I've also written a script to just revoke SolarWinds' compromised certificate github.com/technion/RevokeSola

This SUNBURST situation really blew up. I've written a simulator/demonstration for the evasion workflow. github.com/technion/SUNBURSTsi

lolware.net/2020/09/02/autodis Dumping corporate credentials by compromising an unrelated marketing website.

If you're having a bad day, imagine being the person at Microsoft who can't spell "Hybrid"

Let's not forget telling developers that the "debug a process" privilege is just something they'll never have again. Again, consider doing work on personal, unsecured and unmanaged computers.

There's a setting regarding outbound RPC connections. The "secure" sounding option prevents Connect-MSOLService from ever authenticating. Solution of course, from now on people will use personal desktops to log on to Azure as an administrator.

There's a SwiftOnSecurity thread about messing with security settings doing more harm than good. I have many examples of this. 1) After being forced to implement the CIS benchmarks *exactly*, it was noted that the "Backup files and directories" was now restricted to "Domain Admins" because adding someone was bad. Suddenly a whole backup team were made domain admins in order to do their job.

The whole "some SEO people are legitimate" argument is so similar to the "what if this email really did come from the prince of Nigeria" argument I've actually had with people.

The greatest trick the hacker ever pulled was convincing the victim to disable Windows Defender. By telling them they need to spend on an "upgrade" to a product that disables it.

Building a web scraper is a terrible experience for someone driven on correctness. You can implement a common algorithm and you can spend a lot of time working to get it 100% accurate. Or you can implement a scraper and know fully that it'll magically break next week when the site you scrape updates.

I get that maths has historically used non-Latin characters, but can we agree that at some point, using an English word wouldn't kill you?

Me at work: "That's more regex than I ever want to see again"
Me at home: Writes more regex

The original UK NCSC article had much better detail, but I really appreciate this sort of thing hitting mainstream news. It's good seeing stuff you've argued for years getting credibility. theguardian.com/technology/201
