Notices by Royce Williams (tychotithonus@infosec.exchange), page 2

@grumpybozo Part of the less-ethical sales-pressure API is to push social/guilt buttons to incent giving in. You very likely did nothing to trigger it (other than saying no). I wouldn't give it another thought.

@xabean No immediate hits - permuted case and leet for both 'Yealink' and 'YealinkPhone', and appended and prepended all sorts of stuff (all possible 4-char suffixes, etc.) ... nothing so far

@xabean Depending on sensitivity, Hashes.com has a bounty / escrow system (free). Or you could upload it as a 'user list' to HashMob. Or you could let me take a ... crack at it (2x 4090s). :D

Edit: a third option, if you know hashcat and Docker, is to just rent a chunk of GPUs through vast.ai or similar.

@xabean What's in the other /etc/shadow?

@ryanc If I have, I've totally spaced it and it will be as fun as the first time? Link me!

@ryanc Looks great! Subtitles are a nice touch!

@wdormann I even opened a ticket for too-narrow grabbable window edges on the Linux side. The response I got was "we're not changing that, there's a workaround -- hold down the ALT key and right click when you're dragging near that edge". So now I have to remember which OS I'm on every time I need to do this. It's just so ... unnecessary.

@atoponce Yes, exactly! ...for sufficiently obscure and esoteric values of "solve".😅 Most people have never even heard of them.

If they had been universally used from the beginning, CSV wouldn't even be a thing, and plenty of things we do to avoid CSV would also not be things ...

@ryanc

@ryanc Yeah, Definitely pro TSV! When I say CSV out loud, I actually mean TSV in my head. I need to watch that ...

I'll also have to dig up the post where I grieve for the alternate future where we actually used the actual dedicated field and record separator characters built into ASCII. So much avoidable pain.

I know this dates me, but ... 80% of the problems I'm solving with jq are caused by using JSON at all ... when a simpler format would have been fine.

Repeating every verbose field name in each record, when the schema is flat, is often premature "schema might need to be variable someday" optimization.

When the Rapid7 DNS data was freely available, it was distributed as a one-line-per-stanza JSON file. The first thing I'd do after downloading it was convert it to CSV ... which cut its size by 60%.

It's like buying a ten-pound box of individually wrapped grains of rice.

Did you that there's a thing called the "Automatic Billing Update" program (ABU), that enables merchants to get notified of your replacement payment card number before it even shows up in your mailbox?

https://globalnews.ca/news/9763295/little-known-credit-card-program-companies-information/

Yep, you can guess what the bad guys are doing. They're registering as a merchant and then involuntarily signing people up for nonexistent "subscriptions" ... that their support path mysteriously refuses to let you unsubscribe from:

https://malwaretips.com/blogs/vigor-vita-cbd-gummies/

But if you naively report these to your issuer as simply 'fraud', they will just ... issue you a new card. And then the "subscription" will be charged again.

Many issuer support teams seem be totally unaware of this fraud type. You have to explicitly tell them it's a subscription scam, and ask them block that merchant from using ABU to get your new card number. (That card is lost, but at least the evil merchant won't get the next one).

(I found this out the hard way, helping some elderly friends, whose cards kept getting mysteriously "compromised". When I realized that an unexpected charge happened before they had even received the new card ... I knew it wasn't just ordinary skimming or phishing.)

tl;dr When you detect unauthorized charges, ask your issuer to check for ABU and block the entire merchant. Otherwise, you'll be caught in an unending cycle of useless reissuance!

#ABU #fraud

@ryanc @jbaggs @dangoodin
hell hath no fury like a geek scorned ("yeah, but that's not much of a problem in the real world, you're just fearmongering" "oh yeah? let me show you")

@ryanc Also your Levenshtein neighbor! :D

@patrickcmiller It's unclear from the article how they're linked - did the bad Crowdstrike push directly cause the Azure outage? Didn't the Azzure issue show up quite a few hours before the Crowdstrike one started visibly hitting orgs?

@patrickcmiller Huh - the lede is buried in paragraph five:

"Amazon said it would refund customers $2,350 and give them a $300 Amazon credit. It also said it would refund unused, prepaid subscription fees."

@ryanc There's also the house-shoes option, though that's obviously not for everyone!

@ryanc Everybody's a literary critic.

https://en.wikipedia.org/wiki/Purple_prose

@ryanc That's tricky. It's a function both of time, and of the "pressure" of disclosure - the juicier the surprise, the more likely it is to have leaked out into popular culture.

Miraculously, I managed to avoid spoiling The Crying Game for a decade. Ditto Citizen Kane (to Garret's point). But I think that would have been impossible for The Empire Strikes Back, due to the cultural saturation.

In the fediverse, CWs are cheap enough that it's relatively easy to have no time limit on spoiler coverage.

@ryanc Ah, interesting - I somehow managed to miss out on this phenomenon!

@ryanc I think it must have gone over my head, heh 😅