Brutkey

Adam Katz
@adamhotep@infosec.exchange

#Cybersecurity #antispam research leader at @TalosSecurity@mstdn.social, FOSS advocate, zsh/bash #Linux geek, bastion of obscure knowledge.

Support freedom for
βœŠπŸΏβœŠπŸΏπŸ‡ΊπŸ‡¦πŸ‡ΊπŸ‡¦πŸ‡΅πŸ‡ΈπŸ‡΅πŸ‡ΈπŸ³οΈβ€πŸŒˆπŸ³οΈβ€πŸŒˆπŸ³οΈβ€βš§οΈπŸ³οΈβ€βš§οΈβ™€β™€οΈ
he/they.

Currently living in NYC.

Not representing any entity but myself (and occasionally your mom).

#fedi22 searchable


Notes: 1942
Following: 0
Followers: 0
I run
opensource, debian, linux, bash, firefox, vim, signal, donor
GitHub
https://github.com/adamhotep
Infosec Stack Exchange
https://security.stackexchange.com/users/42391/adam-katz
Stack Overflow
https://stackoverflow.com/users/519360/adam-katz
PGP Fingerprint
F8EC 5C50 92BA 06CA 8DCA 8BA1 8EBA 15BA F4AD 9292
Adam Katz
@adamhotep@infosec.exchange

There's a reason you separate military and the police. One fights the enemies of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.
-- Commander William Adama, Battlestar Galactica

Adam Katz
@adamhotep@infosec.exchange

Do not conflate these terms!

Random: Completely up to chance
Arbitrary: Unexpected; seemingly random
Obscure: Generally unknown; topically arbitrary

Humans can't come up with things at #random; we accidentally create patterns. Use a password manager to generate your passwords and passphrases.
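As an added example (not code from the post above), here is what a password manager's generator does under the hood, in Python: it draws words with the operating system's CSPRNG via `secrets`, and the entropy is simply word count times log2 of the list size. The word list is a constructed 32-entry sample; the `rng` parameter is an assumption used only to show that a seeded `random.Random` is reproducible and therefore unsuitable for secrets.

```python
import math
import random
import secrets

# Constructed sample word list for illustration only; a real diceware list has
# 7776 entries (6**5).  Any list of distinct words works the same way.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "garnet", "harbor",
    "iris", "juniper", "kelp", "lumen", "maple", "nectar", "orbit", "pepper",
    "quartz", "raven", "saffron", "tundra", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "amber", "birch", "cedar", "delta", "ebony", "falcon",
]


def generate_passphrase(words, n_words, separator="-", rng=None):
    """Pick n_words from `words` uniformly at random using the OS CSPRNG.

    `rng` is an assumption for the predictability demo below (it lets a seeded
    generator be injected); normal callers leave it as None and get `secrets`.
    """
    choose = rng.choice if rng is not None else secrets.choice
    return separator.join(choose(words) for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Entropy of an n_words passphrase drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


def seeded_rng_is_predictable(words, n_words, seed=12345):
    """Two generators seeded identically produce the identical passphrase.

    This is why `random` (a Mersenne Twister) must not be used for secrets:
    anyone who learns or guesses the seed reproduces every output.
    """
    first = generate_passphrase(words, n_words, rng=random.Random(seed))
    second = generate_passphrase(words, n_words, rng=random.Random(seed))
    return first == second


def passphrase_is_valid(passphrase, words, n_words, separator="-"):
    """True if the passphrase has exactly n_words parts, all from `words`."""
    parts = passphrase.split(separator)
    return len(parts) == n_words and all(p in words for p in parts)


if __name__ == "__main__":
    p = generate_passphrase(SAMPLE_WORDS, 6)
    print(p, f"({entropy_bits(len(SAMPLE_WORDS), 6):.1f} bits from a 32-word list)")
    print(f"{entropy_bits(7776, 6):.1f} bits for six diceware words")
    print("seeded random.Random repeats itself:", seeded_rng_is_predictable(SAMPLE_WORDS, 6))
```

Six words from a 7776-word list give about 77.5 bits; six from the 32-word sample give only 30, which is the point of using a large list rather than a clever human pattern.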

Adam Katz
@adamhotep@infosec.exchange

Click-trackers in email "need" to rewrite rewritten links in order to properly determine who clicked them. In longer threads, this gets a bit hilarious.

Here's the final payload at the end of an 18,660-character re-re-re-…-rewrite:
http%2525252525252525252525252525252525252525252525252525252525252525253A%2525252525252525252525252525252525252525252525252525252525252525252F%2525252525252525252525252525252525252525252525252525252525252525252Fwww.example.com%2525252525252525252525252525252525252525252525252525252525252525252F
(anonymized)

URI percent encoding uses percents, so : is %3A and / is %2F. All of those 25s are from escaped percents; %25 is %, so unescape(unescape(unescape("%25253A"))) gives you :.
That's three layers. The above example has 34 layers.
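As an added example (not code from the post above), the following Python reproduces the nesting described there and peels it back. Each tracker rewrite is modelled as one `urllib.parse.quote(..., safe='')` pass, which is an assumption about the trackers' behaviour; `peel_percent_encoding` then decodes until the string stops changing and reports how many layers it removed, which is the same check a URL filter needs before matching a multiply-encoded link.

```python
from urllib.parse import quote, unquote


def percent_encode_layers(url: str, layers: int) -> str:
    """Percent-encode `url` `layers` times.

    safe='' forces ':' and '/' to be encoded too, so one pass turns
    'http://' into 'http%3A%2F%2F' and the next turns each '%' into '%25',
    exactly the 25-25-25 pile-up seen in the tracker payload.
    """
    for _ in range(layers):
        url = quote(url, safe='')
    return url


def peel_percent_encoding(value: str, max_layers: int = 100) -> tuple[str, int]:
    """Repeatedly percent-decode until the string stops changing.

    Returns (fully decoded string, number of layers removed).  max_layers is
    a defensive cap so a hostile input cannot keep a filter busy for long.
    """
    layers = 0
    while layers < max_layers:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        layers += 1
    return value, layers


if __name__ == "__main__":
    # Constructed sample: the post's anonymized URL wrapped 34 times.
    nested = percent_encode_layers("http://www.example.com/", 34)
    print(len(nested), "characters")
    print(peel_percent_encoding(nested))      # ('http://www.example.com/', 34)
    print(peel_percent_encoding("%25253A"))   # (':', 3)
```

Note that a blocklist match on the outermost string alone would never see `www.example.com`; decoding to the fixed point first is what makes the hostname visible, and the layer count itself is a useful signal, since legitimate links rarely need more than one or two.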

Adam Katz
@adamhotep@infosec.exchange

How I got into cybersecurity: I ran a small systems group and we had a spam problem. I had a lot of fun fixing it and became a SpamAssassin committer out of it. Then I started attending the MIT Spam Conference. At my ~3rd conference, I responded to three presentations by noting that I had implemented very similar solutions (as FOSS). One talk presented a null result. I told them the concept works great and I could prove it.

That got me a job offer.


Adam Katz
@adamhotep@infosec.exchange

Today's episode of #DemocracyNow is important. #MsRachel, heralded as a modern Mr. Rogers, has opened millions of apolitical eyes to the tragedy in #Gaza. If you can spare an hour, you won't regret it:
https://www.democracynow.org/2025/8/13/ms_rachel

Adam Katz
@adamhotep@infosec.exchange

[University of Florida Researchers] have released 40 solar-powered, remote-controlled robot bunnies in South Florida this month.
https://www.popsci.com/environment/robot-bunnies-florida-invasive-pythons/ via @sambowne@infosec.exchange
