Notices by BrianKrebs (briankrebs@infosec.exchange)

I guess these geniuses missed the first memo. Time to post this at the source (LinkedIn)

I'm going to keep calling out companies that offer to pay me to repost stuff on my site. Especially the AI-backed ones, which seem unusually aggressive in this PR tactic. Who knows, maybe they'll stop sending them to me at least (not holding my breath).

A very kind and thoughtful person took me up on the idea and sent me this. It warms my revenge heart.

@cR0w @reverseics wow. never seen ascii goatse before

OMGOMGOMGOMG

https://www.reddit.com/r/AirForce/comments/1pie3px/plastered_all_over_the_pentagon_today/?chainedPosts=t3_1pijkwc

I'm told that ordinarily you are blocked from seeing the login page if you're "outside" the DoW network, but that anyone can get past this by using Google VPN (e.g. the one built into a Pixel phone). I don't have either of these and am wondering if someone can verify? Thanks in advance.

Pete Hegseth is urging members of the military to embrace GenAI.mil, a "secure generative AI platform for every member of the Department of War." I'm sure this will be fine.

"I expect every member of the Department to log in, learn it, and incorporate it into your workflows immediately. AI should be in your battle rhythm every single day. It should be your teammate. By mastering this tool, we will outpace our adversaries. The power is now in your hands."

I wonder who came up with their logo, which looks like a worm invading the Pentagon.

Hey Windows (ab)users: It's Patch Tuesday again! Patch 'em if you got 'em.

https://krebsonsecurity.com/2025/12/microsoft-patch-tuesday-december-2025-edition/

#patchtuesday

...and you're wasting even more of your life posting about your regrets at the Nazi bar. Still, they probably need to hear it most. Points for partial awakening. Hey, at least you made good money doing it, right?

"I wasted 8 years of my life in crypto"

"Over time however, I felt like I have lost my purpose in crypto. The initial siren songs of crypto’s transformative powers waned after working in the space full-time. I was disillusioned by my target customers and who I was really building for. I completely misunderstood what the actual users of crypto are v.s. just propaganda. Crypto purports that it helps decentralize the financial system, which I completely bought into, but in reality, it’s just a speculation and a gambling hyper-system that’s really just a mirror of what the economy is now."

"The reality hit me like a fucking truck. I am NOT building a new financial system. I built a casino. A casino that does not call itself a casino, but it is the biggest, online, multi-player 24/7 casino our generation has ever concocted. Some part of me wants me to feel proud that I contributed at least my 20s building this casino out. Another part of me literally feels like I wasted my entire 20s in this space. I wasted my life on this, but at least I made good money from it."

https://x.com/kenchangh/status/1994854381267947640

via Hackernews. It really is comical the lengths to which companies will go to avoid being contacted by their customers.

What the fuck is a ‘fuck off contact page?’

"A “fuck off contact page” is what a company throws together when they actually don’t want anyone to contact them at all. They are usually found on the websites of million or billion dollar companies, likely Software-as-a-service (SaaS) companies that are trying to reduce the amount of money they spend on support by carefully hiding the real support channels behind login walls. These companies tend to offer multiple tiers of support, with enterprise customers having a customer success manager who they can call on this ancient device we call phones, whereas the lower-paying customers may have to wrangle various in-app ticket mechanisms. If you solve your own problem by reading the knowledge base, then this is a win for the company. They don’t want to hear from you, they want you to fuck off."

https://www.nicchan.me/blog/the-f-off-contact-page/

The CEO of The Onion set the publication's goal for 2026 to have more subscribers than The Washington Post. At the rate the latter is going, that won't take long.

"For reasons we don't like or understand, our work has become increasingly important."

"Look, we're an independent company, we don't use AI to write headlines and make art, and we're one of roughly three publications who are up for the fight. Unlike other places, The Onion is quadrupling down on being a pain in the ass, politically. Are you?

https://www.linkedin.com/posts/ben-collins-28263a52_its-been-a-big-year-for-us-at-the-onion-ugcPost-7400218696058810368-7nVB?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAAliaMB3BQO-WOS-eUh-XU4HAd5h8pTzkI

Scoopy, new, by me:

Meet Rey, the Admin of 'Scattered Lapsus$ Hunters'

"A prolific cybercriminal group that calls itself "Scattered LAPSUS$ Hunters" made headlines regularly this year by stealing data from and publicly mass extorting dozens of major corporations. But the tables seem to have turned somewhat for "Rey," the moniker chosen by the technical operator and public face of the hacker group: Earlier this week, Rey confirmed his real life identity and agreed to an interview after KrebsOnSecurity tracked him down and contacted his father."

https://krebsonsecurity.com/2025/11/meet-rey-the-admin-of-scattered-lapsus-hunters/

I always wince a little when I see graphs and charts on the homepage of some news outlet, but this one was really well done and conveyed a lot of interesting and timely information in very few words.

https://www.washingtonpost.com/business/2025/11/24/sp500-stock-market-tech-nvidia/

All the best techpocalypse stories start with a heavy dose of hubris and irony. I've always thought that if I ever got around to writing a fiction novel, it would probably involve IoT, like a nationwide blackout caused by an army of "smart" light bulbs gone rogue or something. But even that seems like a quaint plot device in an era when it's more likely you'll have mass power outages because people can't pay their electrical bills anymore because AI.

https://www.washingtonpost.com/business/2025/11/24/power-shutoffs-surge-electric-bills/

New, by me: Is your Android TV streaming box part of a botnet?

"On the surface, the Superbox media streaming devices for sale at retailers like BestBuy and Walmart may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix, ESPN and Hulu, all for a one-time fee of around $400. But security experts warn these TV boxes require intrusive software that forces the user’s network to relay Internet traffic for others, traffic that is often tied to cybercrime activity such as advertising fraud and account takeovers."

The story looks closely at what Superbox is, how it operates, and what it appears to do on the sly. Spoiler: A Censys researcher found that installing the apps that allow these channels to stream enrolls the user's IP in a residential proxy service, and that these devices include powerful network discovery and remote access tools like Tcpdump and Netcat.

Overall, the Superbox is just one brand in an ocean of no-name Android-based TV boxes that are widely available and that either come pre-infected with malware or require malicious apps to use.

https://krebsonsecurity.com/2025/11/is-your-android-tv-streaming-box-part-of-a-botnet/

Social engineering -- the art of tricking people into doing stupid shit -- has always been the most reliable way to hack anything. Now with AI browsers and agentic this and that, we've actually built social engineering into the code. So it can be used to trick others but also trick itself. Brilliant!

Was destroying everyone in Halo with abandon as per usual when I really felt like the haptics had kicked up quite a bit. Then I realized it was my watch vibrating from getting about 1000 Signal requests. Yes, distributed denial-of-Signal is a thing.

#krebsisveryrevenge

I'm proud that my Senator Mark Warner (D-Va) is consistently one of the smartest voices on cybersecurity in Congress. Warner took to the Senate floor today to warn about political purges at the FBI, and the apparent collapse of U.S. cyber defenses under this administration.

"I intend to continue making these speeches… for as long as it takes… because the stakes for our national security are too high to let this pattern go unchallenged."

"Since my remarks in September, we’ve seen not restraint, but an escalation… an escalation of political retaliation, of the hollowing out of expertise, and of the outright manipulation of intelligence. We are watching, in real time, an administration strip away the guardrails that have protected this country for generations."

https://ciosenus.app.box.com/s/l3ta2boj1no8mklr37fb74zbj42jmntx/file/2052327683905

One aspect of this I can't stop thinking about is the example and precedent set by this administration when Musk took over and started joining all these federal databases that had previously been kept separate for about 100+ reasons over time.

Kind of secondary to those alarming developments was the fact that all of the safeguards we put in place to ensure Security 101 things like "need to know access" and audibility were just tossed out the window, and really haven't been observed by this administration since. It's as if the entirety of what they teach you in Security 101, 201, 301, etc, is just a suggestion.

Also, where THE FUCK did this data go? Who has it? How can anyone be sure who does? Is it still being used? How will it be used going forward?

I have quite a few projects I'm super excited to publish in the coming weeks. But honestly, the main thing that's consuming my brain cycles story-wise is a year-end piece about just how badly this administration has fscked our cybers in so many ways.

This won't be a polemical soliloquy. I intend to document all of the specific actions this administration has taken that appear to weaken, redirect, or fully castrate our cyber capabilities. Your assistance would be appreciated (and possibly noted).