Conversation

Notices

1. ≠ (amerika@annihilation.social)'s status on Monday, 07-Oct-2024 02:19:22 JST ≠

   • sj_zero
   • cjd
   • h4890
   • Three-alist 🌲
   • pistolero
   @threalist @sj_zero @p @cjd @h4890
   
   I work with an infosec-related website and am looking for articles on why infosec, the internet, and "hacking" are bullshit these days to use in content for the site. Any ideas?
   • djsumdog (djsumdog@djsumdog.com)'s status on Monday, 07-Oct-2024 02:19:21 JST djsumdog

     in reply to

     • sj_zero
     • cjd
     • h4890
     • Three-alist 🌲
     • pistolero
     I wouldn't say infosec is "bullshit." I'd say a lot of people in those fields are NOT developers, and they lack a true understanding of what security techniques are actually versus beneficial versus those that tick a box on a checklist (CrowdStrike was always a garbage security nightmare from the moment I saw it; and I constantly raised concerns and no one cared because "compliance.")
     
     SHIELD certification was talked about a lot ~2012 and a lot of people in the security sector were against any type of certification, because it's just so pointless. There was a panel discussion about SHEILD form 2012, but Ruxcon pulled the video for some reason. I'd put it on catbox, but it's 950Mb.
     
     One of the most iconic images I remember for a security conference was [Travis Goodspeed's talk on packet-in-packet injection](https://www.youtube.com/watch?v=iQk0GHXs8NY), because of the following image titled "Encapsulation."
     
     Software is built on layers, and even security is designed in layers that are intended to create isolation as well as redundancy. The trouble is that very few people can describe, in any reasonable level of detail, everything that happens in a single HTTP request.
     
     Modern security exploits are often a single strap in these layers. No matter how much everything else is locked in, one bad link could cause everything to come crashing out on the motorway.
     † top dog :pedomustdie: likes this.
   • pistolero (p@fsebugoutzone.org)'s status on Monday, 07-Oct-2024 08:26:57 JST pistolero

     in reply to

     • sj_zero
     • cjd
     • h4890
     • Three-alist 🌲
     • ins0mniak
     @amerika @cjd @h4890 @sj_zero @threalist Oh, man, you should ask @ins0mniak , I bet he has a stack.
     † top dog :pedomustdie: likes this.
   • pistolero (p@fsebugoutzone.org)'s status on Monday, 07-Oct-2024 14:35:58 JST pistolero

     in reply to

     • sj_zero
     • スカイラー🎄🇷🇺 :z:
     • cjd
     • h4890
     • Three-alist 🌲
     • ins0mniak
     @skylar @ins0mniak @amerika @cjd @h4890 @sj_zero @threalist
     
     > pointless box-checking for insurance and regulatory compliance purposes,
     whoahoahsinternally.jpg
     † top dog :pedomustdie: likes this.
   • スカイラー🎄🇷🇺 :z: (skylar@misskey.yandere.love)'s status on Monday, 07-Oct-2024 14:35:59 JST スカイラー🎄🇷🇺 :z:

     in reply to

     • sj_zero
     • cjd
     • h4890
     • Three-alist 🌲
     • ins0mniak
     • pistolero
     @ins0mniak @amerika @p @h4890 @cjd @sj_zero @threalist i feel bad for all the folks who go into cybersecurity thinking they're gonna be doing sick nasty hacker man shit only to find out their job is pointless box-checking for insurance and regulatory compliance purposes, and arguing with boomers who think that MFA on their office 365 account is a personal attack against them
   • ins0mniak (ins0mniak@majestic12.airforce)'s status on Monday, 07-Oct-2024 14:36:00 JST ins0mniak

     in reply to

     • sj_zero
     • cjd
     • h4890
     • Three-alist 🌲
     • pistolero
     @p @amerika @h4890 @cjd @sj_zero @threalist
     
     I mean not really any articles off the top of my head but I have several theories.
     
     Mainly there are a lot of gatekeepers making money of certifications that at the end of the day install a false sense of knowledge and confidence to those who get them.
     
     Garbage distros like kali or parrot have a lot of automated tools that people will use and not exactly understand, so it's a point and fire situation. I mean if you can't set up your own box that you're fucking useless. Like honestly, if you don't know what a fuzzer is doing don't use it. (not you, like people in genreal)
     
     Most schools are diploma mills so people who go that route have an inflated sense of superiority. Enjoy the debt dummies.
     
     Moar gatekeeping. Like, most places now want at least a 4 year computer science degree which is dumb, theres nothing a classroom will do if you cant learn it yourself. just check out any so called "hacking forum" its moron after moron that can't google "why is postgres not starting" or "what are some common ports?"
     
     Basically it's filled to the brim with annoying dipshits who spend most of their time blabbing about women issues in tech and building communities rather than fixing shit.
     
     Every clown on Earth these days is all "im gonna do cyber security!"
     
     Cool.
     
     Learn a scripting language at least, at least be able to read C, learn how things like linux and windows servers work...at the very least before even thinking about security.
     
     I once met a fucker at the bar blabbing about his 6k security consulting job. I started kinda talking to him and it was all "i don't code, no I don't need any of that thats for developers"
     
     I wanted to kick his stool out form under him.
     
     I hate that industry I hate the dumb asses in it and I'm at the point where if people get owned by the Ruskies than that's just not my problem lol
     
     Thanks for coming to my seminar.
   • スカイラー🎄🇷🇺 :z: (skylar@misskey.yandere.love)'s status on Monday, 07-Oct-2024 15:01:25 JST スカイラー🎄🇷🇺 :z:

     in reply to

     • sj_zero
     • cjd
     • h4890
     • Three-alist 🌲
     • ins0mniak
     • pistolero
     @ins0mniak @amerika @p @h4890 @cjd @sj_zero @threalist honestly sticky notes and notepads in the desk drawer got an unfairly bad reputation
     even if anyone can just go and read it, they'd have to be in the building at that person's desk to do so. if someone's got unsupervised access to their desk and the computer on it, they could just go and fiddle with it anyway to steal all the credentials from someone's password manager (or the passwords.xlsx file on the desktop cause the password manager was too hard to use).
   • ins0mniak (ins0mniak@majestic12.airforce)'s status on Monday, 07-Oct-2024 15:01:26 JST ins0mniak

     in reply to

     • sj_zero
     • スカイラー🎄🇷🇺 :z:
     • cjd
     • h4890
     • Three-alist 🌲
     • pistolero
     @skylar @amerika @p @h4890 @cjd @sj_zero @threalist 100. Ot the burnout that comes from just staring at nessus all day and trying to make boomers understand that putting their passwords on sticki notes is a bad idea
   • pistolero (p@fsebugoutzone.org)'s status on Monday, 07-Oct-2024 15:01:49 JST pistolero

     in reply to

     • sj_zero
     • スカイラー🎄🇷🇺 :z:
     • cjd
     • h4890
     • Three-alist 🌲
     • ins0mniak
     @skylar @ins0mniak @amerika @cjd @h4890 @sj_zero @threalist
     
     > they'd have to be in the building at that person's desk to do so.
     
     Until some boomer decides to increase the LAPD's social media presence and you put the password for the server holding scans and photos of evidence onto Youtube.
     † top dog :pedomustdie: likes this.
   • sapphire (sapphire@shortstacksran.ch)'s status on Monday, 07-Oct-2024 16:13:39 JST sapphire

     in reply to

     • sj_zero
     • スカイラー🎄🇷🇺 :z:
     • cjd
     • h4890
     • Three-alist 🌲
     • ins0mniak
     • pistolero
     @skylar @amerika @p @h4890 @ins0mniak @cjd @sj_zero @threalist meanwhile payment processors are starting to allow 1FA but with SMS and this is supposedly ok
   • pistolero (p@fsebugoutzone.org)'s status on Monday, 07-Oct-2024 16:13:39 JST pistolero

     in reply to

     • sj_zero
     • スカイラー🎄🇷🇺 :z:
     • cjd
     • h4890
     • Three-alist 🌲
     • sapphire
     • ins0mniak
     @sapphire @skylar @amerika @cjd @h4890 @ins0mniak @sj_zero @threalist You think it's gross incompetence or money-laundering?
     
     I mean, devil's advocate, right, they compensate you for fraud, that comes out of their FDIC insurance. So you want to pull a $current_year Iran-Contra, you help the people you want to fund perpetrate a massive fraud, FBI issues a warning blaming someone convenient, banks don't give a shit as long as they get their money.
   • Mr. Bacon (tony@clew.lol)'s status on Monday, 07-Oct-2024 16:14:12 JST Mr. Bacon

     in reply to

     • sj_zero
     • スカイラー🎄🇷🇺 :z:
     • cjd
     • h4890
     • Three-alist 🌲
     • sapphire
     • ins0mniak
     • pistolero
     i think gross incompetence is more likely tbh.
     
     especially when it comes to computers. boomers gonna boom
   • h4890 (h4890@liberdon.com)'s status on Monday, 07-Oct-2024 19:29:38 JST h4890

     in reply to

     • sj_zero
     • cjd
     • Three-alist 🌲
     • pistolero

     @sj_zero @amerika @p @cjd @threalist

     This is a great business opportunity. If you can create such a thing, based only on european components, let me know, and I will introduce you to some people who pay a fortune for these devices today. Logically, they should then be willing to pay you half a fortune for it! ;)

   • sj_zero (sj_zero@social.fbxl.net)'s status on Monday, 07-Oct-2024 19:29:39 JST sj_zero

     in reply to

     • cjd
     • h4890
     • Three-alist 🌲
     • pistolero
     If you're trying to get data from a secure network to a less secure one, there's a device called a data diode which can't be hacked traditionally because it can only send signals outward and not inward. Think of a fiber optic cable where you only have a transmitter on one side and a receiver on the other, or an AM radio -- you can't hack the radio station no matter how you turn the dial on your am radio because the info only moves from the station to your radio. Contrast with a 2-way link into a secure network from a third party.
   • ≠ (amerika@annihilation.social)'s status on Monday, 07-Oct-2024 19:29:40 JST ≠

     in reply to

     • sj_zero
     • cjd
     • h4890
     • Three-alist 🌲
     • pistolero
     @sj_zero @p @h4890 @cjd @threalist
     
     Not to mention Antimalware Service Executable paralyzing half of the Windows machines on Earth half of the time they are running!
   • sj_zero (sj_zero@social.fbxl.net)'s status on Monday, 07-Oct-2024 19:29:41 JST sj_zero

     in reply to

     • cjd
     • h4890
     • Three-alist 🌲
     • pistolero
     We all remember the recent event where half the earth crashed because a security company sent an update, and there was an event earlier where solar winds had a bad cert that allowed bad actors to access dozens of companies carte Blanche.
     
     Trusting an info sec company that can write to your network is bullshit. If these companies cared about security they wouldn't allow data to be sent back and forth like this.
     
     Kaspersky antivirus just installed a while new antivirus to all their us customers without asking permission. This is all evidence that infosec is bullshit because it you get into infosec companies you get privileged access to tons of critical networks.
   • pistolero (p@fsebugoutzone.org)'s status on Monday, 07-Oct-2024 19:30:26 JST pistolero

     in reply to

     • sj_zero
     • cjd
     • h4890
     • Three-alist 🌲
     @h4890 @sj_zero @amerika @cjd @threalist You can do it in software with just routing. Drop incoming UDP/ICMP/etc., drop incoming SYN packets, just drop everything *except* ACKSYN. Then on one side of the network, it cans end out whatever packets it wants, it can establish connections (but only send data down them, not receive any), and on the other side, the only message that can be sent is the second step of the TCP handshake.
   • pistolero (p@fsebugoutzone.org)'s status on Tuesday, 08-Oct-2024 13:30:04 JST pistolero

     in reply to

     • sj_zero
     • スカイラー🎄🇷🇺 :z:
     • cjd
     • h4890
     • Three-alist 🌲
     • ins0mniak
     @ins0mniak @amerika @cjd @h4890 @sj_zero @skylar @threalist Yeah, LAPD's done it at least twice. Just one global password for the entire dang fileserver still.
     
     LASD, last time I saw, was still logging into their shit using a 5250 terminal emulator.
   • ins0mniak (ins0mniak@majestic12.airforce)'s status on Tuesday, 08-Oct-2024 13:30:04 JST ins0mniak

     in reply to

     • sj_zero
     • スカイラー🎄🇷🇺 :z:
     • cjd
     • h4890
     • Three-alist 🌲
     • pistolero
     @p @amerika @h4890 @skylar @cjd @sj_zero @threalist Oh that's awsome.
     
     The police department in Michigan where my parents live got hacked, certainly for something just as stupid.
     
     Guy all on the news going "I want to move everything to the cloud, it's safer, everyone is doing it and we won't have to worry about security"
     
     Which tacks on to my effort post about how dumb infosec is lol
   • ins0mniak (ins0mniak@majestic12.airforce)'s status on Tuesday, 08-Oct-2024 13:30:05 JST ins0mniak

     in reply to

     • sj_zero
     • スカイラー🎄🇷🇺 :z:
     • cjd
     • h4890
     • Three-alist 🌲
     • pistolero
     @p @amerika @h4890 @skylar @cjd @sj_zero @threalist Is that related to that leak of all those heads hots or whatever it was?
   • pistolero (p@fsebugoutzone.org)'s status on Tuesday, 08-Oct-2024 13:30:53 JST pistolero

     in reply to

     • sj_zero
     • スカイラー🎄🇷🇺 :z:
     • cjd
     • h4890
     • Three-alist 🌲
     • ins0mniak
     @ins0mniak @amerika @cjd @h4890 @sj_zero @skylar @threalist The cloud isn't a physical place.
     kamala_cloud.mp4
     † top dog :pedomustdie: likes this.
   • スカイラー🎄🇷🇺 :z: (skylar@misskey.yandere.love)'s status on Wednesday, 09-Oct-2024 12:54:44 JST スカイラー🎄🇷🇺 :z:

     in reply to

     • sj_zero
     • cjd
     • h4890
     • Three-alist 🌲
     • ins0mniak
     • pistolero
     @p @amerika @h4890 @ins0mniak @cjd @sj_zero @threalist if a vtuber said that it would be cute
   • pistolero (p@fsebugoutzone.org)'s status on Wednesday, 09-Oct-2024 12:54:56 JST pistolero

     in reply to

     • sj_zero
     • スカイラー🎄🇷🇺 :z:
     • cjd
     • h4890
     • Three-alist 🌲
     • ins0mniak
     @skylar @amerika @cjd @h4890 @ins0mniak @sj_zero @threalist "Cute" just means "stupid in an endearing way", fundamentally, and it's somewhat less endearing when it's a person that wants to control the internet:
     kamala_demands_speech_regulation.mp4
   • ≠ (amerika@annihilation.social)'s status on Thursday, 10-Oct-2024 02:42:28 JST ≠

     in reply to

     • sj_zero
     • djsumdog
     • cjd
     • h4890
     • Three-alist 🌲
     • pistolero
     • Leyonhjelm
     @h4890 @p @cjd @sj_zero @threalist
     @djsumdog
     @Leyonhjelm
     
     It's a non-profit site on infosec topics, not designed to make money, but needs an infusion of energy.
   • h4890 (h4890@liberdon.com)'s status on Thursday, 10-Oct-2024 02:42:29 JST h4890

     in reply to

     • sj_zero
     • cjd
     • Three-alist 🌲
     • pistolero

     @amerika @p @cjd @sj_zero @threalist

     Interesting. Are you coming at it from a marketing perspective? What is the audience of the text, and the purpose of the website?

     I think if you could provide a bit more detail, perhaps it would be easier to come up with some ideas.

   • ⚡Eineygður ☯ Flakkari⚡ (toiletpaper@shitposter.world)'s status on Thursday, 10-Oct-2024 02:43:01 JST ⚡Eineygður ☯ Flakkari⚡

     in reply to

     • sj_zero
     • djsumdog
     • cjd
     • h4890
     • Three-alist 🌲
     • pistolero
     • Leyonhjelm
     @amerika @djsumdog @p @h4890 @cjd @Leyonhjelm @sj_zero @threalist
     
     First thing that comes to mind is "caveat emptor" given arguably the majority of projects related to infosec these days are actually just honeypots created with fed money to con privacy/anonymity oriented people into giving up both in exchange for a supposed free lunch. Either that or security theatre designed to part fools from their money. Plus everyone I've heard from in the pen-testing community tends to agree that security auditing is just a way to check a box on the marketing hype, and 9 times out of 10 the same problems are cited year after year with jack squat ever done to resolve them. $0.02