Today was ... interesting. If you followed me for the past months over on the shitbird site, you might have seen a bunch of angry German words, lots of graphs, and the occasional newspaper, radio, or TV snippet with yours truly. Let me explain.

In Austria, inflation is way above the EU average. There's no end in sight. This is especially true for basic needs like energy and food.

Our government stated in May that they'd build a food price database together with the big grocery chains. But...

On this evening of September 11, I am pleased to announce that I have tagged a Ditto alpha1 release and deployed it to

Ditto LIVES. Here's what you need to know:

- It's Soapbox on Nostr.
- Ditto pretends to be a Mastodon server while using the Nostr protocol.
- You can use Mastodon apps other than Soapbox (but you need to obtain a Nostr private key first).
- ActivityPub is not supported yet, but it will be. It's part of what makes Ditto, Ditto.
- Ditto is about building communities on Nostr, similar to ActivityPub.
- Nostr uses private keys. There is still a lot of work to do in Soapbox to improve this experience.
- This is not optimized. Please excuse any slowness or glitches. If something isn't working, try refreshing the page. I will improve this.
- It's still a demo. This is just for poking around, so don't get too attached.

This is just the beginning. alpha1 is just BARELY usable. But I want to get the ball rolling. Things are going to change a lot in both Soapbox and Ditto. These things take time, but we will win. Thank you all for your patience, enthusiasm, and support!

Follow along with #ditto here:


A butthurt user reported one of my toots that refuted a claim that Bitcoin is a scam.

But here's the thing: I'm a sovereign Mastodon user. I administer my own server (

After a thorough investigation I have determined that I followed my own rules! 🤣

I've been running my own private Mastodon instance for over a year now, and I will say that it's quite reliable. Haven't had a single instance of unplanned downtime, nor have I spent any time on server maintenance!

Cybersecurity isn't about computers, it's about people.

Who don't report to you or care what you think and just want to play Korean MMOs on their CAD workstation.

tl;dr: Only tourists look up in a new town.

Many people have pointed out that there are a handful of commands that are overwhelmingly run by attackers on compromised hosts (and seldom ever by regular users/usage). Reliably alerting when a user on your code-sign server runs whoami.exe can mean the difference between catching a compromise in week-1 (before the attackers dig in) and learning about the attack on CNN.
Introducing our new Sensitive Command Canarytoken.
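The detection idea in the post above, as an added example that is not Thinkst's Canarytoken implementation: a small scanner over forwarded process-creation events that raises an alert only when one of a short list of reconnaissance commands (the post names whoami.exe; net.exe and nltest.exe are an assumed starter list) runs on a host that should never see them, such as a code-signing server. The host names, field layout and log lines are constructed for the example.

```python
"""Alert when rarely-used reconnaissance commands run on a sensitive host.

Added example, not Thinkst's Canarytoken code. Input is constructed, one JSON
object per line, loosely shaped like forwarded Windows 4688 / Sysmon ID 1 events.
"""
import json
from collections import Counter

# Assumed starter list of commands that regular users on a build/signing host
# almost never run; the post itself names only whoami.exe.
SENSITIVE_COMMANDS = {"whoami.exe", "net.exe", "nltest.exe"}

# Hosts where such a command should page someone (hypothetical names).
SENSITIVE_HOSTS = {"codesign-01"}

# Constructed sample process-creation events; the last line is deliberately
# malformed to show that the scanner skips it instead of crashing.
SAMPLE_EVENTS = r"""
{"ts":"2023-05-10T02:13:07Z","host":"codesign-01","user":"svc_build","image":"C:\\Windows\\System32\\whoami.exe","cmdline":"whoami /all"}
{"ts":"2023-05-10T02:13:09Z","host":"codesign-01","user":"svc_build","image":"C:\\Tools\\signtool.exe","cmdline":"signtool sign /f release.pfx app.exe"}
{"ts":"2023-05-10T02:14:41Z","host":"dev-laptop-07","user":"alice","image":"C:\\Windows\\System32\\whoami.exe","cmdline":"whoami"}
{"ts":"2023-05-10T02:15:02Z","host":"codesign-01","user":"svc_build","image":"C:\\Windows\\System32\\net.exe","cmdline":"net user"}
this line is not JSON and must be skipped rather than crash the pipeline
"""


def parse_event(line):
    """Return the event dict for one log line, or None if it is malformed."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict):
        return None
    if not all(k in event for k in ("ts", "host", "user", "image", "cmdline")):
        return None
    return event


def image_basename(image_path):
    """Lower-cased file name of the executable, tolerating / or \\ separators."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan(text):
    """Return one alert per sensitive command executed on a sensitive host.

    Other hosts are deliberately ignored: the value of this canary is a
    near-zero false-positive rate on the few hosts that matter, not a noisy
    fleet-wide rule.
    """
    alerts = []
    for line in text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        exe = image_basename(event["image"])
        if event["host"] in SENSITIVE_HOSTS and exe in SENSITIVE_COMMANDS:
            alerts.append({
                "ts": event["ts"],
                "host": event["host"],
                "user": event["user"],
                "image": exe,
                "cmdline": event["cmdline"],
            })
    return alerts


def alerts_by_host(alerts):
    """Count alerts per host, handy for a dashboard or a paging threshold."""
    return dict(Counter(a["host"] for a in alerts))


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT {alert['ts']} {alert['host']} {alert['user']} ran "
              f"{alert['image']}: {alert['cmdline']}")
```

Run on the embedded sample, the scanner reports the whoami.exe and net.exe executions on codesign-01 and stays silent about the same command on the developer laptop; the scoping to a handful of hosts is what keeps the alert worth paging on.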


"There is no patch for stupidity."

- Kevin Mitnick


After an initial run in June I'm offering another in person course on October 10th to help you learn how to contribute to Bitcoin Core.

It's right before the #BitcoinAmsterdam conference. Utrecht is just a 20-30 minute train ride away and much nicer anyway, as you'll find out during a quick sightseeing tour around lunch.

I'm looking for up to ten participants, but a smaller group is fine too.

You should already have programming experience and no command line phobia.

It is *intense* just how badly the JS/React brainworms have infected the frontend community.

Every single NYT story page has *both* a 437KiB (1.5MiB unzipped) *and* a 474KiB (1.7MiB) JS file, to display ~50K of text. It isn't ad bloat. It isn't tracking. It's this sort of bunk:

Ad blockers are also cybersecurity. Say it with me.

They reduce malvertising, watering hole attacks, and general malicious script execution. It’s not all about you, ad firms.

Long rant/observation....

You know what secretly holds much of the financially-oriented cybercrime world together? It's the relatively few evil code wizards who are really good at making malware look benign. They call them cryptors, or encryptors, and their services are known as "crypting."

Crypting is a core method by which malware purveyors try to evade antivirus and security tools, and virtually all serious malware that is deployed for use in data stealing at some point needs to be crypted. Because if you're not doing stuff to obfuscate your malware before sending it out, it's probably going to mostly get caught by antivirus. So, if you're not crypting it yourself (challenging), you probably need to pay someone else to do that.

There are countless cybercriminals who've hung out their shingles as crypting service providers, but most of these people are really not very good at what they do, and are soon out of business. Still, there are a fair number of crypting services that have been around for a while and do a passable job, with somewhat unreliable results.

However, it's crazy how many different big time cybercrime outfits turn to a fairly small number of super-scary crypters who've been doing malware a LONG time (15-20+ years).

One thing I have discovered in all my lurking on the forums is that the best cryptors are independent contractors who tend to have arrangements with multiple, often competing cybercriminal operations.

In short, if you want to really kneecap a number of cybercrime enterprises all at once, go after the top crypting service providers, and take them off the board.

There are some interesting lessons to learn from the relationship of US bomber command and the use of tracers in the ammunition mix for machine gunners. Basically, they got rid of it because it was doing more harm than good. And then they solved the real problem that tracers illuminated (pun very much intended)

#Google just announced that going forward, any account not logged into for two years gets deleted.

This means huge amounts of rare or unique #video is about to disappear from #YouTube as accounts get flagged as inactive, such as when the user dies. Families' #HomeMovies (often posted by an older relative for their family's benefit), historical footage, rare #television clips, etc. What an incalculable loss to human #history and culture!

If there are videos important to you on someone else's video channel, find a way to download them. And if you have rare #media of historical importance, consider leaving it to institutional #archives or lending it to archives for digital preservation.

I guess Mastodon will henceforth be my platform of choice for infosec news.

My latest Post, available at:

FBI officials on Tuesday dropped a major bombshell: After spending years monitoring exceptionally stealthy malware that one of the Kremlin’s most advanced hacker units had installed on hundreds of computers around the world, agents unloaded a payload that caused the malware to disable itself.

The counter-hack took aim at Snake, the name of a sprawling piece of cross-platform malware that for more than two decades has been in use for espionage and sabotage. Snake is developed and operated by Turla, one of the world's most sophisticated APTs, short for advanced persistent threats, a term for long-running hacking outfits sponsored by nation-states.
Inside jokes, taunts, and mythical dragons

If nation-sponsored hacking was baseball, then Turla would not just be a Major League team—it would be a perennial playoff contender. Researchers from multiple security firms largely agree that Turla was behind breaches of the US Department of Defense in 2008, and more recently the German Foreign Office and France's military. The group has also been known for unleashing stealthy Linux malware and using satellite-based Internet links to maintain the stealth of its operations.

One of the most powerful tools in Turla’s arsenal is Snake, a digital Swiss Army knife of sorts that runs on Windows, macOS, and Linux. Written in the C programming language, Snake comes as a highly modular series of pieces that are built on top of a massive peer-to-peer network that covertly links one infected computer with another. Snake, the FBI said, has to date spread to more than 50 countries and infected computers belonging to NATO member governments, a US journalist who has covered Russia, and sectors involving critical infrastructure, communications, and education.

Snake is among the most sophisticated pieces of malware ever found, the FBI said. The modular design, custom encryption layers, and high-caliber quality of the code base have made it hard if not impossible for antivirus software to detect. As FBI agents continued to monitor Snake, however, they slowly uncovered some surprising weaknesses. For one, there was a critical cryptographic key with a prime length of just 128 bits, making it vulnerable to factoring attacks that expose the secret key. This weak key was used in Diffie-Hellman key exchanges that allowed each infected machine to have a unique key when communicating with another machine.

In another slipup, Snake developers forgot to scrub the finished code for a new version of programming artifacts. The failure provided important new insights into how the malware worked because it exposed function names, strings in clear text, and developer comments.

Juice jacking, the frightening attack that hacks your phone when you do nothing more than plug it into a public charging station, has become the Halley's Comet of cybersecurity scares. This baseless superstition has circulated on and off for more than a decade, despite there not being a single documented case of it ever happening in the wild.

I'll post a detailed article about precisely what hackers can and can't do when you plug in your phone on Monday.

In the meantime, here's an interview I recently did with tech reporter @richontech about the echo chamber that allows this myth to fester and why people should instead focus on real threats. The segment begins at 18:15


This server is a private instance for Jameson Lopp by Jameson Lopp