mbuckbee

Web security pro (stopped attacks on 2500+ sites). I help devs sleep at night. Building wafris.org/go an open-source Web App Firewall for every framework

2023-12-05

@flavorjones Impressive! I just paste Japanese into ChatGPT and beg the machine gods for help.

2023-11-21

@getajobmike Ugh, but I get it - there must be a bunch of SEO jerks stuffing links into public wikis.

2023-11-17

We’re seeing a steady rise in bots hunting for exposed Docker configs. Take a few seconds and check if any build artifacts are exposed in your current deployment setup.

2023-11-14

Do you have thousands of friends worried about the security of your web app?

Of course you do; you just didn’t realize it because they go by the name of OWASP.

OWASP is the Open Web Application Security Project, and they annually publish a Top 10 list of real-world attacks against their member websites in the last year.

We’re taking a similar approach with Wafris, developing practical security tools at scale to help all sites coordinate their web app protection.

2023-11-13

We’ve found something weird in reviewing Wafris reports.

In most cases, the IP address making the most requests to a site isn’t a human or a client API but a bot.

Often, they’re just a nuisance that fills your logs with nonsense (SEO bots), but here it was a scraping attempt against the whole site.

2023-11-12

I've been doing too much travel to also squeeze in RubyConf this year, but even so I'm still really happy to see so many people excited about the language's possibilities and who love using it to build new things.

2023-10-31

What’s even more suspicious than detecting a bot user agent? No user agent.

Vulnerability-scanning scripts will suppress passing the user agent to sneak past filters. Requiring a UA is an easy way to keep some malicious bots out of your system.
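As an added example (not Wafris code, and not from the original post), here is a minimal Rack middleware that enforces the "require a User-Agent" rule described above. Rack exposes request headers on the env hash as `HTTP_*` keys, so a request sent without the header simply has no `HTTP_USER_AGENT` key. The exempt path list, the logger, and the demo app are assumptions chosen for illustration.

```ruby
# Added example, not code from Wafris or the original post: a small Rack
# middleware that refuses requests carrying no User-Agent header.
# The exempt-path default, logger and demo app below are hypothetical.
class RequireUserAgent
  # Paths that should keep working for header-less clients, e.g. a load
  # balancer health check (constructed default).
  DEFAULT_EXEMPT = ['/healthz'].freeze

  def initialize(app, exempt_paths: DEFAULT_EXEMPT, logger: nil)
    @app = app
    @exempt = exempt_paths
    @logger = logger
  end

  # True when the header is absent or contains only whitespace; an empty
  # "User-Agent:" line is treated the same as a missing one.
  def self.missing_user_agent?(env)
    ua = env['HTTP_USER_AGENT']
    ua.nil? || ua.strip.empty?
  end

  def call(env)
    return @app.call(env) if @exempt.include?(env['PATH_INFO'])

    if self.class.missing_user_agent?(env)
      @logger&.info("blocked request without User-Agent from #{env['REMOTE_ADDR']} to #{env['PATH_INFO']}")
      return [403, { 'content-type' => 'text/plain' }, ["Forbidden\n"]]
    end

    @app.call(env)
  end
end

# Constructed demo: a trivial app wrapped by the middleware.
HELLO_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ["hello\n"]] }
PROTECTED_APP = RequireUserAgent.new(HELLO_APP)

# Builds a minimal Rack env for the demo (constructed, not a captured request).
# The IP is from the documentation range reserved for examples.
def demo_env(path:, user_agent: nil, ip: '203.0.113.10')
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => path, 'REMOTE_ADDR' => ip }
  env['HTTP_USER_AGENT'] = user_agent unless user_agent.nil?
  env
end

if __FILE__ == $PROGRAM_NAME
  status, = PROTECTED_APP.call(demo_env(path: '/'))
  puts "no User-Agent      -> #{status}"
  status, = PROTECTED_APP.call(demo_env(path: '/', user_agent: 'Mozilla/5.0'))
  puts "with User-Agent    -> #{status}"
  status, = PROTECTED_APP.call(demo_env(path: '/healthz'))
  puts "health check, no UA -> #{status}"
end
```

In a Rack app you would enable it with `use RequireUserAgent` in `config.ru` (or `config.middleware.use RequireUserAgent` in Rails). Keep an exempt list for internal probes that legitimately send no header, and log rejections so you can see what the rule is actually catching before you tighten it further.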

2023-10-31

@thomasfuchs I always thought the eraser mouse point was underrated - so conveniently positioned.

2023-10-28

Terrifying new phishing tactic:

1. Send the message disguised as HR docs

2. Ask the recipient to scan included QR Code

This bypasses many built-in protections and habits folks have for evaluating phishing messages, as server-based link scanners won't pick anything up (and without links, the email is much more likely not to be identified as spam).

I've included a screenshot and blurred the QR code until it doesn't work, but be safe out there.

2023-10-23

It’s an easy mistake to dismiss bots as “dumb” because they’re probing for some technology you don’t use and would never be on your site.

But they’re equal-opportunity attackers; here’s a bot we identified with Wafris that was probing for:

- Yii PHP Web Framework admin
- VS Code FTP Credentials
- Microsoft Exchange Backups
- Git Credentials
- Python Drupal Configs
- Mac .DS_Store files
- Laravel Telescope requests viewer

Blocking their IPs or networks is a way to cut them off at the knees.
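As an added example (not Wafris code, and not from the original posts), here is a small shell function that covers both the 2023-11-17 post about exposed Docker configs and the list above: it walks a served directory and reports files of the kinds those bots probe for. The file-name patterns are assumptions based on the categories listed, not a list from the page.

```sh
#!/bin/sh
# Added example, not Wafris code: list files under a web root that match the
# kinds of build artifacts and credential files the bots above probe for.
# The patterns are assumptions; extend them for your own stack.
find_exposed_artifacts() {
  root="$1"
  if [ ! -d "$root" ]; then
    echo "not a directory: $root" >&2
    return 2
  fi
  # -name matches both files and directories, so a checked-in .git tree is
  # reported as a single hit.
  find "$root" \( \
      -name '.env' -o -name '.env.*' \
      -o -name 'Dockerfile' -o -name 'docker-compose.yml' -o -name 'docker-compose.yaml' \
      -o -name '.git' -o -name '.git-credentials' \
      -o -path '*/.vscode/sftp.json' \
      -o -name '.DS_Store' \
    \) -print 2>/dev/null | sort
}

# Usage: find_exposed_artifacts /var/www/myapp/public
# An empty result means nothing matched; any line printed is a path that a
# crawler could fetch directly if that directory is served as-is.
```

Run it against the directory your web server actually serves (for a Rails app that is `public/`), not the repository root, since the question is what is reachable over HTTP. Anything it prints should either be moved out of the served tree or blocked at the server.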

2023-10-23

@kellogh I've had some good successes with ChatGPT just asking it to list out all the different potential approaches to a problem (dev and otherwise). It sometimes surprises me with something I hadn't considered.

2023-10-23

@kellogh Maybe we should call these "Manifestations" instead of "Hallucinations"?

2023-05-25

@garrettdimon very cool. Will have to check it out.

I haven't really updated my LinkedIn for a decade or so, so this may be interesting.

2023-05-24

Making progress on the Wafris management screens.

2023-05-24

@garrettdimon Is everyone looking for jobs?

2023-05-24

@u0421793 @Matthewcford - have you read Neal Stephenson's "The Diamond Age" - it prominently has an AI book/media object that functions much like that. You might like it.

2023-05-24

@Matthewcford I keep trying to envision what the future is and is it having lots of little AI trained models around to filter out and interact with the world?

2023-05-24

Hey Bradley - sincere thanks - this is exactly the type of recommendation that I was hoping to get. I'd tried to dig through some folks' followers lists and it was a bit discouraging, as it seemed like a lot of people were inactive or had never posted. I understand quite a few people use social media as a read-only activity, but still.

2023-05-23

@garrettdimon is the interest from developers or recruiters?

2023-05-23

@benoit I'll try it - just trying to get a sense of pace of conversation and how to find new people who are active.
