If you haven’t read Lord of the Flies it’s basically #infosec leaders using hearsay as woke currency while creatively retrofitting narratives to suite either character assassination, self promotion and or straw man arguments. 2021 LETS GOOOO
MS told me I would not receive ANY bug bounty unless I agreed not to impose ANY deadline, ever.
I did not agree. MS fixed all my bugs in time. I never released any 0-day. I got an MSRC sweater and a Top 100 Security Researchers mention as a thank you. #BugBountyLife🤑🤑
Microsoft is releasing a new registry key for DHCP WPAD:
"DisableProxyAuthenticationSchemes"-> 0x00000004 = DISABLE NTLM
Only implemented on Windows 2022 & 11 right now.
This is why it makes sense to have reasonable disclosure deadlines: it guarantees vendors either pay attention or pay for not paying attention.
Disclosure informs the public of the security risks a vendor exposes its customers to and incentives the vendor to do better.
I wanted to find a MS Office DLL that exported a specific symbol. So I written a script that recursively scans PE imports/exports and prints them nicely:
Example pic shows Exports in Office DLLs which names indicate they might exec something.
While we didn’t “work” for John Deere, definitely know what it’s like to not get paid by a vendor, along with the other 195 reportees that are in their Charity Program
22 days since their last resolution 😬
CURRENT ACTIVIY: On October 24, 2021, Network Time Protocol servers using bugged GPSD versions 3.20-3.22 may rollback the date 1,024 weeks—to March 2002—which may cause systems and services to become unavailable or unresponsive. Learn more: bit.ly/30IR0s1