linuxmagazine, to python

Did you miss the Linux Update newsletter yesterday? Read it now and subscribe free to get it every Thursday! https://mailchi.mp/linux-magazine.com/linux-update-python-in-the-browser #Python #Linux #JunoComputers #SnoopGod #pentesting #Xidel #AlmaLinux #FOSSASIA #Docker

Heliograph, to mastodon

nice write up in #TheCrux thanks @daedalus :awesome: 👏

"​Federated social media software #Mastodon had an impersonation vulnerability that was patched last week. More than half the instance admins patched it in less than 24 hours. I enjoyed the comment from Elliott Wilkes, chief technology officer at Advanced Cyber Defence Systems, saying “there's just not the same investment in security because there's not massive revenue supporting the platform, and each owner of an instance has to perform security management on their own” as I look wistfully in the direction of Microsoft and its massively lucrative portfolio of security binfires."
Bugs were reported by German #pentesting outfit #Cure53 during a #Mozilla-requested audit.
https://www.theregister.com/2024/02/02/critical_vulnerability_in_mastodon_is/ #fediverse #socksup

YourAnonRiots, to Cybersecurity Japanese

Reviving Exploits Against Cred Structs - Six Byte Cross Cache Overflow to Leakless Data-Oriented Kernel Pwnage https://willsroot.io/2022/08/reviving-exploits-against-cred-struct.html #Pentesting #CyberSecurity #Infosec

YourAnonRiots, to Cybersecurity Japanese

Form Tools Remote Code Execution: We Need To Talk About PHP https://labs.watchtowr.com/form-tools-we-need-to-talk-about-php/ #Pentesting #CyberSecurity #Infosec

AstraKernel, to rust

🪲 Shellcode evasion using WebAssembly and Rust

👉 Delivering a Metasploit stager payload using WebAssembly to evade AV detection

https://balwurk.com/shellcode-evasion-using-webassembly-and-rust/

ericmann, to php

I write #php. I'm pretty good with #security. I'm open to doing tech/architecture/code/security reviews for either PHP or specifically #WordPress projects. This includes #pentesting.

I'm not spinning up a dedicated site to solicit leads yet. But if this is a space you work in and you're interested in hiring a consultant/contractor to get you to the finish line ... drop me a DM.

Or email eric@eamann.com and we can discuss scopes/timelines/budgets.

apiratemoo, to hacking

I found this article refreshing for its honesty.

"On a side note, have you noticed how many “training” sites there are now? It’s almost like people are making more money teaching hacking than actually doing it."

I agree, but it's worth noting the education market has been saturated with non-material, often designed as a ploy to encourage spending for a very long time now.

A cogwheel grift to get people spending.

Training resources (and the industry) suffer from the following issues:

  • Redundancy
  • Unnecessary word bloat
  • Staleness to dynamic alternatives
  • Outdated and unrealistic

https://assume-breach.medium.com/im-not-a-pentester-and-you-might-not-want-to-be-one-either-8b5701808dfc

#hacking #infosec #informationsecurity #penetrationtesting #pentesting
#hack

secbsd, to infosec Spanish

🔐 SecBSD 1.4 Released for ARM64!

We are thrilled to announce the release of SecBSD 1.4 for Raspberry Pi, Apple M1/M2, Pine64 and more!

Download SecBSD 1.4 for ARM64:

https://mirror.secbsd.org/pub/SecBSD/snapshots/arm64
https://mirror.laylo.nl/pub/SecBSD/snapshots/arm64

Supported hardware:

Apple Mac mini (M1, 2020)
Apple MacBook Air (13-inch, M2, 2022)
Apple MacBook Air (M1, 2020)
Apple MacBook Pro (13-inch, M1, 2020)
Apple MacBook Pro (13-inch, M2, 2022)
Apple MacBook Pro (14-inch, M1 Pro/Max, 2021)
Apple MacBook Pro (14-inch, M2 Pro/Max, 2023)
Apple MacBook Pro (16-inch, M1 Pro/Max, 2021)
Apple MacBook Pro (16-inch, M2 Pro/Max, 2023)
Apple MacBook Air (15-inch, M2, 2023)
Apple Studio (M1 Max/Ultra, 2022)
Apple iMac (24-inch, M1, 2021)
Banana Pi BPI-M5
NanoPi A64
NanoPi R5S
Orange Pi PC2
Orange Pi Zero Plus
Pine64 H64
Pine64 Pine 64/64+
Pine64 Pinebook
Pine64 ROCK64
Pine64 ROCKPro64
Pinebook Pro
Qualcomm Snapdragon 7cx
Qualcomm Snapdragon 8cx Gen 3
Raspberry Pi 3
Raspberry Pi 3 Model B+
Raspberry Pi 4
Raspberry Pi 400
Raspberry Pi Compute Module 4

In the coming days, we'll be adding more hacking tools for arm64. Stay tuned for updates!

#SecBSD #OpenBSD #Hackers #infosec #hacking #CyberSecurity #Hacktivism #BSD #Pentesting #RUNBSD #OpenSource #security #privacy #RaspberryPi

YourAnonRiots, to infosec Japanese

Introduction to Kismet | Kismet Wireless: Network Monitoring and Analysis | Hakin9

https://youtube.com/watch?v=NWpvswSlcKw

SecureOwl, to infosec

One of the best, and most underrated ways to get the most out of a pen test is to be a good pen test client. Seems easy, but you’d be surprised. What does it mean to be a good pen test client?

  1. make sure all the pre-test tasks, like provisioning of credentials, needed approvals etc, are completed well ahead of time. You ain’t paying the pentester to stand around and wait for access to be provisioned - so don’t. They also don’t want to stand around. They want to be pentesting.

  2. be responsive to questions and clarifications requested during the engagement. Pentesters have a tiny time window in which to maximize the value they can give you. Help them, don’t hinder them.

  3. give feedback on reports. Good, bad, neutral. Whatever, a lot of work goes into writing them (it should anyway, no ChatGPT you sneaky buggers), make people feel like their work has been reviewed accordingly.

  4. don’t fight to have things removed from the report because they are embarrassing. Fix the issue, have the tester retest and move on. You can say “we had a bug and our testing found it”, which is why you had a pen test in the first place. Putting pressure on people to hide finds isn’t fair.

  5. if you want a non-standard report format, mention that before the test begins. It’s your right to ask for the test results to be delivered to you however you please - in a spreadsheet for example, but asking a tester to reformat a report completely after delivery is lame. Don’t do it.

#infosec #pentesting #pentest

SecureOwl, to infosec

The Infosec Diaries: A collection of short stories, each episode in each series is based on a real-life story from the field.

Available on Kindle, Paperback and Audiobook

https://www.infosecdiaries.com

#infosec #DFIR #pentest #pentesting #cybersecurity #cybersecurityreads

AstraKernel, to infosec

🪲 Don't just stop at creating a video to crack software; also tag the corresponding software provider in the tweet

🤯 😅😂

#infosec #cybersecurity #Pentesting

null0perat0r, to Cybersecurity

Great research on how a Bitwarden vault could be opened without password or biometrics via its Windows Hello implementation.
#redteam #pentesting #CyberSecurity #passwordless
https://blog.redteam-pentesting.de/2024/bitwarden-heist/

bane, to Cybersecurity

Looking for contract work or leads. I finished setting up my company, so any potential work will be appreciated.

I can start as soon as possible.

https://secureorigin.io

kpwn, to infosec

CVE Crowd Top 10: Rank 10 to 7

The year is coming to a close. Take a look back with me at which CVEs were the most popular on https://cvecrowd.com.

See information about CVEs and popular posts below 🧵

#Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking #CVE #CveCrowd

kpwn, to infosec

Huge update to https://cvecrowd.com - the place to go for current discussions about the latest CVEs.

I have now added the federated timeline of infosec.exchange as a data source.

This should find posts from non-Mastodon instances much more reliably than before!

Read more below 🧵

#Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking #CVE #CveCrowd
