infosex.exchange <3

You are probably looking for the infosec.exchange Mastodon instance

This host is mostly for my random stuff, and in little part acts like a well-intentioned placeholder for the typosquatted domain.

Discoverability and Archiving

Currently I'm using this host for saving the items from my own feeds to the Wayback Machine and provide in-links for search engines. I hate that I have to do this, but the non-sense ideology of Mastodon pretty much ruined the search feature for Fediverse as a whole, and this wasn't changed by the fact that they owned their mistake and implemented search eventually.

Yes, I (or anyone else) could do similar things with other peoples published feeds, regardless of the tantrum. No, you can't defederate this, because the process doesn't rely on an instance.

Gluttony Section for Search Engines

@robpike
this post | permalink
[RSS] The Fragile Lock: Novel Bypasses For SAML Authentication

https://portswigger.net/research/the-fragile-lock
this post | permalink
[RSS] How Citrix Fixed an ESC1 Risk in Their Documentation

https://medium.com/@Debugger/how-citrix-fixed-an-esc1-risk-in-their-documentation-5051bf410139?source=rss-3ba65b326b28------2
this post | permalink
@gsuberland styropyro? :)
this post | permalink
@davidrevoy @eri that frog made my day <3 go frog!
this post | permalink
@damieng archive.ph seems to have at least some of it: https://archive.ph/IIOAR
this post | permalink
I recently posted about looking for an artist and got a bunch of replies.

Problem is 1) there are many obvious bots 2) those who are likely not bots also seem to use LLM/templates to communicate, making them look like bots.

If you don't want to get reported, use your own voice!

#fedihire
this post | permalink
@boblord That'd make sense, but unfortunately I don't know of any resources I could recommend (in part because of the reasons Hacklore exists...). I keep this in mind though and let you know if I find anything!
this post | permalink
@boblord I agree with your post and also that scanning QRs is not the problem (as stated on Hacklore).

Now that I look more into it, I think I found what's been bugging me about this point. It seems that QR is the only part where Hacklore expects extra work from the user:

"which is mitigated by existing browser and OS protections, and by **being cautious** about the information you give"

... but the recommendations don't say anything about how to "be cautious", while scams initiated via untrustworthy channels are a very real problem.

I think this should deserve a recommendation bulletpoint with at least some rules of thumb. I'm thinking along the lines of:

"If you are contacted via $untrused_comms to give out $sensitive_data, reject the request and initiate the contact yourself via $known_good" (may be simple enough to work if phrased carefully?)
this post | permalink
@boblord Wow that was quick, glad I could help!

I've been doing infosec for ~20 years but I only realized recently we communicate wrong after some relatives fell for QR-based scams and had to walk them through what happened.

I agree that determining risk is incredibly hard in this case and TBH I think "don't trust QRs" may be more effective than trying to teach everyone URLs, DNS and PKI...
this post | permalink
Next Page