I get asked a lot lately what I think people who want to get into cyber security should focus on. My go-to answer is incident response, since it seems like the mountains of vibe code and half-assed zero trust architectures are creating galactic scale potential breach energy. Would that be called vibe responders? Or is that for when we figure out how to hand over IR to AI as well?
If you find the fediverse useful, don't forget to support your instance (assuming they accept support). While the software is free, running instances is far from it. I am glad to be part of the community and want to see it continue on as a viable alternative. Thank you all for being here and I hope you have a good holiday season.
It's Friday, which obviously means today is the day to push all your untested vibecode to prod before the weekend, but remember that (at least for those of us in the US), next week is a short week presenting one of the best opportunities for code pushes.
I do feel like MS/Azure, AWS, and Cloudflare need to do a better job of coordinating their outages so some of y'all can get some much needed time away from IT.
I don't remember the last time I was at a security conference... I'm looking forward to BSides Atlanta on Saturday, where I'll apparently be making a guest appearance in a presentation about the Fediverse. Hopefully, I am not too embarrassing.
@GossiTheDog I've seen plenty of romance scam accounts trying to lure people to Telegram or other DM, but I hadn't seen this class of account doing that. I may just not be looking though.
@GossiTheDog there's about 12,000 of those lately on mastodon.social. I can't yet tell what the game is, but my best guess is account farming to build and then sell high follower accounts, like happens on Twitter, Instagram, and so many others. Little do they know how few people are actually here.
There have been a deeply disappointing number of Mastodon account takeovers in the past few weeks used to spam out malicious links in the guise of porn. I'm guessing most or all are abandoned accounts, so the owner doesn't even realize.
Please please please enable two-factor authentication on your Mastodon accounts regardless of which instance you are on or how sensitive or not you think the stuff you post is.
There's been an oppressive amount of spam originating from what appears to be compromised Mastodon accounts posting links that appear to be porn, but lead to various badness depending on the location, IP address, browser, and operating system of the visitor. Don't click on tinyurl or other link shortened links promising to, er, satisfy your porn needs. And for the love of $deity, please enable 2FA authentication on your accounts AND stop using the same damn password everywhere. Thank you for your attention in this matter.
Recovering CISO
May have an orchid problem
Bad photography
Worse dad jokes
The worst Infosec hot takes
Podcast: https://defensivesecurity.org
Blog: https://infosec.engineering
Twitter: @maliciouslink
https://Infosec.Exchange Admin
#infosec #security #cybersecurity #risk #fedi22
...and for fucks sake, be nice to each other. We are only here for a brief time. Make it enjoyable.
To help support the costs associated with running this instance, please consider donating. You can set up recurring donations here:
Patreon: https://www.patreon.com/infosecexchange
Ko-Fi: https://ko-fi.com/infosecexchange
Liberapay: https://liberapay.com/Infosec.exchange/
You can also support with a one-time donation using PayPal to "jerry@infosec.exchange".