Mike Manrod

The section of our kiosk hacking project focused on 3rd party kiosk software running on Windows OS, is now robust enough to leverage IRL if you need a guide on assessing these types of kiosks. 1/🧵 github.com/CroodSolutions…

@notbrvnd0n 💯

@CroodSolutions I'll take my feels like 38 🤣

These temperatures do not belong in March.

@techspence Lol

@CroodSolutions Well dang. I’d happy take 30-40 degrees from ya

@spellerrer @techspence The version in Windows or the version in Halo?

@techspence Cortona

What’s on everyone’s bingo card as being the next big zero day?

@syntaxish @techspence Literally always a safe bet.

@techspence Fortinet

@christian_tail @techspence Lol

@techspence Quantum computers. 🫪

@0xTib3rius @techspence @CouldBeTheYear @AcrossPondPod @SwiftSecur1 @tuckner @IceSolst 💯

@techspence @CouldBeTheYear @CroodSolutions @AcrossPondPod @SwiftSecur1 @tuckner @IceSolst Officially* 🔥

This @AcrossPondPod episode with @0xTib3rius, @SwiftSecur1, and @tuckner on the extension ecosystem (with mention of @IceSolst) was super informative and got me a little bit worried about things that I thought we had handled. Check this out and deeply consider how you handle extensions, starting with browser ecosystems, but then also extending to IDEs and beyond. youtu.be/ecj5FnHyXFE?si…

@techspence @AcrossPondPod @0xTib3rius @SwiftSecur1 @tuckner @IceSolst 💯 Same here!!

@CroodSolutions @AcrossPondPod @0xTib3rius @SwiftSecur1 @tuckner @IceSolst Nice man! Yeah I just did a quick 101 on it. Need to dive deeper

@CheckTheLogs @techspence One challenge is obscurity will exist for a long time (maybe always), and there will always be someone with more AI/more tokens to take one more obscure thing, and make it un-obscure (sometimes exploitable).

@techspence @CroodSolutions Obscurity is an option.

Sorry folks but, "we found 137 vulnerabilities we never knew were there thanks to AI" doesn't mean you're all of a sudden protected.

@syntaxish 💯

@CroodSolutions If he doesn’t do stand up, he needs to.

Tonight’s TISU class was great and even better the presenter’s slides had me dying.

Immunize yourself against dumb. 🦄

Until I stop having conversations where me mentioning LAPS to someone is the first time they have ever heard it, I won't stop making content about this...

@vxunderground @bquintero its actually insane that they don't give you VT Enterprise, the amount of benefits to the whole community from your uploads + research easily justifies this. Yo, just give him the Ent account, we are all on the same side here

@uwu_underground @vxunderground @bquintero 💯

yr_compiler_add_file DOESN'T ACCEPT WCHAR wE NeEd iT To WoRkl WiTh LiNux AnD maCoS Okay, I guess I'll call WideCharToMultiByte 9000 times to APPEASE YOU

Side note - liked your podcast on this also, and it was based on your reference of this one, that I specifically tracked down this particular episode. Making it a goal to do some testing and maybe even try to create BeaconatorC2 extension payloads later this year (after defcon).

Yea - same. I knew it was a risk and we put in a process long ago, but I really did not fully grasp the magnitude of the problem, or even how little telemetry there may be when a browser or IDE extension leads to info theft, that later leads to intrusion. How many breaches with unknown entry points are really this? It is difficult to know.