Matt Mathur

cybersecurity researcher & bionicle enthusiast

I also like #baking, #cooking, #bionicles, #OSRS, #biking, and the #astros

Matt Mathur boosted:
2025-05-28

Ah, the classic millennial dilemma: Will I need these the second I dispose of them?

A tangled mess of black and white cables and chargers slung haphazardly over gray couch fabric
2024-06-13

@tinker looking forward to the follow up 🙌 I’ve been using long sleeve UPF shirts for a while in summer but still need the hat so a similar sweatshirt would be nice!

2024-06-12

@tinker have any links of ones you like? 🥹

Matt Mathur boosted:
Zack Whittaker @zackwhittaker
2024-04-30

To put this into context, one of the world's wealthiest companies storing some of America's most sensitive data was hacked with relative ease because the company couldn't be bothered to switch on a basic security feature for its employees' logging in.

techcrunch.com/2024/04/30/uhg-

Matt Mathur boosted:
2024-03-06

If you read between the lines on the JetBrains and Rapid7 story, you'll see that JetBrains decided to cut Rapid7 out of the loop on Feb 23, but told Rapid7 that they're "still investigating" on Mar 1.

However you feel about PoCs, technical details, disclosure, etc., it's super inappropriate to lie to researchers who disclosed this to you responsibly about what your plans are.

Refs:

Matt Mathur boosted:
2024-02-16

someone sub-blogged infosec exchange so I’ll sub-post right back at them: no, I don’t come home from my job of auditing software 8 hours a day and then sit down and start auditing the software underlying every website I happen to personally use, I write novels, draw art and compose music

I’m happy someone DID audit it and DID find a bug to fix!, I think their technical work on this is good!, but I wouldn’t want to have to work with someone who feels I’m personally responsible for there being a bug in a website I’m an end user on just because I’m a professional firmware security reviewer

Matt Mathur boosted:
2024-01-26

I was being facetious with this image, but also making a point - I've seen lots of angles to ransomware, from tracking groups to being a victim to working with victims and everything in between.

Almost all of the ransomware operators are just doing the same things, with the same tools, usually copy and pasted.

AI isn't the problem.

Civil society is suffering, in part due to Western governments' refusal to take meaningful action on ransomware. It needs a serious response.

2023-08-10

Happy #810NICLEDay to all those who celebrate🫡

2023-07-26

@haubles @renchap @Mastodon @devs And drink water y’all it’s hot out there 🧊

Matt Mathur boosted:
Very Hairy Jerry @jerry@infosec.exchange
2023-07-05

It's probably obvious to most of you, but a big difference between the commercial social media platforms and the fediverse is that as those commercial platforms grow, they get additional revenue from ads, from selling personal information, and otherwise monetizing their users. While that is turning out to not actually pay the bills for them, in the fediverse, just about every instance is run by volunteers and funded by donations or out of the volunteers' pockets. It's a labor of love and a hope for a better future. When traffic grows, we need to expand our capacity.

That is why I am asking, if you are able, please consider donating to the instance you are on to help keep the fediverse ecosystem going. Typically the /about web page will have details on how to donate.

Note: I am well aware that many of you are not in a financial position to donate - and that is OK. We are here to serve you as well. Donations are completely optional.

Matt Mathur boosted:
Lesley Carhart :unverified: @hacks4pancakes@infosec.exchange
2023-06-29

Ad blockers are also cybersecurity. Say it with me.

They reduce malvertising, watering hole attacks, and general malicious script execution. It’s not all about you, ad firms.

Matt Mathur boosted:
Jeremi M Gosney :verified: @epixoip@infosec.exchange
2023-06-15

.@blacktraffic Great question!

Here are some reasons why #RainbowTables are obsolete for #password #cracking:

In any given password database, 92-98% of the passwords are going to be created by highly predictable humans (as opposed to being randomly generated.) Because of this, modern password cracking is heavily optimized for exploiting the human element of password creation, concentrating on probabilistic methods that achieve the largest plaintext yield in the least amount of time. As such, modern password cracking tools and techniques have evolved to become highly dynamic, requiring agility, flexibility, and scalability.

This is evident when looking at how #Hashcat has evolved over the last decade. Hashcat used to be heavily optimized for raw speed, but today it is optimized for maximum flexibility (plus, lite, and cpu merged into a single code base, dropped the 15-character limit, introduced pure kernels, brain, and slow candidate mode, etc.) This need for dynamicity is also why we largely still use GPUs today, rather than having moved on to devices with potentially higher throughput, such as FPGAs or even ASICs.

With this in mind, it's rather easy to see that rainbow tables are the antithesis of modern password cracking. Rainbow tables are static, rigid, and not at all scalable. They directly compete with unordered incremental brute force, which in the context of modern password cracking, is largely viewed as a last resort and generally only useful for finding randomly-generated passwords (although, can also be useful in identifying new patterns that rules and hybrid attacks failed to crack.) They also do not scale. If you have a handful of hashes, rainbow tables will likely be faster than brute forcing on GPU. But if you are working with even a modestly large hash set, rainbow tables will be slower than just performing brute force on GPU, even if you are using GPU rainbow tables.

Overall, rainbow tables are an optimization for an edge case: cracking a small number of hashes of an algorithm for which we have tables, within the length and character sets for which we have tables, that fall within that 2-8% of hashes that we cannot crack with probabilistic methods. And even then, most people who are #security conscious enough to use random passwords aren't going to make them only 8 or 9 characters long, so the percentage of those passwords that will actually be found in your tables will be much lower.

The questions you have to ask yourself: is that worth the disk space and the bandwidth to download and store rainbow tables, and do you really care about that 2-8%, keeping in mind that only a small percentage of that is going to fall within the tables you have? If the answer is "yes", then continue to use rainbow tables. However, for the vast majority of us, the answer for the past 11 years has been a resounding "no." And that's why rainbow tables are, by and large, a relic of a bygone era.

With that said, rainbow tables do still have some utility outside of #passwords. For instance, cracking DES or A5/1 #encryption. There's also the cousin of rainbow tables, lossy hash tables (LHTs), which have some utility as well for things like old Microsoft Office and Adobe Acrobat encryption keys.

#infosec #hacking
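The scaling argument in the post above (a table walk is repeated per hash, while brute force hashes each candidate once and tests it against every target at the same time), as an added illustration that is not code from the post and not Hashcat's code. It is a toy time-memory trade-off: the 3-character lower-case key space, the truncated-MD5 toy hash, the reduction function, and the chain count and length are all assumptions chosen to keep a run short, and the only thing measured is the number of hash evaluations each method needs.

```python
"""Toy time-memory trade-off showing why rainbow-table cost grows with
the number of target hashes while brute-force cost is capped by the key
space.  Constructed illustration; parameters below are assumptions."""
import hashlib
import itertools
import random
import string

ALPHABET = string.ascii_lowercase
LENGTH = 3                      # assumed toy key space: 26^3 = 17576 candidates
SPACE = ["".join(c) for c in itertools.product(ALPHABET, repeat=LENGTH)]
SPACE_SIZE = len(SPACE)
CHAIN_LEN = 100                 # t: reductions per chain (assumed)
NUM_CHAINS = 400                # m: chains kept in the table (assumed)
DIGEST_BYTES = 8                # truncated digest keeps the toy small


class HashCounter:
    """Wraps the toy hash so each method's hash evaluations can be counted."""
    def __init__(self):
        self.calls = 0

    def hash(self, pw):
        self.calls += 1
        return hashlib.md5(pw.encode()).digest()[:DIGEST_BYTES]


def reduce_to_candidate(digest, position):
    """Position-dependent reduction R_i: maps a digest back into the key space."""
    idx = (int.from_bytes(digest, "big") + position) % SPACE_SIZE
    return SPACE[idx]


def build_table(counter, seed=0):
    """Precompute m chains of length t and store only (endpoint -> start)."""
    rng = random.Random(seed)
    table = {}
    for start in rng.sample(SPACE, NUM_CHAINS):
        pw = start
        for pos in range(CHAIN_LEN):
            pw = reduce_to_candidate(counter.hash(pw), pos)
        table.setdefault(pw, start)   # endpoint collisions keep the first chain
    return table


def rainbow_lookup(table, counter, target):
    """Look up ONE hash: up to t partial chain walks, then a chain rebuild."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        cand = reduce_to_candidate(target, i)
        for pos in range(i + 1, CHAIN_LEN):
            cand = reduce_to_candidate(counter.hash(cand), pos)
        start = table.get(cand)
        if start is None:
            continue
        pw = start                    # endpoint matched: walk the chain to confirm
        for pos in range(CHAIN_LEN):
            h = counter.hash(pw)
            if h == target:
                return pw
            pw = reduce_to_candidate(h, pos)
    return None                       # false alarm, or password not covered by the table


def crack_with_rainbow(table, targets):
    """Every target needs its own lookup, so cost grows with len(targets)."""
    counter = HashCounter()
    found = {t: rainbow_lookup(table, counter, t) for t in targets}
    return {t: p for t, p in found.items() if p is not None}, counter.calls


def crack_with_brute_force(targets):
    """Hash each candidate once and test it against ALL targets via one set lookup."""
    counter = HashCounter()
    remaining = set(targets)
    found = {}
    for pw in SPACE:
        if not remaining:
            break
        h = counter.hash(pw)
        if h in remaining:
            found[h] = pw
            remaining.discard(h)
    return found, counter.calls       # calls never exceeds SPACE_SIZE


def compare(num_targets, seed=1):
    """Hash-evaluation cost of both methods for num_targets constructed targets."""
    rng = random.Random(seed)
    plain = rng.sample(SPACE, num_targets)
    targets = [HashCounter().hash(p) for p in plain]
    table = build_table(HashCounter())  # precomputation cost is not charged to lookup
    rb_found, rb_cost = crack_with_rainbow(table, targets)
    bf_found, bf_cost = crack_with_brute_force(targets)
    return {"targets": num_targets,
            "rainbow_cost": rb_cost, "rainbow_found": len(rb_found),
            "brute_cost": bf_cost, "brute_found": len(bf_found)}


if __name__ == "__main__":
    for n in (1, 10, 200):
        print(compare(n))
```

Running it prints the hash-evaluation counts for 1, 10 and 200 targets: brute_cost never exceeds the 17576-candidate key space no matter how many hashes are in the set, while rainbow_cost grows roughly in proportion to the number of targets, and rainbow_found stays below the target count because a table of this size only covers part of the key space.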

Matt Mathur boosted:
Lesley Carhart :unverified: @hacks4pancakes@infosec.exchange
2023-06-14

I’ve said it before, but I need to say again that I take it personally when community conferences choose a fun or familiar location over one that is safe for their LGBTQIA+ and even women attendees at a time of historic, concerted legislative and criminal attacks against us. It tells me absolutely all I need to know about your leadership and care for the diverse cybersecurity community. There are plenty of affordable venues in places that aren’t banning emergency healthcare and harassing people for using the bathroom.

Matt Mathur boosted:
Davey :sugar_approved: @sugar@goblin.camp
2023-04-29

i hope one day computers can feel pain, because they deserve it

2023-04-05

@tychotithonus medical records software and all the associated issues is such an underrated pain point for patients

Matt Mathur boosted:
2023-03-29

I'm #hiring a #vulnerability #research leader who's able to work U.S. ET time zones. Zero-day research, n-day analysis, exploit dev, plus media and internal leadership. You get to work with @iagox86 and @stephenfewer, and you'll collaborate with folks like @zeroSteiner and @ChristiaanB careers.rapid7.com/jobs/princi

Matt Mathur boosted:
2023-03-29

Just published a big pile of #research I did this past winter! Protocol #reverseengineering, #heapoverflow, #stackoverflow, #authbypass - lots of cool stuff. If you think this sounds cool, be sure to check out my #NorthSec talk in May :)

Here are some links:

If you're running #RocketSoftware's UniData or UniVerse suites, which are usually a back-end thing, you need to patch ASAP!

Matt Mathur boosted:
Gwen Snyder is uncivil @gwensnyder@mstdn.party
2023-03-22

We won.

It's the biggest settlement of its kind in the history of Philadelphia, and we made them give back their military equipment to the feds.

But, it's not enough.

Time to organize and ban the use of these weapons against civilians, permanently.

inquirer.com/news/philadelphia

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst