Christoffer Jerkeby
@kugg.bsky.social
Reposted by Christoffer Jerkeby
Me and @kugg.bsky.social spoke at @disobeyfi.bsky.social about playing hide-and-seek in Java land! We compare traditional Java exploitation with emerging software supply-chain attacks.

If you deal with Java and/or build servers, then this is for you!

www.youtube.com/watch?v=U5yF...
[D25] Playing hide and seek in Java land - Johnny Withad and Christoffer Jerkeby
YouTube video by Disobey
www.youtube.com
March 11, 2025 at 3:19 PM
Reposted by Christoffer Jerkeby
Funny that an app created by an anarchist with dreadlocks becomes official in Försvarsmakten (the Swedish Armed Forces). www.dn.se/sverige/appe...
The Signal app becomes official within Försvarsmakten
The app has threatened to leave the EU in protest against surveillance.
www.dn.se
February 13, 2025 at 2:49 PM
A commentary on our times: youtu.be/xwPhD3X6Tl0
En Glad Amatör - Tage Danielsson
YouTube video by Jan Viklund
youtu.be
February 8, 2025 at 10:48 AM
Reposted by Christoffer Jerkeby
Korea's attempted coup was no less dangerous or politically protected by career opportunists and cowards than the current coup in the US was.

It was shut down in 6 hours. The president was in jail within weeks.

It's only impossible to resist if you are convinced it is impossible to resist.
February 7, 2025 at 10:33 PM
Try some atmospheric youtu.be/9G9HPThcyBE
T.Power - Police State (Remastered - Full EP)
YouTube video by Cryptic Jungle
youtu.be
February 3, 2025 at 6:05 PM
Reposted by Christoffer Jerkeby
Last year, I committed to uncovering critical vulnerabilities in Maven repositories. Now it’s time to share the findings: RCE in Sonatype Nexus, Cache Poisoning in JFrog Artifactory, and more! github.blog/security/vul...
January 22, 2025 at 6:16 PM
Reposted by Christoffer Jerkeby
January 22, 2025 at 5:41 PM
Reposted by Christoffer Jerkeby
I really need the conversation not to veer towards "malicious contributors could just stealthily introduce bugs!" because 1) that's not what happened with xz-utils and 2) we all fuck up sooner or later and the last thing we need is to be accused of being sleeper intelligence agents.
April 4, 2024 at 1:01 AM
Reposted by Christoffer Jerkeby
I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission.

The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().

It's RCE, not auth bypass, and gated/unreplayable.
This might be the best executed supply chain attack we've seen described in the open, and it's a nightmare scenario: malicious, competent, authorized upstream in a widely used library.

Looks like this got caught by chance. Wonder how long it would have taken otherwise.
Woah. Backdoor in liblzma targeting ssh servers.

www.openwall.com/lists/oss-se...

It has everything: malicious upstream, masterful obfuscation, detection due to performance degradation, inclusion in OpenSSH via distro patches for systemd support…

Now I’m curious what it does in RSA_public_decrypt
March 30, 2024 at 5:13 PM
Is it possible to criminalize telemarketing? That is, a company may not call a customer (company or private individual) unless this has been agreed in advance.
March 10, 2024 at 2:05 PM
Reposted by Christoffer Jerkeby
Today, on the eighth of March, I can note that the security industry has not been the most gender-equal during the roughly thirty years I have worked in it. I still think awareness of this is surprisingly low among those who behave in the most "old-man-like" way.
March 8, 2024 at 11:47 AM
If there is one thing I have learned after a few years in appsec, it is that DAST and SAST only contribute a false sense of security. Only when the scanning is tailored as a regression check for already known problems does it have a positive effect on the end result.
March 2, 2024 at 11:08 AM
What are the consequences of the police hacking back? Strategies beyond right and wrong are discussed: dox, burn or delete, and in which order? directory.libsyn.com/episode/inde...
Operation Cronos - The Police Strike Back
With new methods come new positions to take. What are the consequences of the police hacking back? Strategies beyond right and wrong are discussed: dox, burn or delete, and in which order? Do you want ...
directory.libsyn.com
February 29, 2024 at 10:12 AM
A critique of the pentest industry. Competition has increased. The technical requirements make it hard for newcomers to get in. Find a niche. Skip consulting life, become an in-house tester first. Contribute to open research. assume-breach.medium.com/im-not-a-pen...
January 28, 2024 at 9:19 AM
Why would APPLE or ARM implement a hidden assembly instruction that disables memory protection on all devices? arstechnica.com/security/202...
January 10, 2024 at 3:41 PM
Can I interest you in a recording from my collection of floaty breakbeat IDM records from recent years? (It makes you smart) m.soundcloud.com/bigup2dance/...
bathtubreaks
Stream bathtubreaks by kugg jerkinsson on desktop and mobile. Play over 320 million tracks for free on SoundCloud.
m.soundcloud.com
December 5, 2023 at 7:14 AM
Reposted by Christoffer Jerkeby
I keep hearing that there's a void in the InfoSec community because of the uncertainty around Twitter/X. I wonder where this will take us. BlueSky? Mastodon? Or is the party over at Telegram and Discord these days?

P.S. I've been off of social media for a long time.
October 13, 2023 at 7:26 AM
I still have not found anyone I know here. Do I use a migration tool, or what's the plan?
October 6, 2023 at 9:58 AM
How do you make nervous people happy?
October 3, 2023 at 9:20 PM