This is the first phase of the redesign - we'll be doing some more work on the UI of the map which will hopefully be ready soon.
Any feedback is welcome!
One of the two amateur radios on the International Space Station is busted. No SSTV (Slow Scan Television) opportunities for us earth-bound geeks in the near future.
https://www.facebook.com/ARISSIntl
To save you a click-thru to FB:
"After 3 days of troubleshooting the ARISS ops team has determined SSTV Series 30 can not continue.
The ARISS radio in the Service Module used for SSTV is being taken out of service."
Do you (or your kid) like checking sports scores - but despise the garish, resource-hogging adverts, sensational headlines about everything besides the games themselves, talking heads, and not-very-subtle steering towards gambling, as present on mainstream sports websites?
https://plaintextsports.com/ is awesome. Thank you, so much, to its creator.
(click through on any game to see a detailed box score - all still in *plain text*)
“Will the future be more secure? It'll be just as insecure as it possibly can, while still continuing to function. Just like it is today.” -Marcus Ranum, 2007, as cited by TaoSecurity Blog, 2007, and repeated in The Best of TaoSecurity Blog Volume 3, 2020.
@todb - congrats! If you'd be content to bounce radio signals off the ionosphere for a while, and communicate with operators in places like Mongolia, Bangladesh, and Tuvalu... consider checking out FT8 and other "weak signal" modes. ~$65 worth of equipment can get you pretty far!
@todb - do it! Ham radio has been for me over the past couple of years what infosec started out as, in my earlier years... a super fun, geeky, knowledge-expanding hobby with a great community.
Another interesting vulnerability found in widespread (moving) infrastructure, using software-defined radio (this was originally identified 13 years ago!):
https://www.tomshardware.com/tech-industry/cyber-security/security-vulnerability-on-u-s-trains-that-let-anyone-activate-the-brakes-on-the-rear-car-was-known-for-13-years-operators-refused-to-fix-the-issue-until-now
"Back when it was first implemented in the late 1980s, it was illegal for anyone else to use the frequencies allocated for this system. So, the system only used the BCH checksum for packet creation. Unfortunately, anyone with an SDR could mimic these packets, allowing them to send false signals to the EoT (End-of-Train) module and its corresponding Head-of-Train (HoT) partner. This would not have been an urgent issue if the EoT had only sent telemetry data. However, the HoT can also issue a brake command to the EoT through this system. Thus, anyone with the hardware (available for less than $500) and know-how can easily issue a brake command without the train driver’s knowledge, potentially compromising the safety of the transport operation."
We're living in the future! (almost...)
"Relativity Space as a means to support the development of data centers in space. Such data centers, ideally, would be powered by solar panels and be able to radiate heat into the vacuum of space."
We misunderstood the concept of afterlife. What the religious texts meant to say is that the essence of your online life will be preserved as the weights of an LLM that handles airline customer support and prescribes Viagra in a telehealth app.
This is going to be *interesting*... The EU will make vendors liable for bugs:
https://news.risky.biz/risky-biz-news-the-eu-will-make-vendors-liable-for-bugs/
"The new directive extends liability to vendors for software that contains security flaws... includes both physical damage caused by defective or insecure software but also material damage, such as loss of functionality and features, loss of financial assets, and others."
A few more updates added recently: water and sewage treatment plants and reservoirs are now visible on the water layer.
Most of life's wisdom can be found in chainsaw manuals
Happy to share that I completed my 10th SANS / GIAC certification today - this one for Industrial Control Systems security. I enjoyed the learning experience, as always.
https://www.giac.org/certifications/global-industrial-cyber-security-professional-gicsp/
Lots of good ICS security resources freely available from the SANS Institute here: https://www.sans.org/industrial-control-systems-security/
Many infosec folks have been clamoring for this for a long time: vulnerability reporting from AWS!
https://aws.amazon.com/security/vulnerability-reporting/
"The Amazon CNA will issue CVEs that support customers in addressing valid security vulnerabilities"
"Remediation... requires customer action, including making a risk-based decision on handling the remediation (OR customers need to assess possible impact) OR when a valid security vulnerability will become public"
Devil is in the details... but this seems helpful.
Great illustration of how complex and impactful (and therefore contentious) cybersecurity decisions often are in the modern world: https://news.risky.biz/risky-biz-news-sparks-fly-when-lawyers-meet-a-certificate-revocation
"An emergency certificate revocation initiated by DigiCert earlier this week has met a brick wall after the company got sued by one of its customers and several critical infrastructure operators raised safety concerns."
This seems like solid innovation by MS, and a potential win for (MS-based) enterprise security:
"ZTDNS (zero trust DNS)":
- encrypted and cryptographically authenticated connections between end-user clients and DNS servers
- ability for administrators to tightly restrict the domains these servers will resolve
Also, "ZTDNS does not introduce any novel network protocols"
Granted, it's only now entering "private preview"... but am I being too sanguine about this?
Great conversation in the "special edition" @riskybusiness podcast last month on supply chain sovereignty & security; government visibility, control & freedom; communism vs capitalism (lol); potential for catastrophic cloud service outages; military doctrines on causing such; etc.
https://risky.biz/S1KSGSPECIAL01/
Fascinating insights from https://cybervillains.com/@alex and https://twitter.com/C_C_Krebs
Looking forward to the next Gray-Stamos-Krebs discussion (which, yes - I know - is already a week old. I'm slow.)