Probably the last CVE indexed before it goes dark should be CVE-2025-DOGE (critical, local privilege escalation vulnerability that leads to malicious code execution and data exfiltration).
GitHub prod/appsec. Would rather be #bikepacking or generally #cycling (gravel/MTB/road) these days most of the time. Until I can that, Infosec (product security) pays the bills.
> TikTok would not further my plans of being a US oligarch, I've largely gotten what I want there
~ Elon probably
@briankrebs thank you for your service :blobsalute:
Drop what you are doing and read this incredible story from Wired, if you can. After that, come back here.
https://www.wired.com/story/edward-coristine-tesla-sexy-path-networks-doge/
It mentions that a 19 y/o man who's assisting Musk's team and who has access to sensitive government systems is Edward Coristine. Wired said Coristine, who apparently goes by the nickname "Big Balls," runs a number of companies, including one called Tesla.Sexy LLC
"Tesla.Sexy controls dozens of web domains, including at least two Russian-registered domains. One of those domains, which is still active, offers a service called Helfie, which is an AI bot for Discord servers targeting the Russian market. While the operation of a Russian website would not violate US sanctions preventing Americans doing business with Russian companies, it could potentially be a factor in a security clearance review."
The really interesting part for me is Coristine's work history at a company called Path Networks, which Wired describes generously as a company "known for hiring reformed black-hat hackers."
"At Path Network, Coristine worked as a systems engineer from April to June of 2022, according to his now-deleted LinkedIn resume. Path has at times listed as employees Eric Taylor, also known as Cosmo the God, a well-known former cybercriminal and member of the hacker group UGNazis, as well as Matthew Flannery, an Australian convicted hacker whom police allege was a member of the hacker group LulzSec. It’s unclear whether Coristine worked at Path concurrently with those hackers, and WIRED found no evidence that either Coristine or other Path employees engaged in illegal activity while at the company."
The founder of Path is a young man named Marshal Webb. I wrote about Webb back in 2016, in a story about a DDoS defense company he co-founded called BackConnect LLC. Working with Doug Madory, we determined that BackConnect had a long history of hijacking Internet address space that it didn't own.
https://krebsonsecurity.com/2016/09/ddos-mitigation-firm-has-history-of-hijacks/
Incidentally, less than 24 hours after that story ran, my site KrebsOnSecurity.com was hit with the biggest DDoS attack the Internet had ever seen at the time. That sustained attack kept my site offline for nearly 4 days.
https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
Here's the real story behind why Coristine only worked at Path for a few months. He was fired after Webb accused him of making it known that one of Path's employees was Curtis Gervais, a serial swatter from Canada who was convicted of perpetrating dozens of swattings and bomb threats -- including at least two attempts on our home in 2014. [BTW the aforementioned Eric Taylor was convicted of a separate (successful) swatting against our home in 2013.]
https://krebsonsecurity.com/2017/02/men-who-sent-swat-team-heroin-to-my-home-sentenced/
In the screenshot here, we can see Webb replying to a message from Gervais stating that "Edward has been terminated for leaking internal information to the competitors."
Wired cited experts saying it's unlikely Coristine could have passed a security clearance needed to view the sensitive government information he now has access to.
Want to learn more about Path? Check out the website https://pathtruths.com/
@accidentalciso Right? How to get out is the real question.
@evacide Richest man in world seeks free labor
I'm sorry, kiss my what?
Anyone who takes that job by virtue of taking the job is not so bright ... unless they are taking it under your suggestion here, which I fully endorse.
This should be the last Election Day that isn’t a national holiday.
HOW IS THIS NOT ELECTION INTERFERENCE!?
Over the weekend X / Twitter took the @america handle from the original user who registered it
the handle now belongs to Elon Musk and his Super PAC set up to support Donald Trump
https://www.disruptionist.com/p/elon-musk-takes-america-x-handle
Well fuck this. The US does not have "health care", we have insurance care. If we happen to get health benefits, it is only as a byproduct of the insurance care system.
Doing some internal testing against resiliency approaches and I have to say ... it's getting harder to purposely introduce vulns, and that's a good thing
how do i stop holodeck programs from warning me that they use cookies
When the company calls their home appliances "smart", what I hear is:
- they spent money on features I don't care about
- those features will be worse than standalone devices but will drive them out of market (looking at you TVs)
- the appliance is more likely to break
- my data is likely being sold to advertisers
- when the company loses interest in it and cuts support, I will need to buy a new device
So no, I don't want "smart" home appliances.
@jack_daniel feel this, the office part at least. And :Hugops: :blobcatheart: on the other part
Secrets management and hygiene (trust relationships and access control) are hard. That's it, that's the toot
@lapt0r right, thought about 'trending' as well in terms of maintainers (not that folks necessarily self-remove when inactive though _looks shamefully away thinking about involvement on WebGoat_)
Fair point on looking at alternatives. More dev friendly to say "here are some potential alternatives" rather than "maybe stop using this, good luck!"
Agree that repo activity is probably the best signal overall we have at the moment. Of course, that can also be gamed or just not be a great indicator in some cases.
Also thinking about how to make a meaningful signal out of it _at scale_ that gives engineers an indication if dependency X is something they should continue to use or start considering alternatives ... because dependency X poses some risk (availability or otherwise).
Aside from raw numbers of downloads, what do/would you look at in terms of downloads/usage?
Reading, thinking about supply chain security today.
On the topic of 'unmaintained dependencies' ... short of some direct comms or signal, how do you know an OSS project (dependency) is no longer maintained? What signals do you look for aside from maybe latest commit, activity level?
@NPR Oh, the schadenfreude