En3pY - Sebastian Zdrojewski

12 Followers
151 Following
724 Posts
I'm trying to find a place to stick around.
Some #cybersec experience, some #watchguard knowledge, mostly into anime and comics. #DigitalArt enthusiast, I kind of enjoy talking about #ethics and #technology
Director at RightsChain Ltd.
LinkedIn: https://www.linkedin.com/in/sebastian-zdrojewski/
Company: https://www.rightschain.net/it/about.php
Contacts: https://rgts.ch/c/s.zdrojewski

#fridayrant! Happy Friday everyone, and here's this week's rant.

Speaking with a friend and colleague who systematically sends me #CVEs and fresh-of-the-day #exploits, we had an argument (always a pleasure to have one, btw) about #data #validation and other #cybersecurity issues.

My exact comment for this CVE (a #rabbitmq code injection) was: "if you don't sanitize your input and pass it to your application based on belief, you deserve the #code #injection".

Seriously, let's make a clear statement: how many #APIs do sanitize their input data? One of the very best answers I ever got was "but the data is sanitized on the client side".

Well, spoiler alert: nope. That's not gonna happen.

This problem is nothing new, truly: it's something I've been discussing since the early 2000s (actually after one of the very first applications I made was so badly injected that I still remember it to this day).

There is no such thing as "client side data sanitization".
You control everything coming to your application.

There is no such thing as "the #framework automagically solves this issue". You either know it or not. And if you use a framework, you probably have a legacy issue. Or will have one.

At the end of the day, #data is your main #asset and it provides value to your business and decisions.

Businesses stopped developing #software to solve problems, and often it sounds like arguing about divinities or alchemy.

It's a tool, not a magic wand.
But "any sufficiently advanced technology is indistinguishable from magic". So... are you a developer, or a believer?

Had the great honour of talking at the #GDPRday in #Bologna yesterday about #cybersecurity and #legal, with an audience made up primarily of #dpo and #lawyers.

Few things to stop believing:
- if you are not interesting, you won't be targeted by #cyberattacks: wrong, if you're connected to the internet, you're interesting
- #https websites are not "secure": the communication is, the malware from a compromised website will arrive on your computer digitally signed
- #IT and legal teams must work together: we're no paladins or heroes, we don't make the rules (as a former IT person)
- which one is worse? Losing your wallet or your phone?

While reviewing our browser logs, this one popped up: does anybody know the #Velen #Crawler #useragent?

The page states it's a data scraping tool for #AI, but it does not provide any information on who is collecting this kind of data.

The IP address was from the #Google #Cloud infrastructure, still no clue on who's the owner.

And thanks to the #GDPR's worst idea ever, hiding the #WHOIS information to "protect users", now we can't even try to understand who's behind this potential #dataabuse. ✌

Update: cleared down below in the thread

@bitdefender another example taken right now: #facebook #ad campaigns are spreading #malware throughout #googledrive

#Friday #Rant! At last!

I thought I was going to skip it this week, and yet, here we are.

LinkedIn, are you OK?

Over the last few months there has been an exponential increase in the amount of #malware content or links to sites more suited to p*rnhub than this social media.

The trend is growing on all platforms (on FB today I saw yet another example of malware being downloaded by following a sponsored link).

So the rant is: isn't it a bit of a mockery to talk about #cybersecurity through #socialmedia platforms that are increasingly getting used as an attack vector?

If I didn't have my @bitdefender #XDR properly configured, what could have happened while accessing a link posted in a #cybersec group?

If we talk so much about #zerotrust strategies, isn't it perhaps time to rethink everything from scratch? Starting with the dissemination tools we use?

Ideas? Opinions? Suggestions?

So on 21st of August we updated our instance at @RightsChain to the latest version of #Mastodon and this is what we started seeing: hundreds of e-mails being bounced back. I already made a post about this, but since it's a steady behavior, I wonder if anyone else is seeing this too.

Does anybody managing a #Mastodon instance have this issue too?

While reviewing our e-mail logs we found a massive number (thousands per day) of failed delivery attempts to the domain associated with our instance.

They are all rejected at the origin and look like an attempt at account enumeration, with multiple RCPT: attempts per request.

This has always been a thing, but since Aug 21st it literally exploded (coincidentally, it's the date when we upgraded to 4.1.6).

/cc @Mastodon

Want to see how much #microsoft #office cares about your #privacy? Try disabling the "send data to the #cloud" option, and see.

Every time you open any Office product, it will remind you how important it is and how you can enable the "online experience".

Every.
Single.
Time.

Yo #birdsite you ok? 😆