May 22, 2024

                May 22, 2024

            May 22, 2024

            May 22, 2024

                   Abusing url handling in iTerm2 and Hyper for code execution | Vin01’s Blog
What are escape sequences            

My data protection assessment of TLS Session Tickets. While they are a unique identifier, all is OK. No consent needed. Another conclusion would mean that the data protection rules are inherently inadequate and harmful. #GDPR #ePrivacy #CCPA #APRA https://t.co/rGFPfQNoEP
— Lukasz Olejnik☕️ (@lukOlejnik) May 22, 2024

Polish spies and saboteurs recruited for Russia
I don’t have the original polish link, only the selected translation of a few paragraphs provided by Lukasz Olejnik.

In dollar terms, they were paid US$5 for distributing leaflets and sticking stickers in public places. Placing a webcam or GPS transmitter on strategic locations paid around $400. And if one of the spies succeeded in derailing a military or humanitarian train, he or she would get US$10,000. In addition to this, they all travelled to the vicinity of airports, railway stations and arms companies and collected sensitive information, which they passed on to the boss. Travel and hotel costs were covered by ‘Andrei’.

Among the spies were couriers, food deliverers, a mechanic, a real estate agent, a French teacher, a lawyer, a programmer, a former footballer, a professional hockey player, a schoolboy and a student. Most of them have already heard their sentences as they voluntarily surrendered. They received between six years and several months in prison. Only the last two decided to fight in court, during the trial, for lower sentences.

The pricing, which seems low, is actually typical for what intelligence agencies pay agents. Even incredibly valuable assets aren’t paid fair value for the risks they take, Ames and Hansen got tens of thousands of dollars at a time. Which just isn’t that much considering the value they delivered and the risks they faced.
Most spies get paid far less. There are many reasons for this, including: forcing them to keep a low profile; limiting their freedom of manoeuvre; ensuring that they aren’t purely financially motivated, and various other security, psychological, and other reasons.
I must admit that food delivery drivers seem like a pretty good target for recruitment targets. Gig worker are able to travel many places, and if the agency were so inclined they could manipulate the food delivery system to ensure their asset has a valid cover for a particular journey. Gig worker even have good reasons to have their GPS enabled phones out, and take videos and pictures. “Need this for insurance” or, “for safety” etc.
Package delivery, Uber drivers, and so on are perfect. Safe houses are frequently establishments such as bed & breakfast boutique hotels. They have great cover for random strangers showing up at weird hours for short stays. 

I worked in a shipyard in Alaska once and because I sorta knew how to use Excel they all called me “Computer”
— Justin🦩Boldaji (@justinboldaji) May 21, 2024

i worked for an alaskan freighter company & built a spreadsheet in Excel to automatically output the day's close of day info if you just input the total sales from the receipt so you didn't have to hand-calculate it every day & they told all our clients it was AI-powered tech lol
— crumb stain (@tabula_rosa69) May 21, 2024

Logging into Twitter these days is like joining a club called “America is going to fail, so please buy my shitcoin”. I don’t even care if it’s true, I’m tired of seeing it. pic.twitter.com/RZghQVdgD3
— Matthew Green (@matthew_d_green) May 22, 2024

Cool cool cool. 🫠 pic.twitter.com/T6U2jQTIld
— Malwarebytes (@Malwarebytes) May 21, 2024

Cardinal Richelieu: "If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him."

Microsoft: "so guys, hear me out..."
— lcamtuf (@lcamtuf@infosec.exchange) (@lcamtuf) May 22, 2024

A few months ago, @KaustuvBasu1 and I noticed something unusual in the federal courts: a flood of claims for money seized by the US Government in purported drug dealing cases around the country. We started digging. A thread on what we found 🧵
— Seamus Hughes (@SeamusHughes) May 22, 2024

                  Thread by @SeamusHughes on Thread Reader App – Thread Reader App
@SeamusHughes: A few months ago, @KaustuvBasu1 and I noticed something unusual in the federal courts: a flood of claims for money seized by the US Government in purported drug dealing cases around the country. We st...…            

Grok has started summarizing all kinds of stuff happening on Twitter and it’s going about as well as you’d expect. 

Who needed a human curation team anyway? 🤷‍♂️ pic.twitter.com/4RZJg02fVM
— Ian Cairns (@cairns) May 21, 2024

Hackers unbrick trains. "She emailed a group that called itself “Dragon Sector,” and soon after, a trio of hackers reported for duty. A collection of coders with normal day jobs who come together in their off hours to defend cyberspace from malicious intrusions, they consider…
— Weld Pond | Chris Wysopal (@WeldPond) May 20, 2024

Interesting reading for learning something about Linux page cache, memory management, mmap and cgroups
Credits @brk0vhttps://t.co/3gtnUz48tD#Linux pic.twitter.com/nJiCXMvGlq
— 0xor0ne (@0xor0ne) May 22, 2024

Excellent introduction to Linux namespaces
Credits @quarkslab

Part 1: https://t.co/XaA5FYoOEO
Part 2: https://t.co/yB7Wuwk5Sk#namespace pic.twitter.com/5ufctkaqxV
— 0xor0ne (@0xor0ne) May 20, 2024

Here is the full blogpost: https://t.co/RjDYgDRlZ6
— Inti De Ceukelaire (@intidc) May 22, 2024

Just released the write-up for CVE-2024-4367, a bug I found recently in PDF.js (and hence in Firefox), resulting in arbitrary JavaScript execution when opening a malicious PDF.https://t.co/sex6fR0xHS
— Thomas Rinsma (@thomasrinsma) May 20, 2024

Our systemization of knowledge paper on „Prudent Evaluation Practices for Fuzzing“ (https://t.co/hITXZ9ZgJG) has received a Distinguished Paper award at IEEE #SP24 🎉
— Thorsten Holz (@thorstenholz) May 20, 2024

[🔍Vulnerability Research] N-day Exploit Series Finale ✨

It’s been a long journey, and the sixth and final chapter of our N-Day Exploit Series is out!

Introducing CVE-2023-36802, a critical In-The-Wild exploit leveraging a Windows kernel vulnerability to gain host system…
— Theori (@theori_io) May 22, 2024

Fat Leonard bribery cases fall apart because of prosecution blunders https://t.co/yTmOO9n6gr
— Stars and Stripes (@starsandstripes) May 20, 2024

Don't miss what's next. Subscribe to the grugq's newsletter:

Start the conversation: