cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
So I had Trivy working last month, but it looks like I had ripped it out close to the compromise, yeeeeesh. I had concluded that I can get that data other ways and I didn't need the noise, since I don't have the ability/time/resources to act on most of what it finds. No rogue pods/daemonsets/etc. are around and no unexplained policy violations have been triggering (the default deny cluster-wide netpol also helps). I've already been slowly tightening up things it would already track as violations via other means, and container/dependency CVEs are not a thing I can really do much about without endless chasing upstream. I'm fairly confident that my current approach to cluster network policies would have stopped the worm from doing much of anything as well (it would have failed its outbound connections and appeared on the dashboard). That is certainly validation of the effort I put into getting this networking configured with monitoring on DNS failures + DNS policies.
Not positive if it impacted the operator or just CI-run jobs. The story continues to develop, it seems.
This dumb password rule is from Mobi Bike Share.
Your PIN (which is the password you use to login, which lets you, say, buy hundreds of dollars worth of bike-share subscriptions off the saved credit card) must be four numeric digits. Helpfully, they even give you an example of a PIN: *1234*.
https://dumbpasswordrules.com/sites/mobi-bike-share/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Please boost! Please share! #fedihire #fedihired #jobs #infosec #noai
I am Kim Crawley and I research and write about all areas of cybersecurity. I do it the "old fashioned" way by actually using my brain and doing the work... No Gen AI! Fuck Gen AI! I hate Gen AI! I founded Stop Gen AI!
I've worked for:
- Siemens (Digital Industries World)
- BlackBerry Cylance
- Kaspersky
- Hack The Box
- O'Reilly Media
- Wiley Tech
- AT&T Cybersecurity
My portfolio is here: https://kimcrawley.com
- Whitepapers
- Blogs
- Documentation
- Books
- Threat analysis
- Enterprise cybersecurity instruction and consulting
I'm in Tribe of Hackers.
I cowrote The Pentester Blueprint.
I'm writing Technofascism Survival Guide now, successful Kickstarter is still taking late pledges for $12 USD eBooks: https://www.kickstarter.com/projects/kimcrawley/technofascism-survival-guide
Email me: kim(dot)crawley(at)stopgenai.com
Signal: crowgirl.84
Or reply here.
This dumb password rule is from Ticketmaster.de.
Your password length is limited between 8 and 32 characters.
https://dumbpasswordrules.com/sites/ticketmaster-de/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Canada Revenue Agency.
Password checklist:
- 8 to 16 characters
- At least 1 upper-case character
- At least 1 lower-case character
- At least 1 digit
- No space
- No accented characters
- No special characters except: dot (.), dash (-), underscore (_), and apostrophe (')
- No more than 4 consecutive identical characters
https://dumbpasswordrules.com/sites/canada-revenue-agency/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Taco Bell.
Password may include special characters, except for #.
https://dumbpasswordrules.com/sites/taco-bell/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Dell.
Okay at least 6, that's alright I guess.
Oh at least one number and one letter, bit dumb but hey not that dumb.
But hiding the fact that it has a max of 20, now THAT is dumb!
https://dumbpasswordrules.com/sites/dell/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Apple.
Can't contain 3 or more consecutive identical characters, nor can it be more than 63 characters long.
https://dumbpasswordrules.com/sites/apple/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Mistral: two blocked requests.
Cloudflare Insights ("is the site up") and a single Intercom beacon POST that didn't even retry.
that's it. no Statsig. no tracking GIFs. no Google Analytics. no distributed tracing. no proof-of-work challenge. no KETCHUP_DISCOVERY_CARD. nothing.
a French AI company nobody talks about is running the cleanest frontend in the entire field by a factor of roughly 150x and we're all sleeping on it
the French have figured it all out
This dumb password rule is from ING Romania's Internet Banking Portal.
No more, no less than 5 digits. This is the password you use to log in and to confirm online transactions. They used to have "normal" passwords and they forced everybody to change to the 5 digits versions. They said they've made it "so it's easier for you" and it's OK, because everybody has 2FA.
https://dumbpasswordrules.com/sites/ing-romanias-internet-banking-portal/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Intel.
https://dumbpasswordrules.com/sites/intel/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Cigna.
A max of 12 characters... Can't handle most symbols (only 5 supported). At least they have two factor auth via email or sms **sigh**
https://dumbpasswordrules.com/sites/cigna/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
#Synology just put out the second critical security update for their NAS operating system in four days <https://www.synology.com/en-global/releaseNote/DSM#ver_72806-8>; the previous one was released on the 16th.
The new one is to fix, of all things, a vulnerability in telnetd:
https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00031.html
I'm glad they're patching it, but I kind of wish they would just, I dunno, not ship telnetd with their OS? I'm hard-pressed to think of a use-case for telnetd that can't be satisfied with sshd.
#infosec
This dumb password rule is from SielteID.
Sielte is one of the four Italian digital identity providers of level 3 (the highest available).
The rules are as such:
- At least 8 characters
- At most 16 characters
- Must have both lower and upper characters
- Must have one or more digits and one or more of the following "special characters"...
https://dumbpasswordrules.com/sites/sielteid/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Entwickler.de.
Your password must be 12-20 characters.
https://dumbpasswordrules.com/sites/entwickler-de/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Domainname.shop.
domainname.shop operates under several domains: domene.shop (Norway), domän.shop (Sweden), domæne.shop (Denmark).
The following characters are allowed: A-Z, a-z, 0-9 and + - * / ! ? . , : ; = # @ $ % & ( ) < >, password length 10-79 chars
https://dumbpasswordrules.com/sites/domainname-shop/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from HSA Bank.
- Must be minimum 12 characters
- Must not be one of user's past 5 passwords
- Must contain uppercase and lowercase letters
- Must contain a number
- Must not be the same as user's account number or login/username
But also...
- Cannot be longer than 20 characters
https://dumbpasswordrules.com/sites/hsa-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
I have been in infosec for a long time. By some measures it's over three decades. That's as many as three tens of years. It's been a while.
I’d like to take this opportunity to convey some of my hard-earned wisdom to the next generation.
If you want to test EtherNet/IP message forwarding and it isn’t working, be sure you didn’t disable message forwarding to test something else and forgot about it.
This has been “Rob brings you infosec wisdom” episode 8392763.
This dumb password rule is from Trade Me.
Won't allow spaces or single quotes. Maybe other characters as well (they do not say up front), but the password they accepted contained lots of other special characters.
https://dumbpasswordrules.com/sites/trade-me/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from IHG.
4, yes 4, digits only.
https://dumbpasswordrules.com/sites/ihg/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Munich Foerdermittel Portal.
You register on their funding portal and receive an email with an activation link to set a password.
The email further informs you about their password policy:
- At least 8, but no more than 20 characters
- At least one lowercase and uppercase letter
- At least two digits (1,2,3,4,5,6,7,8,9,0) or...
https://dumbpasswordrules.com/sites/munich-foerdermittel-portal/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from SunTrust.
At least there are a variety of special characters to choose from.
https://dumbpasswordrules.com/sites/suntrust/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
periodic reminder that if you wouldn't dream of giving your employer your personal passwords: if you have them saved in Chrome, and your Chrome profile is a Google Workspace account, you have already done just that #infosec
Oh I see the absurdly, negligently insecure Tea app is now getting the "hackers hacked" treatment, so that it can comfortably deflect blame to some unspecified scary hackers?
Cool, cool.
*takes out a bullhorn*
📢 Tea kept drivers license photos of thousands of women in an unprotected Google Firebase storage bucket.
📢 Centering "hackers" means helping let those responsible for the horrendous negligence at Tea off the hook.
👏 There is no "hack", only other people's negligence.
@delta also #deltaChat natively supports #Proxies, #VPN|s and @torproject / #Tor so not only can people use it that way but also use any other bypass method.
uucp with foreign mobile networks near borders works just as well...I'd not be surprised if delta Chat is also used by #RimjinGang* and #38North** for a "contactless sneakernet" tho I am convinced they won't confirm or deny that for #OpSec, #InfoSec & #ComSec reasons alone...
This dumb password rule is from Progressive Home by Homesite.
Password must be a minimum of 8 characters.
Passwords must have one lowercase character.
Passwords must have one uppercase character.
Passwords must have one number.
Passwords must have one special character in the following list: `!'#$ ~`!@#$%^&*()-_+=?<,>.{}[]|;:`
Furthermore, when resetti...
https://dumbpasswordrules.com/sites/progressive-home-by-homesite/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from South Western Railway.
Certain special characters disallowed, but notably the phrase " or " is disallowed also. They're probably papering over SQL injection vulnerabilities 🤦
https://dumbpasswordrules.com/sites/south-western-railway/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
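An added example (not the poster's code, nor anything from South Western Railway) of the point the post makes: banning the substring " or " in passwords is a blocklist bolted onto an injectable query, and it neither blocks the injection nor is needed once the query is parameterised and the password is stored as a salted hash. The table layout, the user "alice", her password and the PBKDF2 work factor below are all constructed for the demo.

```python
"""Why a ' or ' blocklist on passwords is security theatre (constructed demo).

Two login implementations against an in-memory SQLite database:
  login_concat  - builds SQL by string concatenation and "fixes" it by
                  rejecting passwords containing " or ", the way the post
                  describes;
  login_param   - parameterised query plus salted PBKDF2 hash; the password
                  never touches SQL, so no characters need to be banned.
"""
import hashlib
import hmac
import os
import sqlite3

# Work factor kept low so the demo runs quickly; production values are
# far higher (assumed figure, tune for your hardware).
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes = None):
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def make_db() -> sqlite3.Connection:
    """Constructed fixture: one user stored both in plaintext and hashed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (username TEXT, password TEXT)")
    db.execute("CREATE TABLE users_hashed (username TEXT, salt BLOB, digest BLOB)")
    pw = "correct horse battery"
    salt, digest = hash_password(pw)
    db.execute("INSERT INTO users_plain VALUES (?, ?)", ("alice", pw))
    db.execute("INSERT INTO users_hashed VALUES (?, ?, ?)", ("alice", salt, digest))
    return db


def login_concat(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: both fields are spliced into SQL; only the password is filtered."""
    if " or " in password.lower():        # the blocklist-style "fix" from the post
        return False
    sql = (
        "SELECT 1 FROM users_plain WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return db.execute(sql).fetchone() is not None


def login_param(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: bound parameter for the lookup, hash comparison for the password."""
    row = db.execute(
        "SELECT salt, digest FROM users_hashed WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0], row[1])


def demo() -> dict:
    """Run the same inputs through both implementations and collect the verdicts."""
    db = make_db()
    # SQLite treats /**/ as whitespace, so the keyword is still OR but the
    # banned substring " or " never appears in the password.
    comment_bypass = "x'/**/or/**/1=1--"
    # The blocklist only looks at the password, so the username is wide open.
    username_inject = "alice'--"
    return {
        "concat_legit": login_concat(db, "alice", "correct horse battery"),
        "concat_classic_blocked": login_concat(db, "alice", "' or '1'='1"),
        "concat_comment_bypass": login_concat(db, "alice", comment_bypass),
        "concat_username_inject": login_concat(db, username_inject, "anything"),
        "param_legit": login_param(db, "alice", "correct horse battery"),
        "param_comment_bypass": login_param(db, "alice", comment_bypass),
        "param_username_inject": login_param(db, username_inject, "anything"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} login={'SUCCESS' if ok else 'denied'}")
```

The blocklist catches the textbook `' or '1'='1` and nothing else: a comment-separated `OR` walks straight past it, and the unfiltered username field was never protected at all. The parameterised version accepts a password that literally contains " or " (or quotes, or `#`, or spaces) because the password is only ever a hash input, never SQL.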
This dumb password rule is from MySwissLife.
User ID *has to* be 8 characters exactly, password *has to be* 8 characters and numbers only.
https://dumbpasswordrules.com/sites/myswisslife/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Easyjet.
No more than 20 characters, use any symbols you like... Oh except #, &, +, or space of course.
https://dumbpasswordrules.com/sites/easyjet/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Williams-Sonoma.
25 maximum characters and disallowing some specials.
https://dumbpasswordrules.com/sites/williams-sonoma/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from United Parcel Service of America.
Your password must:
- Be between 7 and 26 characters long
- Contain at least 1 lowercase character
- Contain at least 1 uppercase character
- Contain at least 1 number character
- Contain one special character (!@#$%*)
- NOT contain first or last name
- NOT contain UPS user ID
- NOT contain email...
https://dumbpasswordrules.com/sites/united-parcel-service-of-america/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Estheticon.
- At least 8 characters but limited to 20 characters at max
- At least 1 digit
- At least one letter (just a letter in general, no specific casing required)
- No special characters at all
https://dumbpasswordrules.com/sites/estheticon/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
"We’ve been saying this for years now, and we’re going to keep saying it until the message finally sinks in: mandatory age verification creates massive, centralized honeypots of sensitive biometric data that will inevitably be breached. Every single time. And every single time it happens, the politicians who mandated these systems and the companies that built them act shocked—shocked!—that collecting enormous databases of government IDs, facial scans, and biometric data from millions of people turns out to be a security nightmare."
This dumb password rule is from MobileIron MDM.
You can't make this up: no dictionary words, no more than 2 repeating characters, no alphabetic sequences, no whitespace, 3 character sets, maximum of 32 characters.
https://dumbpasswordrules.com/sites/mobileiron-mdm/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from EON.
By the time I'd finished reading the rules I'd forgotten all of them.
https://dumbpasswordrules.com/sites/eon/
#password #passwords #infosec #cybersecurity #dumbpasswordrules