Forwarded from vx-underground
It's so incredibly depressing seeing young people, such as Kai West a/k/a IntelBroker, throw away their lives.
Let's think about it for a second.
If Mr. West is found guilty (which he probably will), he is facing 20 years (or more) in federal prison.
Think about how insanely long 20 years is. When Mr. West is released from prison he will be about 45 years old. He will have spent a good portion of his adult life in a prison cell.
I myself personally will be well into my 50s. My son will be in his 20s.
Many of you, who I know interacted with Mr. West, will be well into your 30s, or 40s. Many of you will have settled down and be married with children.
Celebrities we know right now will become irrelevant or die. Many current politicians will succumb to old age and die. If Mr. West has any beloved pets they will be dead.
Assuming Mr. West's parents are in their 40s right now, when he is released they'll be considered senior citizens. Mr. West will spend every Christmas, New Year's, Birthday, and even funerals, behind bars thousands of miles away from his friends and family.
Think of how many Threat Groups and Threat Actors appeared 20 years ago. How many do you remember? How many of you remember zf0? Presumably very few.
In 20 years Breached and Raid will likely be a distant memory that will be brought up on occasion or when discussing the history of cybercrime. IntelBroker may or may not be discussed. Regardless, as life carries on he will be locked in a cell.
That sucks so much
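Wishing every member of the defending team: all entry points converged, every endpoint covered, zero data leaving the domain, zero points lost by the lead defender, a commendation in the report, situational awareness catching 0days, the cloud WAF blocking everything out, snacks on the day shift, a whole night of play on the night shift, and at handover error: You have an error in your sql syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near ' '' at line 1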
Forwarded from 鳖频道 (⑨BIE)
Folks, Redis just blew up: Redis HyperLogLog remote code execution vulnerability
https://mp.weixin.qq.com/s/CZJJFoxl_dnRfz3VfrDNWw
https://github.com/leesh3288/CVE-2025-32023
GitHub - leesh3288/CVE-2025-32023: PoC & Exploit for CVE-2025-32023 / PlaidCTF 2025 "Zerodeo"
Forwarded from Sukka's Notebook
Congratulations to Tailscale on obtaining 192.200.0.0/24 and 2606:B740:49::/48. Starting July 15, 2025 (UTC+0), Tailscale's API and control plane will begin using static IPs from these ranges.
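Lately I have been busy with blue-team operations work and doing research all over the place, and when I saw GCP's Security Posture management it straight-up broke me: their whole CSPM suite already aligns with compliance standards and even keeps up with the newest, hottest LLM products; policies, constraints and detectors are implemented and listed layer by layer, each with its own ID, to the point that it validates IaC directly.
By contrast, with domestic CSPM/ASPM: project managers are required to be able to drink, security developers write vulnerabilities, interfaces are closed, alerts come in floods, BAS is indiscriminate, and delivery just means throwing bodies at the problem. Meanwhile the senior blue-team grunts have to sit in meetings wrangling with dev, network, ops and management, while the junior blue-team grunts stare at screens day and night until they go dumb. If an "intermediate-level computer expert" breaks in, there is stern accountability; if nothing happens all day, management thinks you have no workload; if you spend too much, the audit department wants you to "come clean". In essence it is still a system about dealing with people: when the boss feels safe, you don't need to do security at all; when the boss panics, you have to put together, as cheaply as possible, a PPT full of devices, topologies and boxes to give him a sense of security, with no rational, quantitative metric anywhere.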
There are people tied to the tracks. You’re driving the metaphorical trolley. Maybe nobody told you you’re driving the trolley. Maybe they lied to you and said someone else is driving. Maybe you have no idea there are people on the tracks. Maybe you do know, but you’ll get promoted to L6 if you pull the right lever. Maybe you’re blind. Maybe you’re asleep. Maybe there are no people on the tracks after all and you’re just destined to go around and around in circles, forever.
But whatever happens next: you chose it.
We chose it.
https://apenwarr.ca/log/20250711
apenwarr.ca
Billionaire math
I have a friend who exited his startup a few years ago and is now rich. How
rich is unclear. One day, we were discussing ways to expedite th...
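Over the past few months I have seen, no fewer than 5 times on Telegram, people taken in by the same scam (never mind whether it caused actual financial loss), but earlier victims were never willing to tell us which accounts were posting the scam messages; recently we finally ran into a bro who was willing to talk.
The rough mechanism: the scammer tells stories in some sketchy hacking-technique groups about how he used hacking skills to turn the tables on scam sites, punishing evil and promoting good while pocketing their USDT along the way, in order to lure people in. Once someone actually comes to chat, the scammer has the victim go and find a "blackarch bastion host image", a "kali three-layer image" or the like on their own, with which they can supposedly "port the attack script and attack successfully". Meanwhile the scammer uses these two keywords to set up channels on Telegram and does SEO against Telegram's search bots, so the victim seems to have found a provider through their own search but has in fact walked into the trap. The scammer can then price the most ordinary VPS at several thousand yuan a month, induce the user to buy it, log in and run some meaningless script, and finally run off on the excuse that the target has strengthened its defenses.
What makes this scam clever? First, his pitch uses words like "kali", "blackarch", "jump host", "bastion host" and "three-layer network", which effectively filter for people who fantasize about making big money from hacking; at the same time, anyone who knows even a little security will think he is talking nonsense, so the smart people are filtered out too. Second, as mentioned above, he has a bait watering hole built around human behavior. Third, nothing turns up on Google's search engine; he carefully chose an information cocoon made of Telegram groups plus black/gray-market search engines, which keeps the whole thing concealed. Fourth, since black/gray activity is involved, victims often don't dare report it to the police. Evidently a scammer's money isn't that easy to earn either; too clever.
The hallmark of these victims is that even when several genuine offensive experts tell them it is fake, they still go and ask how to operate it, which shows that their greed has far outstripped their knowledge and ability, so getting scammed is inevitable.
If there were someone more purely and thoroughly malicious, ruthless enough to directly induce people to spin up some domestic servers to host telecom-fraud phishing pages, naive youngsters would muddle their way into an aiding-information-network-crime charge; thinking about it is even more thrilling.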
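First impressions on landing in Wuhan: honestly, having the current-stage Apollo Go (萝卜快跑) and Amap do the driving would be more human-like than the drivers and the transport regulators. Right out of Wuhan Station it is a death loop in which a horde of bizarre drivers needs bizarre regulators to manage them, and the bizarre regulators produce even more bizarre drivers.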
Forwarded from 今天abc看了啥🤔 (asfr | abc1763613206🤔)
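Praise for the Linux 201 project put out by USTCLUG; the content has been expanded to a quite thorough level: https://201.ustclug.org/
Unlike Linux 101, which focuses on basic literacy, I think 201 is a more advanced Linux server operations guide, very well suited to Power Users who need to understand the underlying principles in depth and handle complex problems. Whether for systematically learning the underlying principles behind surface-level things or as a quick reference for difficult problems, it has great practical value.
taoky says many pages are still blank and it is not yet finalized. I feel that once the content is complete, it could well serve as the designated textbook for new lab members getting started on shared servers, saving a lot of effort on training (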
201.ustclug.org
Linux 201
Linux 201 Advanced Tutorial