🏟️ Ludus launched 2 years ago and the community embraced and extended it with write-ups, roles, configs, and environments. We're excited to see what you build with Ludus 2! (1/4)
What Cops Saw Chasing Down New Jersey Drones
A large tranche of never-before published documents provides insights into what law enforcement saw in the skies during the drone scare of 2024.
twz.com/air/what-cops-…
@ellie_huxtable *self promotion* This is our 100% human curated and written weekly cyber wrap up. It's the blog we wish existed, so we made it. blog.badsectorlabs.com
Spread the word! @phrack CFP with demoscene cracktro is live. Turn up the volume and enjoy the awesome stylings of @PiotrBania with some hopefully inspiring text from phrack staff :)
phrack.org
There’s an astronomical skill gap between good security people and the rest. There’s no mid. Accounts you see posting their research here are absolutely cracked; it’s not the norm.
When you go out and talk to security folks that don’t go to conferences, don’t read up on research, you realize: holy shit. They have no fucking clue. The majority of the cybersecurity workforce is absolutely incompetent.
It’s partly why vendors can come up with inane bullshit as marketing material and it works on many CISOs.
If you’re reading this, you’re most likely 1000x the skill level of the average person. Like I cannot emphasize enough how low the bar is when the sample size is the entire industry.
github.com/ZephrFish/ludu…
Ludus template to build an AD CS attack lab, which is a snippet from my course (lms.zsec.red), with the addition of pre-reqs for MDE/MDI deployment and Windows hardening; you can drop-in replace this for Elastic too.
Everyone today is a hacker in a sense, but there are very few OG hackers on whose shoulders we stand.
Oh dude, Felix “FX” Lindner, you were so much a hacker's hacker and you will be missed.
RIP my friend and thank you
Finally got some breathing room, so here's a quick recap of the cyber side of the ongoing IR/US war:
1. Right after the first strikes by the US, within the first hours, multiple popular (pro-regime) news agencies and outlets were compromised at the same time. Legitimate-looking news content was injected into the front page, aimed at degrading the morale of pro-regime forces with typical PSYOPS tactics. Sites were quickly taken down and restored.
2. Shortly after that, BadeSabaa (a prayer time app), a popular mobile app with 30+ million installations (from the Iranian app store), was hijacked and used to send push notifications to users. This time the target audience was mostly army members, calling on them to surrender and join the people if they want to survive. This app is an interesting pick, not just because it has a high number of downloads. Users of the app are particularly religious people and have a higher chance of also being pro-regime and within the body of the army. One important but seemingly ignored fact about this app is that it requests location access to operate. It's safe to assume most users allow that for more accurate prayer time results. It's also safe to assume that, if the app backend is compromised enough to allow sending push notifications, any telemetry logs and data from the app would also be compromised. Correlating telemetry with unique device IDs for that large user base can be (ab)used in many different and interesting ways! Not that it has been the case.
* Rumors circulated that EITAA, a popular Iranian messaging app, was also taken down and no longer accessible. That turned out to be just a rumor, as I verified.
3. Iran's internet went into full blackout mode again. Not that this had anything to do with a cyber operation. It initially started from MCI and expanded to the entire country within a day. As in the previous case, there is still a small fraction of hosts that remains accessible from outside, but if you have been logging the previous round's data and compare it with the current one, you might notice interesting discrepancies ;)
This is likely a multi-reason effort: to contain exposure of the impact of the strikes, possibly to deny service to smaller drones (which turned out to be a failed assumption and attempt during the IR/IL war too), and finally to draw a veil over any potential aggression towards upcoming unrest and protests by people in the streets.
4. During the second day of strikes, Iranian national TV's Channel 3 satellite streams (IntelSat) were hijacked (the 2nd time since the recent protests) and videos of Trump and Netanyahu speeches were broadcast instead. Again, an expected PSYOPS move considering the situation.
Other covert operations have also been in progress, which I guess we might hear about (or not) in the near future. I will be occasionally updating this as a thread if more notable cyber attacks take place.
“How should cybersecurity companies do marketing?”
Just look at @HuntressLabs and @ThinkstCanary:
- hire fantastic people
- publish blog posts to show off real, nuanced research
- no theatrical clickbait bs
- don’t put lamp shades on heads
- word of mouth does the rest
AI is NOT replacing cybersecurity jobs. Full stop.
I'm so tired of people parroting "AI will replace reverse engineers" and "malware analysis is solved". No. It is not.
I have analyzed hundreds of malware samples using AI. Here's what actually happens:
-> It gives you made-up decryption keys with full confidence
-> It tries to decrypt data that is literally random garbage
-> It misidentifies malware families
-> It misses critical functions
And have you ever tried retrohunting with the YARA rules AI writes across thousands of samples? Go ahead. Watch the false positives roll in. That alone should tell you everything you need to know.
Every single output needs human validation and rigorous review.
AI is a tool, a powerful one. But someone still has to build the MCPs, validate the output, understand the context, catch the hallucinations, and make the actual calls during incident response.
The people saying this stuff loudest have clearly never watched AI confidently hand them completely wrong decrypted data and make them believe it's real.
Stop scaring newcomers out of the field and misleading people with this nonsense. Cybersecurity still needs humans.