Profile picture
Jake Williams @MalwareJake
, 3 tweets, 1 min read Read on Twitter
There's been a claim that the GA state "My Voter" site is vulnerable. I'm not poking at it any more than looking at visible source (too pretty for jail and all). But it implements client side filtering and allows backticks in the name fields. 1/n
Even with identical server side filtering, that could lead to eventual command injection, depending on how the data is used. Remember that the command injection could happen later, long after it is originally inserted in a database. 2/n
Client side filtering isn't all bad, but if it's used as a replacement for server side filtering, that's where you can get into trouble. When we see client side filtering in penetration tests, it's about even odds that there's no server side input validation (or it's broken) 3/3
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Jake Williams
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @MalwareJake see all

Profile picture
Twas the night before Christmas and all over the ‘net,
Not a creature was stirring except China hacking Tibet.

The IPS were strung by the egress with care,
In hopes that St WannaCry soon would be stopped there.
1/n
The children were nestled all snug in their beds,
While IoT devices mined the dreams from their heads.

Mama with her EDR and I with my IDS
Were ready to tackle an infosec mess.

Down in the SOC there arose such a clatter,
I logged into my dashboard to see what was the matter 2/
This thing had better work, it cost so much cash.
But gosh darnit, I can’t use it until I update Adobe Flash…

Pondering the alarms I thought “Oh heck no!”
That’s because the threshold for alerting was configured so low.
3/n
Read 14 tweets
Profile picture
I certainly don't agree with everything in this thread, but it is very thought provoking nonetheless. I tell clients regularly that cyber security IS warfare if APT is in your threat model. We often fight nation state hackers with nearly infinite resources by deploying a CEH. 1/n
This obviously doesn't work. When you step back and look at resources that APT groups have, it's obvious they can comrpomise almost any organization. My favorite example is the China/Bit9 example. Picture being an attacker who can't get into a top tier target. 2/n
Now imagine that you think "Bit 9 is standing in our way, so we'll 'just' go comrpomise them." Um, that's a moonshot. Ask yourself:
1. What kind of organization dedicates resources to moonshots?
2. How many moonshots do we not know about?
3. How valuable was that target?
3/n
Read 7 tweets
Profile picture
I'm writing a new blog post but I need some help. We have a problem in the tech industry with consent vs. informed consent. Problems with confusing the two are not unique to infosec. Medicine has been practiced for millennia, but informed consent is at best ~50 years old. 1/n
Legalese terms of service can't be comprehended by a large percentage of a user base. Even if you understand what is being collected, do you understand how it will be used? A patient can't give informed consent without a discussion of risk. 2/n
Doctors don't routinely downplay risk in a procedure. This comes from two sources:
1. Liability
2. In most cases (electives are a counter-example), the doctor has a product (the procedure) the patient needs

These do not hold true in the technology field. 3/n
Read 7 tweets

Related threads

Profile picture
Members of #BryanKemp's voting system commission, SAFE meet Wednesday, December 12 to decide on HACKABLE VOTING MACHINES for #Georgia.
Only permitting public comment AFTER decision.
Ask your state reps to attend.
10 to 4 at 237 Coliseum Dr, Macon GA
#PaperBallots #GApol
THREAD
Find your #GA State Rep here: house.ga.gov/Documents/Info…
Senators: senate.ga.gov/senators/en-US…
&
Let Georgia's SAFE Commission know that paper ballots WITHOUT BARCODES are the only reasonable choice for elections.
Emails below.
#PaperBallots #GApol
Call to Action thread from @IndivisibleGAco
Commission will meet to choose how to spend as much as $100 MILLION on new equipment for Georgia elections. That equipment may be no better than what they are replacing!
➡️
Read 5 tweets
Profile picture
state.gov/r/pa/prs/dpb/2…
MR PALLADINO: Hi, guys. A couple things for the top. We have an update on–for you all on the Global Engagement Center and their efforts to counter foreign disinformation. At the end of September, the Global Engagement Center obligated 40 million to support initiatives to counter
disinformation and propaganda spread by foreign countries abroad. That funding included an extra 20 million provided to the Global Engagement Center by Congress in the Fiscal Year 2018 omnibus spending bill and 20 million from the Department of Defense transferred to the State...
Read 37 tweets
Profile picture
It couldn’t be any clearer what Republicans in states like GA and TX are doing. They are purposely undermining voting rights for Black and Latino Americans. Here’s how they’re doing it:
1. #GA Republicans are holding up the voter registration of 53,000, mostly Black people. The state’s Secretary of State Brian Kemp who oversees the voting roll is in a race for governor against Democrat @StaceyAbrams: nbcnews.com/politics/elect…
2. Florida has barred ex-felons who have completed their sentences from voting in the state denying 1.5 million people the right to vote. A referendum on the ballot in November would restore voting rights to these people: nytimes.com/2018/09/26/mag…
Read 9 tweets
Profile picture
More inconsistencies with #ChristineBlaseyFord!

The problem with a lie, especially when involving other people, is that it's hard to repeat the lie consistently and have various accounts match up. I will do a deeper thread on the overall #DeepState attack on #JudgeKavanaugh...
which is what the smear campaign really is. Let me outline the items in #Fords' accusations that are either SPECIFIC contradictions or don't match with common sense. I will start with her corroborations:
1. Despite the "party," which was really a small get-together, only...
having five people in attendance (as of her most-recent account), including Ford, NOT ONE of those people identified as being at the event recalls the event. This was not a "typical" event as she claims two men tried to rape her, and she fled the scene without telling her one...
Read 31 tweets
Profile picture
Voter turnout (latest election) among countries with non-compulsory voting (as % of voting-age population).
Sweden: 87.2%
Denmark: 80.3%
Netherlands: 77.3%
Finland: 73.1%
Norway: 70.6%
France: 67.9%
UK: 63.2%
Germany: 66.1%
Canada: 62.1%
USA: 55.7%
(Pew)
What makes US voter turnout as % of voting-age population (55.7%) so awful is that US ranks as one of best countries in terms of voter turnout among REGISTERED voters (86.8%). US just makes it more difficult to register/vote than most OECD countries w/hard impact on working poor.
Ways Sweden gets 87.2% voter turnout:
* All citizens over 18 automatically registered
* "Advance voting locations" open in Sweden 18 days before election where people can vote early
* Some hospitals form election committees where patients, doctors can vote
* Election on a Sunday
Read 4 tweets
Profile picture
growth, in 4 years via @RidePeloton:

$80m of bikes sold (at cost)
$470k MRR (streaming revs)
12k daily rides

startups.co/articles/strea…
a 🚴🏻 platform on 🔥

2015: $50m in revs
2016: $170m in revs, 0.3% rider churn

axios.com/peloton-ceo-jo…
.@GoZwift releasing market data today, positioning themselves as “fitness entertainment co.” (note not just cycling)
Read 25 tweets

Trending hashtags

#NBERday #Antonopoulos #Nasr #Ochsenreiter #Meyssan #LaRouche #ChristineBlaseyFord #Infowars #Carlson #MSM #PaulMcCartney #DigitalSherlocks #Anitfa #TheBeatles #Flynn #Pool #StopCrossCheck #trolls #FPIC #Crypto #Wight #AIM #foodsecurity #Brandherd #Fairbanks

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!