179 Followers
203 Following
220 Posts

DFIR / digital archaeologist / codez / vetz / hamz.

I'm an archaeologist who digs through digital dirt to find artifacts of battles with mercenaries fought within corporate empires. I often analyze fragments of rotting logs to reconstruct historical events.


"As long as you are green, you will grow; when you are ripe, you will rot" (4eva a n00b).

Laserkittens! Blockchain tacoz!


All my opinionz are belong to me (and are typically goofy).

#DFIR #BlueTeam #infosec #cybersecurity #ThreatIntel #TTPs #IOCs #ReverseEngineering #reversing #malware #MalwareAnalysis #ransomware #HamRadio #PrivacyLaw #privacy #hacking

#programming :: #python  && #golang  && #csharp && (begrudgingly) #cpp #cplusplus  && (learning) #rust #rustlang 

Bio / Linkz: https://4n68r.com
Twitterz: https://twitter.com/4n68r
Country: United States of America
Region: Northwest Indiana (Chicagoland), AKA "Da Region"

(aikido.dev) Google API Key Revocation Delays: A 23-Minute Window for Attackers to Exploit Leaked Credentials

Google API keys on GCP remain active for up to 23 minutes post-deletion due to eventual consistency, creating a critical window for attackers to exploit leaked credentials. Revocation delays (median 16m) enable data exfiltration via services like Gemini or other enabled APIs. Google classifies this as "won't fix."

In brief - Google API key deletion does not revoke access immediately, leaving a 23-minute window for attackers to exploit leaked keys. Organizations must treat key deletion as a 30-minute operation and monitor for misuse.

Technically - Revocation delays stem from eventual consistency in Google's infrastructure, with regional disparities (e.g., 82% success in us-east1 vs. 32% in asia-southeast1 post-deletion). Legacy Google API keys are uniquely affected, while Service Account and Gemini API keys revoke faster (5s–1m). No visibility into revocation status is provided in GCP console, and invalid requests aggregate under `apikey:UNKNOWN`.

Source: https://www.aikido.dev/blog/google-api-keys-deletion

#Cybersecurity #ThreatIntel

Google API keys keep working after you delete them long enough to be exploited

Deleting a Google API key doesn't revoke it immediately. Our testing found successful authentications up to 23 minutes after deletion, and Google has declined to fix it.

When output quality is decoupled from competence, the workplace becomes a hall of mirrors. Another good read on the death of human judgment in the age of AI: https://nooneshappy.com/article/appearing-productive-in-the-workplace/

YellowKey #Bitlocker Bypass Vulnerability. Unsure if this is legit or not, but interesting: https://github.com/Nightmare-Eclipse/YellowKey

GitHub - Nightmare-Eclipse/YellowKey: YellowKey Bitlocker Bypass Vulnerability

Love that the tagline is "for humans and agents." The same abstraction that hides port conflicts from developers hides port-based IOCs from your SOC. Accidentally elegant. https://github.com/vercel-labs/portless

GitHub - vercel-labs/portless: Replace port numbers with stable, named local URLs. For humans and agents.

Turns out "what if AI gets too smart?" was the wrong question. "What if we just hand it all our keys and walk away?" was sitting right there. Classic enshittification arc: make it frictionless to use, make it catastrophic to secure, act surprised when the two meet. https://honnibal.dev/blog/clownpocalypse

The looming AI clownpocalypse · honnibal.dev

Exploits will soon be cheaper to develop autonomously than they earn. What then?

Reminder that "the cat is out of the bag" hits different when the cat deleted your passkey and now your dead grandmother's photos are gone forever. Great post on PRF misuse from @timcappalli -- https://blog.timcappalli.me/p/passkeys-prf-warning/ #passkeys

Please, please, please stop using passkeys for encrypting user data

Passkeys are the future of authentication, but using them for data encryption is a disaster waiting to happen. Overloading these credentials creates a dangerous blast radius that can lead to the irreversible loss of a user's most sacred memories and documents.


AOL has now shut down dial-up service as of September 30.

Let us play the forgotten music...

The COM marshaled object header (it's always #Caturday )

I wrote up a thing on how to hunt for CitrixBleed 2 exploitation

https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71

CitrixBleed 2 exploitation started mid-June — how to spot it

CitrixBleed 2 — CVE-2025-5777 — has been under active exploitation to hijack Netscaler sessions, bypassing MFA, globally for a month.


Was fun co-presenting at AWS re:Inforce with my colleagues from Unit 42 and AWS earlier this week and hanging out with awesome friends.

If you haven't checked out the Threat Technique Catalog for #AWS at https://aws-samples.github.io/threat-technique-catalog-for-aws/ ... you should!

Threat Technique Catalog for AWS - Threat Technique Catalog for AWS (TTC)