Interesting thought: [Wayback/Archive] Gamifying Security – Security Boulevard
Via [Wayback/Archive] CircuitSwan on Twitter: “…”.
–jeroen
Archive for the ‘Infosec (Information Security)’ Category
Gamifying Security – Security Boulevard
Posted by jpluimers on 2025/12/23
Posted in Blue team, Infosec (Information Security), Power User, Red team, Security | Leave a Comment »
If you develop web-sites, be sure their basics work without JavaScript, as JavaScript is a security risk
Posted by jpluimers on 2025/12/18
I have had JavaScript disabled by default for years now, which means that:
- if your site requires JavaScript, I will opt for an alternative
- I will block anything ad related, even if it means I cannot use your site
The reasons are simple:
- JavaScript has become a big security threat over time. Be it tracking (hello fingerprinting!), data leakage, direct attacks, supply chain attacks, sloppy code or other risks, JavaScript is not vulnerable just by itself, but especially the eco systems (hello npm – 2 attacks in September 2025 alone – and advertising networks) using it. Just a few references:
- [Wayback/Archive] The perils of JavaScript: How we’ve broken the internet’s security
- [Wayback/Archive] Most Common Security Vulnerabilities Using JavaScript – SecureCoding
- [Wayback/Archive] Supply Chain Security Alert: Popular Nx Build System Package Compromised with Data-Stealing Malware – StepSecurity
- [Wayback/Archive] Wormable Malware Causing Supply Chain Compromise of npm Code Packages – Arctic Wolf
- [Wayback/Archive] FingerprintJS | Identify Every Web Visitor & Mobile Device
- JavaScript has become a huge resource hog. Disabling JavaScript by default increased the snappiness and battery life of my laptops and smartphones significantly. In addition, it makes it way easier to read region-blocked content. Double win!
The below thread by [Wayback/Archive] Dr. Christopher Kunz (@christopherkunz@chaos.social) – chaos.social sparked me to finally write why and add some relevant links.
Thread:
Share this:
Posted in Development, Infosec (Information Security), JavaScript/ECMAScript, Power User, Scripting, Security, Software Development, Web Development | Leave a Comment »
i-am-shodan/USBArmyKnife: USB Army Knife – the ultimate close access tool for penetration testers and red teamers.
Posted by jpluimers on 2025/09/30
Now that I got pointed to this twice (see “Via” below), I need to get one so I can play with it: [Wayback/Archive] GitHub – i-am-shodan/USBArmyKnife: USB Army Knife – the ultimate close access tool for penetration testers and red teamers.
Via:
Share this:
Posted in *nix, *nix-tools, Blue team, Bluetooth, Development, Encryption, ESP32, Hardware, Hardware Development, Hardware Interfacing, Home Audio/Video, HTTPS/TLS security, Infosec (Information Security), Network-and-equipment, Power User, Red team, Software Development, WiFi, Wireshark | Tagged: USBArmyKnife | Leave a Comment »
0x00 – Introduction to Windows Kernel Exploitation //
Posted by jpluimers on 2025/05/27
On my reading list (plus read/watch the links it mentions): [Wayback/Archive] 0x00 – Introduction to Windows Kernel Exploitation // by [Wayback/Archive] wetw0rk (@wetw0rk_bot) / X ([Wayback/Archive] wetw0rk.github.io).
Hopefully by now, more episodes have been published.
Links from this one, including archived versions split in the same sections as the above article:
- [Wayback/Archive] you need to learn Virtual Machines RIGHT NOW!! (Kali Linux VM, Ubuntu, Windows) – YouTube
- [Wayback/Archive] Debugging Tools for Windows – Windows drivers | Microsoft Learn (WinDbg)
- [Wayback/Archive] GitHub – hacksysteam/HackSysExtremeVulnerableDriver: HackSys Extreme Vulnerable Driver (HEVD) – Windows & Linux
- [Wayback/Archive] OSR Online Downloads:Driver Loader
- [Wayback/Archive] Welcome to Python.org
- [Wayback/Archive] Ghidra
- [Wayback/Archive] GitHub – wetw0rk/Sickle: Payload development framework
- [Wayback/Archive] exploit writing tutorial part 1 | Corelan Cybersecurity ResearchCorelan Cybersecurity Research
- [Wayback/Archive] GitHub – wetw0rk/MBE-NOTES: This repository will serve as the “master” repo containing all exploit code and notes in regards to the Modern Binary Exploitation course by RPISEC.
- [Wayback/Archive] Corelan Consulting – Exploit Development Training for Windows
- [Wayback/Archive] Security Training Reimagined | RET2 WarGames
- [Wayback/Archive] RET2 SYSTEMS WarGames Review
- [Wayback/Archive] How to configure WinDbg for kernel debugging
- [Wayback/Archive] Win7 and _KPCR?
- [Wayback/Archive] windows-internals/IRP Major Functions List.md at master · ayoubfaouzi/windows-internals · GitHub
- [Wayback/Archive] Kernel Exploitation on HEVD #1: Stack Overflow + Environment Setup – YouTube
Via [WaybackSave/Archive] Alex Plaskett on X: “0x00 – Introduction to Windows Kernel Exploitation by @wetw0rk_bot …”.
--jeroen
Share this:
Posted in Development, Infosec (Information Security), Red team, Security, Software Development | Tagged: 1 | Leave a Comment »
Cyber Gangsta’s Paradise | Prof. Merli ft. MC BlackHat [Parody Music Video] – YouTube
Posted by jpluimers on 2025/05/16
Cyber Gangsta’s Paradise | Prof. Merli ft. MC BlackHat [Parody Music Video] – YouTube [Wayback/Archive]
Cyber Gangsta’s Paradise; professor Merli featuring MC Blackhat
#ParodyMusicVideo #cybergangster #paradise #reimtsich
Via @christopherkunz@chaos.social [Wayback/Archive]
The video is on the walled garden called Instagram as well, but since I intentionally don’t have an account there accessing is hard. Anyway, it is at: [WaybackSave/Archive] Instagram: „Cyber Gangsta’s Paradise“ feiert Premiere 🎶🎬.
In the past, picuki was an alternative. Now it fails for instagram content. [Wayback/Archive] Instagram Reels Download with Reels Downloader got me to [Wayback/Archive] cdninstagram, which in the end worked.
Transcript (via Google, typos all mine), song-text (from video description), and of course the credits:
Share this:
Posted in Blue team, Cyber, Infosec (Information Security), Power User, Red team, Security | Tagged: cybergangster, paradise, ParodyMusicVideo, reimtsich | Leave a Comment »
Reminder to self: re-check the Dotpe API Security Breach — bool.dev
Posted by jpluimers on 2025/03/04
Still public merchant information
It looks like some store and merchang APIs were not protected back when [Wayback/Archive] Dotpe API Security Breach — bool.dev was published.
Reminder to self: check their status now as I can’t believe their “human error” got fixed properly.
History (reverse chronological order):
- [Wayback/Archive] How DotPe’s ‘Human Error’ Exposed Confidential Customer API Data
- [Wayback/Archive] Deedy on X: “Today, Google-backed DotPe locked down their APIs by rate-limiting by IP on /external/merchant and blocking others. They sent a legal notice to the author before fixing it and haven’t publicly acknowledged the issue at all. Companies must be held accountable for poor security.…”
[Wayback/Archive] Tweet JSON: [Wayback/Archive] GYSlTthakAEoojp.png:orig (2346×1838)
-
Now protected private API
[Wayback/Archive] Deedy on X: “6 hours later, the API is still very much public! …”
[Wayback/Archive] Tweet JSON: [Wayback/Archive] GYK38dXbkAEEEs_.jpg:orig (1358×1798)
Share this:
Posted in Communications Development, Development, HTTP, Infosec (Information Security), Internet protocol suite, REST, Software Development, TCP, Web Development | Leave a Comment »
What’s inside the QR code menu at this cafe? – by peabee
Posted by jpluimers on 2024/09/27
This is why I do not trust ordering via QR-code: you never know how good (or usually bad, often even non-existent) their security is.
[Wayback/Archive] What’s inside the QR code menu at this cafe? – by peabee is a really bad example about Google backed DotPe: they have zero-auth and by now have rated limited API access by IP address.
…
I went to a cafe near my home. I sat down and scanned the QR code on the table. It took me to a website displaying the cafe’s menu. It asked me for my name and Whatsapp mobile number. I entered the details and placed the order.
In 5 mins my order arrived at the table. There was no OTP verification, and no one came to confirm the order. Is this what the peak ordering experience looks like?
It was a slow workday, and I thought I might as well open this QR code website on my laptop and have a quick look under the hood. Maybe I should’ve just made my own coffee and stayed home because I didn’t realize I was opening a can of worms.
…
This kind of zero-auth is not infrequent: the Panels API and CDN were wide-open too: [Wayback/Archive] https://storage.googleapis.com/panels-api/data/20240916/media-1a-i-p~s
Share this:
Posted in Authentication, Development, Infosec (Information Security), LifeHacker, Phishing, Power User, Security, Software Development | Tagged: 1 | Leave a Comment »
XZ 5.6.x are backdoored and present in many systems: downgrade to 5.4.x or earlier now; consider libarchive compromised until proven otherwise
Posted by jpluimers on 2024/03/30
Edit 20240331: because of
https://mastodon.social/@kobold/112183756981119562
Debian is working on reverting back to even earlier than 5.4.x
[Wayback/Archive] #1068024 – revert to version that does not contain changes by bad actor – Debian Bug report logs
> I'd suggest reverting to 5.3.1. Bearing in mind that there were security> fixes after that point for ZDI-CAN-16587 that would need to be reapplied.
Note that reverted to such an old version will break packages that usenew symbols introduced since then. From a quick look, this is at least:- dpkg- erofs-utils- kmod
Having dpkg in that list means that such downgrade has to be plannedcarefully.
Original post:
Everything I know about the XZ backdoor
- [Wayback/Archive] Everything I know about the XZ backdoor
- [Wayback/Archive] blog.holz.nu/2024/03/29/0.html: xz wurde gebackdoort
- [Wayback/Archive] xz-utils backdoor situation · GitHub
Note that because of the Wayback Machine limit of 5 archivals per URL per day, the archived versions are rapidly getting out-of-date.
It is way worse:
[Wayback/Archive] Thread by @_ruby on Thread Reader App – Thread Reader App
@_ruby: The setup behind the CVE-2024-3094 supply-chain attack is fascinating. I originally wanted to finish and share a tool to audit other OSS projects for anomalous contributor behavior, but I feel what I found tr……
How it was found:
Analogy on how it was found:
Via:
Related:
If you are running homebrew on a Mac, then update too:
Of course this “XKCD dependency” adoption applies:
[Wayback/Archive] GJ4KvbeWIAAS_mu (535×680)
Share this:
Posted in C, Compression, Development, Infosec (Information Security), Power User, Security, Software Development, xz | Leave a Comment »
All the Cyber Ladies: Een podcast voor, door en over vrouwen in cybersecurity. – PodcastFeed
Posted by jpluimers on 2023/06/20
Een ontzettend belangrijke podcast is [Wayback/Archive] All the Cyber Ladies – PodcastFeed
Een podcast voor, door en over vrouwen in cybersecurity.
Ik mis geregeld de periode van 30-35 jaar terug waarin IT-teams vaak “gewoon” uit 25% vrouwen bestonden. Gemêleerde teams zijn van onschatbare waarde voor goed functionerende IT, niet alleen vanuit oogpunt van #a11y en #inclusie: ook voor information security.
De tijd maakt inmiddels gelukkig een inhaalslag: er komen steeds meer vrouwen in de IT en je merkt gestaag dat teams diverser worden. All the Cyber Ladies draagt eraan bij dat proces binnen information security verder te versnellen.
De podcast is begin juni dit jaar van start gegaan en heeft nu al een trouwe schare volgers die hopelijk verder groeit naarmate Google deze hoger in de zoek-index opneemt.
Uiteraard is er ook een [Wayback/Archive] All the Cyber Ladies – PodcastFeed RSS zodat je die aan je eigen Podcast Player kunt toevoegen (en vaak staat die er al zoals bijvoorbeeld bij [Wayback/Archive] Player.FM: All The Cyber Ladies podcast)
Via [Wayback/Archive] Lucinda on Twitter: “@jpluimers Zeker!! Je kan de podcast in veel andere players vinden. https://t.co/ksUB8Hd7e4” / Twitter.
–jeroen
Share this:
Posted in accessibility (a11y), Awareness, Cyber, Development, Inclusion / inclusive society, Infosec (Information Security), Power User, Security, SocialMedia | Leave a Comment »
The Wiert Corner - irregular stream of stuff 