@GossiTheDog Several second lag, 200p resolution, sounds a lot like my first experience playing Quake2 on a sorely underpowered PC at original release. "Practically unplayable" checks out, too.
So are we now officially in 1997 again?
@GossiTheDog Total radio silence so far, no statement - not even acknowledgement of my request for comment.
@GossiTheDog Something smells weird. Can I email you about that OCI thing?
@GossiTheDog Ah right, then there's an extra space in that link on Medium. The video id reads "375_G9wAff+o" there. Thanks!
@GossiTheDog Interesting. There's however an extra space in the YouTube link in this sentence: "The meeting is viewable here and the transcript is "
@GossiTheDog I was wondering, actually. Where does it say that?
Side note: I have personally seen large ISO27001-certified orgs use this exact method to e-mail sensitive info. It's security theater and checkbox compliance, mimics the practices of credit card companies, mailing cards and PINs separately. However, real-life analogies rarely work, and vice versa. If an adversary has capabilities to exfil _one_ e-mail, they could exfil _all_ e-mails.
I kinda love the edit history on the US DOD's statement about the purported stand-down order.
"There has been no stand-down order whatsoever from that priority, said the official who was granted anonymity to discuss internal decisions." @TheGuardian
@GossiTheDog A couple of hours or a day after publication maybe, my screenshot is from November 27.
@GossiTheDog This is a screenshot of the first snapshot for the CVE-2024-49035 advisory on MSRC. MS knew about exploitation from the get-go. Not sure why CISA is picking this up only now, being long patched and whatnot.
Finally, after two weeks, an update to the 2025 Insecurity Appliance Bingo sheet. CVE-2024-22467 is an Auth RCE vulnerability in Ivanti Connect Secure that qualifies for the Bingo scorecard. Current Bingo Card is always at: https://cku.gt/appbingo25
...and here we go: Next entry in our bingo card is CVE-2025-23006 in SonicWall SMA1000.
Thanks, everyone, and remember: Current version lives at https://cku.gt/appbingo25
@GossiTheDog As to be expected, that's from the Qur'an. Sura al-Anbiya, verses 11-12
@GossiTheDog @badkeys loads of privkeys in the Fortinet leak, from SSH to what appears to be web certs.
@badkeys @GossiTheDog I realized I could just have read the blog instead of asking a lazy question here 😅
@GossiTheDog I read half a VPN password aloud to a victim on the phone, they completed the other half. They're *definitely* legit. They also seem to be mostly cleartext, even those not looking like cleartext?
@GossiTheDog @lawrenceabrams figures. I'll update my news item later if I get the chance. Why a cable customer in Medellin is running pre-release software is another question though... which I'm not going to ask, given the geographic circumstances. ;-)
@GossiTheDog @lawrenceabrams Yes. It's either a pre-release build or the machine was owned before 7.2.2 was installed. The backdoor user exists in the config, so both could be possible.
@lawrenceabrams @GossiTheDog RE #FortiGate leak: I have found the version string "FWF61E-7.2.2-FW-build1327-220914" on one FortiWifi config from Colombia. I'm not sure which build date the first final version had but maybe a pre-release version?
Yeah, sure, why not dismantle the German Federal government, too. We haven't used up our daily contingent of push notifications yet.
As in: The German Chancellor has apparently asked the Federal President to fire the Minister of Finance, Mr. Lindner (Liberals). This means that the coalition of Greens, Liberals and Social Democrats is effectively over.
@jwildeboer It's only 9:30 pm, and the US Wednesday is still mighty young. Let's not...
Security (web, infra, app) nerd, slightly disillusioned VR enthusiast, author @heise Security
PGP fingerprint: C882 8ED1 7DD1 9011 C088 EA50 5CFA 2EEB 397A CAC1