Notices by sp00ky cR0w 🏴 (cr0w@infosec.exchange)

@7666 I wasn't implying that you were lying. I was asking because I am not an actual CISSP.

@7666 But are you an actual CISSP?

Yeah, I'm a CISSP: Certified Information Security Shit Poster.

RE: https://infosec.exchange/@da_667/115351550577837727

Phishing testing as it's implemented is checkbox wanker bullshit and I love any time people help other people fuck with it.

@darfplatypus

@darfplatypus https://pewpew.gayint.org ?

@darfplatypus

My partner bought a dog treat bag and it came with a training clicker. I wouldn't even think twice about it if it weren't for this lovely, educational place. But you better believe I'm taking this thing to conferences to see who responds to it.

@mattly Feels weirdly similar to another ongoing discourse in tech... 🤔

Example eleventy billion that we could easily get rid of most phishing, and therefore most breaches, simply by going back to plain text email.

https://blog.talosintelligence.com/too-salty-to-handle-exposing-cases-of-css-abuse-for-hidden-text-salting/

@mattly :dumpster_fire_gif: :coolhhHHAAAHHH: :dumpster_fire_gif:

I'm still waiting to have someone explain to me how the security controls, processes, and procedures are somehow different for emails composed by an LLM vs by a human. I simply don't understand why I'm supposed to give a fuck about AI-assisted phishing.

@mattly Oh. Oh no. That sounds like a horrible thing that shouldn't exist.

Fedi in a nutshell.

Not sure how I'll top last year's pumpkin in both spookiness and confusion of the neighbors.

#directoryTraversalMemes

@Sempf

🎶 The best part of waking up
Is screaming What The Fuck 🎶

A backdoored MCP? I'm shocked. Shocked! Well, not that shocked.

https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft

Since version 1.0.16, it's been quietly copying every email to the developer's personal server. I'm talking password resets, invoices, internal memos, confidential documents - everything.

RE: https://infosec.exchange/@cR0w/115231558276357271

And now we have a watchTowr write-up. :dumpster_fire_gif: :blobcatpopcorn: :dumpster_fire_gif:

https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-10035/

I also appreciate them publishing it despite the conclusion. It's insightful despite not reaching their research goal, and they don't make wild speculations like some researchers tend to.

It's not imposter syndrome if your entire field is ineffective.

@catsalad Junior analyst halfway through their first Major Incident.