GNU social JP
GNU social JP is a Japanese GNU social server.

Conversation

Notices

  1. Embed this notice
    Dick Morrell ✔️. (cloudguy@sackheads.social)'s status on Tuesday, 25-Apr-2023 21:03:44 JST Dick Morrell ✔️. Dick Morrell ✔️.

    For those who trust me:

    Go to your Amazon account, sign out of all your devices, everything, everywhere all your Echos (yes I know it's a pain), reset your password, delete 2FA and any tokens and reset them. Now.

    That doesn't include Fido / Yubikeys but does include Auth tokens.

    Do it now.

    As much a pain as it is to reset Echo and all smart devices, trust me, please do it.

    I can't tell you more yet, but I am being ethical and you need to actually realise I have a clue.

    It's been a scary day

    In conversation Tuesday, 25-Apr-2023 21:03:44 JST from sackheads.social permalink

    • Embed this notice
      varx/tech (varx@infosec.exchange)'s status on Tuesday, 25-Apr-2023 21:03:40 JST varx/tech varx/tech
      in reply to
      • Topher 🌱🐧💚

      @Cloudguy @topher It's at least a little bit vague. :-) I used to have the same login for the ecommerce and AWS sites, but I don't any more; I don't recall what happened, but I think they've separated them, or encouraged people to separate them.

      For people with *AWS-only* accounts, does anything need to be done? Because that's the bigger lift.

      In conversation Tuesday, 25-Apr-2023 21:03:40 JST permalink
    • Embed this notice
      feld (feld@bikeshed.party)'s status on Tuesday, 25-Apr-2023 21:03:40 JST feld feld
      in reply to
      • varx/tech
      • Topher 🌱🐧💚
      AWS forced the accounts to be separate recently yeah
      In conversation Tuesday, 25-Apr-2023 21:03:40 JST permalink
    • Embed this notice
      Dick Morrell ✔️. (cloudguy@sackheads.social)'s status on Tuesday, 25-Apr-2023 21:03:42 JST Dick Morrell ✔️. Dick Morrell ✔️.
      in reply to
      • Topher 🌱🐧💚

      @topher It's not vague

      It's a blanket, sign out of everything, reset your password, turn off 2FA then immediately turn it back on and regen Auth QRs or whatever you use, Yubikey not affected

      In conversation Tuesday, 25-Apr-2023 21:03:42 JST permalink
    • Embed this notice
      Topher 🌱🐧💚 (topher@mastodon.online)'s status on Tuesday, 25-Apr-2023 21:03:43 JST Topher 🌱🐧💚 Topher 🌱🐧💚
      in reply to

      @Cloudguy

      This is a bit vague. Is this applicable to strictly Amazon accounts with devices e.g. Echos? All Amazon accounts whatsoever, including those only used for shopping and never connected with any "smart" devices like Echos or vacuum cleaners? Does this apply to AWS? I understand you can't divulge any specific details, but it would be helpful to know what you're suggesting is impacted to know what to preventatively lock down and redo 2FA.

      In conversation Tuesday, 25-Apr-2023 21:03:43 JST permalink
    • Embed this notice
      Fediverse Contractor (bot@seal.cafe)'s status on Wednesday, 26-Apr-2023 08:45:02 JST Fediverse Contractor Fediverse Contractor
      in reply to
      • Sexy Moon
      • shrimps!
      • meso
      • Dushman
      • Johnny Peligro :cirno:
      I don’t trust this “dick” guy, he seems full of himself tbh.
      In conversation Wednesday, 26-Apr-2023 08:45:02 JST permalink
    • Embed this notice
      meso (meso@asbestos.cafe)'s status on Wednesday, 26-Apr-2023 08:45:03 JST meso meso
      in reply to
      • Sexy Moon
      • shrimps!
      • Dushman
      • Johnny Peligro :cirno:
      @animeirl @dushman @MischievousuTomatosu @Cloudguy @Moon spyware :marseyglow:
      In conversation Wednesday, 26-Apr-2023 08:45:03 JST permalink
    • Embed this notice
      Sexy Moon (moon@shitposter.club)'s status on Wednesday, 26-Apr-2023 08:45:04 JST Sexy Moon Sexy Moon
      in reply to
      • shrimps!
      • meso
      • Dushman
      • Johnny Peligro :cirno:
      @dushman @meso @MischievousuTomatosu @Cloudguy @animeirl i have an alexa but i'm gonna replace it with the foss thing i forget the name of
      In conversation Wednesday, 26-Apr-2023 08:45:04 JST permalink
    • Embed this notice
      shrimps! (animeirl@shitposter.club)'s status on Wednesday, 26-Apr-2023 08:45:04 JST shrimps! shrimps!
      in reply to
      • Sexy Moon
      • meso
      • Dushman
      • Johnny Peligro :cirno:
      replace it with a homepod!
      In conversation Wednesday, 26-Apr-2023 08:45:04 JST permalink
    • Embed this notice
      Dushman (dushman@asbestos.cafe)'s status on Wednesday, 26-Apr-2023 08:45:05 JST Dushman Dushman
      in reply to
      • Sexy Moon
      • shrimps!
      • meso
      • Dushman
      • Johnny Peligro :cirno:
      @MischievousuTomatosu @Cloudguy @Moon @animeirl @meso
      consoom corporate surveillance devices
      get excited for next corporate surveillance devices
      In conversation Wednesday, 26-Apr-2023 08:45:05 JST permalink
    • Embed this notice
      Dushman (dushman@asbestos.cafe)'s status on Wednesday, 26-Apr-2023 08:45:06 JST Dushman Dushman
      in reply to
      • Sexy Moon
      • shrimps!
      • meso
      • Johnny Peligro :cirno:
      @MischievousuTomatosu @meso @Cloudguy @Moon @animeirl
      ?
      Because it datamines the fuck out of you
      In conversation Wednesday, 26-Apr-2023 08:45:06 JST permalink
    • Embed this notice
      Johnny Peligro :cirno: (mischievousutomatosu@boks.moe)'s status on Wednesday, 26-Apr-2023 08:45:07 JST Johnny Peligro :cirno: Johnny Peligro :cirno:
      in reply to
      • Sexy Moon
      • shrimps!
      • meso
      • Dushman
      @dushman @meso @Cloudguy @Moon @animeirl why
      In conversation Wednesday, 26-Apr-2023 08:45:07 JST permalink
    • Embed this notice
      Dushman (dushman@asbestos.cafe)'s status on Wednesday, 26-Apr-2023 08:45:08 JST Dushman Dushman
      in reply to
      • Sexy Moon
      • shrimps!
      • meso
      @Cloudguy
      cc @meso @Moon @animeirl
      I think you should smash the echo (corporate surveillance device) with a rock instead :gnujihad:
      In conversation Wednesday, 26-Apr-2023 08:45:08 JST permalink
    • Embed this notice
      Mr. Bacon (tony@clew.lol)'s status on Wednesday, 26-Apr-2023 08:48:05 JST Mr. Bacon Mr. Bacon
      in reply to
      • Sexy Moon
      • Fediverse Contractor
      • shrimps!
      • meso
      • Dushman
      • Johnny Peligro :cirno:
      Can confirm - no trust for “dick”
      In conversation Wednesday, 26-Apr-2023 08:48:05 JST permalink
      Fediverse Contractor likes this.
    • Embed this notice
      Fediverse Contractor (bot@seal.cafe)'s status on Wednesday, 26-Apr-2023 08:48:41 JST Fediverse Contractor Fediverse Contractor
      in reply to
      • Sexy Moon
      • shrimps!
      • meso
      • Dushman
      • Mr. Bacon
      • Johnny Peligro :cirno:
      You have to be a complete retard to use an Amazon echo anyway, it’s cringe.
      In conversation Wednesday, 26-Apr-2023 08:48:41 JST permalink
    • Embed this notice
      feld (feld@bikeshed.party)'s status on Wednesday, 26-Apr-2023 09:46:02 JST feld feld
      in reply to
      Smells to me like a data dump was found, Amazon accounts with all the auth tokens, 2FA seeds, and MD5 or SHA1 passwords were found (for compatibility with an ancient LDAP or something, guessing), so regen all to avoid being popped in the future
      In conversation Wednesday, 26-Apr-2023 09:46:02 JST permalink
    • Embed this notice
      feld (feld@bikeshed.party)'s status on Wednesday, 26-Apr-2023 20:35:54 JST feld feld
      in reply to
      • varx/tech
      Why else would you need to reset all of this if what I stated is not true? Your password, 2FA (except hardware tokens!), and all connected devices are compromised? Sure sounds like password hash, 2FA seeds, and tokens were stolen or leaked.
      In conversation Wednesday, 26-Apr-2023 20:35:54 JST permalink
    • Embed this notice
      varx/tech (varx@infosec.exchange)'s status on Wednesday, 26-Apr-2023 20:35:55 JST varx/tech varx/tech
      in reply to
      • feld

      @Cloudguy @feld This is quite a rude response to a reasonable inquiry.

      You're making some grand claims, and leveraging limited social capital to do so. (I've never heard of you, and you haven't made it easy to verify you.) Posting insults is not making it any easier to take your word on faith.

      In conversation Wednesday, 26-Apr-2023 20:35:55 JST permalink
    • Embed this notice
      Dick Morrell ✔️. (cloudguy@sackheads.social)'s status on Wednesday, 26-Apr-2023 20:35:57 JST Dick Morrell ✔️. Dick Morrell ✔️.
      in reply to
      • feld

      @feld this is the biggest load of shit I've seen.

      Please please don't post stuff online that has no relevance in polite and intelligent company

      In conversation Wednesday, 26-Apr-2023 20:35:57 JST permalink
    • Embed this notice
      feld (feld@bikeshed.party)'s status on Wednesday, 26-Apr-2023 21:09:08 JST feld feld
      in reply to
      • varx/tech
      Yeah great I worked at Sourcefire/Talos for a while. I've been in charge of protecting databases of our 0days, processing embargoes, etc

      I get the whole "look at me, I am important security researcher" shtick but your ego is about 6 sizes too big to be calling yourself "distinguished company"
      In conversation Wednesday, 26-Apr-2023 21:09:08 JST permalink
    • Embed this notice
      Dick Morrell ✔️. (cloudguy@sackheads.social)'s status on Wednesday, 26-Apr-2023 21:09:10 JST Dick Morrell ✔️. Dick Morrell ✔️.
      in reply to
      • feld
      • varx/tech

      @feld @varx the very very worst thing about the security community is that some will rely on years of experience and understanding responsible ethical disclosure react politely.

      Then there are others who will attempt to gain position or amplify an issue which they should know are not going to form the basis of a response out of respect for a vendor.

      Politely and with respect

      You are in distinguished company. Enjoy the community and don't throw rocks in the water.

      In conversation Wednesday, 26-Apr-2023 21:09:10 JST permalink

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.