Mikail Tunç

Today I am open-sourcing SlackPirate, a tool I developed over the last couple weeks. It's designed to run under a given Workspace token and enumerate + extract sensitive/interesting/confidential data for easy offline viewing - github.com/emtunc/SlackPi…

@habazzi Let me know if you'd like any pro-bono cyber security advice/consultancy. My DMs are open.

bowelbuddy.app For more info on what I’m building :) Now more motivated than ever to do more with less.

I’ve decided to pull out my application to @ycombinator. I’ve been working silently on a new startup that I think will help millions in the world that struggle with Irritable Bowel Syndrome. It’s been so difficult to make progress given the ongoing genocide in Palestine, and stupid for raising money from organizations that have allowed this to continue. @paulbiggar ‘s brave and needed blog post earlier today was the small push I needed to look elsewhere. If I am to raise, it’ll be “human-aware” money.

@MishaalRahman ah that makes sense - should have checked the page source! Thanks ☺️

@emtunc If you look at the page's source, the FT link is set as the canonical URL, which Chrome has been using when sharing links on mobile for years now: ghacks.net/2018/02/20/chr…

@MishaalRahman you or someone you know might have a clue what's going on here - I share links from Chrome all the time but this is the first time the sharing link (ft dot com) is different from the actual URL of the page. Link to the Ars article in pic: arstechnica.com/security/2023/…

@NahamSec @TomNomNom question for y'all - what bug bounty platform are you finding most security-researcher friendly these days? I know a lot of it comes down to the program but the platform as a whole, triage team, etc make a big impact too.

@MalwareJake Wait until you check out Alfred. It's even snappier and more flexible in terms of config and what "things" are searched and indexed.

After using Finder on Mac, Windows Explorer feels prehistoric. I will never understand how it's acceptable in 2023 to fail to find a file in Explorer by typing part of the filename. I should not be wondering "do I go to the shell and ls |grep -i, or is the file just not here?"

@mattjay I wrote some thoughts on the topic here emtunc.org/blog/09/2023/h…

I heard about a company that is making a "Wall of SHAME" - On it? Team members who fail 3 times in phishing simulations. Let me hear your thoughts on this one.

@AlecMuffett This "test" uses FaceTec behind the scenes. I have no doubt FaceTec use the imgs & biometrics to train their algs. Also, your phone will immediately start uploading images to their (FaceTec) servers *as soon as* you've given camera permissions before any scans take place!

DIGITALLY FINGERPRINT YOUR FACE, FOR THE SAKE OF THE CHILDREN!!! WHAT COULD POSSIBLY GO WRONG??!?

For no specific reason ('cough, cough'), but today would be a great time to sign up to our mailing list✅ securitybsides.org.uk/contact.html If you're in, or going to be in Las Vegas at summer camp, please remember to drink lots of water and take care of one another! #BSidesLDN2023

@peterfox One reason is to determine authentication policies for the user as different groups of users may have diff policies assigned to them. e.g., userA belongs to a group that is enabled for passwordless logons so a password field for that group isn’t appropriate

Apps that have two steps with the username and password on a separate screen. Why?

@troyhunt Didn’t the Silk Road guy end up getting caught because he was logged in to Skype over Tor?

I’m thinking of writing something up about people who’ve been caught by simple opsec fails. What other ones are there? DPR’s Stack Overflow post, Ubiquiti hacker’s VPN dropping etc. What other noteworthy examples are there?-

Wow. Just. Wow.

@Burp_Suite I think 2023.1.2 breaks WebAuthn/security keys in Chromium. They work again for me when I roll back to .1 You can test on webauthn.io to see if it returns an error or not.

@quentynblog It's to line up with the seasons 🤣

@CircleCI When will audit logs be programmatically available? Q1? Q2?

CircleCI Security Alert | Since our last update we have also released a tool for discovering all your secrets on CircleCI. Use it to find an actionable list of items for rotation github.com/CircleCI-Publi… Additionally, we have made Self-Serve Audit Logs available to all customers.

@CircleCI I see the audit log docs have been updated which is an improvement github.com/circleci/circl… Are there plans to allow programmatic access to the logs so we can send them to a SIEM?

@emtunc Perhaps indeed, Mikail 🤔 Perhaps we're in agreement with you about audit log availability, and perhaps we were to have something in the works at this very moment... Stay tuned!

CircleCI Security Alert [4 Jan. 2023] We strongly recommend all CircleCI customers rotate secrets stored on our system. Read more: circleci.com/blog/january-4…

🔬 Open Sourcing Chronicle Detection Rules A collection of detection rules for Google’s cloud-native SIEM, Chronicle ➡️GitHub, Okta, Google Workspace, Slack AWS, Kubernetes, others coming soon Code: github.com/Algbra-Labs-OS… By @emtunc labs.algbra.com/open-sourcing-…

@ejcx_ @IanColdwater Are deleted vaults truly deleted? I moved away from LastPass a couple years ago.

@brianwhelton If you're into the home automation space or think you might be in the future then it's probably worth checking which have the best integration with home automation platforms like Home Assistant, etc

@emtunc I've bought a Polestar, PodPoint are who they've recommended, looking at the price they don't seem to be cheaper then some others, so I guess it's down to people's experiences with them. Aside aesthetics they all seem similar

UK EV Twitter. Need (want) to get a home charger, looking at a 7kw Pod Point one (recommended by the car peeps), any other suggestions, also tethered or untethered?

@EEHelpdesk @EE hey team, what can we do about these spoofed spam calls?