Dependabot's implementation of Go modules continues to be poor.
FWIW, I recommend Go projects just turn it off, run govulncheck in a scheduled GitHub Action for security updates, and otherwise update dependencies manually when it makes sense in their release cycle.
14.03.2025 09:01
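One way to set up the scheduled govulncheck run the post recommends, as an added example that is not the poster's own configuration. It assumes a Go module with `go.mod` at the repository root and a default branch named `main`; the schedule, branch name and file path are assumptions, not anything from the post.

```yaml
# .github/workflows/govulncheck.yml  (added example, not the poster's config)
# Runs govulncheck weekly and on pushes to main, so known vulnerabilities in
# the module graph surface on a schedule instead of via Dependabot PR churn.
# Assumes go.mod sits at the repository root and the default branch is "main".
name: govulncheck

on:
  schedule:
    - cron: "0 6 * * 1"   # every Monday 06:00 UTC (assumed cadence)
  push:
    branches: [main]
  workflow_dispatch:

permissions:
  contents: read           # read-only token: the job only inspects the tree

jobs:
  vulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # pin the toolchain to what the module declares

      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest

      - name: Run govulncheck
        # govulncheck exits non-zero only when a vulnerable function is
        # actually reachable from this module's code, so the job fails on
        # real exposure rather than on every advisory touching go.sum.
        run: govulncheck ./...
```

To "turn Dependabot off" for Go modules as the post suggests, simply leave the `gomod` ecosystem out of `.github/dependabot.yml` (or remove that entry); no further configuration is needed, and the scheduled job above still reports reachable vulnerabilities so the project can update manually on its own release cadence.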
This thread (and the answers) is a small gem, covering an almost forgotten piece of history of the security field.
06.03.2025 06:38
1. Three new bad practices on use of known insecure or outdated cryptographic functions, hardcoded credentials, and product support periods.
2. Additional context added to the memory safety section.
3. Added additional examples of recommended actions to prevent SQL injection vulnerabilities.
4. Added additional examples of recommended actions to prevent command injection vulnerabilities.
5. Clarified timelines for patching Known Exploited Vulnerabilities (KEVs).
6. Added language for multi-factor authentication (MFA) specific to operational technology products.
7. Added that software manufacturers should support phishing-resistant MFA.
8. Other updates to phrasing throughout.
The FBI has released version 2.0 of its Product Security Bad Practices
PDF: www.ic3.gov/CSA/2025/250...
The changes are detailed in the image below
19.01.2025 18:39
Oui oui, when in France!
05.12.2024 20:35
New era of slop security reports for open source
I'm on the security report triage team for CPython, pip, urllib3, Requests, and a handful of other open source projects.
I'm also in a trusted position such that I get "tagged in" to other open sou...
Seth Larson, the maintainer of several crucial Python projects, says he is seeing an increase in "extremely low-quality" security reports submitted by bug hunters, suggesting researchers are using AI/LLM tools to discover vulnerabilities and put together reports.
sethmlarson.dev/slop-securit...
05.12.2024 15:45
All that's left is Giphy integration!
21.11.2024 14:43
If it sounds like a duck and looks like a duck, it's probably not a duck
21.11.2024 12:05
I've experienced similar and bsky feels to be ticking all the boxes for me at least. This feels like Twitter of 2014 (in a good way)
21.11.2024 10:30
botb was/is something useful in this space...
19.11.2024 17:23
Wow so is bsky really maybe potentially becoming a thing now?
14.11.2024 14:01
Ok, where are the South African hackers at? Post handles in replies if you see this please, and I'll attempt a starter pack.
cc
@leonjza.bsky.social
@haroonmeer.canary.love
13.11.2024 19:01
Once you are specifically targeted, chances are very good you will continue to see attempts to breach your defenses. APTs come for a purpose and there's a reason the Persistent part of the name was chosen.
11.10.2023 11:35
This could be gnarly if your proxychains setup is somewhat exposed... which it shouldn't
11.10.2023 13:45
So everybody from Musk's site seems to be here, yet my feed feels a bit anemic. What's a good trick to sync follows?
02.10.2023 11:51
Total blast from the past...
15.09.2023 18:15
In January, the Bluesky app began with a few hundred users. We've since grown past 1 million. I'm proud of what our team has accomplished in the last 9 months: we've open sourced the protocol and app, introduced self-verification via custom domains, and enabled algorithmic choice with custom feeds.
12.09.2023 22:50
Tale as old as time: hackers hack stalkerware company because stalkerware is low-quality crap.
techcrunch.com/2023/08/26/b...
29.08.2023 04:06
Now that's a flex to aim for
21.08.2023 20:07
NEW: Several attendees at Def Con saw mysterious alerts on their iPhones.
A researcher claimed responsibility and said it was a research project to teach people to turn off Bluetooth and "to have a laugh."
https://techcrunch.com/2023/08/14/researcher-says-they-were-behind-iphone-popups-at-def-con/
14.08.2023 20:01
Today in 2000, 23 years ago, we introduced libcurl into the world. curl 7.1 was the first release featuring a separate library for Internet transfers, that curl was then made to use.
Today we estimate 20 BILLION installations worldwide.
07.08.2023 07:03
Worse than npm or pip etc?
03.08.2023 07:52
Wait, it's summer camp next week already? #itsbeenawhile
01.08.2023 16:06
01.08.2023 09:48
Code Kept Secret for Years Reveals Its Flaw—a Backdoor
A secret encryption cipher baked into radio systems used by critical infrastructure workers, police, and others around the world is finally seeing sunlight. Researchers say it isn't pretty.
For 25+ yrs police, military, intel agencies and critical infrastructure around the world relied on the TETRA radio standard to secure critical communications. But now Dutch researchers have examined secret algorithms used in TETRA and found something startling - an intentional backdoor, and more
24.07.2023 10:17
Ask @patrick.risky.biz to go on vacation?
27.06.2023 11:22
This is valuable insight, thanks for sharing. How are you defining downturn? And what kind of timescales would you see as not crazy?
17.06.2023 17:52
Yeah definitely that'd be great, let me know when you're in London again!
30.05.2023 10:36
Howsit bru!
26.05.2023 06:49