Notices by K. Reid Wightman :verified: 🌻 :donor: :clippy: (reverseics@infosec.exchange)

@cR0w @briankrebs I knew what it was going to be, and I clicked through the warning anyway.

@patrickcmiller

A comic that I will think about every day for the rest of my life, probably.

(Sauce: https://analognowhere.com/_/ogmxha/ )

a friendly reminder about how the digital world is held together

you still have time to push to prod today.

Me upon reading some headlines about the AI bubble bursting.

@rootwyrm @cR0w @TeflonTrout @catsalad @chillybot

Big Endian was invented because someone really needed to know, right away, whether a number was positive or negative.

Little Endian was invented because someone really needed to know, right away, whether a number was even or odd.

This is how I'm going to explain "why is endianness a thing" to people that are new to binary stuff from now on.

Meanwhile, in the industrial security space:

@krypt3ia @patrickcmiller the only defense against malware with ai is goodware with you know what i give up.

A password consisting only of lowercase L's, uppercase i's, the number 1 and the | pipe..

I|l11IllIIllIlIlII|

...technically satisfies all password requirements.

@patrickcmiller Haha I was investigating this this morning.

I had a business in Indiana and it got a phishing email with proper dkim/dmarc stuff. The business email address was unique/serves as a breach canary, so I was trying to figure out if Indiana got popped or if govdelivery[.]com was misconfigured/got popped...

@ryanc A few years back I bought a bunch of these. Super duper helpful. We find all sorts of crazy pinouts on industrial products. My favorite to date is a GE thing that output +24v on pin 5 (usually a ground pin on db9), meant for powering a handheld programmer device.

Ah, US healthcare: where determining whether insurance covers a doctor visit takes longer than the doctor visit itself. And the answer they give is: "it depends..."

I enjoy that we call these insurance people who look up the coverage "advocates". Advocates for whom, I wonder.

@neurovagrant

Pretty sure I heard someone say 'phemails' to refer to phishing emails earlier today, so now all I've got is this image in my head.

That ESP32 thing has a CVE: CVE-2025-27840: https://nvd.nist.gov/vuln/detail/CVE-2025-27840 .

And, pretty much everything all of the well-known infosec people have been saying is correct: physical access required (or, high privileges and high attack complexity; the score is kinda 'wrong' in some sense because it is combining two exploitation vectors but I think it gets across the point: this is not wormable and is not exploitable via wireless, at least not on its own. and if your threat model allows for physical access but still treats this as a big deal somehow, go home, your threat model is drunk).

@da_667 the safety word is banana

The Year of the Snake, you say?

Welp, I guess I'm doing The Thing.