I left my Spaceballs-themed MUD CTF game up for everyone to play after @hthackers
Why a MUD? Because learning security is better when you're having fun in a world where the password is "12345" and there's no MFA.
https://t.co/AYOGPvBAq2
#CTF #InfoSec
BambuStudio has been violating PrusaSlicer AGPL license since their fork, with the same networking binary black box in question today. Why are they willing to burn the goodwill over it?
There's something most have sensed but never seen all in one place: the five-law framework China built between 2017 and 2023.
So maybe their hand is forced as their "network" is too valuable already? Each law on its own, interesting, okay... Read them together, and add any Chinese company with big reach to the mix you get the complete picture.
1) National Intelligence Law (2017)
All organizations and citizens must "support, assist, and cooperate" with intelligence work. The same law makes it illegal to disclose that cooperation happened. Cooperation is mandatory, and silence about it is mandatory too.
2) Cryptography Law (2020)
Commercial encryption must be state-approved and state-reviewed. When authorities request it, companies must provide decryption keys or plaintext. The state on both sides of that equation is the same one.
3) Data Security Law (2021)
Article 2 gives the state extraterritorial reach over data that touches Chinese national security or public interests. So EU/US data hosting does nothing to make it safe, because jurisdiction follows the company, not the server location.
4) Counter-Espionage Law revision (2023)
The general definition of espionage was expanded to cover "documents, data, materials, or items related to national security and interests." Industrial data is one of the intended targets since the revision.
5) Network Product Security Vulnerability regulation (2021)
Any company or researcher that discovers a software vulnerability must report it to MIIT within 48 hours. From there it flows to CNNVD (China National Vulnerability Database of Information Security), operated by the 13th Bureau of the Ministry of State Security. Microsoft's threat intelligence team documented Chinese state-hacker zero-day usage rising after this took effect. Shows the willingness to use the "tools" China built.
Together they describe a system with no neutral exits. Cooperation is required, encryption is real but the spare keys live at the ministry, jurisdiction follows the company across borders, industrial data is in scope, and discovered vulnerabilities flow to an intelligence agency.
3D printing became strategic for China in 2020 and joined the "Made in China 2025" plan soon after. Why does 3D printing matter so much? 1/x
@davepl1968 They were shot under aging mercury-vapor lamps that are green-shifting as the phosphors wear out. Mercury-vapor shift greener and greener as they age. You can often see yellow sodium-vapor and incandescent lights in the background of the shots.
Delve, a YC-backed compliance startup that raised $32 million, has been accused of systematically faking SOC 2, ISO 27001, HIPAA, and GDPR compliance reports for hundreds of clients. According to a detailed Substack investigation by DeepDelver, a leaked Google spreadsheet containing links to hundreds of confidential draft audit reports revealed that Delve generates auditor conclusions before any auditor reviews evidence, uses the same template across 99.8% of reports, and relies on Indian certification mills operating through empty US shells instead of the "US-based CPA firms" they advertise. Here's the breakdown:
> 493 out of 494 leaked SOC 2 reports allegedly contain identical boilerplate text, including the same grammatical errors and nonsensical sentences, with only a company name, logo, org chart, and signature swapped in
> Auditor conclusions and test procedures are reportedly pre-written in draft reports before clients even provide their company description, which would violate AICPA independence rules requiring auditors to independently design tests and form conclusions
> All 259 Type II reports claim zero security incidents, zero personnel changes, zero customer terminations, and zero cyber incidents during the observation period, with identical "unable to test" conclusions across every client
> Delve's "US-based auditors" are actually Accorp and Gradient, described as Indian certification mills operating through US shell entities. 99%+ of clients reportedly went through one of these two firms over the past 6 months
> The platform allegedly publishes fully populated trust pages claiming vulnerability scanning, pentesting, and data recovery simulations before any compliance work has been done
> Delve pre-fabricates board meeting minutes, risk assessments, security incident simulations, and employee evidence that clients can adopt with a single click, according to the author
> Most "integrations" are just containers for manual screenshots with no actual API connections. The author describes the platform as a "SOC 2 template pack with a thin SaaS wrapper"
> When the leak was exposed, CEO Karun Kaushik emailed clients calling the allegations "falsified claims" from an "AI-generated email" and stated no sensitive data was accessed, while the reports themselves contained private signatures and confidential architecture diagrams
> Companies relying on these reports could face criminal liability under HIPAA and fines up to 4% of global revenue under GDPR for compliance violations they believed were resolved
> When clients threaten to leave, Delve reportedly pairs them with an external vCISO for manual off-platform work, which the author argues proves their own platform can't deliver real compliance
> Delve's sales price dropped from $15,000 to $6,000 with ISO 27001 and a penetration test thrown in when a client mentioned considering a competitor
Everyone...there is no need to panic about mines.
The US Navy has kept four mine countermeasure vessels in the Persian Gulf for the past 35 years. These ships and crews have trained for this very circumstance.
WAIT...what is that?
The minesweepers just arrived in Philadelphia yesterday to be decommissioned, but we have three Littoral Combat Ships (LCSs) that took their place.
@WhiteCastle has the absolute worst "AI" powered drive-thru experience I've ever seen. Hot flaming garbage. So bad we couldn't order... so we just left.
0/10 cannot recommend.
BSides Pyongyang was a blast. From troll tweet to full psyop and real conference in 6 months. Thanks to everyone that participated and especially to those that gave talks and to our sponsors.
We raised over $1000 for refugees. We'll be donating it as soon as OFAC clears us.
#BSidesPyongyang2025