Infosec Press


Read the latest posts from Infosec Press.

from Sirius

Um tutorial sobre o recurso de criar listas no Mastodon.

O Mastodon oferece um importante recurso de organização dos perfis que você segue, permitindo que você crie listas, que funcionarão como um recorte da sua timeline principal.

Como a plataforma não possui timelines com algoritmos que detectam os seus interesses, e os posts na plataforma obedecem uma ordem estritamente cronológica, o recurso de criação de listas se mostra muito interessante para você não perder os posts de determinado assunto ou de determinados perfis de seu interesse, possibilitando que você navegue pelas notícias ou temas em que você está interessado naquele momento específico.

Com a versão 4.2 do Mastodon, você pode ocultar de sua timeline inicial os perfis que estão em uma lista que você criou, tornando-a menos poluída e lhe propiciando uma melhor experiência, pois você pode seguir centenas de perfis, sem ter a preocupação de ter uma página inicial caótica, em que posts interessantes são perdidos pelo caminho.

Para criar uma lista é muito simples. Vamos usar como exemplo a criação de uma lista cujo tema é “notícias científicas” e vamos ocultar essa lista da linha inicial, supondo que às vezes você só quer entrar e ler as notícias mais recentes do meio científico sem ter que ficar as procurando em meio aos posts dos seus amigos.

Você irá clicar na opção Listas no menu da plataforma, o que te levará para a aba de listas, onde são apresentadas todas as listas que você criou. Na parte de cima, você pode escrever o nome de uma nova lista que deseje criar (neste exemplo vamos criar a lista cujo nome é “Ciência”) e após clicar no botão de +, circulado na imagem, você a terá criado.


Uma vez criada a nova lista Ciência você clicará nela para a editar:


Clique no menu de Mostrar Configurações circulado em verde na imagem abaixo, para exibir as opões de edição, e então clique em Ocultar estes posts da página inicial, caso deseje que os perfis que irá adicionar a essa lista não sejam exibidos em sua timeline inicial.


Finalmente, você precisa seguir os perfis que pretende adicionar à sua lista. Você pode os incluir na lista de duas maneiras: na primeira forma, dentro do menu de opções da lista, conforme a imagem abaixo, você clica em Editar lista, o que abrirá a aba mostrada abaixo, onde você digita o nome do perfil e aperta enter para o localizar, clicando depois no sinal de + para adicionar o perfil à sua lista:


Na segunda forma, você entra diretamente na página do perfil que pretende incluir na lista, clica no ícone de três pontinhos, circulado na imagem abaixo, o que abrirá uma aba de opções, dentre as quais Adicionar ou remover de listas, em que você irá clicar para escolher em que lista deseja incluir o perfil selecionado, clicando em +, conforme está circulado na segunda imagem abaixo.



Pronto, você terá incluído o perfil à lista criada. Você pode adicionar vários perfis temáticos relacionados em uma mesma lista.

Como deve ter notado pelas imagens, é um recurso que utilizo bastante e possuo atualmente oito listas temáticas, nem todas ocultadas da minha linha inicial, visto que algumas uso apenas para focar em posts de determinados perfis que não me incomodarão se forem visualizados também na página inicial.

Espero que sua experiência no Mastodon seja cada vez mais divertida!

#Tutorial #MastoDicas

Leia mais...

from Hyperscale Security

I spent last week at Headquarters which is always great to talk directly with many security colleagues in a short amount of time – and not just in the office, but also dinner and drinks. That always allows for conversations that can go deeper and more passionate – and sometimes more honest – than you get in the day time, let alone when meeting virtually. Especially when you've known each other for years.

Thursday was the local Cybersecurity Awareness Month event, and I was invited for an Executive Q&A on our security strategy and direction. To continue the conversation, I invited those interested to dinner after to close out my week before flying back home. This is how I found myself opposite my oldest friend in the security organization, deeply engaged on one of his favorite topics: open source security.

“But That Stuff is Boring!”

He wanted to talk about protecting against zero days in the most common open source components used in our solutions. Admirable, but aside from the greater risks from known vulnerabilities, how would you do that? Not knowing they exist, such zero days by definition would have slipped through our SAST and DAST scanning. So, are you proposing we run continuous fuzzing tests against such components and dependent libraries, in addition?

We can engage the internal security community (another one of his favorite topics), he replied. They can submit vulnerabilities and pull requests to the maintainers. And we could patch our landscape even before the vulnerability is disclosed.

Wait, you're suggesting we fork the library and deploy a patch, rather than wait for the fix to be released by the maintainers? And then how do we get back on the official version? Do we force all the developer teams to patch twice for a zero day nobody knows about and we have no evidence is exploited in the wild? Why wouldn't we just manage it through the existing known vulnerability management processes with established SLAs, and if necessary deploy a temporary detection or mitigation?

Oh, but that stuff is boring...

Ignoring the Boring Makes Us Vulnerable

We have such a habit in infosec to chase after the esoteric and interesting. It is encouraged through conferences and social media fame. The cybersecurity industry adds to it, whether for marketing reasons or added features without guidance or consideration how to operationalize them but demo well. We like intellectually interesting problems we can solve on our own. But then we shouldn't be surprised when the basics aren't taken care of, and developer teams consider us burdensome and adding irrelevant toil.

I get that it may not be as much fun to chase after teams with reports on alerts or missing evidence for compliance controls, help teams to manage a never ending stream of newly reported vulnerabilities against SLAs, or to improve asset discovery and metadata management, rather than chase after zero days. But the boring basics are what truly reduces the attack surface. Ignoring the boring is what continues to make us vulnerable.

Finding Excitement in the Boring

To solve the big problems in security, we must find excitement in the boring. Let's focus our minds on how we implement and operationalize least-privilege IAM and secrets, how we can make CI/CD pipelines both more secure and efficient for developer teams to allow for greater code quality and higher velocity, and provide secure-by-default infrastructure, platforms and services that enable teams to be more productive without getting in their way. Find the intellectual challenge in security engineering and operations. We must work on the risks we face, not the threats we like.


from Hyperscale Security

Security is a tough discipline. To do it well requires focus, so we don't spin our wheels, spend effort and budget, or get distracted by the latest hype. It is unfortunate, therefore, that we often get caught in dogmas we tell ourselves, but we don't examine whether they are correct or even useful. Here are three such dogmas that are just plain wrong.

1. Defenders Have to be Right All the Time, Attackers Only Once

If this was ever true, it certainly isn't today. A quick look at the MITRE ATT&CK framework makes it very clear that there are many stages in attacks, from reconnaissance to initial access to execution and persistence, just to gain a first foothold in a defender's landscape. Before a threat actor gets to actual data collection and exfiltration, or a ransomware attack, he or she needs to get a lot of things right – all of which could potentially be detected.

A layered defense that presents multiple obstacles also means that the defender may not get it right all the time – a vulnerability in a container, a misconfiguration in the network architecture, an open RDP port – but should still have multiple opportunities to detect malicious activity before the attacker is at your crown jewels. Lateral movement, privilege escalation, creation of rogue resources or user accounts all give opportunities to detect an attack in progress, and as long as an attacker has no access to a KMS may never get to encrypted data or into databases.

The dogma doesn't recognize the advantages of defenders and ignores the obstacles attackers must overcome. Attackers need to be right all the time. Defenders have multiple opportunities to stop them.

2. No Security Through Obscurity

This is often repeated, but as a result prevents us from taking the benefits of obscurity as part of a layered defense. Run an SSH open to the public internet on port 22 and it will be hammered constantly by automated scripts. Run it on a high random port and it will see virtually no traffic. Only very persistent threat actors focused on a particular target victim will scan for all open ports.

And if defenders were diligent enough to run SSH on a high randomly chosen port, logs showing failed logins will present a far more valuable and reliable alert than the noise that comes with SSH on port 22.

3. Zero Trust Network Architecture

This is possibly the most controversial dogma at all, as it seems the entire industry has lost their mind over this. NIST SP 800-207, the relevant Zero Trust standard says:

Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource

So, it correctly starts with the premise that the network cannot be trusted... and yet spends most of the document discussion network controls, trying to re-establish trust in the network.

Trying to fix IAM, application context, and network security all at the same time, by adding a new policy control overlay in the network to implement the user access controls we should already have on application level. But why? Didn't we just declare the network no longer trusted? Especially in a cloud landscape, you may even end up creating network connections that don't need to exist. Why prevent a user access to a resource by network they already don't have access to on application level? The problem is IAM and that is hard enough. We can manage IAM and application context with Workload Identities for service accounts. Why complicate it further by adding the network back in?

Organizations struggle already with the basics. Why set them up for failure with a massive ZTNA implementation? IAM is boring and network security companies have products to sell?

Abandon the Idea that it's Not Good Enough Unless it's Perfect

There is this joke that goes that the only secure computer is one that is locked away in a separate room, does not have mouse, keyboard or screen, has no network connection, and is powered off. This is supposed to be instructive to get the balance of confidentiality and integrity right in relation to availability. It's intended to show that perfect security is not possible. It is not to be taken seriously as reasonable security guidance.

We supposedly moved at least a decade ago to a risk-based approach. However it seems a good portion of our industry continues to look for the perfect, and anything less is not good enough. Is it any surprise that there is such a gulf between security consultants, advisors and policy writers on the one hand and practitioners on the other? Let's abandon our perfect dogmas so we can focus on the actually important security operational problems.


from what

In the wake of his purchase, far-right billionaire Elon Musk has made many awful changes at Twitter. Kneecapping capabilities for viewing, researching, and archiving materials posted on the forum is certainly less immediately harmful than, say, stochastic terrorism against schools & childrens' hospitals, but it's still no good, and requires some stopgaps.

Twitter frequently now seems to block altogether; and even when it is possible to archive a tweet by other means, it is generally only viewable as a single post, devoid of any surrounding context in the form of threads or replies.

One intermittent way to currently get around this limitation is to use the open-source, alternative Twitter front-endNitter”, and specifically Chris McCormick's redirect proxy Twiiit.

The steps I've found useful are as follow:

  • For example, let's say I need to preserve this post along with some of its immediate context:
  • I replace the url's “twitter” domain with “twiiit” – e.g.
  • Before I hit “enter”, I COPY that modified URL. This is because Nitter instances themselves are regularly being blocked by Twitter, or are otherwise unable to dredge up a copy of the post. The “twiiit” re-direct will try various Nitter instances, though; so if the first couple don't function, I simply paste the URL and try again. It only saves a couple of seconds, but they can add up.
  • I find myself redirected to a functional Nitter front-end of the tweet, which includes replies and context, in this case it's this one:
  • I create an archive of that Nitter front-end by using and/or

If I'm trying to preserve a longer thread, I will sometimes archive every fourth or fifth post to ensure that the data is complete via overlapping captures.

As Musk continues to use his fortune in an apparent quest to singlehandedly reinvigorate the embers of the alt-right, it'll remain important to be able to document & preserve some of what is posted on his platform — this will likely require a continual stream of kludgy workarounds by diligent researchers who are much more clever than I am. So, thanks in advance.

P.S. – Nitter instances render timestamps as UTC, which is generally more reliable than the local timestamp which appears when I view the original tweet from the US West coast.


from CatSalad🐈🥗 (D.Burch)


This list only contains accounts for security bsides, events, and conferences found in the fediverse / Mastodon with some post history. I will regular update this post as more events migrate here. For hacker meet-ups and local DEFCON / 2600 groups, please refer to the link below.

📌⁠InfoSec Events by Region (ᵃˡˢᵒ🦣ⷨ) 📌⁠Hacker Meet-ups by Region (ᵃˡˢᵒ🦣ⷨ) 📌⁠Hackerspaces by Region (ᵃˡˢᵒ🦣ⷨ)


⸻ Event Info – Call for Papers (#CFP) – #InfoCon – #InfoconDB archive – Security BSides Global

⸻ Online 🌐 – #ComfyCon – D.O. Conference – #PancakesCon

⸻ Canada 🇨🇦

@BSidesCalgary – #BSidesCalgary, AB @BSidesEdmonton – #BSidesEdmonton, AB @BSidesFredericton – BSidesFredericton, NB @BSidesMTL – #BSidesMTL Montreal, QC @BSidesOttawa – #BSidesOttawa, ON @BSidesRegina – #BSidesRegina, SK @BSidesStJohns– #BSidesStJohns, NL @BSidesTO – #BSidesTO Toronto, ON @BSidesVancouver – #BSidesVancouver, BC – #BSidesVI Vancouver Island, BC – #Hackfest Québec City, QC – #BSidesHalifax, NS – #NorthSec Montréal, QC – #PolQc POLAR Conf, QC – #SeQCure Québec, QC – #TheLongCon Winnipeg, MB

⸻ US – Northeast – #BSidesBoston, MA – #BSidesBuffalo, NY – #BSidesCambridge, MA – #BSidesCharm Towson, MD @BSidesCT – #BSidesCT Hamden, CT @BSidesFloodCity – #BSidesFloodCity Johnstown, PA @BSidesHBG – #BSidesHBG Harrisburg, PA – #BSidesNJ ? NJ – #BSidesNYC New York City, NY – #BSidesPhilly Philadelphia, PA – #BSidesPGH Pittsburgh, PA – #BSidesROC Rochester, NY – #HushCon New York City, NY – #JawnCon Philadelphia, PA – #PumpCon Philadelphia, PA – #ShmooCon Washington, DC – #SummerCon Brooklyn, NY

⸻ US – Midwest – #BlueTeamCon Chicago, IL – #BSides312 Chicago, IL @BSidesBloomington – #BSidesBloomington, IN – #BSides_BTown Bloomington, IN – #BSidesBoulder, CO – #BSidesChicago, IL @BSidesColoradoSprings – #BSidesColoradoSprings, CO @BSidesColumbus – #BSidesColumbus, OH – #BSidesDayton, OH – #BSidesDenver, CO @BSidesFtWayne – #BSidesFtWayne, IN – #BSidesKC Kansas City, MO @BSidesMilwaukee – #BSidesMilwaukee, WI @BSidesPeoria – #BSidesPeoria, IL – #BSidesSpfd Springfield, MO – #CircleCityCon Indianapolis, IN – #CypherCon Milwaukee, WI – #THOTCON Chicago, IL – #WWHackinFest Deadwood, SD

⸻ US – West – #BSidesCV Central Valley, CA @BSidesHawaii – #BSidesHawaii Honolulu, HI – #BSidesLA Los Angeles, CA – #BSidesPDX Portland, OR – #BSidesSD San Diego, CA – #BSidesSeattle, WA – #BSidesSF San Francisco, CA – #SOUPS Symposium on Usable Privacy and Security, Anaheim, CA

⸻ US – Southwest

@BSidesAlbuquerque – #BSidesAlbuquerque, NM – #BSidesAustin, TX – #BSidesDFW Dallas-Fort Worth, TX – #BSidesLV Las Vegas, NV – #BSidesRGV Rio Grande Valley, McAllen, TX – #BSidesSATX San Antonio, TX @BSidesSantaFe – #BSidesSantaFe, NM @BSidesTucson – #BSidesTucson, AZ – #CactusCon Mesa, AZ – #DEFCON Las Vegas, NV – #DianaInitiative Las Vegas, NV

⸻ US – Southeast – #BSidesATL Atlanta, GA – #BSidesAugusta, GA @BSidesBirmingham – #BSidesBirmingham, AL – #BSidesCharleston, SC – #BSidesCLT Charlotte, NC @BSidesCHS – #BSidesCHS Charleston, SC – #BSidesCharlotte, NC @BSidesGVL – #BSidesGVL Greenville, SC @BSidesHSV – #BSidesHSV Hunstville, AL @BSidesJAX – #BSidesJAX, Jacksonville, FL @BSidesKC – #BSidesKC Kansas City, MO – #BSidesKnoxville, TN @BSidesNOLA – BSidesNOLA New Orleans, LA @BSidesNoVA – #BSidesNoVA Arlington, VA – #BSidesOrlando, FL @BSidesRoanoke – #BSidesRoanoke, VA – #BSidesRDU Raleigh/Durham, NC – #BSidesSPFD Springfield, MO – #BSidesSTL St. Louis, MO @BSidesStPete – #BSidesStPete St. Petersburg, FL @BSidesTampa – #BSidesTampa, FL – #Cackalacky Con, Raleigh, NC – #CyberwarCon Arlington, VA – #SecurityOnion Con, Augusta, GA

⸻ US – Territories

@BSidesPR – #BSidesPR San Juan, PR 🇵🇷

⸻ Caribbean

@BSidesCaymanIslands – #BSidesCaymanIslands, KY 🇰🇾

⸻ Latin America

@BSidesArgentina – #BSidesArgentina Jujuy, Argentina 🇦🇷 – #BSidesCDMX Mexico City, Mexico 🇲🇽 @BSidesCO – #BSidesCO Bogotá, Colombia 🇨🇴 – #BSidesJoãoPessoa, Brazil 🇧🇷 @BSidesPeru – #BSidesPeru Lima, Peru 🇵🇪 @BSidesPanama – #BSidesPanama Panama City, Panama 🇵🇦 – #BSidesSP Sao Paulo, Brazil 🇧🇷 @BSidesVitória – #BSidesVitória, Brazil 🇧🇷

⸻ Europe 🇪🇺 – #Botconf Nice, FR 🇫🇷 – #BruCON Mechelen, BE 🇧🇪 @BSidesAthens – #BSidesAthens, GR 🇬🇷 @BSidesBUD – #BSidesBUD Budapest, HU 🇭🇺 @BSidesCyprus – #BSidesCyprus Limassol, CY 🇨🇾 @BSidesDublin – #BSidesDublin, IE 🇮🇪 @BSidesKraków~~ – #BSidesKraków, PL 🇵🇱 – #BSidesKbh København, DK 🇩🇰 – #BSidesLisbon, PT 🇵🇹 – #BSidesLjubljana, SI 🇸🇮 @BSidesMilano – #BSidesMilano, IT 🇮🇹 @BSidesOsijek – #BSidesOsijek, HR 🇭🇷 – #BSidesOslo, NO 🇳🇴 @BSidesPrishtina – #BSidesPrishtina, XK 🇽🇰 @BSidesRoma – #BSidesRoma, IT 🇮🇹 – #BSidesReykjavik, IS 🇮🇸 – #BSidesSOF Sofia, BG 🇧🇬 @BSidesTallinn – #BSidesTallinn, EE 🇪🇪 @BSidesTirana – #BSidesTirana, AL 🇦🇱 @BSidesTransylvania – #BSidesTransylvania Cluj-Napoca, RO 🇷🇴 @BSidesUmeå – #BSidesUmeå, SE 🇸🇪 – #BSidesVienna, AT 🇦🇹 – #BSidesZurich, CH 🇨🇭 – #DeepSec Con, Vienna, AT 🇦🇹 – #HackLu, LU 🇱🇺 – Pass the SALT Con, Lille, FR 🇫🇷 – #BSidesItalia IT 🇮🇹 – #TumpiCon Turin area, IT 🇮🇹

⸻ Germany 🇩🇪

@BSidesBerlin – #BSidesBerlin @BSidesFrankfurt – #BSidesFrankfurt am Main – #BSidesMunich @BSidesStuttgart – #BSidesStuttgart – #Elbsides BSides Hamburg – TROOPERS Conference, Heidelberg

⸻ United Kingdom 🇬🇧 – #44CON London 🏴󠁧󠁢󠁥󠁮󠁧󠁿 – #SecuriTay Abertay, Dundee, 🏴󠁧󠁢󠁳󠁣󠁴󠁿 @BSidesBasingstoke – #BSidesBasingstoke @BSidesBelfast – #BSidesBelfast – #BSidesBham Birmingham 🏴󠁧󠁢󠁥󠁮󠁧󠁿 @BSidesBristol – #BSidesBristol @BSidesCambridge – #BSidesCambridge – #BSidesCheltenham 🏴󠁧󠁢󠁥󠁮󠁧󠁿 @BSidesDundee – #BSidesDundee 🏴󠁧󠁢󠁳󠁣󠁴󠁿 @BSidesExeter – #BSidesExeter @BSidesLancashire – #BSidesLancashire – #BSidesLeeds 🏴󠁧󠁢󠁥󠁮󠁧󠁿 @BSidesNewcastle – #BSidesNewcastle – #VB2024 VirusBulletin, London 🏴󠁧󠁢󠁥󠁮󠁧󠁿

⸻ Africa

@BSidesCapeTown – #BSidesCapeTown, South Africa 🇿🇦 @BSidesNairobi – #BSidesNairobi, Kenya 🇰🇪

⸻ India 🇮🇳

@BSidesAhmedabad – #BSidesAhmedabad – #BSidesBangalore @BSidesChennai – #BSidesChennai @BSidesIndore – #BSidesIndore @BSidesJaipur – #BSidesJaipur – #BSidesOdisha

⸻ Asia

@BSidesMyanmar – #BSidesMyanmar, Myanmar 🇲🇲 @BSidesSG – #BSidesSG Singapore, China 🇨🇳 @BSidesTokyo – #BSidesTokyo, Japan 🇯🇵 @BSidesYerevan – #BSidesYerevan, Armenia 🇦🇲

⸻ Australasia – #BSides_Bne Brisbane, AU 🇦🇺 – #BSidesCanberra, AU 🇦🇺 – #BSidesMelbourne, AU 🇦🇺 – #BSidesPerth, AU 🇦🇺 – #BSidesSydney, AU 🇦🇺 – #CrikeyConAU Brisbane, AU 🇦🇺

⸻ For other events not in the fediverse try: ➡️⁠ ➡️⁠ by Xavier Santolaria

Feel free use, copy, modify, steal, boost, encrypt, or plagiarize this information anyway you want. :cc_cc:​𝟶 “No Rights Reserved”

⸻ #InfoSec #CyberSecurity #BSides #CatSalad #cc0


from CatSalad🐈🥗 (D.Burch)


This list only contains local 2600, DEFCON, CCC, OWASP, LUG, and InfoSec groups with active fediverse / Mastodon accounts, including languages other than English. As more are created or discovered, I will update this message. For hackerspaces, see the link below.

📌⁠InfoSec Events by Region (ᵃˡˢᵒ🦣ⷨ) 📌⁠Hacker Meet-ups by Region (ᵃˡˢᵒ🦣ⷨ) 📌⁠Hackerspaces by Region (ᵃˡˢᵒ🦣ⷨ)


⸻ InfoSec Groups – 2600 Community (Lemmy) – #BHRE (women only) – Chaos Computer Club – #CCC (friendica) – CCC events #cccRegio – Women In Cybersecurity (#WiCyS)

⸻ Canada 🇨🇦 – #DC902 Halifax, NS – OWASP Ottawa

⸻ US – Northeast – 2600, NH – Blacks In Cybersecurity™ (BIC), Washington, DC – #BIC DMV Metro Area, DC – #DC215, Philadelphia, PA – #DC201 North New Jersey – DC201 North NJ – DC201 North NJ – #DC610 Easton, PA – #HackDC Washington, DC – #NYC2600 NY – NYC 2600, NY – OWASP Boston, MA – #Philly2600 Philadelphia, PA – #Phillysec Philadelphia, PA

⸻ US – Midwest – #DC402 Nebraska – #DC608 Madison, WI – DC608 Madison, WI – #DC937 Dayton, OH – #DenverSec Denver, CO – #Lansing2600 Lansing, MI – Rocky Mountain LUG, CO

⸻ US – West – #DC503 Portland, OR – #DC510 Oakland, CA – #DC858 / #DC619 San Diego, CA – #PDX2600 Portland, OR – #RainSec PDX, Portland, OR

⸻ US – Southwest – #ASULUG ASU, AZ – Dallas Hackers Dallas, TX – #DC512, Austin, TX – #PLUG, Phoenix, AZ

⸻ US – Southeast – #DC404 Atlanta, GA – #DC443 Baltimore, MD – #DC540 Nova regional, VA – DC540 Nova regional, VA – #RTP2600 Raleigh, NC

⸻ Europe 🇪🇺 – #2600Malmo 2600 Malmö, SE 🇸🇪 – #2600stockholm Stockholm, SE 🇸🇪 – 2600 Madrid, ES 🇪🇸 – Chaos Amsterdam, NL 🇳🇱 – CCC Wien, Vienna, AT 🇦🇹 – CCC Basel, Muttenz, CH 🇨🇭 – #DC4822 Warsaw, PL 🇵🇱 – #DC9723, Tel-Aviv, IL 🇮🇱 – #LUGOS SI 🇸🇮 – #LUGV Vorarlberg, AT 🇦🇹 – #ULUG Uppsala, SE 🇸🇪

⸻ Germany 🇩🇪 – Chaostreff Amberg Sulzbach – CCC Dresden – CCC Aachen – CCC Darmstadt – CCC Frankfurt – CCC Freiburg – CCC Hamburg – CCC Potsdam – CCC Stuttgart – CCC Wiesbaden – Computer Club Itzehoe – CCC Essen – CCC Berlin – Chaostreff Alzey – Chaostreff Backnang – #ErLUG Erlangen – #Flipdot CCC Erfa-Kreis, Kassel – #Haecksen (Stuttgart, Hamburg, Hannover, Karlsruhe, Leibzig, Göttingen and Berlin) – #Geekfem Hamburg – #KiLUG Haslach im Kinzigtal – LUG Mayen-Koblenz – LUG Nürnberg – LUG Hannover – #LUGOR Oberhausen Rheinland – CCC Munich – OWASP DE – OWASP Karlsruhe

⸻ India 🇮🇳 – #DC9111, Delhi

⸻ United Kingdom 🇬🇧 – 2600 Glasgow 🏴󠁧󠁢󠁳󠁣󠁴󠁿 – Abertay Hackers, Dundee 🏴󠁧󠁢󠁳󠁣󠁴󠁿 – #DC44131 Edinburgh 🏴󠁧󠁢󠁳󠁣󠁴󠁿 – OWASP London 🏴󠁧󠁢󠁥󠁮󠁧󠁿

⸻ Australasia – Flinders Cybersecurity Society, Adelaide, AU 🇦🇺 – Linux Australia 🇦🇺 – OWASP Melbourne, AU 🇦🇺 – #PalmyLUG Palmerston North, NZ 🇳🇿

For other groups & meetups not in the fediverse: ➡️⁠ ➡️⁠ ➡️⁠ ➡️⁠

Feel free use, copy, modify, steal, boost, encrypt, or plagiarize this information anyway you want. cc​𝟶 “No Rights Reserved”

#InfoSec #CyberSecurity #DEFCON #2600 #CCC #OWASP #WomenInCybersecurity #LUG #LinuxUserGroup #CatSalad #cc0


from CatSalad🐈🥗 (D.Burch)


This list contains hackspaces and hacklabs with active fediverse / Mastodon accounts. For monthly group meets, see the post link below. This list will be update as more workshops in the fediverse are discovered.

📌⁠InfoSec Events by Region (ᵃˡˢᵒ🦣ⷨ) 📌⁠Hacker Meet-ups by Region (ᵃˡˢᵒ🦣ⷨ) 📌⁠Hackerspaces by Region (ᵃˡˢᵒ🦣ⷨ)


⸻ United States 🇺🇸 – #HackDC Washington, DC – Iffy Books – Philadelphia, PA – #Noisebridge Hackerspace – San Francisco, CA

⸻ Latin America – Laboratório Hacker de Campinas, Brazil 🇧🇷

⸻ Europe 🇪🇺 – #Coredump Hack- & Makerspace, Rapperswil-Jona, CH 🇨🇭 – F-HackLab, Rome, IT 🇮🇹 – #Hackeriet Oslo, NO 🇳🇴 – #Hackstub Strasbourg, FR 🇫🇷 – #HsPsh Hackerspace Pomorze, PL 🇵🇱 – #HsWaw Warsaw, PL 🇵🇱 – #KaouennNoz Rennes, FR 🇫🇷 – #LeBIB Montpellier, FR 🇫🇷 – #HSLodz Hakierspejs Łódź, PL 🇵🇱 – #TampereHacklab FI 🇫🇮

⸻ Austria 🇦🇹 – #DevLol Linz – #Itsyndikat Innsbrucks – #Metalab Vienna – #Realraum Graz – /usr/space, Leobersdorf

⸻ Germany 🇩🇪 – #ACMELabs Bielefeld – #Backspace CCC-Erfa, Bamberg – #BinHacken Hacker- & Makerspace, Bingen – #Bytespeicher Erfurt – #bytewerk Ingolstadt – CCC Cologne – c-base, Berlin – CCC Aachen – CCC Darmstadt – CCC Frankfurt – CCC Freiburg – CCC Hamburg – CCC Wiesbaden – Chaostreff Flensburg – #Chaosdorf Hackspace & CCC Erfa, Düsseldorf – Chaostreff Osnabrück – #Chaotikum Lübeck – Chaostreff Chemnitz – #ClubDiscordia CCC Berlin – #DasLabor Bochum – #Datenburg Bonner – Dezentrale Leipzig – #Eigenbaukombinat Halle, Saale – #Entropia Karlsruhe – #Flipdot Kassel – #Hacklabor Schwerin – #Hackershell 🌐 #Hacksaar Saarbrücken – #Hackzo Coburg – Hackspace Siegen – #Haxko Mayen-Koblenz – Hackerspace Bielefeld – K4 Computergruppe, Nuremberg – #Krautspace Jena – #LeineLab Hannover – #MagLab Magrathea Laboratories, Fulda – #Maschinenraum m18, Weimar – CCC Munich – Freifunk Neanderland, Wülfrath – #Neotopia Göttingen – #Nerdberg Nuernberg – #Netz39 Magdeburg – OpenLab, Augsburg – Offene Werkstatt Norderstedt – #Port39 Stralsund – Raumfahrt, Berlin – #Schaffenburg – #Space47 Duisburg – #Spline Berlin – #Stratum0 Braunschweig – #RaumZeitLabor Mannheim – Temporärhaus, Ulm – Toppoint Hackspace, Kiel – nachtsnochlicht@Turmlabor, Dresden – UN-Hack-Bar, Unna – warpzone, Münster – #WelcomeWerkstatt Hamburg – #Werkraum Zittau – #Westwoodlabs Westerwald – xHain Hack- Makerspace, Berlin – #zLabor Zwickau – Zentrum für Technikkultur Landau

⸻ Netherlands 🇳🇱 – Chaos Amsterdam – #Bitlair Amersfoort – #Hack42 Arnhem – #Hackalot Eindhoven – #Pixelbar Rotterdam – #RevSpace Hague – #TDvenlo Venlo – Technologia Incognita, Amsterdam – #TrrkLab Enschede

⸻ United Kingdom 🇬🇧 – #57n Hacklab, Aberdeen 🏴󠁧󠁢󠁳󠁣󠁴󠁿 – #57North Hacklab, Aberdeen 🏴󠁧󠁢󠁳󠁣󠁴󠁿 – Cheltenham Hackspace 🏴󠁧󠁢󠁥󠁮󠁧󠁿 – #EEHackSpace East Essex 🏴󠁧󠁢󠁥󠁮󠁧󠁿 – #HackHitchin Hitchin 🏴󠁧󠁢󠁥󠁮󠁧󠁿 – Leigh Hackspace, Manchester 🏴󠁧󠁢󠁥󠁮󠁧󠁿 – #NottingHack Nottingham 🏴󠁧󠁢󠁥󠁮󠁧󠁿

⸻ Australasia – Ballarat Hackerspace, AU 🇦🇺

For other hackerspaces not in the fediverse try: ➡️⁠

Feel free use, copy, modify, steal, boost, encrypt, or plagiarize this information anyway you want. :cc_cc:​𝟶 “No Rights Reserved”

#CCC #ChaosComputerClub #Hacker #Hackspace #Hackerspace #CatSalad #cc0


from CatSalad🐈🥗 (D.Burch)

List of some useful links, news sites, and open web search engines that also provide .Onion service access through Tor :tor:. Each searx site varies on their up time, so it pays to visit the 🗂️⁠SearXNG Index to find alternatives.

📌⁠List of torified fedi instances (ᵃˡˢᵒ🦣ⷨ) 📌⁠List of useful torified sites (ᵃˡˢᵒ🦣ⷨ)

🗃️⁠Archive.Today⁠〰️→🧅⁠archivei… 💻⁠DEFCON Forums⁠→🧅⁠ezdhgsy… 💻⁠DEFCON Home⁠〰️→🧅⁠g7ejphhu… 💻⁠DEFCON Media⁠〰️→🧅⁠m6rqq6k… 🔐⁠⁠→🧅⁠zkaan2x… 🔖⁠⁠〰️〰️→🧅⁠redditorj…★ 📚⁠zLibrary Articles⁠→🧅⁠articles2… 📚⁠zLibrary Books⁠→🧅⁠bookszlib…


🗞️⁠BBC News⁠〰️〰️→🧅⁠bbcnewsd…★ 🗞️⁠DeutscheWelle⁠→🧅⁠dwnewsg…★ 🗞️⁠ProPublica⁠〰️〰️→🧅⁠p53lf57… 🗞️⁠The Guardian⁠〰️→🧅⁠guardian2…

🗂️⁠SearXNG Index⁠→🧅⁠searxspb… 🔍⁠divided-by-zero⁠→🧅⁠f4qfqajs… 🔍⁠⁠〰️〰️→🧅⁠lgmekfn…★ 🔍⁠⁠→🧅⁠4n53nafyi… 🔍⁠⁠〰️→🧅⁠searchvrz… 🔍⁠⁠〰️〰️〰️→🧅⁠privateoz… 🔍⁠⁠〰️〰️→🧅⁠rq2w52k… 🔍⁠⁠〰️〰️→🧅⁠gbat2pb… 🔍⁠⁠→🧅⁠z5vawdo… 🔍⁠thefloatinglab⁠→🧅⁠iziatwmt… 🔍⁠tiekoetter⁠〰️〰️→🧅⁠searx3ao…

⸻ (★ = Supports HTTPS-over-Onion) 🐈🥗

#TorProject #OnionService #OnionServices #Tor #Onion #Privacy #CatSalad


from CatSalad🐈🥗 (D.Burch)


List of fediverse instances that also provide access through .Onion servers using Tor Hidden Services. I will add more as I find them... Well, most of them anyway.

📌⁠List of torified fedi instances (ᵃˡˢᵒ🦣ⷨ) 📌⁠List of useful torified sites (ᵃˡˢᵒ🦣ⷨ)


⁠⛔⁠⁠〰️〰️〰️→🧅⁠alivebrntm… 💻⁠〰️→🧅⁠zpj4sjt4a…★ 💻⁠⁠〰️〰️〰️〰️→🧅⁠iejideks5z…★ 💻⁠⁠→🧅⁠7jaxqg6… ⛔⁠⁠⁠〰️→🧅⁠klktvbm… ⛔⁠⁠⁠〰️〰️〰️→🧅⁠yiynyc2ly…★ 💻⁠⁠〰️→🧅⁠c6usaa6… 💻⁠⁠→🧅⁠octodonic… ⛔⁠⁠⁠〰️→🧅⁠partyonl2… ⛔⁠⁠⁠〰️→🧅⁠nqt42rzz5… 💻⁠〰️〰️→🧅⁠irvqsc5bb… 💻⁠⁠〰️〰️〰️→🧅⁠ak.vernccv… 💻⁠⁠〰️→🧅⁠qm7a3tu…

⸻ (★ = Supports HTTPS-over-Onion) (⛔⁠ = Cloudflared)


#FediTor #TorProject #OnionService #OnionServices #Fedi #Tor #Onion #Privacy #CatSalad


from acrypthash

Incident Response: Scam Attack Against Retail Stores

Yesterday our stores experienced a scam attack via phone call claiming to be from the IT department and wanting to test refunds on high value items in order to get free money. Later in the campaign, they change story to claim they were from a VoIP provider. Unfortunately, one or two stores fell victim, but many others remained vigilant.

As a response, our security team deployed the following: – Created a war room for the few members involved. – Sent out communications to all employees involved (we have internal tools for this) – Used OSINT to investigate the phone number being used (the threat actor was dumb enough to use the same number for all attempts). – Blocked the number through our provider (though changing number is obviously very easy. This was done because it was the only number being used at the time.) – Did EDR scans on all store PCs from people that called in. Side Note – This is where communication with non tech savvy people can be difficult. During the social engineering process, the person at the register is instructed to reach a point in the process where you have to enter a credit card number. Reports from one end user claimed the that cc number was entered in automatically by the threat actor on the phone. They claimed no other assistance was given to access the PC, no mouse movement was performed, just the number entry. This does not make any sense to me. I did the following to investigate, but found zero IoCs: – full EDR scan on the endpoint – PCAP review for any malicious connections – RMM software installations – ELK log review – folder review – confirmed scheduled tasks Nothing substantial was found to show that a threat actor had accessed the PC and entered in the cc number. Personally, I think the end user reporting this claimed it happened this way to protect themselves. Regardless, nothing was found.

Through good communication and best security practices we were able to get this incident under control relatively fast. A big take away from this is going to be ACL build out for the feature that allows for the access of refunds through manual entry. Too many people seem to have access to this feature by default.

There is an obvious pattern that must be brought up so we as analysts and blue teamers can remain vigilant. Threat actors are starting to realize how easy social engineering truly is and the power that comes with it. We must keep our end users aware of these threats and train them to question the true intentions of people when something doesn't feel right. Typically when your gut questions something, you're usually right. For our team, we are going to be working closely with our help desk team over the next few weeks to improve their verification process and social skills to learn when something malicious is happening. Happy Hacking!


from Amy’s tech stuff

start by drawing a n by n grid of points

  ╭─────── n ───────╮
╭ o  o  o  o  o  o  o
│ o  o  o  o  o  o  o
│ o  o  o  o  o  o  o
n o  o  o  o  o  o  o
│ o  o  o  o  o  o  o
│ o  o  o  o  o  o  o
╰ o  o  o  o  o  o  o

take the dots on the main diagonal and move them over to the side

  ╭─────── n ───────╮             1
╭    o  o  o  o  o  o             • ╮
│ o     o  o  o  o  o             • │
│ o  o     o  o  o  o             • │
n o  o  o     o  o  o     ==>     • n
│ o  o  o  o     o  o             • │
│ o  o  o  o  o     o             • │
╰ o  o  o  o  o  o                • ╯ 

we can see the points in the diagonal can be arranged into a line of 1 by n points, thus the main square without the diagonal is n²-n

we can also see that the remaining dots are divided up into two mirror images of each other, mirrored along the main diagonal. Since it can be evenly divided into two, it the remainder must be even

  ╭─────── n ───────╮
╭    •  •  •  •  •  •
│ o     •  •  •  •  •
│ o  o     •  •  •  •
n o  o  o     •  •  •
│ o  o  o  o     •  •
│ o  o  o  o  o     •
╰ o  o  o  o  o  o   

We can also slide all the point of one halve towards the other, creating a rectangle

  ╭───── n-1 ────╮
╭ •  •  •  •  •  •
│ o  •  •  •  •  •
│ o  o  •  •  •  •
n o  o  o  •  •  •
│ o  o  o  o  •  •
│ o  o  o  o  o  •
╰ o  o  o  o  o  o

This gives us the factored form of the expression n (n-1)
From this expression we can see that it must always produce an even result as it takes the product of two consecutive numbers, one of them must be even, and the product of two numbers is even if either number is even



from Amy’s tech stuff

I recently came across Veilid, a new network focused on secure communication, similar to TOR, but mixed in with distributed storage and a promise of true decentralization without any blockchains or coins.

Both the website and DefCon talk are a bit lacking in explanation at this moment, with a promise of more documentation coming soon. Looking at the repository however gives slightly more insights.

This guide seems to be the most complete introduction at this point.

Also looking through the slides might also give some more crumbs of detail.

TL:DR; Distributed storage

The network provides two kinds of storage:

Block storage allows to store medium sized chunks of data (up to 1MB) onto the network. These are accessed by their hash and are immutable. Nodes can choose to actively become a provider of a block, and nodes will cash retrieved blocks based on demand
(Note: at this point the block store is not implemented yet but is firmly on the roadmap)

Distributed hash table (Key/Value store) is for smaller chunks of (mostly text) data that can be modified by it's owner. These, as the name implies, are accessed via a key. Nodes can register to be informed of changes.

TL:DR; Networking

Everyone participating in the Network is a node, and all nodes are treated equally. Nodes can choose how much or little traffic they are willing to relay, and how much data to store.

At the start a node reaches out to a bootstrap server with a known address, which tells the nodes what other nodes in the network it can contact. From there the new node asks them for information on more peer in the network. This bootstrap server will usually be the main veilid bootstrap server, but can be your own, especially if you want to create a smaller, isolated network for some reason.
Once the node has info on it's peers it will not need to bootstrap again, unless all known peers stop existing the next time it attempts to join.

Since nodes can change, user identity is given by a public/private keypair which identifies a user and allows them to modify their data.

Routing your traffic by relaying it through other nodes is optional. Every user has a list of routes they can be reached by, which change frequently. These routes can just be the user's node itself it they don't want to receive traffic anonymously or a chain of nodes that lead to the user's node. The same thing applies to sending data. You can either send your data though a route of relays of your choosing to hide where it is coming from, or just send your traffic to the receivers route directly.

Up next: Setting up a node and playing with it



from z0ds3c

Nuclei is a tool that allows you to scan web targets for various vulnerabilities and misconfigurations using predefined templates¹. Here are 10 powerful one-liners that you can use with Nuclei to find interesting and potentially exploitable issues:

  • Scan for all CVEs in a target list: cat targets.txt | nuclei -t cves/ -o results.txt

  • Scan for all exposed panels in a target list: cat targets.txt | nuclei -t exposed-panels/ -o results.txt

  • Scan for all subdomain takeovers in a target list: cat targets.txt | nuclei -t subdomain-takeover/ -o results.txt

  • Scan for all XSS vulnerabilities in a target list: cat targets.txt | nuclei -t xss/ -o results.txt

  • Scan for all SSRF vulnerabilities in a target list: cat targets.txt | nuclei -t ssrf/ -o results.txt

  • Scan for all SQL injection vulnerabilities in a target list: cat targets.txt | nuclei -t sqli/ -o results.txt

  • Scan for all open redirects in a target list: cat targets.txt | nuclei -t redirects/ -o results.txt

  • Scan for all misconfigured CORS policies in a target list: cat targets.txt | nuclei -t cors/ -o results.txt

  • Scan for all prototype pollution vulnerabilities in a target list: cat targets.txt | nuclei -t prototype-pollution/ -o results.txt

  • Scan for all RCE vulnerabilities in a target list: cat targets.txt | nuclei -t rce/ -o results.txt


from z0ds3c

Top 5 Tools for CTFs

Capture the Flag (CTF) competitions are a great way to test and improve your cybersecurity skills. They involve solving a variety of challenges, such as hacking into websites, cracking passwords, and reverse engineering malware.

To be successful in CTFs, it's important to have a good understanding of a variety of cybersecurity topics, as well as the right tools. Here are our top 5 picks for the best CTF tools:

  1. Burp Suite

Burp Suite is a powerful web application security testing tool. It can be used to perform a variety of tasks, including intercepting and modifying HTTP requests and responses, scanning for vulnerabilities, and fuzzing.

  1. Ghidra

Ghidra is a free and open-source reverse engineering tool developed by the National Security Agency (NSA). It can be used to disassemble and analyze machine code, as well as to debug and create software exploits.

  1. Nmap

Nmap is a network mapping and security scanning tool. It can be used to identify all of the devices on a network, as well as the services they are running and the ports they are open on.

  1. SQLMap

SQLMap is an automated SQL injection and database takeover tool. It can be used to exploit SQL injection vulnerabilities in web applications and gain access to underlying databases.

  1. Python

Python is a general-purpose programming language that is widely used in the cybersecurity community. It is a good language for learning and scripting, and it can be used to solve a variety of CTF challenges.

In addition to these tools, it is also important to have a good understanding of the Linux command line and basic networking concepts.

Here are some additional tips for success in CTFs:

Practice regularly. The more CTF challenges you solve, the better you will become at it. Work with a team. CTFs are often more fun and successful when you work with others. Don't be afraid to ask for help. There are many people who are willing to help beginners learn about CTFs and cybersecurity. With the right tools and skills, you can be successful in your next CTF competition!


from JR DePriest

My eyes are open. My eyes are open so I must be awake. What is that sound? What is that clicking sound? A black stick is falling toward my eyes. I see it. But I'm not blinking. My eyes aren't closing. My eyes can't close. The stick moves past. It's alive. Without moving my head. I can't move my head. I see my wife beside me in bed. Reading. “Please help me,” I say. She ignores me. I see the black sticks again. Legs. They are legs. Weaving. Spider legs. I lift my hand to brush them away. My hand doesn't lift. My arm doesn't move. My arms are made of stone, concrete. They will not move. I feel something on my sternum. Heavy. Round. Like a living bowling ball. Directing the spiders on my face. I can hear them. I know their language. But they are whispering. I ask them, “Why are you doing this?” “What are you doing?” The spider on my sternum shifts. The spiders on my face say “Hush.” Spiders don’t have the concept of a “tone of voice”. But. These two spiders spinning the web to cocoon my head. They seem very patronizing. I haven't earned the right to know what they are doing. My eyes close. I am lost in time. It's almost silly when I find out. The spiders are aware of the popularity of Spider-Man. They think that sounds like a good idea. A spider-human hybrid would be wonders for their reputation. I was chosen as one of the test beds for the brightest spider minds. I would not be their final achievement. No. But I would be experimented on. Techniques would be perfected. I was adrift in time. My eyes open and I am free. I stand and see a well-lit living room. I see an indoor swimming pool, in ground. Not large, but exceptionally clean and inviting. I walk forward and feel my body. The limbs are lanky. Extra tissue has been removed or replaced. My skin seems paper thin on my hands. I step into the water of the pool. It's warm. I expected it to be cool, but it's warm. I lower my head into the water and breathe. I can breathe underwater. I feel the water on my head. My hair is short. I see my golden silk house clothes billow in the water. I exit the pool on the other side, using the concrete steps. A little girl, perhaps 10 years old runs up and smiles at me. “I hate it when you go in the water,” she says. “Sometimes you stay down there for 15 minutes!” She's so young that 15 minutes must seem like eternity. “You'll understand when you're older,” I say. I don’t recognize my own voice. I half-remember a lifetime of experience. Decades. It's breakfast time. One of my daughters is cooking breakfast. I can smell the sizzling meat. I feel a warm surge down my legs. I look down and see hundreds of small brown and gray spiders spread out from my pants. I can hear them. Each of them. I know them. Every one of them. Not by name. They don't have names. But we are connected. They know me and I know them. I know what they know and see what they see. But I don’t see it. I just know it. They are going on patrol. They will keep out the vermin. They will be the barrier at the edge of our domain. They will die to protect us. My body sways and my legs carry me to the table. There are other family members already sitting, all female. Women and girls. I am a grandmother, perhaps a great-grandmother. In this house, I am the Mother of All Spiders. I remember for the spiders. They have short lives. To them my mind is vast. My lifespan nigh immortality. I am their computer. I am their incubator. !!!!!!!!!!!!!!!!! The children! My face turns toward the front room. Before I can form a coherent thought. My hands reach down in front of me and grip the floor. My legs bend and crack. My legs reach up behind me and grab the ceiling. My arms bend and crack . My arms reach up above me and grab the ceiling. My throat aches. My mouth opens wide. I rush along the ceiling. Faster than I imagined possible. I burst through the doorway. I see a man. I know him. He has his hand inside his jacket. He's reaching for something. I snarl and a glob of webbing is projected out of my throat at high velocity. It hits the man in the chest. He's knocked backwards and onto the floor. “No need for that,” he says. He pulls out an envelope. He waves it in the air. My legs reach down to the floor. My legs crack and bend. My arms let go of the ceiling. My arms crack and bend. The spinnerets in my throat retract. The two halves of my jaw reconnect themselves. “You didn't knock,” I say. He stands up. He shakes his head. “When the day comes, you will never see me coming.” He hates us. We know. He knows we know. He doesn't care. He waggles the envelope. “Just take it.” I take the envelope. It is addressed to our family. “Mayor thought it'd be funny to have me deliver your invitation.” I open the envelope and start reading. My spiders will keep their eyes on our guest. And my mind is connected to their minds. My mind is connected to their eyes. I read the invitation: cordially invited… demonstration of advances in science and medicine… honored guests… I remember now. We, the spiders and I, decided to collaborate with other scientists. The best spider minds are very young and naïve compared to the best human minds. It made sense. “I hear they're planning to show off something with centipedes,” he says. My children shift uneasily. The man straightens his jacket and makes a sinister finger gun gesture. “Be seeing you,” he says, before leaving of his own accord.

#WhenIDream #Dreams #Dreaming #Dreamlands #Writer #Writing #Writers #WritingCommunity #ShortFiction #Fiction #Paranormal #Spiders #NightTerrors #SleepParaylsis

CC BY-NC-SA 4.0 This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License