Recently I learned about Cyber-informed Engineering:
How do I turn “what ifs” into “even ifs”?
🧙 
@darfplatypus I haven't seen it since it was publicly downloadable. Is it still one line per record wrapped JSON? The first thing I did in those days was convert it to per-type TSVs, usually reducing its cumulative size by half.
Happy Alberti Day, @a1batross.bsky.social !
PETER CAESAR ALBERTI
FIRST ITALIAN SETTLER
LANDED IN N.Y. JUNE 2, 1635
@mhoye "Hmm, someone's clock is off"
But in theory, there's supposed to be like 30s of slush time on either side for exactly such drift.
But if the app also has a "check a log for recent logins" feature, might be good to make sure someone else didn't use it.
@harrysintonen To confirm ... only validated affected setup so far is Signal Desktop on macOS?
@adamshostack "Don't threaten me with a good time!" 
Each individual user may not consider a given credential as worth needing MFA, but since most users reuse passwords, it's arguably a better move for the ecosystem and site operators to require some kind of MFA. Otherwise, if one site gets popped, a wave of user accounts could be abused in bulk and require operator intervention. Whether or not mass lockout/reset is inconvenient enough for the individual user to think MFA is a good trade-off may vary.
@fugueish I ſee what you did there!
Got an email from Apple: "You have signed the following agreement: Apple Developer Agreement"
The fact that this email was a surprise is strong circumstantial evidence of a dark pattern.
I'm a big fan of this project, which uses "hard" USB modems with voice features as Caller-ID-aware call filtering. It's the only way my parents could keep their landline.
A python-based automated call attendant, call blocker, and voice messaging system running on a Raspberry Pi or equivalent. Screens callers and blocks robocalls and scams with a low-cost system and modem. - thess/callattendant
Passively listens on another extension in the house, so the first ring will come through, but if you have a modern cordless phone, you can often program it to suppress the first ring.
I have my own resources for the project here, including how to adopt a "default mostly deny" policy by using publicly available telecom exchange data.
grab-bag of callattendant-related materials. Contribute to roycewilliams/callattendant-resources development by creating an account on GitHub.
@axx $spouse grew up here (Alaska)
@evacide My $spouse, a native speaker of US English, is somewhat regularly asked what country she's from. I would love having a linguist + speech therapist determine root cause for this!
@DaveMWilburn Not disagreeing - I think Eissing is using "responsible" here on purpose, rather than "coordinated"
@gnomon it's in the blog post. Eissing shows the timeline
@Andres4NY Parent post updated, apparently CVE-2026-23918 was fixed much earlier?
RE: https://chaos.social/@icing/116526903529846107
Aftermath: people, running Debian httpd 2.4.66, started complaining when they’ll get the 2.4.67 update to fix this RCE vulnerability. Which they already were protected from, but did not know. Because the CVE was not public at the time the fix was shipped.
[...]
Two security researchers found the vulnerability independently. Just scanning the 2.4.66 source code. This means the bad guys can no longer be kept in the dark. Coordinated disclosure no longer works.
@Andres4NY Ah, thanks - I was just going to start asking!
@lindsey ddrescue!
DigitalOcean: Hey that Apache vuln thing needs upgrade on your droplet.
Me: Thanks! Are your distro repos updated to contain the patched version?
DO: lol no
[Edit: to be fair, this is Debian's fault, not DO's (see screenshot). At least DO told me!]
[Edit 2: that specific vuln was quietly fixed on Debian specifically well before this version?? Would be advisable for them to have said that now?
https://infosec.exchange/@tychotithonus/116527548611779862 ]