Notices by Tod Beardsley (todb@infosec.exchange)

so close #CISA.

Welp. Let’s see which way this room goes.

I’m always happy to take an opportunity to save an early-carreer netsec neophyte from the heartache of the totally fake and not real OSI model.

#BSidesSF

l feel like i’m going to be using this a lot

Greetings, Montrealers! I'll be talking about VibeSploitation at NorthSec, May 15 or 16th. More to come!

Salutations, Montréalais! Je parlerai de VibeSploitation à NorthSec, le 15 ou le 16 mai. Plus à venir !

https://nsec.io

There's going to be a lot of confused attackers and scanners over the next couple days.

More: https://www.runzero.com/blog/ingress-nightmare/

now, an \0x27 in this URL feels like a crime against polite society.

https://www.classy.org/event/creative-commons'-open-house-for-an-open-future/e663144

#sxsw2025

Neat

https://en.m.wikipedia.org/wiki/G0v_movement

at an open house with these folks right now at #sxsw2025

more: https://www.classy.org/event/creative-commons'-open-house-for-an-open-future/e663144

On March 12, join @wingz3ro and me as we expose the seedy underbelly of exploits, espionage, and crime on the internet at #SXSW

Also, there will be costumes - we’ve been in a noir mood lately.

https://schedule.sxsw.com/2025/events/PP153751

Archived version of the quoted The Atlantic article is here:

https://archive.ph/2025.02.07-140733/https://www.theatlantic.com/technology/archive/2025/02/elon-musk-doge-security/681600/

Unrelated: If you believe there has been an intrusion in a US government system, you are encouraged to report it at https://cisa.gov/report
https://journa.host/@w7voa/113963205109936094

So check it out. KEV data is now available on GitHub, in the proper cisagov organization. I know other people mirror KEV for their projects, but who can say if they're fiddling with it along the way? With https://github.com/cisagov/kev-data, you can rest assured that it's the Real and True mirror of KEV.

https://cisa.gov/kev is still the actual authoritative source, but this GitHub mirror is a pretty close second.

I posted about this on LinkedIn since that's what people do with work stuff, apparently.

98 KEVs to go until KEV #1337

Hopefully it'll be a good one.

@sjvn and even though nearly everyone believes archive.org is an unmitigated good, I have yet to see a single tech billionaire, of which there are several, step up and just peel off some millions to help out. Not one.

I’m not pirating movies, I’m just training my model.

So this is neat.

1) Some (all?) antispam/counterphishing email scanners are blind to #QRCode content.

2) You can draw working QRCodes with Unicode character sets, thus avoiding an image parser entirely, even if the scanner could process images in the first place.

3) By providing QRCode links, the attacker encourages the victim to use their personal device rather than the workstation, making defensive tracking more complicated.

I think it’s hilarious that a format designed SPECIFICALLY for machine vision is being used to evade machine interpretation.
https://infosec.exchange/@patrickcmiller/113067302631450126

@funes @Rajiv @patrickcmiller not just scans, but each individual port. Plus a bunch of other made up stuff. 45 billion is a really big number of events, per day.

@GossiTheDog @buffaloverflow You might want to double check that assigning CNA.

https://www.cve.org/cverecord?id=CVE-2024-21887

Maybe it’s one issue that has several vectors. Haven’t looked myself yet since I’m on vacation.

But the CVE isn’t issued by Ivanti, technically.

Tomorrow I have to go on a clear liquid diet because i’m getting a colonoscopy because i’m a responsible goddam adult.

Today, I’m eating excellent Texas chili.

I regret nothing.

For that special domain in your life, give the gift of a security.txt. Check out the #CISA blog: https://www.cisa.gov/news-events/news/securitytxt-simple-file-big-value

Amazing. CMG is an ad company that’s ioffering a fake ad service that people already a) believe is actually happening already and b) really, really hate.

Active Listening: where your phone and TV eavesdrop on your convos to target ads at you.

It cannot possibly work the way they’re pitching it, but I love that they’re taking this scam to the next level.

https://www.404media.co/cmg-cox-media-actually-listening-to-phones-smartspeakers-for-ads-marketing/