roachy

12.9K posts

@roachy

Herder of cats, wrangler of packets, jack of some trades. RFC 3514 compliant. @_dc151 co-(dis)organiser Also @[email protected] in the other place

Yorkshire, UK. Joined July 2008
2.2K Following, 935 Followers
Pinned Tweet
roachy (@roachy)
Pro tip: Don't edit DNS zone files drunk...... 😳
myexploit2600 (@myexploit2600)
The use of the word “limited” is a great way of skewing statistics, especially when you consider millions of customers. My wife’s work includes looking for evidence of domestic violence. She said this bank incident would trigger a lot of cases. People don’t think of wider issue
Halifax (@HalifaxBank)

On 12 March, a limited number of customers using our app may have briefly seen transactions that weren't theirs due to an internal IT change. We’re very sorry this happened. No action is needed and there was no account security issue.

roachy (@roachy)
@myexploit2600 The "no harm, no foul" response to this has been absolutely shocking. I'd not thought about the DV impact (which is terrifying) but was thinking more about fraud that could occur as a result of knowledge of historical transactions.....
roachy retweeted
BSides London (@BSidesLondon)
🎖️ BSides London 2026 🎬'No REST 'til Hammersmith' 📅 12th December 2026 🏛️ Novotel London West 📜CFP open 1 Aug-30 Sept 🎟️Tickets available on the 1st of Sept, Oct & Nov 😍Sponsor info pack available in April 🌏BSides.London #BSidesLDN2026 #Security #BSides #London
roachy retweeted
DC151 (@_dc151)
Slightly late announcing this one - apologies! This month (11th March) we've got John Follin presenting his talk "Making Shor: cryptography in a post-quantum world". All are welcome. Full details in the link: dc151.org/march-2026-mee…
roachy retweeted
BSides London (@BSidesLondon)
#BSidesLDN2025 videos are now live on our YouTube channel. Don’t forget to like and subscribe, we only publish once a year, your support makes a real difference! youtube.com/@Securitybside… Huge thanks to @Ministraitor & all our presenters for sharing their time and expertise!
roachy (@roachy)
@UK_Daniel_Card Some poor soul just trying to get back home from a party….. and then he encountered Nadhim Zahawi. That’s nightmare fuel
roachy retweeted
vx-underground (@vxunderground)
Yeah, so pretty much that whole Windows 11 Notepad RCE thing was ridiculously stupid. Like, it was so dumb it kind of hurts.

Windows 11 Notepad, with the fancy Copilot AI slop, now possesses the ability to handle mark up, or markdown, ... It's mark something, the stuff used in ReadMes. Whatever.

Anyway, a security researcher realized that if you used markup in Notepad and instead of a hyperlink to a website with https:// you put file:// (the protocol on Windows for files, like in file explorer), it will arbitrarily execute it. It won't prompt you.

Furthermore, he realized you could specify a remote host to execute it from using a different Microsoft specific protocol used for app installation. In other words, if a user clicked the hyperlink in Notepad it would download and run a program from any website ... without alerting the user.

Normally, any sort of hyperlink that leads to a different domain, or tries to execute a file, is supposed to prompt you with an alert message, ... or something. However, Microsoft software engineers seemingly forgot to implement this notification Window.

With this attack vector which has been present for AT LEAST 9 months, a malicious actor could send a .txt file and if the user clicked the link inside the .txt file it would automatically execute and run anything specified in the hyperlink.

Even more silly, forensically under the hood, the logs on Windows, or to an anti malware service, it would look like Notepad was downloading something and then running a program. This is a very unique scenario which (to the best of my knowledge) no security product has encountered before. This could hypothetically result in files being downloaded and executed and being completely ignored by anti malware services because Notepad is a known and trusted program. Why would an anti malware service question Notepad?

Basically, the point I'm trying to get to here is that I don't understand why Microsoft has introduced so many new features into Notepad. With new features means a new attack landscape (more stuff to abuse). Whatever man
roachy retweeted
DC151 (@_dc151)
We've had the dome collective out tonight. With talks tonight from @gr4y_r0se and Sean
roachy (@roachy)
@Cthulhu_Answers @TracketPacer Literally chatting to a pal today whose kid has just started an apprenticeship as a plumber. Let's see the fucking machines steal that career from him ;)
roachy (@roachy)
@J0hnnyXm4s @Secure_ICS_OT I remember dealing with an issue for an enterprise where the MS Exchange Global Address list stopped functioning. The cause - disabling IPv6 as a knee jerk reaction to a pentest where IPv6 misconfiguration was a step in domain takeover.
Johnny Xmas (@J0hnnyXm4s)
@Secure_ICS_OT I used to simply recommend disabling it as the remediation, but after seeing it knock so many things over at so many companies, I know that’s not the play
roachy retweeted
DC151 (@_dc151)
2 amazing talks to kick off the new year from Venus and Fabien
roachy retweeted
IT Unprofessional (@it_unprofession)
Today my boss asked me if we're "ready for AI this year". I said absolutely. I told him we've been running "machine learning models" on our data infrastructure for the past 18 months and we're seeing "significant optimization gains." He asked for specifics. I said, "Our email filtering system uses neural networks to detect phishing attempts with 97% accuracy." He looked impressed. Here's the truth: that's just the default spam filter in Office 365. Microsoft built it. We didn't do anything. But I rebranded it as "AI-powered threat detection" in a slide deck last year, and now everyone thinks we're innovators. My boss wants to announce our "AI initiatives" in the next shareholder meeting. I told him I'd prepare a presentation. I'm going to take every automated process we already have—backup scripts, user provisioning, patch management—and add the words "AI-enhanced" in front of them. Innovation isn't about building new things. It's about renaming old things with better buzzwords.
roachy retweeted
DC151 (@_dc151)
Happy New Year! We have 2 amazing speakers for our next meetup on the 14th Jan. All details in the link: dc151.org/january-2026-m… Hope to see as many of you as possible there
roachy (@roachy)
@notameadow Behind every warning label is a story 🤷‍♂️
roachy (@roachy)
@brianwhelton @em96168174 Late to the reply - but absolutely this. @brianwhelton and I didn’t do anything. You submitted to the CfP, you turned up and delivered a great talk. No thanks or credit needed!