@da_667@infosec.exchange
doc says I need 20 minutes off my ass daily. After about a week or two having been idle, getting back on the saddle mid-week sucks, but then again, so does dying. So, waddling my ass down the walkway it is.
Hey, someone on LinkedIn is hiring for a Detection Engineering role.
Salary Range: 110-140,000 USD.
Fully remote, Candidate must be in the US.
Here's the relevant link: https://www.linkedin.com/jobs/view/4280471012
#infosecjobs #getfedihired
No, I don't know who the client is
No, I don't know the hiring manager personally.
If you have questions, you'll need to apply.
I'm just passing on an opportunity I don't need in hopes that maybe it helps one of y'all out there.
ah, yes. The Windows 11 experience. All I can hear right now is my work laptop spinning up, idle, with the fucking laptop lid closed.
When you upgrade to Windows 11, and you get the black screen with white text, I always read the text in TeamFourStar's Mr. Popo's voice:
Hi.
We're getting things ready for you.
Everything is where you left it.
Hey there,
Yesterday I posted up a write-up on how to archive exploit write-ups and proof of concept code, how to turn those blog posts and PoCs into Snort rules and Suricata rules, the differences between the two rule engines and their syntax, and why we do things the way we do when creating rules for the ET ruleset:
https://www.totes-legit-notmalware.site/home/detection-exercise-d-link-dir-513-cves-2025-8184-8169-and-8168
Sometimes my blog posts on my personal blog are a little raw and a little vulgar. Sometimes you might want to share this stuff with co-workers or your SOC's chat channel and might not care for the foul language, so I create a more worksafe version that I put on the Emerging Threats community forum.
Just letting y'all know that I finished the worksafe re-write of the blog post, and it's over here:
https://community.emergingthreats.net/t/detection-exercise-d-link-dir-513-cves-2025-8184-8169-and-8168/2944
Enjoy your Saturday
Time for me to reiterate why I think DoH is fucking garbage. This is the CliffsNotes version:
- If you read the RFC, never once is privacy listed as a goal for the protocol.
- Ostensibly, you get some privacy on the first hop, but from there, you have zero guarantees on literally anything. You have promises from various companies, but that doesn't mean jack shit.
- I'd like you to consider that Cloudflare doesn't have a good track record of policing abuse of their platforms, they tacitly support white supremacists and terrorists, they've been known to forward abuse requests containing personal information of those who have submitted them to their abusers, and they have zero financial incentive to stop the flow of traffic. THIS INCLUDES MALWARE, THERE IS SO MUCH FUCKING MALWARE USING CLOUDFLARE. They are a default DoH provider choice in the major browsers that support it.
- Transaction ID is always set to zero for DoH requests to improve caching. This is actually written into the protocol. Y'all know why the transaction ID/DNS ID exists, right? This opens up attack paths for man-in-the-middle attacks. Think QUANTUM and PRISM-type bullshit, where the answer to your DNS query is changed but you'll never know.
- The only goal of the protocol was to move DNS resolution to the browser, so that the browser is cognizant of how domains are being resolved. It's anti-adblocking tech.
- Think about who the major players are behind DoH: it was driven by Cloudflare, Mozilla, and Google, and while I like Firefox, they all have financial incentive to see how domain resolution is occurring and ensure ads are delivered to clients. Y'all are aware of Google's Web Integrity web DRM shit, right? How much you wanna bet that if it becomes a standard, there will be websites popping up whereby resolution via DoH is required for viewing the content? I wonder why that would be?
- Flow analysis easily reveals which HTTPS traffic is likely to be DoH traffic. You can't hide connection metadata.
- Several tools have been developed to use DoH as C2, and even file storage, if you're brave enough.
I would also like to note that all of these points apply to the "privacy minded individual", and not necessarily to "Enterprise Ops/Security".
When I first started talking shit about DoH being bad, I got told that I'm not cypherpunk. Sounds pretty fuckin' cypherpunk, giving corporate entities who have proven they give zero fucks about you even more of your data.
But I digress. From the point of view of systems administration and support, it's also a fucking nightmare for enforcing policy and troubleshooting connectivity problems, because the web browser now believes it has the right to be handling DNS resolutions independent of your operating system settings.
On top of that, you have no idea what domains are being resolved, how they're being resolved, or where to even start troubleshooting the problem.
From a network security perspective, it's pretty much the same can of worms. DoH providers are allowed to have your DNS queries, but you aren't allowed to have that for trying to figure out if any of your hosts are infected and calling back to a C2 somewhere in the middle of Russia.
DNS logs have always been a troubleshooting tool. The fact is, you're making them opaque and giving them to an external entity. "It's always DNS" is a joke until it isn't and you have to figure out what's wrong. Only the DNS queries are opaque now, making this shit much more difficult than it needs to be.
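Two of the points above (connection metadata gives DoH away, and the DNS ID is fixed at 0 in the GET form) are easy to show on the defender's side. The script below is an added example, not code from the post or from any project it mentions: it flags likely DoH flows from TLS/HTTP metadata (SNI against a starting list of well-known public resolver hostnames, the /dns-query path, the application/dns-message content type) and, where a decrypting proxy has logged a DoH GET request, pulls the queried name and transaction ID back out of the base64url `?dns=` parameter (RFC 8484 wire format). The flow records, field names, and the query itself are constructed here; the resolver list is a seed, not an inventory.

```python
"""Flag likely DNS-over-HTTPS flows from TLS/HTTP metadata and recover the
query from a logged DoH GET request. All records below are constructed for
this example; field names (dst_port, sni, uri, content_type, url) are
illustrative, not a specific log schema."""
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Starting list of well-known public DoH resolver hostnames (extend from your own telemetry).
DOH_RESOLVER_SNI = {
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.google",
    "dns.quad9.net",
}
DOH_PATH_HINT = "/dns-query"                 # path used by most public resolvers
DOH_CONTENT_TYPE = "application/dns-message"  # media type defined by RFC 8484


def classify_flow(rec):
    """Return the reasons a flow looks like DoH (empty list if none)."""
    reasons = []
    if rec.get("dst_port") != 443:
        return reasons
    sni = (rec.get("sni") or "").lower()
    if sni in DOH_RESOLVER_SNI:
        reasons.append(f"sni matches known DoH resolver: {sni}")
    if (rec.get("uri") or "").startswith(DOH_PATH_HINT):
        reasons.append("request path is /dns-query")
    if (rec.get("content_type") or "").lower() == DOH_CONTENT_TYPE:
        reasons.append("content-type is application/dns-message")
    return reasons


def build_doh_get_url(qname, qtype=1, txid=0):
    """Build the GET form of a DoH query: wire-format DNS message, base64url, no padding.
    RFC 8484 has clients use ID 0 so identical queries yield identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack("!HH", qtype, 1)          # root label, QTYPE, QCLASS IN
    payload = base64.urlsafe_b64encode(header + question).rstrip(b"=").decode("ascii")
    return f"https://cloudflare-dns.com/dns-query?dns={payload}"


def decode_doh_get(url):
    """Recover (txid, qname, qtype) from a logged DoH GET URL, or None if it is not one."""
    dns_param = parse_qs(urlsplit(url).query).get("dns")
    if not dns_param:
        return None
    raw = dns_param[0]
    try:
        msg = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    except (ValueError, TypeError):
        return None
    if len(msg) < 12:
        return None
    txid, _flags, qdcount, *_ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount < 1:
        return None
    labels, pos = [], 12
    while True:                       # walk the QNAME labels up to the root label
        if pos >= len(msg):
            return None
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:                  # compression pointers never appear in a question name
            return None
        labels.append(msg[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(msg):
        return None
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype


def scan(records):
    """Run both checks over flow records; returns {record id: (reasons, decoded query)}."""
    out = {}
    for rec in records:
        reasons = classify_flow(rec)
        decoded = decode_doh_get(rec["url"]) if rec.get("url") else None
        if reasons or decoded:
            out[rec["id"]] = (reasons, decoded)
    return out


# Constructed sample flows: c1 ordinary web, c2 browser DoH to a public resolver,
# c3 /dns-query on a host the SNI list does not know about (the path still gives it away).
SAMPLE_FLOWS = [
    {"id": "c1", "dst_port": 443, "sni": "www.example.org", "uri": "/index.html"},
    {"id": "c2", "dst_port": 443, "sni": "mozilla.cloudflare-dns.com", "uri": "/dns-query",
     "content_type": DOH_CONTENT_TYPE, "url": build_doh_get_url("example.com")},
    {"id": "c3", "dst_port": 443, "sni": "resolver.internal.example", "uri": "/dns-query"},
]

if __name__ == "__main__":
    for flow_id, (reasons, decoded) in scan(SAMPLE_FLOWS).items():
        print(flow_id, reasons, decoded)
```

The SNI list alone misses c3, which is why the path and content-type checks are there; the decoded query for c2 comes back with transaction ID 0 and the name "example.com", which is exactly the visibility you lose once the browser resolves on its own and nothing is decrypting that session.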