For those who mentor: how do you learn about someone’s understanding of power dynamics? And especially: are they likely to abuse power at the detriment of the less powerful? Have any good “interview questions” that help? Especially to identify problems early?

GIF

read image description

ALT

_MG_

@_MG_

Mar 28

Looking for reverse engineering or fuzzing talent? Both

@phLaul

@richinseattle

are now on the market! Crazy to see this kind of talent available.

Quote Tweet

Richard Johnson

@richinseattle

Mar 26

I wanted to give Philippe the spotlight first but I was also laid off two weeks ago. I’m available for fuzzing related contract work and private trainings. I’ll be posting some public online training events soon. I’m also researching AI model fine tuning for security applications twitter.com/richinseattle/…

Show this thread

_MG_

@_MG_

Mar 24

Obviously, a one time audit only goes so far. And it certainly doesn’t guarantee it’s even the same code that is running in production. But it’s a significant improvement towards transparency that nobody else is doing. Of course, China’s involvement increases the need for it.

You are probably seeing lots of cringe from the TikTok Congress hearing… because there’s so much. But check this out. This is some of the best I have seen not just from Congress, but anyone outside of infosec. If TikTok is willing to do these audits, why don’t other companies?

Quote Tweet

pookie

@0xpookie

Mar 24

It sounds like @JayObernolte has had a red team engagement before. youtu.be/uNjG7j6ukpQ?t=

Show this thread

_MG_

@_MG_

Mar 24

I want to see a public script that monitors for checkmark, renames to “no checkmark”, reverts it back (forcing reverify), waits till check is back, repeat. It takes ~1 week for a human to reverify & reapply the check. Mass use of a script would saturate until they change things

Been doing some testing of Twitter Blue this month. Anecdotal, but it feels clear that non-Blue accounts are heavily suppressed. With Blue, it feels a lot like pre-Musk twitter (way more visibility/engagement). The checkmark is super obnoxious, but interestingly it doesn’t… Show more

Good thread on some of the nuance around the TikTok ban topic. But I’m more interested in the post-ban effects. Most parents can’t even successfully ban their kids from using it. This will be fun. Time to prep some “tiktok unbanned” tools for kids to install. 😈

Quote Tweet

Emily Baker-White

@ebakerwhite

Dec 22, 2022

Hey all - here's a quick timeline about how this TikTok spying stuff all went down: In March, I broke the story that TikTok was working on Project Texas, a companywide effort to separate out US user data and limit China-based employees’ access to it. buzzfeednews.com/article/emilyb

Show this thread

_MG_

@_MG_

Mar 22

People have been asking me to sell this design for the last 6 years. There is a list of reasons I haven’t, and the above story is a big one. It’s not exactly hard to make, but I’d rather not help. 🧵7/n

Quote Tweet

_MG_

@_MG_

Oct 6, 2017

Mr Self Destruct v1

Show this thread

0:39

204.8K views

144

This made me laugh. I’m assuming USB A’s notorious 3-or-more-attempts-required saved a different target: “Milton Pérez at Teleamazonas' Quito offices might have set off the USB stick's explosives if he had plugged it into the computer properly,” 🧵6/n

GIF

read image description

ALT

Seems it was a 1cm capsule of RDX that only partially detonated. So that’s why there wasn’t as much damage. Could have been worse! (thanks

@ThomasClaburn

) RDX is one of the most energetic high explosives, so they wanted to do damage. 🧵5/n

GIF

read image description

ALT

Seems it was a 1cm capsule of RDX that only partially detonated. So that’s why there wasn’t as much damage. Could have been worse! (thanks

@ThomasClaburn

) RDX is one of the most energetic high explosives, so they wanted to do damage. 🧵5/n

This is the scene of the exploded drive. Laptop is still functional. No visible damage to anything. Very small field of debris. More firecracker than “military explosive” in terms of damage. 🧵3/n

Here is the guy who plugged it in, Lenin Artieda, getting his hand swabbed for explosives. No visible damage. Could it be worse? YES! If you have a press mail room, you should be scanning all inbound packages. 🧵4/n

So this looks to be one of the unexploded drives. Which indicates a modified brand name thumb drive. Note reads: THE INFORMATION IS GOING TO UNMASK THE CORREISMO. THINK IT'S USEFUL, WE CAN REACH AN AGREEMENT AND I'LL SEND YOU THE SECOND PART. 🧵2/n

I just did some digging into that “USB Bomb” story. So here is a quick thread on what it looked like, the damage it did, and the pretext. 🧵1/n

bbc.com

Journalist opens USB letter bomb in newsroom

Ecuador's government condemns the attack after journalists nationwide are targeted.

160

445

Windows appears to have this problem too!

Quote Tweet

David Buchanan

@David3141593

Mar 21

holy FUCK. Windows Snipping Tool is vulnerable to Acropalypse too. An entirely unrelated codebase. The same exploit script works with minor changes (the pixel format is RGBA not RGB) Tested myself on Windows 11 twitter.com/ProgramMax/sta…

Show this thread

Mr Self Destruct v1

909

1,819

I’m curious to see what this looks like. Guessing it was a larger external drive style.

Quote Tweet

Greg Linares (Mantis)

@Laughing_Mantis

Mar 21

Did you have USB Unabomber in your 2023 bingo? Don't forget to add this to your threat matrix bbc.com/news/world-lat

_MG_

@_MG_

Mar 21

Who’s not going to interact with a message about an appointment they just made? It becomes much easier to phish someone and/or get malware on their device once you can see a portion of their comms. Then you just piggyback an existing communication they are involved with.

Quote Tweet

John Scott-Railton

@jsrailton

Mar 20

2/ @ArtemisSeaford's #Predator spyware targeting was diabolical. She got an "appointment confirmation" text after making a COVID vaccine appointment. It contained her actual appointment details & appeared to come from the #Greek state vaccine agency. Most would have clicked.

Show this thread

In September 2021, Ms. Seaford booked an appointment for a booster shot of the Covid-19 vaccine through the official Greek government vaccination platform.

She got an automated SMS with her appointment details on Sept. 17, just after midnight. Five hours later, at 05:31 a.m., documents show, she received another SMS asking her to confirm the appointment by clicking on a link.

This was the infected link that put Predator in her phone. The details for the vaccination appointment in the infected text message were correct, indicating that someone had reviewed the authentic earlier confirmation and drafted the infected message accordingly.

The sender also appeared to be the state vaccine agency, while the infected URL mimicked that of the vaccination platform.

read image description

ALT

_MG_

@_MG_

Mar 19

Another USB C design failure from AliExpress. $200 worth of ATMega32u4 boards I bought this month. - Does not power up with a C to C cable (no matter rotation) - Powers up with a C to A cable Cause: failure to add any USB C signaling resistors. This will never stop happening…

I see confusion around how this bug works. Summary: after cropping the image, the file size is smaller. Google wrote the new file over the top of the old one without shrinking the file. So the larger original file was left at the end. Nobody noticed for 5+ years because… ???

Yep. Private channels, DMs, etc. Right-click, copy media link. That URL is something anyone can visit. And it keeps working even after you have “deleted” the file from discord. Here is a picture I DM’d to

@NotKorben

just now: cdn.discordapp.com/attachments/10

Quote Tweet

Huh, so every single image ever uploaded to Discord is a public image? I just tried this, and yes if you copy the link of an image sent in a Discord DM, you can open that link anywhere and it shows the image. Even in browsers that have no active Discord login. twitter.com/_MG_/status/16…

Show this thread

_MG_

@_MG_

Mar 18

At a minimum, anyone with a Google Pixel seems like years worth of shared pictures are now exposed to this. Big yikes. Luckily, a lot of services recompress the images.

This Google bug could seriously hurt a lot of people. The default editing tool had a bug that lets you unredact & uncrop all images. Discord is used in this example because they don’t compress images. A good time to remind you: ALL image attachments are public links. Even for… Show more

Quote Tweet

Simon Aarons

@ItsSimonTime

Mar 17

Introducing acropalypse: a serious privacy vulnerability in the Google Pixel's inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot. Huge thanks to @David3141593 for his help throughout!

Show this thread

157

583

While I’m guessing hospital wasn’t using the specific service that Sophos was recommending here, it’s still insane to do this. It’s not hard to check your customer list before posting. It’s also not hard to simply… not do opportunistic ambulance chasing to begin with. 🤦‍♂️

tried saying their product would have stopped this attack on a hospital. Then the hospital responded saying they were using Sophos. It not only didn’t save them, but got in the way. 😂😂😂 🤡 great ambulance chasing

@Sophos

Here is the translation to English:

Quote Tweet

Quentin Kaiser

@qkaiser

Mar 17

You can’t make this shit up. Sophos sales: if the ransomware’d hospital had use Sophos it wouldn’t have happened. Hospital CIO: well we *do* use Sophos.

394

Reliable feeding! Toy motors are still hanging on for now… Now to figure out label application mechanism. I had planned on handling timing & sequencing 100% with cam rings, but this has taken way longer than expected. So I’ll use an arduino for now. Probably shorter legs too.

They need to teach how to do crime in school Step 1: realize how easy it is to do once you know enough Step 2: know how much it costs to not go to prison #2 is much bigger than everyone assumes. Usually much higher than the crime itself pays, even if 95% opsec (most are worse)

Quote Tweet

Joseph Cox

@josephfcox

Mar 15

Interestingly, one of those charged has previously presented himself to us as an independent security researcher. He provided information about the SIM swapping community. Then two years later, he allegedly committed some of these crimes vice.com/en/article/pka

Show this thread

_MG_

@_MG_

Mar 15

Oops. The comparison pic in the last post was a 342 clip sheet from 2 years ago. The sheet from 1 year ago was 650 clips. Today’s is 1085. 🧵8/n

I am incapable of leaving well enough alone. A year later: 650 clips, printed at 57sec per clip was nice. But 1085 clips printed at 43sec per clip is nicer. (67% more clips, 25% faster) Still plenty left to optimize here. 🧵7/n

I still have no idea how this is going to work… if it even will. But I will just keep printing new parts until I run out of ideas I guess.

asked me at what point it makes more sense to pay a shop to label my envelopes. Answer: financially, 4 years ago. I’m just stubborn & DIY everything. But I have a long way to go before I hit Cliff Stoll building a below-house warehouse:

youtube.com

The man with 1,000 Klein Bottles UNDER his house - Numberphile

More Numberphile on Klein Bottles: http://bit.ly/KleinBottlesMore links & stuff in full description below ↓↓↓Science objects with Brady: http://bit.ly/Object...

_MG_

@_MG_

Mar 12

With chip prices 📈, the 📈 inflation hurt even more as the $ evaporated in a bank account while waiting for the next “chip just got stocked. But now!” window. Is the wealthfront account the best choice? I dunno. But it did make some of the pain stop. Tell me if you have better

Everyone’s needs are different, etc. For me, each batch of hardware is like buying a new car that I could never personally afford. It needs to stay liquid, especially with the volatile chip prices/availability or you miss the window.

Will probably delete this later because it feels way too much like shilling for banks, but wanted to share a tip a friend gave me last year. This spreads your $ across a bunch of banks, which also means 8x more FDIC insurance. ($2mil) 4.05% APY (4.55% wealthfront.com/c/affiliates/i… Show more

wealthfront.com

Earn a 0.50% APY boost when you sign up! | Wealthfront

A high-yield account with free transfers and checking features.

Ehhh kinda? I’m realizing that loading in from the bottom will be very unreliable if something like springs are used. I’d have to use a motor to keep consistent pressure. So instead I’m gonna flip it upside down and try gravity feeding instead.

Testing some new envelope colors for the

@MischiefGadgets

products Black on metallic silver Black on smoke gray Metallic silver on black