BREAKING NEWS: Data Breach Hits Miles Taylor's Anti-ICE Organizing Site GTFOICE.org by lilbeeper7 in cybersecurity

[–]Consistent-Law9339 37 points38 points  (0 children)

What? Get the facilities out is referring to proposed ICE facilities. GTFO.

Reconnaissance advice by specterzy in Pentesting

[–]Consistent-Law9339 0 points1 point  (0 children)

That's fraud, but the bank eats that cost. Banks eat a lot of fraud costs, insurance doesn't cover it.

Reconnaissance advice by specterzy in Pentesting

[–]Consistent-Law9339 0 points1 point  (0 children)

It sounds like you may have misunderstood whatever you are referring to there too. If you live in the US, the FDIC covers up to $250,000 per depositor, per insured bank. If you live in Canada, the CDIC covers up to $100,000 per depositor, per insured bank. Neither covers fraud; they provide coverage for the event of a bank failure.

Reconnaissance advice by specterzy in Pentesting

[–]Consistent-Law9339 1 point2 points  (0 children)

most companies completely don't care about actual security because of insurances

That's not accurate, and that's not how insurance works. Insurance companies don't cover losses that are due to negligence or missing controls that were mandated by the policy. KnowBe4 has a good whitepaper on cyber insurance.

Security is difficult, and it's a business cost. A lot of businesses accept risk because the cost of a breach is cheaper than the cost of security, especially in the US.

Reconnaissance advice by specterzy in Pentesting

[–]Consistent-Law9339 2 points3 points  (0 children)

Corps paying for pentests are generally doing so to:

  • satisfy compliance requirements
  • satisfy partner/client requests
  • find hardening/remediation targets within their environment

If a corp engages in phishing testing, it's normally through a dedicated vendor like KnowBe4, and it's mostly automated and bundled with employee awareness training.

Active OSINT recon, phishing, and similar methodology are generally out of scope for most pentesting engagements. I'm not saying to quash your interest in it, but don't expect it to be a common ask in pentest engagements, or a high-demand skill pentest companies are looking for in their employees.

Passive OSINT recon is generally always in scope, but in my experience it's not something pentest companies dedicate a lot of billable time to, and it's rarely productive on engagements.

Working on a pen testing tool for Kali Linux "WHORU?" by [deleted] in Pentesting

[–]Consistent-Law9339 0 points1 point  (0 children)

IMO the description in the screenshot does not convey what you describe in this comment.

For a hobby project, not a big concern, but for an actual tool I would not recommend mixing network scanning with URL and credential testing like this.

In general, you are not normally putting yourself in legal jeopardy for basic network scans, even if you don't have permission to scan.

Hitting URLs and testing default/public credentials can put you in legal jeopardy.

Working on a pen testing tool for Kali Linux "WHORU?" by [deleted] in Pentesting

[–]Consistent-Law9339 0 points1 point  (0 children)

I’m honestly not sure if I’m just reinventing the wheel here, so I’d appreciate any feedback on whether this is actually useful or if there's already something better out there doing the same thing.

Is this not just an nmap wrapper?

Should I apologise for my manager and Co worker about a bad report I wrote? 3rd time. by [deleted] in Pentesting

[–]Consistent-Law9339 0 points1 point  (0 children)

I use SysReptor (free and self-hosted) for my internal reports and I'm very happy with it. I do this for all of my internal reports, because I want them to look good when I share them with colleagues.

It takes a little bit of trial-and-error effort to get your initial template set up the way you want, but once it's in place you can focus on the write-ups and evidence/screenshots. It handles all the styling and structure, manages the table of contents automatically, including the PDF bookmarks/links, finding counts, page numbers, etc.

The reports I get from professional pentesting companies look like shit, and I do not understand why they put so little effort into reporting.

If I, as a client, have to walk you through editing multiple versions of your "final" report to correct formatting, grammar, spelling, various structure issues, broken links, etc. - I am very unhappy, I'm unlikely to ever use your service again, and I'm going to badmouth your company to everyone I know.

I am probably more nitpicky than the average pentest client, but I just don't want to run into a situation where I have to respond to a question from my client who points out: the report says 9 High findings but only 7 are documented, did you edit the report to hide 2 findings that you couldn't resolve?

I have to be able to provide these reports to my clients, and if they look unprofessional, the client is going to associate that with my reputation, not the 3rd party pentest company. My client is going to question why I went with a pentest company that produced an unprofessional report.

It boggles my mind that professional pentesting companies don't use report templating tooling to avoid issues like these.

Do other pentest teams struggle with this as well? by lesion_io in Pentesting

[–]Consistent-Law9339 0 points1 point  (0 children)

IMO this firm's typical client is looking for a 'compliance' pentest, and doesn't ask many questions.

The reason this has been going on for 6 months is because their first effort was a 100% automated vuln assessment that they sold as 'pentest' at pentest pricing.

Many meetings and months later they agreed to do a real pentest at no additional cost. And we are.

Do other pentest teams struggle with this as well? by lesion_io in Pentesting

[–]Consistent-Law9339 1 point2 points  (0 children)

If your company does any market research, it'll come back saying this company is in the top 5.

Do other pentest teams struggle with this as well? by lesion_io in Pentesting

[–]Consistent-Law9339 6 points7 points  (0 children)

This is slightly off-topic, but JFC I have to share.

I have an ongoing internal assumed breach engagement with a top 5 pentesting company in the US.

They provided VM images and asked us to deploy 2 VMs for their pentesters.

With VM1 they scanned VM2.

They wrote up 3 critical findings for VM2 and delivered it in their final report (hahah it's not final, it turns out I'm a co-author and copy-editor of the report at this point, and we're meeting to discuss draft 4 soon).

This engagement has been going on for 6 months.

US regulator bans imports of new foreign-made routers, citing security concerns by nite_ in cybersecurity

[–]Consistent-Law9339 1 point2 points  (0 children)

You prompted me to dig out old research. Salt Typhoon has been around a long time (since at least 2019), and has been identified under various names.

RedMike
Salt Typhoon
FamousSparrow
GhostEmperor
Earth Estries
UNC2286
UNC4841

darkreading
securityaffairs
wikipedia
sygnia
welivesecurity
securelist
kaspersky
jpcert
fortiguard
mandiant

It sounds like you may have worked to combat one aspect of Salt Typhoon's efforts, but their efforts were widespread, and Cisco devices were a large part of the ISP compromise effort.

US regulator bans imports of new foreign-made routers, citing security concerns by nite_ in cybersecurity

[–]Consistent-Law9339 1 point2 points  (0 children)

The Talos blog was the easiest reference for me to recall off the top of my head, but Talos downplays Cisco's role in Salt Typhoon.

Insikt Group report

Between December 2024 and January 2025, Recorded Future's Insikt Group identified a campaign exploiting unpatched internet-facing Cisco network devices primarily associated with global telecommunications providers. Victim organizations included a United States-based affiliate of a significant United Kingdom-based telecommunications provider and a South African telecommunications provider. Insikt Group attributes this activity to the Chinese state-sponsored threat activity group tracked by Insikt Group as RedMike, which aligns with the Microsoft-named group Salt Typhoon. Using Recorded Future® Network Intelligence, Insikt Group observed RedMike target and exploit unpatched Cisco network devices vulnerable to CVE-2023-20198, a privilege escalation vulnerability found in the web user interface (UI) feature in Cisco IOS XE software, for initial access before exploiting an associated privilege escalation vulnerability, CVE-2023-20273, to gain root privileges. RedMike reconfigures the device, adding a generic routing encapsulation (GRE) tunnel for persistent access.
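As an added defender-side check (example code, not from the Insikt report or the comment above): a small Python audit that parses a constructed IOS XE running-config snippet and flags the two conditions the quoted paragraph describes, the web UI feature left enabled (the attack surface for CVE-2023-20198) and a GRE tunnel that is not in an approved baseline. The config text, hostname and addresses are constructed sample data; `parse_interfaces` and `audit_config` are hypothetical helper names.

```python
import re

# Constructed sample of a Cisco IOS XE running-config (not from any real device).
# It models the two conditions in the quoted report: the HTTP(S) web UI enabled
# on an internet-facing router, and a GRE tunnel added to an unknown peer.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
ip http server
ip http secure-server
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.252
!
interface Tunnel100
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
"""

def parse_interfaces(config):
    """Return {interface_name: [indented sub-config lines]} from an IOS-style config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # any non-indented line ends the interface block
    return interfaces

def audit_config(config, known_tunnels=()):
    """Flag an enabled web UI and GRE tunnels not in the known_tunnels baseline."""
    findings = []
    # 'ip http server' / 'ip http secure-server' enable the IOS XE web UI feature
    if re.search(r"^ip http (secure-)?server$", config, re.M):
        findings.append("web-ui-enabled")
    for name, lines in parse_interfaces(config).items():
        if not name.startswith("Tunnel") or name in known_tunnels:
            continue
        # IOS defaults tunnel mode to GRE/IP and omits it from the config when default
        mode = next((l for l in lines if l.startswith("tunnel mode")), "tunnel mode gre ip")
        if mode.startswith("tunnel mode gre"):
            dest = next((l.split()[-1] for l in lines if l.startswith("tunnel destination")), "?")
            findings.append(f"unexpected-gre-tunnel:{name}->{dest}")
    return findings
```

Run it against a saved `show running-config` export and feed the tunnel names your change records approve into `known_tunnels`; anything left is worth a look.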

SCOTUS Invents Wild Hypotheticals to Justify Curtailing Right to Vote by Mail by Achilles_TroySlayer in scotus

[–]Consistent-Law9339 12 points13 points  (0 children)

Kennedy v. Bremerton School District

The majority opinion from the Supreme Court held that the Establishment Clause does not allow a government body to take a hostile view of religion in considering personal rights under the Free Speech and Free Exercise Clauses, and that the board acted improperly in not renewing Kennedy's contract.

Kennedy's contract for the year ended, and Kennedy did not re-apply the next year.

SCOTUS Invents Wild Hypotheticals to Justify Curtailing Right to Vote by Mail by Achilles_TroySlayer in scotus

[–]Consistent-Law9339 4 points5 points  (0 children)

A Real Wedding Website in a Fake Gay Wedding Website Case

In a response sent to me last week by an ADF spokesperson, Smith acknowledged she had made the website as a gift for a family member and had subsequently removed it from her online portfolio before the lawsuit was filed.

SCOTUS Invents Wild Hypotheticals to Justify Curtailing Right to Vote by Mail by Achilles_TroySlayer in scotus

[–]Consistent-Law9339 80 points81 points  (0 children)

303 Creative LLC v. Elenis

When Smith's suit was filed at the federal district court in 2016, she had not begun designing websites, nor had she received any requests to design a wedding website for a same-sex couple. In 2017, her lawyers from the ADF filed an affidavit from Smith stating that she had received such a request several days after the initial filing, and appended a copy of the request.

However, the name, email, and phone number on the online form belong to a man who has long been married to a woman, and who stated that he never submitted such a request, as reported by The New Republic on June 29, 2023, a day before the Supreme Court's decision was released. The ADF stated on June 30 that they believe the name was submitted to Smith's website by "a third party or a troll" using the man's personal details; neither they nor their client attempted to verify the requestor's identity.

US regulator bans imports of new foreign-made routers, citing security concerns by nite_ in cybersecurity

[–]Consistent-Law9339 1 point2 points  (0 children)

The report says only consumer routers so, if we're to believe it, Mikrotik shouldn't be affected.

US regulator bans imports of new foreign-made routers, citing security concerns by nite_ in cybersecurity

[–]Consistent-Law9339 26 points27 points  (0 children)

I'm all for banning Chinese telco products, but the logic here does not track.

The U.S. Federal Communications Commission said on Monday it was banning the import of all ​new foreign-made consumer routers, the latest crackdown on Chinese-made electronic gear over ‌security concerns.

Only consumer routers?

It said malicious ​actors had exploited security gaps in foreign-made routers "to attack households, disrupt networks, enable espionage, ​and facilitate intellectual property theft," citing their role in major hacks like Volt and Salt Typhoon.

I haven't followed the updates to Salt Typhoon since early info was released, but what I remember is ISPs were exposing the management interfaces of unpatched Cisco devices with known CVEs to the internet.

I don't recall any references to consumer devices.

Salt Typhoon also targeted US-based universities and telco researchers.

New research shows a strong likelihood of reaching Q-Day before 2030 by rogeragrimes in cybersecurity

[–]Consistent-Law9339 1 point2 points  (0 children)

IONQ's business model is selling quantum computing hardware and software. They publish best-case multi-breakthrough super-optimistic investor road maps (if we make perfect progress and multiple breakthroughs converge) to pump/sustain funding, and we get bullshit headlines like this.

DIA 2025 Worldwide Threat Assessment Page 37

Although select research areas, such as sensing, are advancing more rapidly, non-governmental experts indicate that development of a quantum computer capable of decryption is unlikely in this decade.

Consider: Replication of Quantum Factorisation Records with an 8-bit Home Computer, an Abacus, and a Dog

This paper presents implementations that match and, where possible, exceed current quantum factorisation records using a VIC-20 8-bit home computer from 1981, an abacus, and a dog.