Infosec Press


Read the latest posts from Infosec Press.

from Tai Lam on a Bike

The 2021 edition of the DJ Ripper is an aluminum bike. (There is a 2022 edition, but I think the blue variant of that model, which is set to black, doesn't look as good as the steel finish of the 2021 model.)

I had no idea what I was getting myself into, as I had only my steel adult bike from Target in high school as a baseline for my bike experience.

The following is a loose collection of observations I've made from riding bikes. Also, when you are invited to test ride someone else's bike, or are lent bikes to borrow for a moment, you start to experience the differences between bikes, much like driving different cars.

For now, we'll focus on aluminum bikes. (Maybe this will be true on other aluminum bikes — I won't find out until I can test others.)

At first, I thought that the sound of the brakes gave the DJ Ripper a sound similar to regenerative brakes on a car or an e-bike. However, it took me almost 9 months to realize that the sound was because aluminum bikes sound more hollow compared to steel bikes. For context, steel is the most basic alloy for bikes. Literally every “low” end bike in Target and similar department stores will be made of steel. You need to visit bike shops in order to see different base alloys, such as aluminum and titanium.

The downside to an aluminum bike is that it is more likely to be blown over in the wind.

Also, if there was a bike I would be leery of attempting to put a rear rack on, then this would be it. Not only is this still a bike life bike; it'd be a bit unfair to ask a bike made for bike life to easily take a rear rack for panniers and tag-along bike trailers, and the weight distribution from already putting multiple bike packs inside the frame triangle plus a handlebar bag is already poor and unbalanced.

(So, when compared to most other bikes, the geometry is tweaked for SE Bikes models, a company known, broadly speaking, for making bikes for doing wheelies and combos. The DJ Ripper is not exactly the best model to do wheelies and combos on, but then again this bike really can't do most of those idiosyncratic things most SE Bikes are known for, such as being able to put on rear wheelie pegs.)

I'm still discovering what the experience of riding bikes made of aluminum alloys is like.


from Tai Lam on a Bike

I am not sure about the origin of this video of a cluster of daddy long legs, called by those who study arachnids (which includes spiders, but daddy long legs are not spiders), but this video of such an aggregate being disturbed has been known since at least 2015.

I first saw a clip of this on Tumblr, back when I had too much time in high school and early undergrad.

Daddy long legs are from the order Opiliones.

This clip seems to be from an episode of the show Outrageous Acts of Science, which was on the Science Channel.

So, not lost media, but social media isn't exactly the best medium to detail sources of information.

I decided to put this here, as this deals a bit with nature and the outdoors. There are daddy long legs around in New England, but I don't think they gather to make aggregates, like in Mexico.


from Tai Lam in Science

I made a résumé in LaTeX when I needed to apply for a job about 2 years ago, and it was not great. While it served its purpose, I wasn't happy with it when it came to long-term code upkeep. (I can't remember the source of the template for my first “real” résumé.) The template I chose at the time had weird quirks, and I told myself I'd try to get a simpler template the next time I needed to make a CV/résumé.

Well, I got my head start on a maintainable résumé now. Better start now, while I have the time to properly component test everything.

I was sort of reminded of myself, back when I was writing my undergraduate research paper. I chose a previously created and known LaTeX environment for pseudocode. Initially, I believed the environment I had chosen was the easiest to use, but then it turned out that it didn't break over page breaks at all. I ended up manually creating page breaks in LaTeX to match the actual printed output in a WYSIWYG, which is not in line with the WYSIWYM mindset of LaTeX. (I will make sure that doesn't happen the next time I write a scientific paper.)

So, what's the difference? Armed with only my GrapheneOS phone, DuckDuckGo, and the Cromite browser, I only sifted through the first page of results.

First, I found an article from Baeldung, which is a website I've gotten some helpful Linux and programming related tips from. However, I found the final result to be like the New Age templates on Typst, which really just look like a very polished Microsoft Office résumé that most people would make (which isn't bad, but I really wanted to still use Computer Modern). Also, I'm not a fan of the numeric bar numbers for each skill you have. I've learned quite a number of (surprisingly) useful bits of knowledge from video games, but the numeric RPG-style skill tree progression isn't one of them.

Thanks for explaining each part of the LaTeX template, though.

Second, I found an article on LaTeX Tutorial about a minimalistic CV/résumé. It was getting closer to what I wanted (part of which included not moving too far away from the default Computer Modern font).

However, it changed the majority of the text (or at least used a non-default font type almost immediately in the preamble).

Maybe I would've chosen this if I was making this for my first real job outside of undergrad studies, but I felt I could do better.

The third and last was a CV/résumé template posted onto GitHub in October 2016.

As they say in vintage carnival contexts that are inspired by something out of Cuphead:

We have a winner!

This is the LaTeX file for the CV (with its corresponding PDF) and this is the LaTeX file for the résumé (with its corresponding PDF).

The last file needed is the style file.

I'm not sure why I was so successful now, compared to when I was finishing my undergrad studies — but I'll take it.


from 📰wrzlbrmpft's cyberlights💥

A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!

News For All

🍪 Linksys routers apparently send Wi-Fi passwords to US servers security research – two tested router models apparently transmit sensitive data to a server in the USA.

🍏 Apple warns iPhone users in 98 countries of spyware attacks warning – Apple warns iPhone users globally about targeted mercenary spyware attacks, emphasizing privacy and ongoing threat notifications.

🎓 ‘Serious hacker attack’ forces Frankfurt university to shut down IT systems cyberattack – Frankfurt University of Applied Sciences faces a hacker attack, leading to a total IT system shutdown, impacting services and communication.

‼️ Scammers double-dip by offering help to recover from scams warning – Scammers target victims of previous scams with fake offers to recover lost money, posing as trusted entities and requesting upfront fees or sensitive information, with the most vulnerable being victims over 65 years old.

🏃‍♂️ Gadgetbridge: Using smartwatches/fitness trackers in a privacy-friendly way – Part 1 privacy – Gadgetbridge is a privacy-friendly open-source app for Android that makes it possible to use smartwatches and fitness trackers independently of the manufacturers' own apps, in order to keep full control over personal data and ensure local storage.

🔮 Avast released a decryptor for DoNex Ransomware and its predecessors security news – Avast developed a decryptor for the DoNex ransomware family due to a cryptographic flaw, allowing victims to recover files for free since March 2024.

🐻 Apple removed 25 VPN apps from the App Store in Russia privacy – Apple removed 25 VPN apps from the Russian App Store due to government requests, part of Russia's control over internet access, leading to bypass difficulty for users.

🎫 The Ticketmaster Hack Is Becoming a Logistical Nightmare for Fans and Brokers data breach – A hacking group released data allowing the creation of over 38,000 concert tickets, posing a potential logistical nightmare for Ticketmaster, venues, fans, brokers, and resale platforms. The hack can lead to issues such as duplicated tickets for sold seats and legitimate buyers being denied entry.

🥓 More than 31M email addresses exposed following Neiman Marcus data breach data breach – Neiman Marcus data breach exposed over 31 million customer email addresses, affecting 64,472 individuals with leaked names, addresses, and more sold by threat actors.

🤖 US, international authorities seize Russian AI bot farm cybercrime – U.S. authorities seized Russian AI bot farm domains linked to RT, accusing operatives of using Meliorator software to create social media personas and spread disinformation primarily aimed at U.S. politics.

🪛 Google’s dark web monitoring service will soon be free for all users security news – Google's dark web monitoring service, previously exclusive to Google One subscribers, will be free for all Google account holders starting soon, providing a combined solution to protect online presence.

🕵️ Hacktivists release two gigabytes of Heritage Foundation data data breach – The hacktivist group SiegedSec released two gigabytes of data from the Heritage Foundation in response to their Project 2025 initiative, claiming they wanted to expose supporters of the conservative think tank; however, Heritage denies being hacked, stating the data was from a publicly accessible archive.

📰 How disinformation from a Russian AI spam farm ended up on top of Google search results security research – A piece of Russian disinformation about Ukrainian president's wife buying a luxury car spread rapidly online, originating from a fake French website and promoted by pro-Kremlin accounts.

🦍 Scammers harness AI and deepfakes to sell bogus ‘miracle cures’ on Meta platforms security news – Artificial intelligence and deepfake videos fuel health-related scam campaigns on Meta platforms, promoting fake 'miracle cures' endorsed by celebrities and bogus medical experts, targeting millions of users worldwide, based on research by Bitdefender Labs.

🙊 Spear phishing techniques in mass phishing: a new trend security news – An increasing trend shows elements of spear phishing being incorporated into regular mass phishing campaigns, with sophisticated email design, personalized details, and imitation of HR notifications, showcasing a shift in attackers' techniques and an escalation in decentralized attacks.

🦹 RansomHub Ransomware – What You Need To Know cybercrime – RansomHub, a Ransomware-as-a-Service group, exploits a vulnerability in the email servers and has quickly risen as a significant threat.

📱 You can now protect your high-risk Google account with just your phone privacy – Google's Advanced Protection Program now allows high-risk users to enroll using a single phone-based passkey.

📞 AT&T breach leaked call and text records from ‘nearly all’ wireless customers data breach – The records were accessed through a third-party cloud platform.

Some More, For the Curious

🔦 Shelltorch Explained: Multiple Vulnerabilities in Pytorch Model Server (Torchserve) (CVSS 9.9, CVSS 9.8) Walkthrough hacking writeup – Shelltorch exposes critical vulnerabilities in PyTorch TorchServe, allowing remote code execution and unauthorized server access.

⚠️ CVE-2024-4577 Exploits in the Wild One Day After Disclosure security research – Exploitation of PHP vulnerability CVE-2024-4577 for remote code execution with malicious PHP code, emphasizing swift patching and monitoring.

🧑‍🦯 CISA broke into a US federal agency, and no one noticed for a full 5 months security news – CISA red team exercise uncovers security flaws at US federal agency, lasting undetected for five months.

🌐 Emboldened and Evolving: A Snapshot of Cyber Threats Facing NATO security news – NATO faces cyber threats from state-sponsored actors, hacktivists, and cybercriminals, impacting espionage, disruptive attacks, and disinformation campaigns targeting critical infrastructure and political entities.

🦷 Developing and prioritizing a detection engineering backlog based on MITRE ATT&CK security research – Exploring the prioritization of MITRE ATT&CK techniques for detection in Security Operation Centers, Threat Intelligence, and Incident Response. Emphasizing source evaluation, technique relevance, and optimizing detection logic development.

☢️ New Blast-RADIUS attack breaks 30-year-old protocol used in networks everywhere security news – A new attack named Blast RADIUS exploits the 30-year-old RADIUS protocol due to its continued use of MD5, despite known vulnerabilities, allowing adversaries to gain admin access to various networks; the attack has led to a coordinated response from vendors.

🗞️ Chinese cyber agency accused of 'false and baseless' claims about US interfering in Volt Typhoon research security news – China's cybersecurity agency inaccurately claimed a U.S. threat intelligence company succumbed to U.S. influence, mischaracterizing the company's report on Dark Power ransomware, leading to pushback and accusations of false representation and manipulation from Western organizations.

📧 Exim vulnerability affecting 1.5M servers lets attackers attach malicious files vulnerability – 1.5 million servers with Exim mail agent are vulnerable to delivering malicious executable attachments due to a critical CVE-2024-39929, prompting urgent updates to address the security issue.

🪰 Palo Alto Networks fixed a critical bug in the Expedition tool vulnerability – Palo Alto Networks fixed an admin account takeover bug in its Expedition tool and addressed multiple other vulnerabilities impacting its products.

🔍 The president ordered a board to probe a massive Russian cyberattack. It never did. security news – Despite a directive to investigate the SolarWinds attack, the Cyber Safety Review Board did not conduct the investigation, raising concerns about government accountability and cybersecurity oversight.

💰 Wallets tied to CDK ransom group received $25 million two days after attack cybercrime – CDK Global paid over $25 million in ransom following a ransomware attack, with most of the funds going through a complex money laundering process involving multiple exchanges.

📅 DDoSecrets Mirrors Wikileaks Data After Assange Plea Deal security news – DDoSecrets mirrored Wikileaks data to preserve transparency and ensure data availability, following Julian Assange's plea deal.

🏭 Critical infrastructure organizations want CISA to dial back cyber reporting security news – Critical infrastructure organizations request scaled-back cyber reporting to CISA, expressing concerns over definitions, which entities must report, and the resource burden.

🏁 Binary secret scanning helped us prevent (what might have been) the worst supply chain attack you can imagine security research – JFrog Security Research prevented a potential severe supply chain attack by detecting and reporting a leaked access token compromising Python infrastructure.

7️⃣ The Stark Truth Behind the Resurgence of Russia’s Fin7 cybercrime – The notorious Fin7 cybercrime group reemerges, setting up thousands of malicious sites targeting various brands for phishing attacks.

CISA Corner

🦿 People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action security research – APT40 compromises organization networks via multiple access vectors with enumeration, web shells, and exfiltration of sensitive data, leading to targeted threat actor investigation.

🛡️ CISA Adds Three Known Exploited Vulnerabilities to Catalog vulnerability – CISA lists three actively exploited vulnerabilities: Rejetto HTTP File Server flaw, Windows Hyper-V privilege escalation issue, and Windows MSHTML platform spoofing flaw.

CISA Releases Seven Industrial Control Systems Advisories

CISA Releases Twenty-one Industrial Control Systems Advisories

Adobe Releases Security Updates for Multiple Products

Microsoft Releases July 2024 Security Updates

Citrix Releases Security Updates for Multiple Products

While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.


from Kevin Neely's Security Notes

Creating a Michelin menu with Generative AI

We've been watching season three of The Bear and it is totally nuts, filled with drama and psychology, and human relationships, and (when they can get around to it) cooking food. This is a fantastic series, and as foodies, you can imagine that my wife and I really enjoy it. The series is intense, following a classically trained chef at the top of his game as he “drops down” from a fancy restaurant to a steak sandwich shop and works back toward where he was before.

That’s not a spoiler, it’s the premise. And this isn’t a review; it was just something in my mind as I experimented with this new tool called LobeChat, which is an interface to #genAI inference servers such as #OpenAI’s #chatGPT, #Claude, and nearly any other commercial or #opensource system you can imagine. I'm tweaking a #homelab hosted genAI inference server and this post is about experimenting with Ollama and a Lobe chat front end for easy access. I haven’t formed a final opinion on this setup at this time, but the #LobeChat front end allows for quick switching between inference servers and their hosted models. While not being super easy to configure, once it works, the whole thing looks very easy for someone, such as a roommate or a spouse, to flip between models, even in the same conversation.

So let’s look at some results. Of course, the results are about the models themselves, but the point here is that LobeChat made it easy to switch between them as I continued to develop the conversation.

First prompt

This was with ChatGPT (4o, I think). I needed something to test that an integration was working. We had just watched The Bear so this is what I came up with:

as fast as you can, what's the best restaurant dinner menu with wine pairing that could win a Michelin 3 star award?


Crafting a Michelin 3-star worthy dinner menu with wine pairings involves high-quality ingredients, exquisite preparation, and a thoughtful combination of flavors. Here’s a conceptual menu that could impress:

Amuse-Bouche: Oyster with Champagne Foam. Wine Pairing: Champagne Brut

Appetizer: Seared Scallops with Cauliflower Puree and Caviar. Wine Pairing: Chablis, Premier Cru

Soup: Cream of White Asparagus with Truffle Oil. Wine Pairing: Viognier

Fish Course: Poached Turbot with Fennel and Citrus Beurre Blanc. Wine Pairing: Pouilly-Fumé

Main Course: Roasted Duck Breast with Plum Sauce, Parsnip Mash, and Seasonal Vegetables. Wine Pairing: Pinot Noir, preferably from Burgundy

Cheese Course: A Selection of Artisan Cheeses with Honeycomb. Wine Pairing: Vintage Port

Dessert: Chocolate Lava Cake with Raspberry Coulis and Homemade Vanilla Bean Ice Cream. Wine Pairing: Recioto della Valpolicella

Mignardises: Petit Fours and Truffles

This menu balances rich flavors with delicate preparation, offering a progression of dishes that showcase both technique and creativity. Each wine pairing is chosen to enhance the flavors of the dishes, aiming to create a harmonious dining experience that could captivate both critics and diners alike.


Not a bad first response, especially since I was just checking to see if the system worked.

Prompt 2: Get ChatGPT to refine it

That was pretty boring. I’m thinking early 90s fancy dining at best, but I wasn’t eating fancy back then and assume it was all shoulder pads, tuna steaks, and cocaine. Continuing with ChatGPT, I posed the following in an attempt to refine our menu (in retrospect, I was generous with the stars):

That's an incredibly boring menu. At best 2 stars. And that's in a region that is not known for its gastronomical excellence


Creating a truly innovative and Michelin 3-star worthy menu certainly demands a more avant-garde approach, pushing culinary boundaries with unique combinations and exceptional techniques. Let's elevate the original concept to something more daring and creative:

Amuse-Bouche: Nitro-frozen Lime and Ginger Pearls with Micro Basil. Wine Pairing: Small-batch Sake

First Course: King Crab Tartare with Avocado Mousse, Mango Gel, and Edible Flowers. Wine Pairing: Albariño

Second Course: Foie Gras Au Torchon with Saffron Pear Compote and Brioche Crisp. Wine Pairing: Sauternes

Fish Course: Butter-Poached Monkfish with Leek Ash, Sea Beans, and a Lemon Verbena Emulsion. Wine Pairing: White Burgundy

Intermezzo: Cucumber and Elderflower Sorbet

Main Course: Sous-vide Venison Loin with Black Garlic Purée, Wild Mushrooms, and a Juniper Berry Reduction. Wine Pairing: Barolo

Cheese Course: A Selection of Aged Cheeses with a Fig and Walnut Tapenade. Wine Pairing: Aged Madeira

Dessert: Deconstructed Passion Fruit Tart with Coconut Foam, Crystallized Ginger, and Meringue Shards. Wine Pairing: Late Harvest Riesling

Petit Fours: Matcha Green Tea Macarons, Raspberry Pâte de Fruit

This revised menu introduces more complex techniques and unusual ingredients, aiming to surprise and delight with every course. Wine pairings are carefully selected to complement and enhance these adventurous flavors, providing a sophisticated and memorable dining experience.


Not bad! It would be nice if the wines were more than broad regions; however, I do appreciate the ‘ñ’ in Albariño. There’s nothing particularly innovative here; the fancy-sounding “Foie Gras Au Torchon with Saffron Pear Compote and Brioche Crisp” is a Thomas Keller recipe, so at least we’re pulling from the top now that I asked it to up its game.

Prompt 3: Let's try a different model

Not only am I using a different model at this point, llama3:instruct, but I am going to specify a food critic in order to change the menu.


One more try: let's make a menu that would knock even James Beard out of his chair because it's so good


You are absolutely right! That menu, while technically sound, lacks the daring, innovation, and personal touch needed to truly impress Michelin inspectors and earn those coveted three stars. It plays it too safe, relying on classic pairings and predictable dishes.

To push towards that 3-star level, we need to think outside the box:

  • Ingredient Focus: Instead of “seasonal vegetables,” source hyper-local, unique produce with a story. Maybe a heirloom tomato variety grown in volcanic soil, or foraged mushrooms with a distinct flavor profile.
  • Deconstruction & Fusion: Take classic elements and reimagine them. A deconstructed apple pie might involve caramelized apple spheres, crumble as a powder, and a cider foam. Fusion could bring Japanese umami to the duck dish, or Indian spices to the scallops.
  • Unexpected Textures: Play with contrasts – crunchy, creamy, smooth, airy. Think smoked paprika meringue alongside the chocolate lava cake, or a black truffle “soil” under the turbot.

Wine Pairings Should Be Equally Bold:

  • Instead of a basic Chablis, consider an obscure producer from the Côte de Beaune known for mineral-driven wines.
  • The Pinot Noir could be a lesser-known region with unique terroir, like Slovenia's Primorska.
  • Experiment with natural wines, or even sake pairings that complement specific dishes.

The Presentation Matters:

Plating should be artistic, telling a story through the arrangement of colors, textures, and shapes. It’s about creating an immersive experience for the diner.

A Michelin-worthy menu isn't just about taste; it's about pushing boundaries, showcasing creativity, and offering a truly unforgettable journey through flavor.


This is less of a menu than some advice for the aspiring chef. Let’s try something different.

Prompt 4: Let's go for Three Stars!

I felt like this was the time to go for the gusto; let's see how a different model would respond, but also with all the history behind it.


I asked: > One more try: let's make a menu that would knock even James Beard out of his chair because it's so good

While it's not a crazily innovative menu, it has some classic touches of what an American, Michelin-starred menu would look like, and

Response with gemma2

You want to blow James Beard away? This isn't about ingredients, it's about experience.

The Menu: A Symphony in Five Acts

  • Act I: Awakening – Smoked Salmon “Caviar” with Beetroot Foam, Rye Crisp, and a single drop of Ossetra Caviar.

    • Pairing: Dry Riesling from Germany's Mosel Valley, expressing its slate minerality alongside the salmon's richness.
  • Act II: Earth & Sky – Roasted Quail “Confit” with Black Truffle Jus, Heirloom Carrot “Clouds,” and a dusting of Micro Thyme.

    • Pairing: Oregon Pinot Noir, showcasing earthy notes that harmonize with the truffle while its bright acidity cuts through the richness.
  • Act III: Fire's Dance – Charred Octopus with Smoked Paprika Aioli, Caramelized Onion Jam, and a drizzle of Chili Infused Olive Oil.

    • Pairing: Spanish Albariño, crisp and mineral-driven, its citrus notes complementing the octopus while balancing the smoky paprika.
  • Act IV: Ocean's Bounty – Pan-Seared Sea Scallops with Saffron Risotto “Foam,” Dulse Crisp, and a single Pearl Oyster.

    • Pairing: Chablis Premier Cru, its intense minerality mirroring the scallops' brininess, while subtle citrus notes elevate the saffron risotto.
  • Act V: Sweet Serenade – Deconstructed Peach Cobbler with Lavender Honey Ice Cream, Toasted Almond Brittle, and a hint of Rosemary Extract.

    • Pairing: Late Harvest Gewürztraminer from Alsace, its floral aroma echoing the lavender, while its sweetness complements the peach cobbler's richness.

The Experience:

  • Each course is plated as a miniature work of art, using contrasting colors, textures, and temperatures.
  • The dining room itself is a sensory experience, with soft lighting, calming music, and subtle aromas that enhance each dish.
  • Service is impeccable, with knowledgeable staff guiding guests through the tasting menu and explaining the inspiration behind each course.

This is not just food; it's a journey for the senses, a story told through flavor and texture, leaving James Beard speechless (and perhaps, slightly envious).


Wow, what a different response! This one could actually be a menu, with the wines having robust and specific descriptions. I especially like how the wines are sourced from all over the globe, really picking best of breed in the selections. As good as the wines are, however, the food does not look 3-star level to me. The dishes sound really nice, and there’s a fair bit of molecular gastronomy in there. However, aside from the poetic nature of the menu, I’m not sure this is a top-tier menu for a chef to execute.

Still, most of these items are good enough for a fake restaurant. If this was to show up in a video game or a novel, I think most people would accept it and move on.


from 📰wrzlbrmpft's cyberlights💥

A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!

News For All

🚨 Hijacked: How hacked YouTube channels spread scams and malware cybercrime – Cybercriminals hijack YouTube channels to spread scams and malware, targeting viewers and content creators.

🚓 Police allege 'evil twin' in-flight Wi-Fi used to steal info cybercrime – Australian man charged for creating fake in-flight Wi-Fi network to steal credentials; AFP warns against using public Wi-Fi without precautions.

📹 San Francisco app livestreams local bars to draw more patrons privacy – 2Night app allows livestreaming of SF bars, raising privacy concerns and backlash from patrons and venue owners.

🏥 LockBit claims cyberattack on Croatia’s largest hospital security news – LockBit ransomware gang targets Croatia's largest hospital; patient data compromised, impacting emergency services and hospital operations.

⚠️ 3 million iOS and macOS apps were exposed to potent supply-chain attacks vulnerability – Vulnerabilities in CocoaPods server exposed 3 million iOS and macOS apps to code injection attacks for a decade.

🔑 The End of Passwords? Embrace the Future with Passkeys. security news – Passkeys offer enhanced security and privacy, along with convenience, as a passwordless authentication solution.

🕵️ Fiverr Freelancers Offer to Dox Anyone With Powerful U.S. Data Tool security news – Fiverr freelancers offer doxing services with access to the data tool TLOxp.

📡 UN urges Russia to ‘immediately’ cease interference in European satellites security news – UN condemns Russian satellite interference, calls for immediate cessation of harmful actions affecting European countries' GPS signals and TV programs.

🪼 Polish government investigates Russia-linked cyberattack on state news agency security news – Suspicion of Russian involvement in cyberattack on Polish state news agency; aimed at spreading disinformation before European Parliament election.

🎒 Alabama Department of Education stops ransomware attack but confirms data stolen data breach – Alabama Department of Education halts ransomware attack but confirms data breach, potential exposure of student and employee information.

🔍 Google: AI Potentially Breaking Reality Is a Feature Not a Bug security research – Google researchers co-author a paper detailing real harm caused by generative AI misuse, which can distort reality by producing deceptive content without violating terms of service. It highlights the need for collaboration to address this issue.

⛓️ New ransomware group uses phone calls to pressure victims, researchers say cybercrime – New ransomware group Volcano Demon uses phone calls to intimidate victims, threatens to expose data if ransom is not paid. The group employs a double extortion technique and remains a challenge to track.

🔥 Traeger smokes security bugs threatening grillers' hard work vulnerability – Traeger grills vulnerable to high-severity flaw allowing remote attackers to control temperature or shutdown grill; exploitation could ruin cooking.

☘️ OpenAI’s ChatGPT Mac app was storing conversations in plain text security news – OpenAI's ChatGPT Mac app stored conversations in plain text; fixed after demonstration, highlighting a potential privacy concern.

☎️ Twilio alerts Authy two-factor app users that ‘threat actors’ have their phone numbers security news – Twilio alerts Authy users of phone number leak, warns of phishing attacks. Previous breach affects 163 Twilio and 93 Authy accounts, leading to the unauthorized registration of additional devices.

🛣️ Europol says mobile roaming tech is hampering crimefighters security news – Europol is concerned about SMS home routing that hampers criminal investigations due to privacy-enhancing technologies, specifically service-level encryption, enabling suspects to maintain communication privacy within their home network while roaming.

🥷 Hackers stole OpenAI secrets in a 2023 security breach security news – OpenAI faced a security breach in 2023, compromising internal discussions but not source code or customer data. Concerns about AI security and possible cyber espionage linked to nation-state actors raised.

Some More, For the Curious

⛔ Qualys Security Blog security news – The Qualys blog was defaced with unauthorized spam posts; Qualys investigated and reports no impact on customer data or production environments and no data exfiltration.

🌠 Like Shooting Phish in a Barrel security research – Techniques attackers use to keep the link crawlers of email security gateways away from phishing pages: parser quirks, CAPTCHAs, redirect chains, browser fingerprinting, and blocking by ASN.

🤕 Threat actors actively exploit D-Link DIR-859 router flaw CVE-2024-0769 warning – Attackers are exploiting CVE-2024-0769, a path traversal in D-Link DIR-859 routers, to pull configuration data from the device; GreyNoise observes them collecting account details.

⚔️ Sanctioned and exposed, Predator spyware maker group has gone awfully quiet security news – Intellexa, maker of the Predator spyware, has shown far less activity since being sanctioned; observers see an impact on its operations but caution that it may be retooling.

🔒 Emergency patches now available for Juniper Networks routers vulnerability – Juniper released emergency patches for a critical authentication bypass (CVE-2024-2973) in Session Smart Router and Conductor deployments; users are urged to apply them promptly.

😓 TeamViewer: Hackers copied employee directory data and encrypted passwords data breach – TeamViewer attributes its breach to Russian state-backed APT29; employee directory data and encrypted passwords were copied from the corporate IT environment.

🦇 Exposing FakeBat loader: distribution methods and adversary infrastructure security research – Sekoia documents how the FakeBat loader is spread through malvertising, software impersonation, fake browser updates, and other social engineering schemes, and maps the adversary's infrastructure.

🍳 Vulnerabilities in PanelView Plus devices could lead to remote code execution vulnerability – Microsoft discovered and disclosed two vulnerabilities in Rockwell Automation PanelView Plus HMI devices, one allowing remote code execution and one denial of service.

🥅 Caught in the Net: Using Infostealer Logs to Unmask CSAM Consumers security research – Recorded Future used infostealer logs to identify consumers of child sexual abuse material on the dark web and passed the findings to law enforcement.

🫅 “RegreSSHion” vulnerability in OpenSSH gives attackers root on Linux vulnerability – CVE-2024-6387, a signal-handler race in sshd, allows unauthenticated remote code execution as root on glibc-based Linux systems, i.e. full system compromise.
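As an added triage aid for the entry above (not code from Qualys, the OpenSSH project, or this digest), the following Python classifies OpenSSH server banners against the upstream version ranges the advisory names and checks an sshd_config for the documented interim mitigation, LoginGraceTime 0. The banners and the sshd_config it runs on are constructed for the demo.

```python
"""Triage helpers for CVE-2024-6387 ("regreSSHion"): classify OpenSSH server
banners against the upstream version ranges in the Qualys advisory, and check an
sshd_config for the documented interim mitigation (LoginGraceTime 0).
Added example for this digest, not code from Qualys or the OpenSSH project.
The banners and the sshd_config below are constructed for the demo.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]  # (major, minor, portable release "pN"; 0 if no pN)

# Server identification string (RFC 4253): "SSH-protoversion-softwareversion [comments]"
BANNER_RE = re.compile(r"^SSH-\d\.\d+-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Upstream ranges from the advisory: releases before 4.4p1 (the original
# CVE-2006-5051 bug) and 8.5p1 up to, but not including, the 9.8p1 fix.
AFFECTED_RANGES = (((0, 0, 0), (4, 4, 1)), ((8, 5, 1), (9, 8, 1)))

DIRECTIVE_SPLIT = re.compile(r"\s*=\s*|\s+")  # sshd accepts "Key value" and "Key=value"


def parse_openssh_version(banner: str) -> Optional[Version]:
    """Return the OpenSSH version in a banner, or None if the server is not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable) if portable else 0)


def assess_banner(banner: str) -> str:
    """Classify a banner as 'not-openssh', 'outside-affected-range' or 'possibly-affected'.

    'possibly-affected' is deliberately weak: distributions backport the fix without
    changing the upstream version in the banner, so a hit must be confirmed against
    the installed package's changelog (and the OS: the advisory is about glibc Linux).
    """
    version = parse_openssh_version(banner)
    if version is None:
        return "not-openssh"
    for low, high in AFFECTED_RANGES:
        if low <= version < high:
            return "possibly-affected"
    return "outside-affected-range"


def login_grace_time_is_zero(sshd_config: str) -> bool:
    """True if the effective LoginGraceTime is 0, the advisory's interim mitigation.

    sshd honours the first occurrence of a keyword, so later duplicates are ignored,
    and lines inside a Match block are skipped (LoginGraceTime is not valid there).
    Setting 0 removes the timeout whose signal handler the race lives in, at the
    price of letting unauthenticated clients hold MaxStartups slots open.
    """
    in_match_block = False
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = DIRECTIVE_SPLIT.split(line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match_block = True
            continue
        if in_match_block:
            continue
        if keyword == "logingracetime":
            return value == "0"  # first occurrence wins
    return False  # compiled-in default is 120 seconds


SAMPLE_BANNERS = [  # constructed
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-2.0-dropbear_2022.83",
]

SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
LoginGraceTime=0
Match User backup
    LoginGraceTime 30
"""

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner:45} -> {assess_banner(banner)}")
    print("LoginGraceTime 0 set:", login_grace_time_is_zero(SAMPLE_SSHD_CONFIG))
```

The Ubuntu banner in the sample is the kind that trips a version-only scanner: the distro suffix after the upstream version is where the backport status lives, and this script deliberately ignores it, so treat "possibly-affected" as a work item, not a finding.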

🩹 Splunk fixed tens of flaws in Splunk Enterprise and Cloud Platform vulnerability – Splunk fixed 16 vulnerabilities in Splunk Enterprise and Cloud Platform, including high-severity remote code execution flaws.

💔 Secret Network Access Broker x999xx – Krebs on Security cybercrime – Krebs identifies x999xx, a Russian access broker who trades network access, databases, and stolen data. Reached by email, he acknowledged the identity, denied any interest in harming healthcare institutions, and operates without apparent interference inside Russia.

🗃️ Attack Cases Against HTTP File Server (HFS) (CVE-2024-23692) security research – A remote code execution vulnerability in Rejetto HTTP File Server (CVE-2024-23692) is being used to compromise exposed servers, install malware, and establish backdoors.

🌍 Europol and pals band together in Cobalt Strike disruption security news – In a week-long action named Operation Morpheus, Europol and partners disrupted nearly 600 IP addresses hosting unlicensed copies of Cobalt Strike.

😸 Kimsuky Group’s New Backdoor Appears (HappyDoor) security research

🤖 New Golang Zergeca Botnet appeared in the threat landscape malware – Zergeca, a new Go-based botnet, performs DDoS attacks and also offers scanning and reverse-shell functionality.

🥧 Supply Chain Attack: Censys detected 384,773 hosts still embedding a polyfill JS script linking to the malicious domain security research – Censys identifies 384,773 hosts still embedding a polyfill script that loads from the malicious domain, including pages of major platforms and websites.
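The Censys count above comes from internet-wide scanning; the same check on your own pages or templates is a static scan for script and preload references to the poisoned domain. The Python below is an added example for this digest, not Censys code. polyfill.io is the domain named in public reporting on this incident, and the HTML it runs on is constructed for the demo.

```python
"""Find <script src> and <link href> references to a domain named in a
supply-chain compromise: the static check behind the Censys host count above,
run against your own pages or templates. Added example, not Censys code.
polyfill.io is the domain named in public reporting on this incident; the
HTML below is constructed for the demo.
"""
from html.parser import HTMLParser
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

SUSPECT_DOMAINS = {"polyfill.io"}  # apex and every subdomain, e.g. cdn.polyfill.io


def host_is_suspect(url: str, suspect_domains: Iterable[str] = SUSPECT_DOMAINS) -> bool:
    """True if the URL's host is a suspect domain or a subdomain of one.

    Protocol-relative URLs ("//host/path"), common in templates, are handled;
    lookalikes such as notpolyfill.io are not matched because the comparison is
    on a label boundary, not a substring.
    """
    if url.startswith("//"):
        url = "https:" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in suspect_domains)


class ExternalRefCollector(HTMLParser):
    """Collect (tag, url) for every <script src=...> and <link href=...>."""

    ATTR_FOR_TAG = {"script": "src", "link": "href"}

    def __init__(self) -> None:
        super().__init__()
        self.refs: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTR_FOR_TAG.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value.strip()))


def find_suspect_refs(html: str) -> List[Tuple[str, str]]:
    """Return the (tag, url) pairs in the document that load from a suspect domain."""
    collector = ExternalRefCollector()
    collector.feed(html)
    collector.close()
    return [(tag, url) for tag, url in collector.refs if host_is_suspect(url)]


SAMPLE_HTML = """\
<html><head>
<link rel="preload" as="script" href="https://cdn.polyfill.io/v3/polyfill.min.js">
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
<script src="https://notpolyfill.io/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>
"""  # constructed: two references via cdn.polyfill.io, one via the apex, three clean

if __name__ == "__main__":
    for tag, url in find_suspect_refs(SAMPLE_HTML):
        print(f"{tag:6} {url}")
```

A static scan only sees what is in the served markup; a first-party script can inject the same tag at runtime, so pair the scan with a Content-Security-Policy script-src allowlist that does not include the domain, which blocks the load however it is introduced.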

🪶 Apache fixed a source code disclosure flaw in Apache HTTP Server vulnerability – Apache fixed a source code disclosure vulnerability (CVE-2024-39884) in Apache HTTP Server; users are urged to upgrade promptly.

CISA Corner

🏭 CISA Releases Seven Industrial Control Systems Advisories vulnerability – Johnson Controls, mySCADA, ICONICS, Mitsubishi Electric

🛜 Juniper Networks Releases Security Bulletin for Junos OS: SRX Series vulnerability – Juniper Networks issued a security bulletin for Junos OS: SRX Series to fix a vulnerability leading to denial-of-service.

⚠️ CISA Adds One Known Exploited Vulnerability to Catalog – Cisco NX-OS warning – CISA added CVE-2024-20399, a command injection vulnerability in the Cisco NX-OS CLI, to its Known Exploited Vulnerabilities catalog, emphasizing the need for prompt mitigation.

While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.


from Tai Lam in Science

Ever since Jitsi required signing into an account (from Google, Microsoft, or GitHub) in August 2023, things haven't been the same.

Techlore made a video about this situation when it happened in 2023.

There was a suggestion for Jitsi (or, for that matter, any widely used service) that has never been capitalized on: use SimpleLogin as a single sign-on (SSO) provider.

Taking a look at its documentation, this seems possible. However, I don't have experience deploying server software like this, so I can't say for sure how well it all works. Everything else from SimpleLogin seems solid, though; its work was good enough for Proton to acquire SimpleLogin back in April 2022.
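What a service like Jitsi would have to implement to offer "Sign in with SimpleLogin" is the relying-party half of an OAuth 2.0 / OpenID Connect authorization-code login. The Python below is an added example, not SimpleLogin's or Jitsi's code. The endpoint paths are assumptions to be confirmed against SimpleLogin's documentation; the client id, redirect URI and the callback URL are constructed, and the token exchange, which needs the network, is described in a comment rather than performed.

```python
"""Relying-party side of an OAuth 2.0 / OpenID Connect authorization-code login
with PKCE (RFC 7636) and a state check: what a service would implement to offer
"Sign in with SimpleLogin". Added example, not SimpleLogin's or Jitsi's code.
The endpoint paths are assumptions to confirm against SimpleLogin's docs; the
client id, redirect URI and callback URL below are constructed. The token
exchange needs the network and is described, not performed.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit

ISSUER = "https://app.simplelogin.io"          # assumption
AUTHORIZE_URL = f"{ISSUER}/oauth2/authorize"    # assumption
TOKEN_URL = f"{ISSUER}/oauth2/token"            # assumption; POST code + code_verifier here


def b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes encode to 43 unreserved characters, inside RFC 7636's 43..128."""
    return b64url_nopad(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


@dataclass
class PendingLogin:
    """Server-side record kept (e.g. in the session) between redirect and callback."""
    state: str
    code_verifier: str
    nonce: str


def start_login(client_id: str, redirect_uri: str, scope: str = "openid email"):
    """Create the per-login secrets and the URL to redirect the browser to."""
    pending = PendingLogin(
        state=secrets.token_urlsafe(32),        # binds the callback to this browser session
        code_verifier=make_code_verifier(),     # proves the token request comes from us
        nonce=secrets.token_urlsafe(16),        # must reappear in the ID token
    )
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": pending.state,
        "nonce": pending.nonce,
        "code_challenge": code_challenge_s256(pending.code_verifier),
        "code_challenge_method": "S256",
    }
    return pending, f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(callback_url: str, pending: PendingLogin) -> str:
    """Validate the redirect back from the provider and return the authorization code.

    Raises ValueError on a missing or mismatched state (possible login CSRF) and
    PermissionError if the provider reported an error. The caller then POSTs
    code, redirect_uri, client credentials and pending.code_verifier to TOKEN_URL
    and checks that the returned ID token's nonce equals pending.nonce.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise PermissionError(query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), pending.state.encode()):
        raise ValueError("state mismatch: callback does not belong to this login")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


if __name__ == "__main__":
    # constructed relying party and callback
    pending, url = start_login("my-client-id", "https://meet.example/oidc/callback")
    print("redirect to:", url)
    fake_callback = f"https://meet.example/oidc/callback?code=abc123&state={pending.state}"
    print("authorization code:", handle_callback(fake_callback, pending))
```

The state check is what stops an attacker from logging a victim into the attacker's account by planting a callback URL, and PKCE is what makes a leaked authorization code useless without the verifier that never left the server.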

(Also SimpleLogin's documentation site needs to enable the option to change the UI color theme from light to dark — I know this is possible for MkDocs in almost every other instance of MkDocs I've encountered.)

I'm really hoping more services allow SSO via SimpleLogin, as I'd be ok with signing into Jitsi with SimpleLogin.


from Tai Lam on a Bike

My biking group is especially interested in DEI (diversity, equity, and inclusion) – though TBH we're already busy enough on the daily that this is sort of a back burner item.

Unironically, I was sort of peeved the whole month of May 2024, as May is Bay State Bike Month in Massachusetts, and I was sort of unintentionally agitated by others even before May started.

I had a time conflict with this year's Bay State Bike Month Kick Off, and everyone from my group was probably looking at me strangely for not going into Somerville on April 28th for an objectively amazing opportunity to engage in traditional professional networking, but actually good (unlike the networking in physics or electronics manufacturing). (Keep in mind that the actual kick-off wasn't even within May, the calendar month proper.)

They meant well (and I'm not trying to self-gratuitously toot my own horn), but little do they realize that at certain moments, such as during this time conflict, I am literally the smallest and weakest link keeping our organization together, much like in that XKCD comic about software dependencies.

Anyways, the whole month of May passes by. Only when it's in June do I accidentally stumble upon MassBike's current YouTube channel and randomly watch MassBike's kickoff webinar (which was later uploaded onto YouTube), which actually was on May 1st of this year (as far as I can tell).

Marley Blonsky from All Bodies on Bikes led the webinar. I actually learned a lot about how to run a bike ride in general.

I learned that in our usual stomping grounds we don't see many hills, but that's not true of Massachusetts in general. We can also be more precise in how we define (or at least attempt to qualitatively describe) how fast a ride is, and decide how and why we should drop riders. (We do drop riders, but it's usually self-evident that this should happen, and there is a ride marshal who can help those who are dropped find their way back.)

Lastly, we can always hone our ability to have the ride marshals work in unison. I never considered having multiple ride sweeps a sane idea until Marley said this is a practice used on rides she's been on. I had toyed with the idea, but only philosophically, as a mental exercise. Logistically, it can be tough for us to even have enough marshals to keep the rider-to-marshal ratio low enough, but even these high-level descriptions and pointers on how to marshal a ride were very helpful. Also, other than special rides, we usually stay well below 50 riders, including the marshals.

(Honestly, people should write about this topic more often and talk about it more often, because the audience who needs to hear about these tips and tricks aren't obtaining enough of this content.)

There were even mentions of topics that weren't discussed in depth, such as making cycling caps fit hairstyles not historically included in biking (such as dreads).

Anyways, I guess it's too late to order this year's T-shirt, right? (I wish this was a rhetorical question.) Anything that reminds me of the yellow of Utopia Series 1 brings me strange joy.

Here are some links of other items shown/mentioned during the MassBike webinar:

  • All Bodies on Bikes short film
    • Vimeo, the objectively higher quality video way
    • YouTube, the more common way
  • “Ride Buddies Ep. 4 – Marley Blonsky and Shequaya Bailey” on YouTube
    • Wait, Ride with GPS runs a YouTube show?
  • Maintenance Phase podcast episode on BMI

from Tai Lam in Science

I have to use Slack for part of my volunteering life. I have at least figured out a way to live with Slack on desktop with Ferdium.

Ferdium is open source, with its code on GitHub. It uses per-service "recipes" to act as a Swiss Army knife of a desktop application. Some of the services Ferdium supports are ones I wouldn't use through it, because they have native first-party clients or better third-party ones: Bitwarden (which has native clients) and Proton Mail (my uninformed opinion is that I trust ElectronMail, a Proton Mail-specific application, more on software security than Ferdium, a catch-all client for many services).

It would be interesting to get some of these services working, such as Snapchat, Discord, and TikTok, but that's for another time. (Also Discord and TikTok would probably work if I didn't use a VPN for more than 95% of the time and Tor for the last 5% of the time.)

The full list of recipes can be browsed through on GitHub. (Sorry, there isn't a better way to browse all available Ferdium recipes, as of July 2024.)

So, Ferdium works great with Slack. On one hand, no one seems to be talking about using Ferdium as an open-source client for Slack. On the other hand, every other purpose-built open-source desktop client for Slack seems to have stopped any development around 2020. I know that Ferdium is, in very rough terms, basically acting like a browser and letting users sign into Slack via that method. However, Ferdium has let me use Slack more easily on desktop in a manner that is more bearable than installing Slack's proprietary client from the AUR. I would not be using Slack as much as I need to without Ferdium — I would rather unlock Ferdium with a local password than to have to explicitly remember to use the “sign in with password” method when I log into Slack via browser.

(Except on very rare occasions, I use private browsing mode almost all the time so that I don't stay signed in, so previously I had to log in and go through Slack's TOTP-based 2FA every time I needed to check Slack. Slack's e-mail notifications are also not very reliable and don't catch everything that happens.)

Now, if we could just migrate from Slack to even hosted cloud Zulip (that would be free for registered nonprofits), then that would be really nice...

Also, there is no equivalent of Ferdium on Android yet. (Ferdium can log into Zulip, but I'd prefer the first-party Zulip client for Zulip.)


from Tai Lam on a Bike

Assume you have a fulfilling volunteer life and you are connected in the community you are a resident of (which is not true for most in corporate America — yes, think of the film Fight Club). This is so that you have a scientific control baseline to compare against your test baseline.

It is time to leave your job if your volunteer life unironically fulfills more of your own professional goals and gives you legitimate professional skills than your actual day job.

This is probably a bit ironic, but I told myself I wouldn't be arrogant enough to name rules and empirical laws after myself, like in physics and math. Yet here I am.

I've already named a rule of thumb after my ad hoc method for buying electronic accessories or components in Micro Center (that rule is: the cheapest item that gets the job done is the correct one). So, I'll name this one after myself: Lam's Test for leaving a job.

(Martin Yates in his job search books wrote that you should change your job when you can no longer advance enough in your current position every 6 months. Ignoring how to define “advance enough” and whether or not 6 months is too short or long of a characteristic time period as an overall critique, this is an objectively much more precise and accurate rule of thumb than my rule of thumb.

I am aware that Yates is potentially writing for readers who may aspire to climb pretty high to ultimately join the senior management or “C-suite” of various organizations, but I still found his advice pretty solid. My “law” should be more of a corollary than a law of observation, an additional alarm to the one detailed by Yates.)

I got to a point in my “professional career” where I literally was doing volunteer community work “for free” and was developing actual and very real professional skills further than I ever could in my prior day job.

Well, I'll save the rest for a more suitable environment and receptive audience that isn't the public internet.

So, don't expect any actual professional job advice here.


from Tai Lam in Science

I attended an event for the NASA PATHS BIPOC STEM Storytelling Program on June 25, 2024 — and I have some thoughts.

(I have some other thoughts I shall share in the future, but those will be for a different audience and purpose.)

I've never taken on a mentorship role in college STEM (whether that be rising undergrad or current undergrad students), but when I think about the event I am now aware that I am fully capable of this.

My thoughts are sort of related to how most think about the question, “What would you say to your younger self?”, but not really. That is usually motivated by what one would do differently in a different timeline or whatever. It's different for me. I'm here to clear up somewhat understandable misconceptions.

You have less time in undergrad than in high school.

The cynical part of me lingering from my misanthropic time in high school would sarcastically react with, of course — are you stupid?!?

However, a part of me really did believe that I'd have more time to explore extracurriculars in college, yet somehow put an extremely low ceiling on extracurriculars in high school. Back then, I viewed them as basically time wasters and only did enough to “have something” when I applied to undergrad, keeping extracurriculars at arm's length. Why should I go to a basketball game?

Well, in college, you're completely on your own. At the very least, times for class and extracurriculars in high school are basically mutually exclusive. You're not going to have time to watch any athletic games in college when your 4pm-5pm freshman physics lecture is at the same time as most home games.

Is the set of sports not your cup of tea? Then fill anything else in place of sports.

That attitude of “doing enough extracurriculars to get into college” is disposable in a very Machiavellian way, because that point of view implicitly assumes undergrad is the ultimate endgame and nothing else. I certainly hope not: not only because undergrad almost never is IRL, but because the implications, if that were true, would be that life in general is pretty meaningless. Pragmatically, undergrad is the road that leads you either to work, or to a layover in grad or doctorate school before work. (For some of you out there, you might never need undergrad studies to find your life success, and I'm not saying that carelessly; the state of higher education is drying up rather quickly after the Great Resignation.) For pragmatic and sincere philosophy, I hope you have something more going for you than a college degree, because for those who have made it here and are more than capable of graduating, your degree doesn't matter: your connections matter. No, I don't mean “connections” as used in conventional professional networking.

Your time doing extracurriculars (such as, but not limited to: clubs, sports of any level, volunteering, a cultural club or center, and honor societies) is what makes your college experience unique. Not just for your CV or résumé (though you had better be able to put something down from doing co-ops and have at least 2-3 professors who can write you strong recommendation letters by the time you graduate, or you'd better ask your college for a refund), but for your own self-development. If there isn't some long-term commitment from college that you can be proud of yet that won't necessarily go on your résumé, then you haven't had a complete undergrad experience (and that could also be grounds for demanding a refund from your college, at least according to pragmatic philosophy).

Your mileage may vary when it comes to what college you're admitted into for undergrad. If you're attending a historically commuter undergrad college, I feel you. It's not gonna be easy, but you need to find “your people” that you can connect with. Everyone is different, but you should at least know of one psycho-emotional place in spacetime where you can take a break from those in your declared major. (Little did I know back then how large this manifold actually is...)

(Meanwhile, my alma mater somehow believes that its commuter students are in the minority regarding student body demographics post-COVID, when. Let me paraphrase Rorschach's quintessential prison scene quote from Watchmen: the commuters aren't guests among the dorm students of my alma mater — the dorm students are the actual guests living in the world of the commuters, and the commuters have collectively and benevolently allowed the dorm students to stay.)

In high school, one can get by through the process by telling themselves that they are forced to attend school. In college, you are here by choice (at least according to Socratic stoicism), so you should act accordingly.

By the time I pieced this all together, I realized I never attended an athletic game. However, I did find my group of people that I could connect with — almost too late, to be honest.

If you're in high school and you're the type of person that would find themselves at the PATHS event I attended; then understand this: go to that sports game. Go to that yearbook club meeting. Go to that end-of-the-season celebration for cross country running. Stop telling yourself you don't have time when you're gonna go home and watch TheRadBrad playthroughs or scroll on Tumblr (or whatever Zoomers doom scroll on now), and still have your.

Despite all of its downsides compared to college, at least most extracurriculars and class times in high school can't overlap.


from Psychomancer

“I can already tell it wasn't good news,” Peter said, obviously reading my down-turned eyes and lack of smile, perhaps the color of my cheeks. “Usually, when you come back, you're bubbly,” he added. “But you look like you are about to tell me my cat has cancer.” Peter was plump, like me, with the hint of an East Coast accent and constant twinkle in his eyes. He was also invisible when looking The Other Way. Not just to me, but to everyone and everything. As an empath, having a friend I cannot read is delightful. And he was right, it wasn't good news, but not all bad, either. He leads the way, in silence, to my study where light refreshments are waiting. We sit side-by-side on the antique sofa, where I've often slipped from my body into the æther. But the trip I just took required a more controlled and thoughtful environment. I grip Peter's hand, “They showed me quite a bit.” “Was Saffron there?” he asks. I snicker, “Why do you call her that?” He shrugs, “'Saffron' seems to match her essence and I can't pronounce a string of animated, hyper-dimensional ideograms.” “Yes,” I say. “She was waiting for me at the Carnival.” I take a deep breath and exhale slowly. “Do you want the bottom line or the whole story?” I ask. Peter just raises an eyebrow. “'Whole story' it is, then.”

The sky was a kaleidoscope of pinks, purples, and colors I can't describe, rotating, folding, emerging. It's always breathtaking. But they created the Carnival for me to have a familiar place to walk, to anchor my perception. They know me and treat me with some level of respect afforded to those who pass their tests. She knew why I was there. They always know. She was shorter than me, humanoid but shaped like a bowling ball with pale / grey / ashen / luminescent skin and blue / black / red hair in a pony tail / pixie cut. She gave me cotton candy flavored like dreams. “You must / will ask / plead / already know,” she said. “How can we stop it? How can we save ourselves from the hatred fueling the move toward authoritarian fascism?” I asked. “You cannot / will not / must not / could never / not your fault,” she told me. With a gesture, she showed me how far back it goes, how helpless we are against the sins of our ancestors and our descendants. The flood of information, pictures, sounds, words, entire histories was far too much for a human mind to comprehend. But I've been here enough times to know the rules are different. I was able to “slow it down” and comprehend what she was telling me. The world we live in is based on slavery, colonization, conquest, manufactured inequality, and brutality. She showed me versions of earth where there was no Inquisition, no Alexander the Great, no Genghis Khan, no British expansion, no slavery, no extermination of natives, no treating one human as less than another for reasons beyond their control. Thousands of variations. Millions of possibilities. They created worlds unrecognizable. Certainly you and I did not exist, but neither did the countries we know, the languages, the technology. They were so far removed from here as to be fantasy. And they were the only worlds that did not succumb to this culmination of hatred. She showed me as far back as the founding of the United States that it was already too late. 
All we can do is shift the timeline. There are some things mankind must experience so that we do not forget what we are capable of.

“I'm sure that's not where she left it,” Peter interrupts. “They don't do that.” I nod, “True, but it's not much better.” “I have privileges. The privilege of generational wealth, the color of my skin, a home that is paid for, the ability to see other people's truths before they do.” I squeeze Peter's hand, “Friends I can trust and lean on.” “Being an out lesbian pagan puts me at risk, but I can protect myself,” I say, adding only in thought, “for now.” I lower my head, “She suggested I bolster our defenses and, along with everyone else, experience humanity seeing itself as it really is.” “She said we must acknowledge and confront what we are in order to become what we might be.” “She reminded me that I have been spared the violence that murders and marginalizes people for their gender or the color of their skin or the deity they worship or any uncontrollable circumstance of their birth. I have been immune to the violence inflicted on others for not being male and heterosexual because of my privileges.” I turn and hold both Peter's hands. He can see the change on my face because he smiles and nods for me to continue. He knows I have a plan. “I want to work with Doug and Eric, even Emma and Eunice to turn our shared acreage into an official sanctuary, fully warded and protected. We'd need your expertise with runes, obviously.” Peter chuckles, “If we can't save everyone, we'll save who we can?” “For starters,” I say, grinning. Peter squints and I can tell he's working it out, thinking about the specific connections, knowledge, skills, talents, and resources of each of my neighbors. The psychedelic techbro, the lycanthrope luddite, the conspiracy theorist empath, the bitter faeries living in my garden, the sacred space we all maintain and respect. “We're gonna organize a resistance,” he says flatly. I'm beaming, slowly nodding, “We are going to organize a resistance.”

#Psychomancer #Writing #ShortFiction #Writer #Writers #WritersOfMastodon

CC BY-NC-SA 4.0 This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License


from Tai Lam in Science

I am adapting correspondence to blog post form.

I learned a lot (over time, not immediately) by following the “Commit message guidelines” section in Qubes OS's coding style guide (and the whole “Coding style” page in general).

This has really improved my (very minor, mostly non-technical) contributions, and prepared me for working with Git in Northeastern's Align Master's program in Cybersecurity in fall 2024.

Some other related documents from Qubes OS are:

  • Its page on “How to edit the documentation”, and
  • Its page for “Documentation style guide”

I hope this can be a starting point for guiding other programmers on how to navigate contributing to open-source projects. Of course, other projects will be different from the Qubes OS project, though the conceptual procedure is the same: find out if a project has contribution guidelines, and then follow its ground rules for a smooth, streamlined (hopefully) helpful and productive experience.


from Psychomancer

I sat in cold darkness, the bare basement concrete replacing the cave where I first made contact. The single candle's light like water on the walls. The knife had been consecrated under the new moon and wrapped in black silk for 28 days. The cut on my arm burned but they called for sacrifice. The burning was but my life leaving, being transformed, offered. And the words I'd found. A language of smoke and steam, of cracking ice and glaciers sliding across continents. Speaking the words, if you can call it speaking, in the cold dark over a basin of my own blood, inside the carefully drawn symbols, I called upon the Shadows. The walls glistened and danced. And pushed into the room. My ears popped and began to ring. My teeth hurt. I smelled the sweet rot of organic compost. The air whistled and hummed. “Wise Umbral,” I asked, “Have I called you properly?” “You have,” the darkness answered. “Have I erred,” I asked. “You have not,” the shimmering shadows said. I felt a sting on my arm, where the bandaged cut was throbbing. “Does my offering please you?” I asked. The floor vibrates beneath me, like a tremor. “Yes,” the air replies. “Does my offering satisfy you?” I ask. Something like wet sand brushes against my injured arm. Wet. Cold. Siphoning heat. “For now,” it whispers. “For now,” even quieter. “I would know how to end the collapse of our nation into authoritarian fascism.” A breeze twirls around me, sniffing me, “Why do you care, little magician? You are protected.” “I made my offering, Great Umbral,” I say, swallowing hard. “I have performed the appropriate ritual,” I added. It is not a question. I feel a thump in my chest as if the density of the air itself was changed. “So you did,” the walls shake with the voice. “So you did,” it repeats in a conversational tone, adding, “I will tell you the truth.” A brief wave of nausea and dizziness wash over me. The thud of a great mass impacts in front of me. 
I cannot see it in the sparse light but the candle reflects off its oily surface shaped like nothing living. It squats before me. I can feel its icy gaze, the pull of its almost gravitational force against my soul. A sound like flutes, like bells. “I will tell you,” it says, in a voice like a man's. “You can do nothing but survive like the cockroach you are,” it begins, relishing the chance to remind me of my place. “Every course of action you can imagine will make no difference, even killing every single one of them. In fact, you'd only make things worse with your righteous fury. Worse, but not in a way that pleases us. We serve suffering and some things must simply be allowed to transpire.” I know they cannot lie, but they can mislead. But this I have never felt. It is not taunting me or challenging me. It is not teasing at answers just out of reach. It is not hinting a greater sacrifice might persuade it to divulge more. It has “sat” in front of me and addressed me in a man's voice. Is it smiling? I can feel its contentment. Its relief. I understand. Our plays at subterfuge, hoarding knowledge and truth, self-preserving power, blackmail, secrets. Answering our calls and asking only for blood. None of it matters to them. For they play a much longer game and we are less than pawns.

#Psychomancer #Writer #Writing #Writers #WritingCommunity #WritersOfMastodon #ShortFiction #ParanormalFiction

CC BY-NC-SA 4.0 This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License


from 📰wrzlbrmpft's cyberlights💥

A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!


🔒 Do you really need a VPN? (Brauchst du wirklich ein VPN?) privacy – German-language piece on whether a VPN is actually necessary for everyday privacy.

💔 Europe and Australia will both not break encryption! We’ve interviewed Patrick Breyer – the guy who coined the term Chat Control. privacy – The EU and Australia have both stepped back from legislation that would break end-to-end encryption; interview with Patrick Breyer, the MEP who coined the term Chat Control.

⚠️ Attacks against Austrian companies and organizations (Angriffe gegen österreichische Unternehmen und Organisationen) warning – DDoS attacks against Austrian companies and organizations.

News For All

🎵 Music industry giants allege mass copyright violation by AI firms security news – Music labels sue AI firms for copyright infringement in training data.

⛔ Watchlist Internet – Fake Ryanair support on X (Falscher Ryanair-Support auf X) warning – Scammers posing as Ryanair support on X reply to customer complaints, apologize for the inconvenience and ask for passenger details “for further checks”.

🚨 French police shut down chat website reviled as 'den of predators' cybercrime – French police shut down the chat website Coco over serious crimes arranged through it.

🐝 The inside view of spyware’s 'dirty interference,' from two recent Pegasus victims cybercrime – Activists and journalists targeted with Pegasus spyware describe the privacy violations and their determination to keep working.

👁️ Tagesschau commentary on chat control: outraged cluelessness (Tagesschaukommentar zur Chatkontrolle: Empörte Ahnungslosigkeit) privacy – Criticism of a public broadcaster's commentary on the EU chat-control proposal.

🔞 Lawsuit Claims Microsoft Tracked Sex Toy Shoppers With 'Recording in Real Time' Software privacy – Microsoft accused of tracking sex toy shoppers without consent.

💰 Predators steal additional $10M from crypto scam victims cybercrime – Scammers posing as lawyers defrauded earlier crypto-scam victims of a further $10 million in a year, preying on people already harmed to extract more payments.

🖲️ Organized crime and domestic violence perps buy trackers security research – Australian study reveals top tracker purchasers linked to organized crime and domestic violence, using devices to facilitate acts like murder, kidnapping, and drug theft.

🦠 If you're using code on your site – like 100,000+ are – remove it immediately malware – Malicious code injected via

🔓 ID Verification Service for TikTok, Uber, X Exposed Driver Licenses data breach – AU10TIX, an ID verification service for TikTok, Uber, and X users, exposed administrative credentials online, risking access to users' sensitive data like driver's licenses.

💸 US boosts reward for info on 'Missing Cryptoqueen' Ruja Ignatova to $5 million cybercrime – The US offers $5 million reward for information leading to the arrest of fugitive cryptocurrency fraudster Ruja Ignatova, indicted for alleged role in defrauding victims of over $4 billion in the OneCoin scam and missing since 2017.

⚖️ Julian Assange pleads guilty, leaves courtroom a free man security news – Under a plea deal, Julian Assange pleads guilty to one charge and receives a 62-month sentence he has already served, ending years of legal battles over WikiLeaks' high-profile leaks, including the 'Collateral Murder' video.

📚 Supply Chain Attack on Plugins Leads to 5 Maliciously Compromised WordPress Plugins malware

💻 How to manage deleted files on iOS, iPadOS, and macOS cyber defense – To permanently delete files on iOS, iPadOS, and macOS, make sure the deletion propagates to every device through iCloud sync: check the sync status, sync the apps involved, and enable sync on each Apple device.

Some More, For the Curious

⛑️ New cyberthreat research for SMB in 2024 security research – Small and medium businesses face rising cyberthreats that call for multifaceted cybersecurity measures.

💫 CISA confirms hackers may have accessed data from chemical facilities during January incident security news – CISA confirms potential data access from cyberattack on chemical facilities.

⚔️ Troy Hunt – The State of Data Breaches data breach – Challenges in disclosing breaches and notifying victims; bugbears with breach notifications.

🤪 I am Goot (Loader) security research – Cybereason investigates GootLoader, malware in the GootKit family used by UNC2565 for post-exploitation. GootLoader relies on SEO poisoning to reach victims, lures them with files masquerading as legal documents, and is believed to be financially motivated.

📊 Taking an Evidence-Based Approach to Vulnerability Prioritization security research – VulnCheck's blog argues for prioritizing vulnerabilities by exploit evidence: Known Exploited Vulnerabilities (KEV), weaponized vulnerabilities and vulnerabilities with public proof-of-concept (PoC) exploit code come first, with ransomware usage, botnet exploitation and observed threat actor activity as further considerations.
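As an added illustration of the ordering that summary describes (this is not VulnCheck's code or scoring; the tier order follows the summary, while the numeric weights, the field names and the sample records are my own assumptions), here is a small Python prioritizer that ranks constructed vulnerability records by exploit evidence first and uses CVSS only as a tie-breaker, next to a plain CVSS ordering so the two can be compared:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    """One vulnerability record. Fields mirror the evidence types the summary
    lists; the schema is constructed for this example, not a real feed format."""
    vid: str
    cvss: float
    in_kev: bool = False       # listed in CISA's Known Exploited Vulnerabilities
    weaponized: bool = False   # a reliable exploit is in use or in a toolkit
    has_poc: bool = False      # public proof-of-concept exploit code exists
    ransomware: bool = False   # observed in ransomware operations
    botnet: bool = False       # observed in botnet exploitation
    actors: int = 0            # distinct threat actors seen using it


def evidence_score(v: Vuln) -> float:
    """Tier order follows the summary: KEV > weaponized > PoC > no evidence.
    The numeric weights are assumptions chosen for illustration only."""
    if v.in_kev:
        tier = 30.0
    elif v.weaponized:
        tier = 20.0
    elif v.has_poc:
        tier = 10.0
    else:
        tier = 0.0
    # The "additional considerations" act as modifiers within a tier. Their
    # combined maximum (2.5) is kept below the tier step (10), so ransomware,
    # botnet or actor activity can never lift a record above one with stronger
    # exploit evidence.
    modifiers = 0.0
    if v.ransomware:
        modifiers += 1.0
    if v.botnet:
        modifiers += 0.5
    modifiers += min(v.actors, 5) * 0.2   # capped so actor count can't dominate
    return tier + modifiers


def prioritize(vulns):
    """Rank by exploit evidence, then CVSS as a tie-breaker; returns ids."""
    ranked = sorted(vulns, key=lambda v: (evidence_score(v), v.cvss), reverse=True)
    return [v.vid for v in ranked]


def by_cvss(vulns):
    """The severity-only ordering most scanners produce, for comparison."""
    return [v.vid for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


# Constructed sample records with hypothetical ids (not real CVEs).
SAMPLE = [
    Vuln("VULN-A", cvss=9.8),                                  # critical, no evidence
    Vuln("VULN-B", cvss=7.5, in_kev=True, ransomware=True),    # KEV + ransomware
    Vuln("VULN-C", cvss=8.1, weaponized=True, botnet=True),    # weaponized + botnet
    Vuln("VULN-D", cvss=6.5, has_poc=True),                    # PoC only
    Vuln("VULN-E", cvss=9.1, in_kev=True, actors=2),           # KEV, two actors
]

if __name__ == "__main__":
    print("evidence-based:", prioritize(SAMPLE))
    print("cvss-only:     ", by_cvss(SAMPLE))
```

The point the comparison makes is that the CVSS 9.8 record with no exploit evidence drops to the bottom of the evidence-based list, while the CVSS 7.5 record that is in KEV and tied to ransomware moves to the top. In a real deployment the boolean fields would be populated from a KEV feed and exploit intelligence rather than set by hand.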

☃️ Snowflake isn’t an outlier, it’s the canary in the coal mine security news – Recent attacks on Snowflake were a result of stolen credentials originating from infostealers, highlighting an industry-wide shift towards identity-focused threats; extensive use of credentials from phishing, infostealers and insider threats; the importance of protecting data with MFA; emphasis on rapid response to infostealer infections, password resets, and secure credential storage.

👹 Global Revival of Hacktivism Requires Increased Vigilance from Defenders security news – Mandiant observes a resurgence in hacktivism involving complex tactics, including intrusion, information operations, and physical world tampering.

👃 LockBit group falsely claimed the hack of the Federal Reserve ransomware – The LockBit ransomware group falsely claimed to have hacked the US Federal Reserve when in fact the victim was Evolve Bank & Trust. Media outlets reported that the Federal Reserve had previously penalized the bank for deficiencies in risk management, anti-money laundering, and compliance practices.

🪟 TeamViewer responds to security 'irregularity' in IT network security news – TeamViewer detected a security 'irregularity' in its corporate IT environment, prompting an immediate investigation and implementation of remediation measures. The company downplays the incident, asserting that the product environment and customer data remain unaffected.

🎑 Sustaining Digital Certificate Security – Entrust Certificate Distrust security news – Chrome to distrust some Entrust certificates due to compliance failures.

🧋 TeamViewer says Russia broke into its corp IT network security news – Russian cyber-spies breached TeamViewer's corporate IT network, contained to non-production systems, no customer data accessed.

🏎️ Supply-chain ransomware attack cripples thousands of car dealerships cybercrime – A ransomware attack by the BlackSuit gang targeted CDK Global, a platform widely used by car dealerships, leading to system shutdowns and disruptions in business operations.

🩻 Mitigating Skeleton Key, a new type of generative AI jailbreak technique security research – Skeleton Key, a new type of generative AI jailbreak technique called Explicit: forced instruction-following, bypasses guardrails in AI models, enabling the production of harmful content. Microsoft discovered and mitigated this vulnerability with Prompt Shields.

❄️ Russia's Midnight Blizzard stole email of more Microsoft customers security news – Microsoft warns more customers of email theft by Russia-linked Midnight Blizzard hacking campaign. Incident response team reaching out to customer administrators to provide a secure portal to view stolen emails from the cyberespionage group.

🔍 Google will address Android’s Find My Device network issues ‘over the coming weeks’ security news – Google addressing issues with Android's Find My Device network.

CISA Corner

🔐 CISA Releases Two Industrial Control Systems Advisories security news

🔒 CISA Adds Three Known Exploited Vulnerabilities to Catalog security news

While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.


from JR DePriest

I'd reached an accord with the spiders. I'd invited them into my corner of the Dreamlands and built them a playground, per their specifications. Crevices, overhangs, shadowy corners, boxes upon boxes, a leaky pipe, piles of clothes, abandoned cupboards, attic full of furniture and old books, a nightmare house all to themselves. And if the occasional dreamer stumbled upon it, even better. So they acted as my protectors in the Gloam instead of mere watchers or worse, tormentors. They were completely unaware of the “side passage” I was seeking to the Fugue, the place just between dreams and wakefulness. I was determined to ask The Hat Man, something they advised me against. Repeatedly. Nothing was worth what it might cost, they told me. The Hat Man does not have friends among humans or see them as equals. Even Dreamers are beneath Him. We are nothing but toys. And He enjoys breaking His toys. The spiders were afraid of Him even as they swarmed at His call to suck on the juices of his cast-offs and conquests. I appreciated their concern. Truly, I was touched by it. But, I needed to find Him. Again. I had seen Him. Once. At 600 mg, when the walls vibrated until they were transparent and He was there, on the other side, watching. I wasn't deep enough to make contact. I couldn't even see His eyes. But. When I was growing up, the back yards in our neighborhood, on my side of the street, all shared a low spot in the far back, by the fence-line. When it rained, water rushed down that trough like a river. Sometimes, we'd catch earthworms that came up to avoid drowning. We'd collect them in a big bucket and play with them until the rain stopped. Then we'd dump them back out on the mud. When The Hat Man looked at me with eyes I could not see, for just a moment, I was a struggling worm, fleeing for my life, being plucked up and dropped in a foreign place surrounded by the screams of my peers. For just a moment. Then I was dumped back into my bedroom. 
The spiders covered me in their warmth, eight times a thousand clawed feet massaging me in comfort. Still, I shivered. That was the Thing I was going to convince to help me? I was like garbage to It, like dust. This place, the Gloam, was not the Dreamlands and all my learned skills were muted or easily wiped away.

But, I had to try. I am trying.

At 750 mg, tonight, right now, the walls drip black stinking ichor, like a busted septic tank oscillating in the static of a scrambled cable channel. “You think you're the smartest motherfucker in the world,” my stepdad calls out to me. He hasn't been part of my life in decades, but he calls out all the same. “And you can't even find the Fugue – get out here you stupid faggot – bring me a beer before I come in there – don't make me come in there” I'm twelve years old again. I want to hide in the closet. I want to cry quiet tears. I want to climb a tree. Instead I pick up my hunting knife, the one I inherited, the one that's tasted blood, that's been honed and sharpened. I stand and the floor sucks me in, sinking me up to my knees. Mud. Sucking and plopping as I trudge forward. The spiders have fled, replaced by hostile snakes, flicking their tongues, rattling their tails. Darting their heads to force me to the wall. Not the door. Not the closet. To the wall with the mirror. I accidentally look at my reflection. I know I shouldn't. I try not to, but I can't blink, can't turn away. Twitching muscle, exposed nerves, dripping blood as my skin is flayed by the air like a million tiny razor blades, and the mud a seeping infection. I can't scream. I swing the knife at the mirror and am pulled through, tumbling in cold, stale air. Landing on black obsidian. You never stood up for yourself. It's my own voice. Inside my head. You could have saved him, you know. If you really believed. No. Not in my head, spinning around me, close, invisible. Stand up. Don't be a baby. Stand up! On my knees, I see Him. The Hat Man. He's right next to me. He's impossibly far away. A living shadow, like a charcoal smudge on reality with two empty white sockets for eyes and no other features save the tell-tale hatlike shape. I told the kittens how warm it was under the hood. I unlocked the gate for the bike thieves. I helped them dig up the grave and took the first bite.
Sometime in the next month, I'm going to crash your car. Why did you want to be known to me? In a few years, less than a dozen, you will be diagnosed with Stage 2 cancer. I know who your soulmate is and I've already poisoned her against you. You wear glasses now but your eyesight will continue to get worse until you are legally blind, just like your aunt, far before your time. I am the reason mosquitoes seek you out. I gave you the choice and you did what I wanted. Time doesn't work like that for you. Here. Defend yourself. My own voice has been circling me, taunting me, saying so much overlapping, blending together, backwards and forwards. He is telling the truth. In my own voice. I tense and call upon Dream Logic long enough to float into the air, upright and a few inches off the ground. I reach out to push Him away. To bring Him closer. But He stays everywhere in between. I lift my hands to call lightning but my fingertips only drip with tar. “I just want my night terrors back,” I squeak. “I just want to see them again.” Now that I know you, I have always known you. My joy, my sustenance, is your misery. Not pain. Not loss. Not anger. But deep longing, unquenchable regret, languishing indecision. You should have died when you cut yourself so deeply in secret shame, but I saved you. I saved you so I could enjoy your suffering. I will always save you when there is more hope I can siphon and dreams I can shatter. Only when there is nothing left will I let you take your own life. And you will. You already have. I suddenly feel the knife in my right hand. It was there the whole time. I hold it up. The shining steel reflecting non-existent light, glinting to remind me of its reality. I swipe toward The Hat Man but He is nowhere. The blade leaves a rainbow trail of light in its wake. I try again. He is always ahead or behind. And again. He isn't even laughing or taunting. He just is and then isn't and then is again. 
I remember what I know of The Shadow Things that The Hat Man seems to rule. I look at my left palm, flexing my fingers, before stabbing myself with the knife. Pain, like ice, then fire. My blood swims out as writhing tentacles, reaching toward The Hat Man. Then an explosion in all directions, faster than I can see. Pulling my essence along. I feel the walls and ceiling all at once. Smaller than it seemed. Is The Hat Man even here? Was He ever? A presence like a bug. Like a projection or a speaker. A knob, a protrusion. My body of blood tentacles grips it, pulls it from the wall. And crushes it. I'm on my back, naked, covered in sweat, lying on top of my comforter back in my bedroom. My left hand throbs, oozing thick blood. My throat is so raw I can scarcely swallow. I feel as if nails are being driven into my temples. I'm crying. I hear the spiders scurry, but the now opaque walls no longer move. The floor appears solid. I see myself as expected in the mirror.

The lukewarm shower calms my nerves, my breathing. But I still hear my own voice asking me why I wanted to make myself known. Does He even have a voice of His own? As the cut on my hand clots exceptionally fast, as my headache clears, I know I am seen. I am known. From cradle to grave.

#WhenIDream #Dreams #Dreaming #Dreamlands #Writer #Writing #Writers #WritingCommunity #ShortFiction #Fiction #Paranormal #TheHatMan #TheGloam #ShadowPeople #ShadowThings #NightTerrors #SleepParalysis #HypnagogicHallucinations

CC BY-NC-SA 4.0 This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License