15 minute important read: [Wayback/Archive] the 90 day disclosure policy is dead :: Himanshu Anand :: Threat Notes
TL;DR: (not sugar coated; read the full post and their follow-ups on the why and how)
Posted by jpluimers on 2026/05/19
Posted by jpluimers on 2026/05/07
A few years back this trick was shown to screw up %windir%\system32: [Wayback/Archive] Patrick Doyle on Twitter: “@SwiftOnSecurity @RoseAreaZero Delete any file in three easy steps: > takeown /F "example.ext" > icacls "example.ext" /grant "%USERNAME%":F > del "example.ext"”.
Like [Wayback/Archive] SwiftOnSecurity (@SwiftOnSecurity) / Twitter (see the long thread further below), I was expecting that Windows would either prevent you from doing this at all, or allow for easy recovery with System File Protection (now Windows File Protection).
That didn’t prevent or recover it back then.
I wonder if that has been changed by now.
From the above Tweet:
Delete any file in three easy steps:
> takeown /F "example.ext"
> icacls "example.ext" /grant "%USERNAME%":F
> del "example.ext"
Posted by jpluimers on 2026/05/04
Today as well, a quick reminder of the NLUUG spring conference 2026 on (this coming) Thursday 7 May 2026 at the Van der Valk Hotel Utrecht¹.
This time because a good friend of mine is speaking there. Arjen Lentz will talk about A Wizard’s Guide to Foreseeing the Unseen.
That may sound vague, but the concrete result is that analysing CVEs tells you a lot about their real root cause. That root cause turns out to be surprisingly predictable, is fixable, and knowledge about it is not only useful for adversaries. It can in fact help you with development and with selecting what you use yourself.
The full programme is below², but first the announcement from [Wayback/Archive] L⭕️rd Quux RCX CCX: “In a week it is time! The only NLUUG conference of 2026. …” – Mastodon
Posted by jpluimers on 2026/04/10
Cool: [Wayback/Archive] scr.im « Share your email in a safe way. Get less spam.
Bumped into this via [Wayback/Archive] Mary Branscombe (@marypcbuk) / Twitter.
At the time of writing, it had an invalid TLS certificate, so you would get red warnings when accessing it over HTTPS.
Hopefully that has been fixed by now.
It’s not exactly security through obscurity, but it allows people to access your email after solving a captcha, so it is not 100% secure but a lot more secure than otherwise.
I found it 5 years after mailhide got discontinued by Google. I used it on my [Wayback/Archive] Contact form through mailhide.recaptcha.net, which Google slowly killed without me noticing, likely because Google didn’t want to upgrade it from using reCAPTCHA v1 to v2 or v3:
Posted by jpluimers on 2026/04/08
Not just for red teamers (:
[Wayback/Archive] GitHub – D00Movenok/BounceBack: ↕️🤫 Stealth redirector for your red team operation security
Via [WaybackSave/Archive] Florian Roth ⚡️ on X: “This is a legitimate part of red teaming”
[Wayback/Archive] Tom Dörr on X: “Reverse proxy hides infrastructure from scanners …”
--jeroen
Posted by jpluimers on 2026/02/25
Often I need to generate passwords or uuids (on some systems called guids). I usually try to do that in a relatively platform agnostic way as I use MacOS, Windows and Linux in various mixes for many reasons (for instance that I developed quite hefty RSI in the early 1990s and the best keyboard/pointing-device combination for that is the MacBook built-in keyboard/touchpad combination, so basically MacBooks are my window to all other operating systems).
Generating them randomly with a good random number generator makes sense, as for most usage it is important that both passwords and uuids are hard to guess, which means having an entropy that is as high as possible.
A cool thing about OpenSSL is that:
hex (hexadecimal) and base64 (next to the default of octet – or by today’s naming convention byte – output)
The easiest to generate are passwords. Yes, I know that password managers can do this too, but there are some systems I cannot use them on or sync between them (don’t you love the corporate world), so my aim is to use a random password generator in a platform agnostic way whose usage is easy to remember.
Posted by jpluimers on 2026/01/21
Interesting video explaining Intel’s Management Engine, which has been the Intel Inside part of about every Intel chipset since 2008: [Wayback/Archive] The Intel Nobody Can Remove (Not Even You) – YouTube
This is very relevant as it runs on a lightweight operating system called Minix, and there is a move from attacks on end-user operating systems on personal computers and mobile phones towards edge devices running lightweight operating systems (not limited to Citrix, Ivanti, Fortinet, Palo Alto, Cisco, SonicWall and Juniper – for a potential OS list see Category:Lightweight Unix-like systems – Wikipedia).
More sources have started warning about this, see for instance [Wayback/Archive] Network security devices endanger orgs with ’90s era flaws | CSO Online and [Wayback/Archive] Security Appliance Vulnerability Bingo 2025 – Google Regneark.
Hopefully [Wayback/Archive] Dr. Christopher Kunz | heise online will have created a cku.gt/appbingo26 this year.
--jeroen
Posted by jpluimers on 2026/01/20
Nice memories of the TBAV/ThunderByte Anti-Virus story.
Together with Jeroen Smulders, I was sort of on the sideline in the early days, as we both were at the university and had access to FidoNet (I as host, the other Jeroen as point), Internet, mailing lists and newsgroups.
I used it because it was the fastest virus scanner around and a necessity when scanning all incoming FidoNet data for viruses (I had seen at university what damage a spread could do).
Some VIRUS-L, comp.virus and book links from that past:
Posted by jpluimers on 2026/01/01
Cool, since I switched to Let’s Encrypt a long while ago, I missed that various tools now require TLS expiration be no longer than 398 days away (and preferably even 397 days).
So I also missed the reason for that specific number of days. [Wayback/Archive] ssl – Why was 398 days chosen for TLS expiration? – Stack Overflow (thanks [Wayback/Archive] stevendesu and [Wayback/Archive] user10063)
answers it:
366+31+1 = 398 days
It equals one leap year + one month + “a little room to handle the messiness of dates.”
then posts a lot of quotes from references to the history on how that reason came to be. I have archived and listed the links below.
Most of the discussion was during a very hectic time in life: after a bad single-sided accident my mentally retarded brother was in, and while assisting him during his recovery period, I developed cancer and had extensive treatments against it. All the more reason for missing all this:
Posted by jpluimers on 2025/12/23
Interesting thought: [Wayback/Archive] Gamifying Security – Security Boulevard
Via [Wayback/Archive] CircuitSwan on Twitter: “…”.
–jeroen