Lars Karlslund 


I work freelance doing infosec work for large companies, mostly working to find relevant technical security gaps in their core infrastructure from an "assumed breach" perspective (AD, CS, IAM etc), explaining why they should get it fixed and helping them get things prioritized. If you need help, reach out!

I've been coding Golang for 7 years, primary work has been developing an EDR product and now my Active Directory attack graph tool Adalanche, which is available both as open source and with commercial licenses.

In my spare time I design and build machines - and then try to use them. On that list are multiple 3D printers, a laser cutter and a large CNC machine. I love making stuff and learning new things!

Curious security octopus | Sarcasm level 10 | Fond of LEGO | There will be swearing

#activedirectory #adalanche #golang #infosec #cnc #3dprinting #making #hacking #electronics #repairs #diy

Adalanche: https://github.com/lkarlslund/adalanche
NetSection: https://www.netsection.com/
GitHub: https://github.com/lkarlslund
LinkedIn: https://www.linkedin.com/in/lkarlslund/
BlueSky: https://bsky.app/profile/lkarlslund.bsky.social

LDAP Nom Nom v1.4.1 release:

  • deduplicates output (if you have dupes / case diff in input files)
  • a minor thread sync fix when finishing the run
  • built with latest Golang v1.23.2 + obfuscated builds available

Go download it like 27K other people did - it's the fastest way to find account names if you don't have a working username/password combo to that AD you're testing 🤣

https://github.com/lkarlslund/ldapnomnom/releases/tag/v1.4.1

Release v1.4.1 · lkarlslund/ldapnomnom

Commits 5bc12f4: Upgrade to latest Go and bump modules (Lars Karlslund)

I've ordered a Lenovo ThinkPad T14s Gen 6 - it's running the Qualcomm X1E ARM CPU, and I've been wanting to switch to ARM for a while.

It's only supported with Windows, but because @tobhe is totally smashing it (such a hero!), I have no reason not to just flush the Windows part and install Ubuntu Concept on it.

As with other early adopter setups, you will probably only need Windows to grab firmware things and to do firmware updates.

There's more info about the ongoing efforts to get everything working with Ubuntu for X1E laptops here: https://discourse.ubuntu.com/t/ubuntu-24-10-concept-snapdragon-x-elite/48800/72

Also the #aarch64-laptops IRC channel on the OFTC network is a place to hang out if you're an early adopter.

Can't wait for this adventure.

Ubuntu 24.10 Concept ♥️ Snapdragon X Elite

Great stuff! I got linux running on my HP Omnibook X 14! Windows-on-arm still boots (now via grub), Debian boots, Laptop-Display, Keyboard and Touchpad work. I’m a bit struggling with a missing dependency of “sudo apt install qcom-firmware-extract” due to a missing dependency - but this challenge is already addressed above. My detailed installation steps (as far as I could document these) are listed here: http://wiki.andreaswarnke.de/index.php?title=X1E-78-100

Use my new tool 'jugular' to do ultrafast scans of your internal networks (or the entire Internet?) for open (likely vulnerable) CUPS-browsed instances.

Many will be affected by the multiple CUPS vulnerabilities we learned about last week (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) and this should help you map out what you have in your infrastructure.

It's for Linux only, as it's written for performance (direct UDP packet creation and sending). There's a compiled x64 Linux binary available, otherwise you can build it yourself.

The debacle about the entire CUPS thing is a mess. Of course getting root by installing a malicious printer is bad, but it does require the target to actually print something. I think the potential for weaponizing the parsing problems is worse though.

Let me know what you think, comments and input are welcome.

https://github.com/lkarlslund/jugular

GitHub - lkarlslund/jugular: Ultrafast CUPS-browsed scanner (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177)

My filament dryer works great on hot summer days (PETG filament)

Here's the latest 3D print I made - it's a LEGO skeleton in 10X size. With only two perimeters and 7% infill the cost was a tad over half a roll of PETG which is approximately €8 with this brand.

Quick doodle for a friend

It's #caturday again

Here's a fresh list of the top 17M site host URLs that you can convert to just the hostname or domain name with ease. Feed it into turbograb to quickly mass download the index page or other interesting stuff at scale

https://github.com/lkarlslund/topdomains

GitHub - lkarlslund/topdomains: Top 17 million most popular domains as CSV (from Google CRUX dataset)

Improve your Active Directory security with the new Adalanche v2024.1.11 release! It's been 8 months since the last release, and here's what happened since then:

  • UI refresh based on Bootstrap in dark mode (halfmoonui 2.x)
  • Queries now have dedicated input fields for targets, middle nodes and outer nodes (easier to search for e.g. path from DC to person)
  • New layout engine COSE Bilkent (available in the visualization panel)
  • Improved info on exposed cPasswords
  • Internal node class is now available as 'type' attribute
  • ForeignSecurityPrincipal is almost gone now, as it wasn't adding value in the graph
  • You can export words from the domain to a file, for use with hashcat rule cracking if you're doing password audits
  • New edges: constrained delegation, inheritssecurity
  • New attribute: publishedby (who publishes a cert template)
  • Updated the readme/docs/screenshots to reflect changes
  • Lots of bugfixes and engine improvements

There is also sample data available in my "adalanche-sampledata" GitHub repository, so you can take it for a spin without extracting data from your production environment.

Please share with your friends and colleagues - and I love feedback, good or bad.

The new release is here: https://github.com/lkarlslund/Adalanche/releases/tag/v2024.1.11

Release v2024.1.11 · lkarlslund/Adalanche

Commits 1dc2108: Scrollbar bug for options panel (Lars Karlslund) 9974f5e: JS windows initialization change (Lars Karlslund) bb4fadb: Cleaned up constants in security descriptor module (Lars Karls...

A lot of people have responded to my Duolingo post with things like "Never work for free," and "I would never donate my time to a corporation." Which I completely agree with.

But here's the thing about Duolingo and all of the other companies like it. You already work for them. You just don’t know it.

On Duo, I thought I was learning a language. Participating in the community by helping other learners and building resources seemed like part of the process.

Luis Von Ahn, the CEO of Duolingo, was one of the creators of CAPTCHA, which was originally supposed to stop bot spam by getting a human to do a task a machine couldn’t do. In 2009 Google bought CAPTCHA and used it to get humans to proofread the books they were digitising (without permission from the authors of those books btw). So in order to access much of the web, people had to work for Google. Most of them didn’t know they were working for Google - they thought they were visiting websites.

This is how they get you. They make it seem like they’re giving you something valuable (access to a website, tools to learn a language), while they’re actually taking something from you (your skills, your time, your knowledge, your labour). They make you think they’re helping you, but really you're helping them (and they’re serving you ads while you do it).

Maybe if people had known what CAPTCHA was really for they would’ve done it anyway. Maybe I still would’ve done all that work for Duo if I’d known it would one day disappear from the web and become training data for an LLM ...

... Or maybe I would’ve proofread books for Project Gutenberg, or donated my time to citizen science projects, or worked on an accessibility app, or a million other things which genuinely improve people’s lives and the quality of the web. I didn’t get an informed choice. I got lured into helping a tech company become profitable, while they made the internet a shittier place to be.

How many things are you doing on the web every day which are actually hidden work for tech companies? Probably dozens, or hundreds. We all are. That’s why this is so insidious. It’s everywhere. The tech industry is built on free labour. (And not just free – we often end up paying for the end results of our own work, delivered back to us in garbled, enshittified form).

And it’s a problem that’s only getting worse with AI. Is that thoughtful answer you gave someone on reddit or Mastodon something that will stay on the web for years, helping people in future with the same problem? Or is it just grist for the LLMs?

Do you really get a choice about it?

#enshittification #duolingo #capitalism #AI #LLM #google