dercraig

Keyboard-Cowboy & Samurai. Vice President. c3noc. Interested in DDoS & Security.

I published a #book on DDoS attacks and defense: ddos-book.com

dercraig boosted:
2025-07-02

HTTP/1 Must Die: The Desync Endgame will mark a personal milestone - my tenth presentation at Black Hat USA! Feels like yesterday I stepped on stage to present Server-Side Template Injection and introduced {{7*7}}. Never thought I'd make it this far, let's see what the next ten years hold!

dercraig boosted:
2025-06-27

So the UK Met Office is inviting people to suggest up to 5 names for storms. And apparently lots of people have been suggesting "Storm Bigoil", along with BP, Equinor, Exxon & Shell... This is obviously appalling & definitely not to be emulated via this link:

metoffice.gov.uk/forms/name-ou

Screenshot of the storm-naming form on the UK Met Office website. Text reads: "You can provide up to 5 storm names in the boxes below." The "Storm Name" box is filled in with "BigOil"; the four "Storm Name (optional)" boxes are filled in with BP, Equinor, Exxon and Shell.

dercraig boosted:
2025-06-24

My friend and colleague Fefe sends greetings from the hospital, where he is on the road to recovery after a stroke.

#fefe

dercraig boosted:
2025-06-21

github.com/thilokru/PixelFlutF At #gpn23 we have successfully sent files over #pixelflut. It is very slow.

dercraig boosted:
George Takei :verified: 🏳️‍🌈🖖🏽 georgetakei@universeodon.com
2025-06-20

If you think it can’t happen here, remember that it already did. In 1942 soldiers came with rifles to our home and ordered us out. They put us in internment camps. Most of us were citizens.

dercraig boosted:
2025-06-18

It is 2000. I'm 18 years old. They say my job won't survive quantum computing (IBM is really close).

It is 2005. I'm 23 years old. They say my job won't survive visual IDEs.

It is 2010. I'm 28 years old. They say my job won't survive smartphones.

It is 2015. I'm 33 years old. They say my job won't survive web3.

It is 2020. I'm 38 years old. They say my job won't survive AI.

It is 2025. I'm 43 years old. They say my job won't survive quantum computing.

dercraig boosted:
2025-06-17

Inspired by Google's move to remove @organicmaps from the Playstore without warning, I finally decided to move my > 3,000 Google Maps saved places to Organic Maps. To facilitate doing this for others' benefit, I made a quick webpage to convert your Google Maps GeoJSON data to GPX and KMZ files that render well in Organic Maps.

rudokemper.github.io/google-ma

A screenshot of the "Convert Google Maps saved places to Organic Maps" tool.

2025-06-16

@tbaldauf What a letdown!

dercraig boosted:
2025-06-14

Generative AI is ruining the @ct_Magazin for me

For some time now, c't has carried fewer nerd illustrations and also fewer of the traditionally silly staged lead photos featuring editors instead of models.

Instead it now says "Image: AI, collage c't". The AI images are... okay. Tolerable. Good enough. Meh. But nothing more.

You subscribe to a magazine for decades because it puts content and attitude above mere filler and is known to treat its authors decently. And now the publisher signals to the reader that utility illustration and photography are no longer worth any money to the editorial team, because generative AI does it more cheaply. So now I know: for the editors, lead images are just filler, not worth commissioning someone for their (photo)graphic craft.

If content is just filler, then in the long run I have to expect the same for the texts in c't. Because in parallel they are already "experimenting" with AI-generated texts in the "Techstage" section, sorry, "best-of lists" in the Heise newsticker.

Caption of an article lead image from c't: "Image: AI, collage c't"

dercraig boosted:
Lesley Carhart :unverified: hacks4pancakes@infosec.exchange
2025-06-12

Screenshot of a post by Qasim Rashid, Esq. (@QasimRashid), "How it started / How it's going", contrasting two headlines: an opinion piece by Derek Hunter dated Wed, October 16, 2024, titled "Kamala's newest lie: Trump will send the army after you", and a later article headlined "Trump's troop deployment is a warning sign for what comes next, legal scholars fear" (subhead: Trump has cited a provision of U.S. law that allows the president to use the National Guard to suppress the "danger of a rebellion"), above a photo captioned "Protesters confront a line of National Guard members in...". Posted 5:37 PM, 6/9/25, 66K views.

dercraig boosted:
2025-06-12

Labour Minister Bas wants to smash "mafia-like structures in the Bürgergeld". But this isn't about justice. It's about cementing an image:
Those who have little cheat. Those who have a lot earn. "Abuse of Bürgergeld"? According to the Federal Employment Agency it affects under 3% of cases. And even there it's mostly trivial matters: incorrect information about housemates, forgotten mini-jobs, late notifications. And at the top?
Tax evasion costs the state at least 100 billion euros a year! But no general debate about the structural criminality of the upper class. No sanctions. No re-education campaign.

You can find the full interview here:
youtu.be/eabGvGXervk?si=-bUIrt
Thanks @jacobinmag_de and @matthiasubl

dercraig boosted:
VissViss
2025-06-11
dercraig boosted:
2025-06-10

I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame" is coming to #DEFCON33! This talk will feature multiple new classes of desync attack, mass exploitation spanning multiple CDNs, and over $200k in bug bounties. See you there!

2025-06-10

🚀 My new #DDoS book "DDoS: Understanding Real-Life Attacks and Mitigation Strategies" is now also available as an eBook! 🎉

Check it out here: ddos-book.com/

I’ve packed in everything I’ve learned from defending major German government sites against groups like Anonymous, Killnet, and NoName057(16).

It covers mitigations against #AI #crawlers and many other defenses for all network layers.

If you find it useful, I’d love it if you could boost and share to help more people defend themselves. ❤️

Thank you! 🙏

#DDoSProtection #NetworkSecurity #DDoS #RealWorldDefense #InfoSec #CyberSecurity #eBook #book

2025-06-10

@pinkflawd is that ptrace injection? I am not sure, but maybe this helps? packetstorm.news/files/id/3063

2025-06-08

@rami Ticketing is especially hard, but I agree. Solutions like Berghain or Anubis are the way to go!

dercraig boosted:
2025-06-05

Twitter's new encrypted DM system stores your private key material on Twitter-owned services, protected with nothing more than a 4-digit PIN. If hostile, or if legally compelled to, Twitter could easily decrypt all your messages. It's also MITMable and doesn't secure metadata. Use Signal.

mjg59.dreamwidth.org/71646.htm

dercraig boosted:
Latte macchiato :blobcoffee: :ablobcat_longlong: privateger@plasmatrap.com
2025-05-29

Apparently the STUN server coturn is currently being used in a reflection attack to DDoS some OVH servers. Check your config if you use it, Hetzner has apparently disabled hundreds of servers running it already.

Probably best to turn it off until the reason/problem is found; the reflection attack seems to be happening even with configured secrets.

Here's some people who ran into the issue:
https://github.com/coturn/coturn/issues/1687

2025-05-29

@osm_tech Do you guys want a free copy of my book on DDoS attacks and mitigation? buchshop.bod.de/ddos-understan For now just print, but eBook will be available in 1-2 weeks according to my publisher. 😊 #ddos #ddosattack

dercraig boosted:
2025-05-27

BGP handling bug causes widespread internet routing instability

On May 20th 2025 a BGP message was propagated that triggered some surprising (to many) behaviors with two major BGP implementations that are often used for carrying internet traffic.

In a new blog post, I will dissect what that message was, and my thoughts on how it happened:

https://blog.benjojo.co.uk/post/bgp-attr-40-junos-arista-session-reset-incident

A man holding up above his head (as if he is hyped) what appears to be a bomb in a club setting with green lighting in the background, the text says on the image "BGP SID on the gobal BGP table" and many 100% emojis under it
