Max Maass 

@hacksilon@infosec.exchange

Sr. Security Specialist at iteratec // @seemoo alumni // Member of CCC // Crypto means cryptography.

tfr.

Blog: https://blog.maass.xyz
GitHub: https://github.com/malexmave
Pixelfed: https://pixel.infosec.exchange/@hacksilon
Pronouns: he/him

Dear #AppSec community!

(English below)

We *) have now officially opened the Call for Presentations for the German #OWASP Day 2025 and are looking forward to an exciting conference!

The GOD, as it is traditionally called, will take place this year on 26 November in Düsseldorf, with training sessions the day before and the usual networking event the evening before.

We want to build on last year's conference in Leipzig, which was very well received, and are looking for you as a speaker. If you have an exciting topic that you would like to present there, we would be delighted if you submitted your idea to the programme committee. You can find the CfP at https://god.owasp.de/2025/cfp . We have slots with 20 and 40 minutes of presentation time.

If you know friends or colleagues who might like to present their topic in Düsseldorf, please pass this on.

-----

We've *) just opened the Call for Presentations for the German OWASP Day 2025 and are very much looking forward to an exciting conference again.

This year's conference, traditionally nicknamed GOD, will take place on November 26 in Düsseldorf with training sessions the day before and the usual networking event the evening before.

We want to build on last year's conference in Leipzig, which was very well received, and thus are looking for you as a speaker. If you have an exciting topic that you would like to present in Düsseldorf, we would be delighted if you would submit your idea to the program committee. You can find the CfP at https://god.owasp.de/2025/en/cfp.html . We have slots with 20 and 40 minutes of presentation time.

If you have friends or colleagues who might be interested in presenting their topic, please pass this on.

*) As every year, "we" means a team of people who put this together on a volunteer basis with a great deal of commitment.

As every year, "we" is a team of volunteers who put this together with a great deal of commitment.

German OWASP Day 2025

Some ✨ personal news ✨: I'm starting my independent consultancy, focused on helping organizations do good things with privacy-enhancing technology 🎉

It's called Hiding Nemo, and you can read all about it on our website ➡️ https://hiding-nemo.com 🪸

Hiding Nemo — Unlock the value of your data, without losing user trust.

An independent consultancy helping organizations do more with data in a safe and respectful way, with built-in compliance. Get in touch!

AAAAAAAAAAA MONDAY
I really don’t understand the push for a computer to replicate what goes on in the human brain. I mean, I know what goes on in mine and it just seems ill advised for a computer to be thinking those thoughts.
The attempts by law enforcement & governments to subvert end-to-end encryption are ongoing. The European Commission is going to spend a year thinking about their new "Roadmap for law enforcement access to data", and they are (genuinely) asking for people to join their expert group to help. Here I urge you to join that group (also because I can't): https://berthub.eu/articles/posts/possible-end-to-end-to-end-come-help/
Possible End to End to End Encryption: Come Help - Bert Hubert's writings

tl;dr: The European Commission is honestly asking for experts to advise them on ways to institute “effective and lawful access to data for law enforcement”. If you are an expert, I urge you to apply to join this group. You have until September 1st. Do read on for more details! The never-ending battle where police and intelligence services demand more/total access to communications shows no sign of stopping, even in the face of mathematical and practical impossibilities.

Bert Hubert's writings

Would you like to end the constant drumbeat of ill-informed legislative proposals that threaten to destroy end-to-end #encryption in #OpenSource #software? Are you from #Europe? Can you demonstrate your expertise? Then why not apply to join the European Commission's Expert Group for a Technology Roadmap on Encryption (E04005). Deadline is September 1st, don't be late.

https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&groupID=4005

Looking to install two LED strips at home. Desired features:
- Controlled via WiFi or #Zigbee
- #HomeAssistant integration
- RGBW strips, individually addressable
- Either comes with a diffusor or is compatible with standard diffusors (is "not being compatible with that" even a thing?)
- Length: Two strips of ~2 Meters each, ideally with a shared controller and PSU to avoid duplicating functionality, but I'm willing to compromise here
- I'm willing to pay a certain premium not to have to worry about all the technical details (i.e., I would prefer a plug-and-play solution to a mix-and-match "buy a controller, PSU, and strips separately from AliExpress and pray that they interoperate properly").
- Would like to avoid having to buy a proprietary hub to use it (zigbee2mqtt-compatibility would be perfect).
- Will be installed in the bedroom, so it is important that the PSU does not emit any high-pitched noise.
- Should be available in EU / Germany.

Any recommendations from the #HomeAssistant hivemind? Or should I just bite the bullet, get a #QuinLED and figure out all the technical details myself after all?

I received a response, documented here: https://infosec.exchange/@hacksilon/114782534325988895

Update: I heard back from the people running the system. Apparently it isn’t a geoblock, but the specific IPs my requests were coming from were blocked because of abuse from that CDN (bunny.net). The error has been fixed. (Now I wonder if Fraenk hosts their stuff on Bunny.net, or if it’s the DNS resolver I am using 🤔)

Anyway, in the future, access to the warnings should be possible.

Also, they saw this toot and referenced it in their reply 😅.
https://infosec.exchange/@hacksilon/114765561556000011

Great article. And has this gem as a closing statement: „Somewhere, a protocol is being used exactly as intended. This is deeply suspicious.“
https://darmstadt.social/@claudius/114766051184046904
Claudius (@claudius@darmstadt.social)

This blog entry about #MCP[1] is very true, and we've seen almost the same thing in the early 2000s ("Web 2.0", no not the "social media" thing that everybody associates with it now) Web 2.0 was all about APIs. For a brief moment, everything had a relatively open API. Twitter - that's where all the clients came from. Flickr. Delicious. Maps. YouTube. They all were relatively open. And people built the coolest stuff with it. [1]: https://worksonmymachine.substack.com/p/mcp-an-accidentally-universal-plugin

darmstadt.social
Today in #ITSecurity gone wrong: I am in Austria as a German. I just received a notification via cell broadcast about a fire in the area. The broadcast contains a URL - but this URL is only accessible from an Austrian IP address. My LTE roaming IP isn’t allowed. So… I guess I just suffocate because I have the wrong IP address, then? 😅
Sent them an email requesting to have my IP range allowlisted and questioning the general assumption such a service should be limited to in-country IP ranges. Let’s see what happens.
@hacksilon Hmm, interesting. Is it normal to get an IP from the home country when doing LTE roaming? Is this similar to a VPN?
@danimrich @hacksilon most of the time, yes. I have two SIMs from different countries and each data plan identifies me as coming from the country the SIM is from.
@danimrich yeah, roaming is ?always? tunneled to your provider's original country (at least that's what I've experienced with a lot of providers in a variety of countries)
@hacksilon
How we all imagine it happened:
@hacksilon The Tyrol emergency call centre also doesn't get any location data from German mobile phones. Tested it for you in the mountains last year.
But the mountain rescue was then able to make use of the coordinates sent via SMS.
@HLunke @hacksilon The SMS thing is just an empty web page that asks for your location, a rather crude workaround for the problem, but *emergency call centres sometimes really struggle to find casualties.
@HLunke @hacksilon Did you call them via 112 or via another number?
@nicoduck @hacksilon
My buddies did that for me, and yes, that must have been 112.
@HLunke @hacksilon I just had a look: Austria apparently hasn't (yet?) fully implemented the EU rule and supports automatic device localisation (AML) neither when roaming nor on iOS devices (in general). Roaming seems to be an issue in general though; very few countries support it. Unfortunately.

@nicoduck @hacksilon

Ah, it was an iOS device and roaming.

However, the person on the phone couldn't, or wouldn't, do anything with the coordinates even when asked. The mountain rescue was then glad that we could provide them.

@hacksilon

If it's a national broadcaster URL, everyone is doing it, UK, Sweden, Poland, Australia.

You don't want non-taxpayers leeching your Comms...apparently.

@n_dimension Nope, this is the province government. @hacksilon
@hacksilon @cm Hello Max Maass, I have an Austrian IP address (static, Magenta) and see the same error. Looks like the wrong URL was included in the message (i.e. one that is only reachable from within the network vs. a public one)
@QueerNewsat @cm I could actually get it to work when using the hotel WiFi and turning off my custom DNS resolver and using the default. Seems to be a DNS-based block, I think?
@hacksilon @QueerNewsat @cm Reminds me of overblocking (Reddit, ImmoScout Captcha and other) because the IP is listed as
„Anonymous Proxy: This IP address has been identified as an anonymous proxy.“
You can check on www.liveipmap.com

@hacksilon Wouldn't trust the Germans either (and I am one) ;-)

Jokes aside, as a minimum I'd expect the error website to show the IP the server is seeing. This makes debugging so much easier.

@ascherbaum
Well, we just get a lot of tourists from Germany every year.
There has to be room for new ones again ;)
@hacksilon
@hacksilon A recycling yard is on fire in Nußdorf; the fire is huge and the smoke cloud could be seen from far away (I drove past it yesterday…)
@olbohlen yep, I was then able to find that out via other sources too.
@hacksilon oh darn! Hope you are safe! Thanks for the screenshot, I might use this in the future to illustrate impact of Cybersecurity risk controls on (patient) safety risks. This is something the quality manual requires us to evaluate (into both directions). So this here should have been caught when introducing a Cybersecurity risk control as an issue.
@hacksilon GeoIP restrictions are totally a useful tool and not at all just a dumb sham 🙃
@hacksilon Well that's incredibly stupid

@hacksilon Tyrol, of all places. They're not very good at issuing warnings in time. I remember an avalanche accident in 1998, and there was something during Corona too.

How meaningful was the Cell Broadcast message without the website?

@Reemt tbh, the website mostly repeated the cell broadcast message. Not that important.
@hacksilon Why does Austria have IP addresses that don't work outside of the country?
Is this a common thing I just didn't know of?
@roseen it’s just regular geoblocking, I assume - they only allow Austrian IP ranges, apparently.

@hacksilon

Austria, the country that doesn't allow Google Street View but has detailed maps of universities (with each prof's room named) available online. At least a few years ago, I don't know if they changed anything...

They have a somehow crooked sense of security.

@hacksilon This same type of deal happens all the time. I am a U.S. American permanently domiciled in CH. When I travel back to the U.S. and use mobile roaming, a bunch of systems in the U.S. break down with the foreign IP:

1. Most restaurants' digital menus.
2. Most mobile (car) parking applications.
3. U.S. Government web sites.

What is this whole problem class called? Is this an artifact of "home routing" per the LTE roaming agreement: https://i3forum.org/wp-content/uploads/2014/05/i3F-LTE-Data-Roaming-over-IPX-Release-1-FINAL-2014-05-12.pdf?

@matt either that or just regular geoblocking?
@hacksilon Small statehood at its best

@hacksilon

Sure, that's a geoblock and not just another shitlisting of Vodafone or T-Mobile IP space?

I would totally understand the latter. Traffic from these sources is generally as trustworthy as from public WiFi networks from Bangalore...

@czauner can’t really tell from the outside. Don’t have any other devices on other networks to play with. But using the hotel WiFi while tunneling DNS (but not HTTP) over my home network (via VPN) triggers the same behavior. So, probably DNS-based Geoblocking?

@hacksilon Depends on your 'home IP'. Some German networks have a very, very bad reputation (outside of Germany) as they seem to lack decent abuse handling. It's noticeable when glancing over fail2ban logs (especially some German hosters are a cesspool). So, if your DNS tunnel goes via a hosted machine: there is that.

Usually, if geoblocking is in place, there is a hint to that. 'Untrusted network' is lingo for 'on the shitlist'. Whatever it is, I'm confident that it's not by Tirol itself; there is no knowledge for that.

Likely a booked 'internet security solution', without knowledge of the inner workings by the country itself. Which doesn't make it really better, in any way, shape or form.

Two years ago I had the pleasure to address some reachability issues (for Austrian customers of mine); the culprit was a transparent 'web firewall'.

@czauner it should come from a residential IP, not a hosted VPS or anything. Still, a false positive is always possible.