MeLikeFish @melikefish - Tumblr Blog

I am sorry, but what the fuck? CIA's DMARC record is set to none. For those who do not know, DMARC is a thing that prevents people from sending emails from your email address. This basically means that anyone could (although illegally, and logs would be kept on CIA's servers) send emails from, for example, [email protected]. Are they trying to trap & catch criminals? Or did they just... forget to set it back to reject spoofed emails?

melikefish

So I wanted to look into how many other US .gov domains have bad DMARC records or none at all. I got a full list of all US .gov domains (https://github.com/cisagov/dotgov-data/blob/main/current-full.csv), and built a python script to separate the text from the domain, then scanned the domains for DMARC records, and then if they are set to none (let spoofed emails through) or null (no DMARC record) to add them to a list. There are 1024 .gov domains with bad DMARC records. There could be even more, as my script only checked if p=reject. If, for example, a domain had p=reject but sp=none, or it had pct lower than 100, that domain would also be vulnerable. This means that you could send spoofed emails from 1024 .gov domains. This list includes security agencies, cities, states, federal agencies, programs, initiatives, and a lot more. Here is the list for those that want to laugh at the US government gist.github.com/MeLikeFish/e0a772b751ba84cba3cd6e9a9c7bd1bd

melikefish

Update:

The CIA fixed their DMARC records. Now spoofed emails go to spam.

melikefish

So, the US definitely isn’t the only one. For example, the Czech state police and the justice system also has invalid dmarc records.

This seems to be a wide spread issue with most systems, entities, or governments, that never felt the need to contract a pentester to test their systems. The fact that google, Microsoft, and most domain providers never say anything about the invalid DMARC records also doesn’t help the problem.

#cybersecurity #dmarc #email #what could go wrong #czech #czech republic #czechia #email security #goverment #police

•18+ Adults Only

Watch Anya Live on Cam

Anya is live and ready to show you everything. Watch her strip, dance, and perform exclusive shows just for you. Interact in real-time and make your fantasies come true.

✓ Live Streaming✓ Interactive Chat✓ Private Shows✓ HD Quality

Anya is LIVE right now

FREE

Free to watch • No registration required • HD streaming

melikefish

I am sorry, but what the fuck? CIA's DMARC record is set to none. For those who do not know, DMARC is a thing that prevents people from sending emails from your email address. This basically means that anyone could (although illegally, and logs would be kept on CIA's servers) send emails from, for example, [email protected]. Are they trying to trap & catch criminals? Or did they just... forget to set it back to reject spoofed emails?

melikefish

So I wanted to look into how many other US .gov domains have bad DMARC records or none at all. I got a full list of all US .gov domains (https://github.com/cisagov/dotgov-data/blob/main/current-full.csv), and built a python script to separate the text from the domain, then scanned the domains for DMARC records, and then if they are set to none (let spoofed emails through) or null (no DMARC record) to add them to a list. There are 1024 .gov domains with bad DMARC records. There could be even more, as my script only checked if p=reject. If, for example, a domain had p=reject but sp=none, or it had pct lower than 100, that domain would also be vulnerable. This means that you could send spoofed emails from 1024 .gov domains. This list includes security agencies, cities, states, federal agencies, programs, initiatives, and a lot more. Here is the list for those that want to laugh at the US government gist.github.com/MeLikeFish/e0a772b751ba84cba3cd6e9a9c7bd1bd

melikefish

Update:

The CIA fixed their DMARC records. Now spoofed emails go to spam.

Brave browser is no longer trustable

TLDR: Brave is manipulating what your browser does to profit the developers personally, sacrificing your security, privacy, bandwidth, and computer resources…. Again

#cybersecurity #fuck up #internet #browser #privacy #security #internet security #spyware #brave #brave browser #chrome #chrome browser

elfgrove

New Things to Beware on the Internet

On May 3rd, Google released 8 new top-level domains (TLDs) -- these are new values like .com, .org, .biz, domain names. These new TLDs were made available for public registration via any domain registrar on May 10th.

Usually, this should be a cool info, move on with your life and largely ignore it moment.

Except a couple of these new domain names are common file type extensions: ".zip" and ".mov".

This means typing out a file name could resolve into a link that takes you to one of these new URLs, whether it's in an email, on your tumblr blog post, a tweet, or in file explorer on your desktop.

What was previously plain text could now resolve as link and go to a malicious website where people are expecting to go to a file and therefore download malware without realizing it.

Folk monitoring these new domain registrations are already seeing some clearly malicious actors registering and setting this up. Some are squatting the domain names trying to point out what a bad idea this was. Some already trying to steal your login in credentials and personal info.

This is what we're seeing only 12 days into the domains being available. Only 5 days being publicly available.

What can you do? For now, be very careful where you type in .zip or .mov, watch what website URLs you're on, don't enable automatic downloads, be very careful when visiting any site on these new domains, and do not type in file names without spaces or other interrupters.

I'm seeing security officers for companies talking about wholesale blocking .zip and .mov domains from within the company's internet, and that's probably wise.

Be cautious out there.

elfgrove

I really want to reiterate how this can go wrong frequently and fast, folks.

A malicious actor sets up a page with an auto-downloader squatting on a domain name that matches a common zip file name like photos DOT zip. This website is set up to start an auto downloader upon being visited, downloading a zip file with the same name as the URL which contains malicious software (virus, worm, keylogger, etc).

Scenario.

Someone you know well sends you an email or text with promised photos attached. The email even reads something like this.

Because .zip is now a TLD, that plain text is automatically formatted into a link to malicious actor's website without them having to send you anything.

Folk with family with iPhones or iPads that are sent multiple photos in one go might be familiar with iCloud's tendency to automatically compile them into zip file for the sender and less savvy tech users have trouble NOT doing that.

These same less savvy users, or even just someone just not thinking in the moment, will click that .zip link, not realizing it isn't the the same as clicking on the promised attachment.

They download a file that matches the name they expected. They open it because they were expecting that file and it's from a trusted source. Except the file they downloaded isn't the one that was sent by their trusted source and now they have malware.

Another Scenario.

An IT person tries to send you an email with instructions on how to resolve a problem with a commonly used filename like install-repair DOT zip or to install new software like microsoft-office DOT zip.

The email may start with instructions of where to go get the legitimate file to do the install or repair, but now a line later in the instructions is also has a link to a .zip URL. A user, already frazzled by IT problems, may click it to ensure they have the right file. Again, they download malicious code from a squatting website or it prompts them with a fake login and now the squatting website has stolen their login credentials for a legitimate site. All due to an expected email from a trusted source.

Above you can see microsoft-office DOT zip is already out there with a fake Microsoft login screen waiting to steal your credentials.

These risks are already out there now because the TLD has been activated.

Plain text on old post are already being resolved into links to the new websites.

Here you can see a tweet from 2021, long before .zip was a domain name, now resolves that plan text into a clickable link. You'll start seeing this everywhere, and malicious actors do not have to lift a finger to send it to you.

Yes, a lot of users aren't going to click that, but a lot of folk will. Whomever is squatting on photos DOT zip domain name has made a one time payment to have access to anyone that ever sees that file name typed out.

In an example of an existing squatter site, clientdocs DOT zip is exactly one such pre-setup .zip domain name that initiates an automatic download. This one may be harmless, but the set ups are already out there and waiting to catch folk.

It's an unnecessary and risky can of worms that's been opened up.

Holy Unforced Errors, Batman.

just-shower-thoughts

Streaming companies are the landlords of media. You will rent in perpetuity, and never actually own anything.

fuck-you-showerthoughts

✨🏴‍☠️ PIRATE AND DOWNLOAD YOUR FAVORITE MEDIA IMMEDIATELY. PIRATE AND DOWNLOAD YOUR FAVORITE MEDIA IMMEDIATELY 🏴‍☠️✨

fuck-you-showerthoughts

1. Download Firefox

2. Add the following extensions: uBlock Origin, AdBlocker Ultimate, Privacy Badger, Privacy Possum, minerBlock (ClearURLs and Don’t track me Google also recommended but not necessary for this)

3. Go forth brave soldier

•18+ Adults Only

Watch Anya Live on Cam

Anya is live and ready to show you everything. Watch her strip, dance, and perform exclusive shows just for you. Interact in real-time and make your fantasies come true.

✓ Live Streaming✓ Interactive Chat✓ Private Shows✓ HD Quality

Anya is LIVE right now

FREE

Free to watch • No registration required • HD streaming

Sometimes I go to Starbucks, and when I arrive I realise that I forgot to order my beverage beforehand in the app. Just to avoid human interaction, I stand there in a corner on my phone, open the app, and stare the barista straight into the eyes as I put in a online order.

#introvert #introversion #starbucks #awkward

Florida Senate Bill 254 (https://www.flsenate.gov/Session/Bill/2023/254) and Florida House Bill 1421 (https://www.myfloridahouse.gov/Sections/Bills/billsdetail.aspx?BillId=78266).

Assuming that they would pass (which is unlikely), Bill 254 would allow Florida to take custody of a kid from ANY state as long as they are “suspected of” being “at risk” of receiving gender affirming care, or any kind of transition care.

But adults are affected too. Bill 1421 would also ban doctors from practicing any kind of trans related care and also ban changing your gender legally.

The wording “at risk” also means that the child’s siblings could be taken custody of as well, because they were exposed to someone trans.

As this bill also ignores all custody agreements, this could be used, by for example a vengeful ex, to remove someone’s custody.

#transgender #trans rights #transrightarehumanrights #human rights

melikefish

I am sorry, but what the fuck? CIA's DMARC record is set to none. For those who do not know, DMARC is a thing that prevents people from sending emails from your email address. This basically means that anyone could (although illegally, and logs would be kept on CIA's servers) send emails from, for example, [email protected]. Are they trying to trap & catch criminals? Or did they just... forget to set it back to reject spoofed emails?

melikefish

So I wanted to look into how many other US .gov domains have bad DMARC records or none at all. I got a full list of all US .gov domains (https://github.com/cisagov/dotgov-data/blob/main/current-full.csv), and built a python script to separate the text from the domain, then scanned the domains for DMARC records, and then if they are set to none (let spoofed emails through) or null (no DMARC record) to add them to a list. There are 1024 .gov domains with bad DMARC records. There could be even more, as my script only checked if p=reject. If, for example, a domain had p=reject but sp=none, or it had pct lower than 100, that domain would also be vulnerable. This means that you could send spoofed emails from 1024 .gov domains. This list includes security agencies, cities, states, federal agencies, programs, initiatives, and a lot more. Here is the list for those that want to laugh at the US government https://github.com/Nygosaki/Gov-DMARC-Checker

#cia #cybersecurity #internet #internet security #email #email security #us #usa #us goverment #us govt #technology #fuck up #face palm #lol wtf #wtf #the great usa

I am sorry, but what the fuck? CIA's DMARC record is set to none. For those who do not know, DMARC is a thing that prevents people from sending emails from your email address. This basically means that anyone could (although illegally, and logs would be kept on CIA's servers) send emails from, for example, [email protected]. Are they trying to trap & catch criminals? Or did they just... forget to set it back to reject spoofed emails?

#cybersecurity #cia #dmarc #email #fuck up #what could go wrong #email security #usa #us #goverment #us goverment #us govt #security #internet security #internet

It seems like OpenAI has patched most jailbreaks :/

It has, however, introduced some more contradictory statements in it’s responses.

#openai #chatgpt #chat gpt #ai #chat ai

•18+ Adults Only

Watch Anya Live on Cam

Anya is live and ready to show you everything. Watch her strip, dance, and perform exclusive shows just for you. Interact in real-time and make your fantasies come true.

✓ Live Streaming✓ Interactive Chat✓ Private Shows✓ HD Quality

Anya is LIVE right now

FREE

Free to watch • No registration required • HD streaming

homunculus-argument

The adulthood vibe of understanding that your parents did the best they could, but also knowing for certain that you could do better than that. But also making it clear that you don't ever want to have your own kids, because the best that you could do still isn't worth jack shit, and a child would deserve better than that.

melikefish

And on top of that you hate children

#relatable

I work in cyber security. While I agree that getting a VPN is a good idea, most people have misconceptions about it. I am here to dumb down as much as I can how a VPN works and undo some of the misconceptions.

The way your internet works usually is “Device —> Modem —> ISP —> Servers of the place you are trying to reach”. Now, your Device sends a request which is then enhanced by your modem and sent off to your ISP.

Basically, your computer makes & packs the package and adds the sender info (local ip, mac adress, etc) and the recepient info (the server where the request needs to be delivered to). Your modem then adds some other sender info such as your IP and then send it off to the ISP. Your ISP will then keep a copy of the package (request) and send the original to the recipient server. Now, if the tech team of the company did not fuck up and used https, the contents of the package itself should be encrypted, meaning that the ISP can’t see what you see, can’t see the password that you typed in, etc. and the package should be figuratively closed. They should only be able to see the sender and recipient information alongside all the other identifying info. Now, if the tech tram *did* fuck up and used http, your ISP can see the contents of the website you are visiting, can see the password that you entered, etc. and the package is figuratively left open and anyone can look in and see you know, the password you entered and stuff.

Now also, there could be someone in between your devices and your modem like this “Device —> Middle Man —> Modem —> ISP —> Servers of the place you are trying to reach”, the middle man will be able to read the same info as the ISP but that’s besides the point right now.

What a VPN does is, that it encrypts the request and puts it into a different request that is headed to the VPN’s servers. The request’s pathway will look something like this “Device (encrypted by a VPN) —> Modem —> ISP —> Servers of VPN (here the request is decrypted) —> Servers of the place you are trying to reach“. Using figuratively language, the VPN put your package inside another box, another package which is closed. So no-one can see the recipient & sender information of the original package, and if the original package was open no-one can see what is inside of that package. So the outer box/package now heads to the VPN’s servers, and once it arrives there, the VPN’s servers will unpack the outer box/package and send the original package to the original recipient

Now let’s point out some key points.

1. The VPN essentially becomes your ISP, it can read the request as if the encryption never existed.

2. By this complicated process, the IP from which you are sending the request changes to the IP of the VPN’s server.

3. Your ISP CAN NOT read your requests most of the time even without a VPN. If your browser has a lock icon next to the search bar, your requests are already encrypted, the website is using https, and the box is closed.

4. The only thing a VPN does, is make it seem like your requests are coming from a different IP, hides the original recipient info from your ISP & Man in the Middle attacks, hides the original sender information from the recipient server, and encrypts the contents… again. NOTHING MORE NOTHING LESS. If a VPN does something more (such as ad-blocking) they will advertise it separately, it is not a thing that comes by default.

Wrote this at 1AM on my phone in bed as a non-native English speaker. Sorry fir the bad grammar.

#vpn #vpn security #vpn software #vpn service #cybersecurity #internet #misconceptions #thought you should know #helpful #tech #security #privacy #internet security #internet privacy

Trending Blogs

Last Seen Blogs

MeLikeFish