Olivia
Online
otr
@bockcay
.
Mediterranean Sea
Joined March 2011
2.1K Following
269 Followers
2.1K Posts
We’ve now seen at least four nginx RCEs that require non-default configs: nginx rift, nginx poolslip, and two of our own (including the one in the last tweet).
The configs involved are unusual, which raises the obvious question: do these attacks actually work in real-world deployments?
We asked Claude to download and analyze more than 4,000 nginx config files from GitHub.
The result was embarrassing: none of them were vulnerable to nginx rift or our own attacks. We can’t say anything about nginx poolslip yet, since it hasn’t been published.
So don't worry about your nginx yet.
Moral of the story: AI can generate FUD, but also help fight FUD. Embrace it!
@mattjay https://t.co/1hDcMAxyEH
@mattjay Use current versions of uv and pnpm11. MinAge. I sandbox all pnpm and uv invocations using something akin something like Anthropics sandbox-runtime. So even if a malicious code gets executed it is constrained in what it can access on filesystem and network egress (littlesnitch)…
@IAMERICAbooted Thanks! I would have missed this one!
Who to follow
Jakub Rozsypal
@jakubrozsypal
Security Studies master @charlesuni
|
Software development PM & BA - @SiteOne
|
Co-Chair of Greens Prague 1 - @zeleni
Avid urban cyclist & father of 3
Alexis La Goutte
@alagoutte
Network Engineer | Wireshark core dev (@wiresharknews) | QUIC (@quicwg) | Aruba / HPE (@arubanetworks) | VMware NSX (@vmwarensx) VCP-NV 2019 vExpert (NSX) 2020
Profitap
@Profitap
Profitap offers an all-in-one network observability platform, including Network TAPs, Packet Brokers, and traffic capture & analysis solutions.
. @mubix shared this on LinkedIn and thought some of you might find it useful: “A Practical Reprioritization Guide for CISOs Entering the AI Vulnerability Era”
https://t.co/UaJUb82ecG
Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation - @Blurbdust
https://t.co/uDS3MRUiV8
There goes the home planet. Anthropic discovered 600 open source vulns in well-fuzzed open source projects, using Opus 4.6.
https://t.co/Ti5cYSA3zb
It's time for action. A short thread.
Prediction: you will see documentation disappear from most proprietary softwares websites
Whenever I start making something, I always feel uncertain-- right up until the moment that I encounter real difficulty. It's only once I discover that there is something difficult involved that I start to feel comfortable.
Before that moment, it's hard to know that the thing I'm making is worth making. After all, why doesn't it already exist? If anyone can do it, shouldn't someone else have done it already? Is this just a bad idea that has already quietly failed many times before?
But when I encounter something really difficult, that's when I know why it doesn't already exist, and overcoming that difficulty with my obsessiveness and anything else I can bring to bear becomes exciting. It feels like an opportunity; a reason that something is worth doing.
When I say that I consider these to be "the last days of software development," it's because -- for a lot of my life -- knowing how computers work has been significant and valuable, because for most of my life, it has been possible to sit down at a computer, start making something, and encounter that difficulty everywhere.
I don't think eliminating software development as it has been is a negative development in the slightest. I think making software easy/free to build will have all kinds of positive effects for all of us.
And sure, maybe there will continue to be humans in the loop etc etc.. but I do think that this is the end of something that I invested a lot of time thinking about, in large part so I could sit down at a computer and start typing into an editor with some trepidation, until the moment that I encounter something which makes me stop and think "oh." And then smile.
@TheAppleDesign I use this but the trigger is Airpods disconnect 😉
@me_jd_solanki @_larbish One note, nuxt content still does not support private collections or pages. Pull request here but unlikely to land: https://t.co/XMT4HOTjfo
@T3chFalcon Hence mentioning phishing and avoiding the need to decrypt anything.
I was reading an older report from CrowdStrike the other day:
"CrowdStrike was able to reconstruct the PowerShell script from the PowerShell Operational event log as the script’s execution was logged automatically due to the use of specific keywords." [1]
Which reminded me of the post of @nas_bench :
"PowerShell has a list of suspicious keywords. If found in a script block an automatic 4104 event will be generated regardless of logging policy :)" [2]
You can look up the relevant code here (it's inside the SuspiciousContentChecker class.) [3] Nasreddine published the list here in a gist [4]
[1] https://t.co/9ettJqHezU
[2] https://t.co/iCayaHc0S4
[3] https://t.co/0Ch9WhCynS
[4] https://t.co/KpcLHsGJ48
![malmoeb's tweet photo. I was reading an older report from CrowdStrike the other day:
"CrowdStrike was able to reconstruct the PowerShell script from the PowerShell Operational event log as the script’s execution was logged automatically due to the use of specific keywords." [1]
Which reminded me of the post of @nas_bench :
"PowerShell has a list of suspicious keywords. If found in a script block an automatic 4104 event will be generated regardless of logging policy :)" [2]
You can look up the relevant code here (it's inside the SuspiciousContentChecker class.) [3] Nasreddine published the list here in a gist [4]
[1] https://t.co/9ettJqHezU
[2] https://t.co/iCayaHc0S4
[3] https://t.co/0Ch9WhCynS
[4] https://t.co/KpcLHsGJ48](https://pbs.twimg.com/media/G6l0qe3XwAAywyo.jpg)
You can generate SSH keys on the secure enclave of your Mac, and use that to connect to your servers.
Since the OS can’t read any data on the secure enclave, it’s much harder for the keys to get stolen. When you need to use the key, the system will perform biometric authentication and then sign the request using your private key on the secure enclave without your CPU ever seeing the private key.
Recommend using this if you have SSH private keys currently stored on disk
https://t.co/a2cUMSIIIf
@Cyb3rMonk In what sense?
🚨 Heads up, LinkedIn users!
On November 3rd, Microsoft will share your LinkedIn data to train AI models — and you’re opted in by default.
Here’s how to opt out:
Account > Settings & Privacy > Data Privacy > Data for Generative AI Improvement > Toggle OFF ✅
@nuxt_js This is great, thanks for the quality work!
@IAMERICAbooted Great stuff, thanks!
Last Seen Users on Sotwe
รุ่นแม่กับลูกชาย
Seen from Thailand
Boy...THC..🇭🇺
Seen from Thailand
விஜயலட்சுமி
Seen from Singapore
한국야동모음
Seen from Korea
ecuagians 
Seen from Portugal
شيخت لبدو
Seen from United States
Gece kuşu
Seen from Turkey
Dead Man
Seen from India
kosong
Seen from Malaysia
The Queen of Wheeze 🌹
Seen from United States
Most Popular Users
Elon Musk
@elonmusk
240.2M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109.4M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.4M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.7M followers
KATY PERRY
@katyperry
87M followers
Taylor Swift
@taylorswift13
80.9M followers
Lady Gaga
@ladygaga
72.4M followers
Kim Kardashian
@kimkardashian
69.5M followers
Virat Kohli
@imvkohli
68.9M followers
YouTube
@youtube
68.6M followers
Bill Gates
@billgates
63.5M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.5M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
60.1M followers