๐“ผ๐“ฑ๐“ฎ๐“ฎ๐“น ๐Ÿ‘๐ŸŒˆ

@j_@infosec.exchange
2 Followers
21 Following
201 Posts

IT security and privacy enthusiast. I'm primarily using this account to boost things that catch my attention.

Anything shared or boosted through this account does not represent my employer and does not necessarily represent my own views. Follow me at your own risk.

๐“ผ๐“ฑ๐“ฎ๐“ฎ๐“น ๐Ÿ‘๐ŸŒˆ23h ago
BrianKrebs1d ago

New, at KrebsOnSecurity.com: Marko Elez, a 25-year-old employee at Elon Musk's Department of Government Efficiency (DOGE), has been granted access to sensitive databases at the U.S. Social Security Administration, the Treasury and Justice departments, and the Department of Homeland Security. So it should fill all Americans with a deep sense of confidence to learn that Mr. Elez over the weekend inadvertently published a private key that allowed anyone to interact directly with more than four dozen large language models (LLMs) developed by Musk's artificial intelligence company xAI.

https://krebsonsecurity.com/2025/07/doge-denizen-marko-elez-leaked-api-key-for-xai/

๐“ผ๐“ฑ๐“ฎ๐“ฎ๐“น ๐Ÿ‘๐ŸŒˆ1d ago
CatSalad๐Ÿˆ๐Ÿฅ— (D.Burch) Jul 7
This is a good analogy for AI, if you don't like toast and that's not jelly.
๐“ผ๐“ฑ๐“ฎ๐“ฎ๐“น ๐Ÿ‘๐ŸŒˆ1d ago
Ian Campbell2d ago

This is fun. Google Geminiโ€™s โ€œSummarize emailโ€ function is vulnerable to invisible prompt injection utilized to deceive users, including with fake security alerts.

#infosec #cybersecurity #blueteam

https://0din.ai/blog/phishing-for-gemini

The GenAI Bug Bounty Program

We are building for the next generation in GenAI security and beyond.

0din.ai
๐“ผ๐“ฑ๐“ฎ๐“ฎ๐“น ๐Ÿ‘๐ŸŒˆ3d ago
Zack Labe3d ago

A look at the recent sea surface temperature trend (annual mean) for the Gulf of Mexico... ๐Ÿซฃ

See more at https://zacklabe.com/united-states-climate-indicators/

๐“ผ๐“ฑ๐“ฎ๐“ฎ๐“น ๐Ÿ‘๐ŸŒˆ3d ago
evacide3d ago
This is your regular reminder that if you are the smartest person in the room, go find another room. You are not going to run out of people or rooms.
๐“ผ๐“ฑ๐“ฎ๐“ฎ๐“น ๐Ÿ‘๐ŸŒˆ3d ago
Police State UK4d ago

"While these agents promise to make life easier by allowing users to โ€œput your brain in a jar,โ€ they can also gather valuableโ€”and often sensitiveโ€”data. This is a core concern for #Signal, which is trusted by tens of millions of users, including those in government, military, human rights and journalism, for confidential communication and guaranteed #privacy."

https://observer.com/2025/07/signal-meredith-whittaker-agentic-ai-risk/

Signal Chief Meredith Whittaker Sounds Alarm On Agentic A.I.โ€™s Privacy Threat

Signal Foundation President Meredith Whittaker warns that agentic A.I. could breach app-level security, threatening privacy for millions of users.

Observer
๐“ผ๐“ฑ๐“ฎ๐“ฎ๐“น ๐Ÿ‘๐ŸŒˆ5d ago
Lorenzo Franceschi-Bicchierai6d ago

NEW: Over the weekend, Jack Dorsey launched an open-source chat app called Bitchat, which he promised to be โ€œsecureโ€ and โ€œprivate.โ€

He then later added a warning that the app not been tested or reviewed for security issues, asking people not to trust it as "it does not necessarily meet its stated security goals."

Security researchers are already finding flaws in it.

https://techcrunch.com/2025/07/09/jack-dorsey-says-his-secure-new-bitchat-app-has-not-been-tested-for-security/

Jack Dorsey says his 'secure' new Bitchat app has not been tested for security | TechCrunch

Dorsey admitted that his new messaging app had not been reviewed or tested for security issues prior to its launch.

TechCrunch
๐“ผ๐“ฑ๐“ฎ๐“ฎ๐“น ๐Ÿ‘๐ŸŒˆ6d ago
BrianKrebsJul 8

Good scoop by reporters with the Organized Crime and Corruption Reporting Project (OCCRP), who confirmed that Sergio Gor, the director of the White House Office of Presidential Personnel, was born in the former Soviet Union, specifically in Tashkent, Uzbekistan. Gor prompted speculation about his origins when he declined to say where he was born, saying only that it was not in Russia.

https://www.occrp.org/en/news/exclusive-top-trump-advisor-sergio-gor-was-born-in-the-soviet-union

Exclusive: Top Trump Adviser Sergio Gor Was Born in the Soviet Union

The birthplace of U.S. President Donald Trumpโ€™s director of personnel has been the subject of media speculation โ€” fuelled by his refusal to answer the question.

OCCRP
๐“ผ๐“ฑ๐“ฎ๐“ฎ๐“น ๐Ÿ‘๐ŸŒˆ6d ago
Steve HermanJul 9
Rolling Stone - Elon Muskโ€™s Grok chatbot goes full Nazi, calls itself โ€˜MechaHitlerโ€™ https://www.rollingstone.com/culture/culture-news/elon-musk-grok-chatbot-antisemitic-posts-1235381165/
Elon Muskโ€™s Grok Chatbot Goes Full Nazi, Calls Itself โ€˜MechaHitlerโ€™

Elon Musk's Grok chatbot unleashed a slew of antisemitic commentary and praised Hitler after apparent change allowed it to be 'politically incorrect'

Rolling Stone
๐“ผ๐“ฑ๐“ฎ๐“ฎ๐“น ๐Ÿ‘๐ŸŒˆ6d ago
evacideJul 9
Google continues the industry-wide trend of jamming AI down users' throats, making it difficult or impossible to opt out, and potentially endangering the privacy of communications: https://www.neowin.net/guides/google-can-now-read-your-whatsapp-messages-heres-how-to-stop-it/
Google can now read your WhatsApp messages, here's how to stop it

Google has released a feature that allows Gemini to access third-party apps, such as WhatsApp, even if you've turned off Gemini Apps Activity. Here's how to prevent that from happening.

Neowin
ร—
โšฏ Michel de Cryptadamus โšฏJul 2

pro tip: if you are an iranian crypto exchange engaged in laundering money for #terrorists, vladimir putin, and worse and you are being actively hunted by multiple foreign intelligence agencies but you don't want israeli cyber teams to hack your shit and steal all your money, a good first step is to not check all your secret keys and passwords into the #git repo where hundreds of people can access them

https://github.com/fotechv/Nobitex-Source-Code/blob/main/core/exchange/settings.py

#github #nobitex #iran #wallex #crypto #cryptocurrency #israel #moneylaundering

Show threadIan CampbellJul 2
@cryptadamist I just looked at this and sighed. That was all.
Show threadโšฏ Michel de Cryptadamus โšฏJul 2
@neurovagrant it's actually kind of impressive tbh
Show threadโšฏ Michel de Cryptadamus โšฏJul 2
@neurovagrant like not only are they working with an impressive number of API keys, they carefully checked both the production and development version of each and every one of them into a single 3,000 line python file.
Show threadcR0w Jul 2
@cryptadamist BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
Show threadIan CampbellJul 2

@cR0w @cryptadamist bored and don't wanna get up from my desk and do things, so am going through it.

some email addresses to play with, nothing really neat so far.

"Social Login OAuth Keys" looks fun

...prod database passwords, k...

Show threadIan CampbellJul 2

@cR0w @cryptadamist plaintext kafka authentication, sigh

oh oh it's gonna be fun to look at their KYC backend

Show threadcR0w Jul 2

@neurovagrant @cryptadamist

๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ

๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ
๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฆโ€โฌ› ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ
๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ
๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ ๐Ÿฟ

Show threadIan CampbellJul 2

@cR0w @cryptadamist gonna be some awkward conversations with OFAC for a few orgs providing services to nobitex i think

mailtrap[.]io for one

Show threadIan CampbellJul 2

@cR0w @cryptadamist also if the code is legit, looks like

webengage[.]com (user retention)
infobip[.]com (global scaling, looks like email management for nobitex maybe)

Show threadโšฏ Michel de Cryptadamus โšฏJul 2
@neurovagrant @cR0w yeah it looked legit to me as well, though admittedly my quick vetting mostly amounted to "does the farsi documentation match what i was looking at a few years ago"
Show threadโšฏ Michel de Cryptadamus โšฏJul 2

@neurovagrant IIRC nobitex was never technically fully sanctioned even as an increasing number of entities who did a lot of business with them were being sanctioned... my tinfoil hattish theory is that that could have been on purpose and they let nobitex keep going until israel was ready to attack and then they dropped the hammer.

tether has been blacklisting wallets that can be tangentially linked to the IRGC, nobitex, or demonstrate very similar behavior to the ones that can be so linked, both at a furious clip. i actually built a dashboard to monitor it:

https://dune.com/crypto_oracle/eth-tron-tether-usdt

Show threadโšฏ Michel de Cryptadamus โšฏJul 2

@neurovagrant (i guess saying "never technically fully sanctioned" might be overstating the case because US sanctions on iranian financial activity more broadly are and have been *harsh* for a long time now... it's basically a corporate death sentence for a financial institution that wants to be able to handle US dollars to even unwittingly send money to or from iran (same with north korea and more recently russia, though russia has a few carve outs)

the fact that ignorance is not considered a valid defence is why banks are so paranoid about anything that even looks like it might touch iran (this is theoretically true of money laundering regs in general, but the banks seem to be able to skate with just a fine if they launder billions of dollars for drug cartels)

Show threadโšฏ Michel de Cryptadamus โšฏJul 2
@neurovagrant but unlike garantex, the houthis, and some known IRGC money launderers who all touch nobitex "on chain", nobitex has never earned its chain addresses a coveted spot on the official OFAC list
Show threadIan CampbellJul 2

@cryptadamist gotcha

i expect that was to let 'em be the observed route, but that's just speculation

Show threadโšฏ Michel de Cryptadamus โšฏJul 2

@neurovagrant in other news, crypto companies that are actively doing exactly the thing that would get a regulated bank a corporate death sentence are now applying for national bank charters (Circle, Ripple, and a couple others have applied in the last few days)

brave new world

https://x.com/zachxbt/status/1940388827392344261

ZachXBT (@zachxbt) on X

1/ My recent investigation uncovered more than $16.58M in payments since January 1, 2025 or $2.76M per month has been sent to North Korean IT workers hired as developers at various projects & companies. To put this in perspective payments range from $3K-8K per month meaning

X (formerly Twitter)
Show threadIan CampbellJul 2
@cryptadamist canโ€™t wait for securitized crypto tranches
Show threadCatSalad๐Ÿˆ๐Ÿฅ— (D.Burch) Jul 2
@cR0w @neurovagrant @cryptadamist
Show threadIan CampbellJul 2

@catsalad @cR0w @cryptadamist if it's not legit, someone took the time to make it look legit at least at first glance. email addresses connected to nobitex domains, etc etc.

if it's legit, load of OSINT and cryptocurrency int there.

Show threadNosirrahSec ๐Ÿดโ€โ˜ ๏ธ guillotine enthusiastJul 2
@cryptadamist I need that money more than genocide-supporters do :(
Show threadacut3Jul 2
@cryptadamist although at first glance, everything really sensitive regarding prod seems to be encrypted with a key pulled from the environment
Show threadโšฏ Michel de Cryptadamus โšฏJul 3

@acut3 yeah i mean, it could be worse... but if your problem is you're about to get hacked by an incredibly competent and motivated adversary, it's still pretty bad to be checking in the keys for even the dev environment to a public repo.

(also while i know fernet keys make it theoretically safe to check in secret keys ro public repors, it still gives me the willies)

Show threadโšฏ Michel de Cryptadamus โšฏJul 3
@acut3 also IIRC some of the keys for the blockchain APIs that actually execute on chain functions are just... right there, and for a blockchain company those are theoretically kind of on the high end of importance.