- The Grugq's Newsletter
April 5, 2023
New: the IRS wants to buy an internet mass monitoring tool. This tool allows investigators to see what is happening on the wider internet beyond their own network; asks for "65 days traffic history." The tool can be used to trace activity through VPNs
— Joseph Cox (@josephfcox)
1:11 PM • Apr 4, 2023
-
When you first start using kubernetes
— memenetes (@memenetes)
4:00 PM • Apr 3, 2023
-
Investigators "say the boat may have been a decoy, put to sea to distract from the true perpetrators, who remain at large"
— Kim Zetter (@KimZetter)
12:56 PM • Apr 4, 2023
-
Between two nerds
Compare and contrast two operations in 2016.
-
This is still itw 0day
— Ryan Naraine (@ryanaraine)
3:22 PM • Apr 4, 2023
-
A good attack technique is to blend in with infosec noise and look like a false positive. It will give your attack a greater window of opportunity.
— Chris Wysopal (@WeldPond)
3:33 PM • Apr 4, 2023
-
🚨🚨
BREAKING: Genesis Market, one of the world’s largest platforms for cyber fraud, has just been seized in an FBI-led operation involving more than a dozen international partners.
Story here: therecord.media/genesis-market…
— Alexander Martin (@AlexMartin)
5:54 PM • Apr 4, 2023
-
Interesting changes in ad policy by Meta to ensure transparency. Not sure how effective they’ll be.
Buying ads on political etc. topics requires government issued photo ID
The ads will display a “Paid for by” message and a link to the account of the purchaser
There will be a publicly accessible, searchable, database of all ads
-
just got back from this year's FibonacciCon and it was as big as the last two put together
— Adam Cerious (@Browtweaten)
7:11 PM • Apr 4, 2023
-
New attack against always on microphone AI assistants.
-
I just got wrecked by GPT 3.5 when playing … pick a number. I did not anticipate the outcome
— Matt Waller (@wattmaller1)
12:58 AM • Mar 31, 2023
-
Come on Microsoft, this was totally avoidable - just stop renaming things
Also, Clou dAlert, lolol
— Nathan McNulty (@NathanMcNulty)
1:17 AM • Apr 4, 2023
-
To the lady at Costco with her son on a leash. I'm sorry that I asked if he was a rescue.
The profanity wasn't necessary but thank you for not siccing him on me.
— Destry (@DestryBrod)
10:54 AM • Mar 21, 2018
-
We put GPT-4 in Semgrep to point out false positives & fix code
“We added GPT-4 to our cloud service to ask which findings matter before we notify developers. We also tried to have it automatically fix these findings, and its output is often correct.”
— [email protected] (@0xdea)
6:52 AM • Apr 5, 2023
-
it may be one of my more controversial legal opinions but if you steal something larger than a very large man and no one catches you in the act of doing it or transporting it or hiding it, you should not be able to be charged with a crime
— 🌲🥦☭ Treezy the Magnanimous 707er ☭🌉🌉 (@coryandtreezy)
7:02 AM • Apr 5, 2023
-
So I'm sure all are aware my RAV4 was stolen last year, ironically via "CAN Injection 🚘💉". Myself and @kentindell have been reverse engineering the device that I believe was used for the theft. More details are on his blog
— Ian Tabor (@mintynet)
5:06 PM • Apr 4, 2023
-
🧵 Yesterday we published my interview with the commander of the National Cyber Force (economist.com/britain/2023/0…), timed w/ publication of its paper "Responsible Cyber Power in Practice". I wanted to share a few more highlights of the interview, which I couldn't fit into the piece.
— Shashank Joshi (@shashj)
9:28 AM • Apr 5, 2023
3/ One example of that is shift in framing of cyber. In middle of last decade was "red button": big effect at key moment, or retaliatory option. Even the National Offensive Cyber Programme (NOCP), initiated in 2014, was about developing "slightly red-button-like" capabilities.
— Shashank Joshi (@shashj)
9:28 AM • Apr 5, 2023
7/ Another e.g. of learning is how cyber integrates w/ military. In "early years", says Babbage, it was assumed offensive cyber would be delivered via "fighting platforms" at tactical level. Now "we're tending to find more utility for cyber [at] operational and theatre level"
— Shashank Joshi (@shashj)
9:28 AM • Apr 5, 2023
8/ That doesn't mean no tactical effects. Babbage: "What we're finding now is that beyond that tactical [electronic warfare] activity there is there are cyber effects that you might need to have locally for force protection reasons" (e.g. )
— Shashank Joshi (@shashj)
9:28 AM • Apr 5, 2023
11/ Obvious, perhaps, but cyber power depends on leveraging dependencies of target. Babbage: "the more distant they are in geography and the more dependent they are on cyber and digital technologies to communicate at all, then the stronger the power of cyber." C4ISR = leverage.
— Shashank Joshi (@shashj)
9:28 AM • Apr 5, 2023
15/ NCF paper mentions "blocks of capabilities". What does this mean? In past capabilities often designed for a particular conflict or crisis. Now focus is on those "that can be repurposed more in the moment." Babbage points to GRU use of edge devices ().
— Shashank Joshi (@shashj)
9:28 AM • Apr 5, 2023
23/ Persistent engagement has downsides, too: a sort of cyber inoculation. "We're cautious about offering strength training for adversaries...it's about the cognitive impact [&] you definitely need to engage persistently, but you need to be thoughtful about the long term impact"
— Shashank Joshi (@shashj)
9:33 AM • Apr 5, 2023