Mikina

joined 2 years ago
[–] Mikina@programming.dev 7 points 1 month ago (3 children)

It depends on how well segmented their network is, but all you might need for that is a Raspberry Pi with ethernet and GSM.

I've done some engagements where we sent someone into the company to get in as an air conditioning tech, and when they got in, they planted that device between a printer and the network. It was set up to forward all traffic, but also allowed us to connect through GSM and get into the network.

It takes like a few seconds to plant it.

Or if it's really bad, then you might be able to reach it from the WiFi.

[–] Mikina@programming.dev 12 points 1 month ago

I've done exactly that, worked as a Red Team Lead, and the success rate is pretty disturbing. That, and vishing - calling people from the company that you find on LinkedIn, from a spoofed number of their IT, telling them that they fucked something up and need to download and run this .exe to fix it before The Audit that's currently happening notices it.

Even when we do internal infrastructure tests where they let you in, switch AVs to "detect mode" instead of "block mode", and the goal is to find as many unpatched systems/vulnerabilities as you can (instead of, well, testing the AV solution), what we usually do is run a password spray for all domain accounts with a few combinations (you can try like 3 so as not to lock the accounts) of "", and every single time we got at least a few accounts.

Fortunately, these kinds of tests are getting more popular, and passwords such as this should've definitely been caught in some kind of security test. But it is also pretty depressing when you repeat the same test next year and 80% of the passwords are still the same, and vulnerabilities are still not patched.
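
A defender-side detection for the spray pattern described in the comment above (a few attempts per account, kept under the lockout threshold, spread across many accounts from one source), added here as an example and not the commenter's code. The log records are constructed, and the record format, the 4625 event filter, the window and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): timestamp,event_id,account,source_ip
# 4625 is the Windows "an account failed to log on" event ID.
SAMPLE_LOG = """\
2024-05-01T09:00:01,4625,alice,10.0.0.50
2024-05-01T09:00:02,4625,bob,10.0.0.50
2024-05-01T09:00:03,4625,carol,10.0.0.50
2024-05-01T09:00:04,4625,dave,10.0.0.50
2024-05-01T09:00:05,4625,erin,10.0.0.50
2024-05-01T09:00:06,4625,frank,10.0.0.50
2024-05-01T09:05:00,4625,alice,10.0.0.7
2024-05-01T09:05:10,4625,alice,10.0.0.7
2024-05-01T09:30:00,4625,bob,10.0.0.50
"""

def parse(log):
    """Keep only 4625 failures as (timestamp, account, source_ip) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, eid, acct, ip = line.split(",")
        if eid == "4625":
            events.append((datetime.fromisoformat(ts), acct, ip))
    return events

def detect_spray(events, window=timedelta(minutes=10),
                 min_accounts=5, max_per_account=3):
    """Flag sources that failed logons against >= min_accounts distinct accounts
    within one window while no account exceeded max_per_account failures:
    lockout never trips, but the breadth is the spray signature. A user
    mistyping their own password a couple of times (10.0.0.7) is not flagged."""
    by_ip = defaultdict(list)
    for ts, acct, ip in sorted(events):
        by_ip[ip].append((ts, acct))
    alerts = {}
    for ip, evs in by_ip.items():
        for i, (start, _) in enumerate(evs):  # slide the window start over events
            counts = defaultdict(int)
            for ts, acct in evs[i:]:
                if ts - start > window:
                    break
                counts[acct] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                alerts[ip] = sorted(counts)
                break
    return alerts
```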

[–] Mikina@programming.dev 62 points 1 month ago

unless they’re running GrapheneOS.

Nice, this is good to know.

[–] Mikina@programming.dev 23 points 2 months ago (1 children)

There's a lot of them "handmade" on etsy...

Because it's sold on Aliexpress for dirt cheap. So, save money and get it from the source.

[–] Mikina@programming.dev 4 points 2 months ago

From a very quick glance it looks similar to https://logseq.com/, which I've been using for some time now and absolutely enjoy.

The querying stuff and the "referenced by" box on pages is awesome, and I like the journalling format.

Once I solved sync troubles (with a git repo), it was great.

[–] Mikina@programming.dev 8 points 2 months ago

Definitely, but the issue is that even the security companies that actually do the assessments also seem to be heavily transitioning towards AI.

To be fair, in some cases ML is actually really good (e.g. in EDRs. Bypassing an ML-trained EDR is really annoying, since you can't easily see what it was that triggered the detection, and that's good), and that will carry most of the prevention and compensate for the vulnerable and buggy software. A good EDR and WAF can stop a lot. That is, assuming you can afford such an EDR; AV won't do shit - but unless we get another WannaCry, no-one cares that a few dozen people got hacked through a random game/app, "it's probably their fault for installing random crap anyway".

I've also already seen a lot of people either writing reports with, or building whole tools that run, "agentic penetration tests". So, instead of a Nessus scan, or an actual Red Teamer building a scenario themselves, you get an LLM to write and decide a random course of action, and they just trust the results.

Most of the cybersecurity SaaS corporates didn't care about the quality of the work before, just like the companies that are actually getting the services didn't care (but had to check a checkbox). There's not really an incentive for them to do so; worst case you get into a finger-pointing scenario ("We did have it pentested" -> "But our contract says that we can't 100% find everything, and this wasn't found because XYZ... Here's a report with our methodology showing we did everything right"), or the modern equivalent, "It was the AI's fault", and maybe get a slap on the wrist. But I think that it will not get more important, just way, way more depressing than it already was three years ago.

I'd estimate it will take around a decade of unusable software and dozens of extremely major security breaches before any of the large corporations (on any side) concede that AI was a really, really stupid idea. And at that time they'll probably also realize that they can just get away with buggy, vulnerable software and not care, since breaches will be pretty commonplace, and probably won't affect larger companies with good (and expensive) frontline mitigation tools.

[–] Mikina@programming.dev 32 points 2 months ago* (last edited 2 months ago) (2 children)

I have worked as a pentester and eventually a Red Team lead before leaving for gamedev, and oh god this is so horrifying to read.

The state of the industry was already extremely depressing, which is why I left. Even without all of this AI craze, the fact that I was able to get from a junior to Red Team Lead, in a corporation with hundreds of employees, in a span of 4 years is already fucked up, solely because Red Teaming was starting to be a buzzword, and I had a passion for the field and for Shadowrun while also being good at presentations that customers liked.

When I got into the team, the "inhouse custom malware" was a web server with a script that polls it for commands to run with cmd.exe. It had a pretty involved custom obfuscation, but it took me like two engagements and the guy responsible for it leaving before I even (during my own research) found out that WinAPI is a thing, and that you actually should run stuff from memory and why. And I was just a junior at the time, and this "revelation" eventually got me an unofficial RT Lead position, with 2 MDs per month for learning and internal development; the rest had to be on engagements.

And even then, we were able to do kind of OK in engagements, because the customers didn't know and also didn't care. I was always able to come up with "lessons learned", and we always found some glaring sec policy issues, even with limited tools, but the thing is - they still did not care. We reported something, and two years ago they still had the same bruteforcable Kerberos tickets. It already felt like the industry was just a scam done for appearances, and if it's now just AIs talking to AIs then, well, I don't think much would change.

But it sucks. I love offensive security, it was a really interesting few years of my career, but it was so sad to do, if you wanted to do it well :(

[–] Mikina@programming.dev 16 points 2 months ago (7 children)

I also highly recommend looking into https://www.winboat.app/

It might be a pain to set up on Bazzite (it's probably better to just use rpm-ostree for the prerequisites), but it's exactly the same kind of magic, but for Windows apps!

[–] Mikina@programming.dev 9 points 2 months ago (2 children)

That's literally the plot of Watch Dogs, no?

I hope we'll also get DedSec with it. While the game had its flaws, the DedSec broadcasts are such a cool visual feat.

https://m.youtube.com/watch?v=SoDM9wwYpFw

[–] Mikina@programming.dev 5 points 2 months ago* (last edited 2 months ago)

The market situation is really difficult, unless you are really, really lucky. We continued with a college project and eventually managed to release a hand-drawn co-op top-down shooter, around 2 hours of story-based gameplay, that was locally pretty successful as far as marketing goes - we were on local national television, have several "best indie game" awards from conferences, even including Czech Game of the Year in the student category. We had Czech streamers playing the game, had reviews and were even featured in a Microsoft article about student gamedev, and we were featured in New and Noteworthy on Steam for quite a bit.

We eventually managed to get around 6000 wishlists, and the reception was generally positive.

Almost half a year after release, we have only dozens of sales.

We don't have any investors we owe money to, and never really made it for profit, but it is still difficult to see 6 years of your work that you thought was going pretty well end up like this. I'm not really surprised, because it is a local-multiplayer-only, story-based game (although Steam Remote works), which will limit the target audience size by quite a bit, but I definitely won't ever be making a game where I expect that it will sell, and will rather focus on smaller experiments, gamejams, and making games for making games' sake.

Tying money into your gamedev is a recipe for disappointment.

[–] Mikina@programming.dev 3 points 2 months ago

The best thing I ever did in relation to my gamedev dream/career was to make sure I don't ever get into a situation where my livelihood depends on the art/games I make. That's a recipe for disappointment.

It doesn't matter if it's only working in gamedev instead of general software development, because that's where you get way less money for basically the same code-monkey crunching-Jira-tickets job, only there's now a bunch of execs exploiting your passion and underpaying you, or if it's a bolder attempt to save up money and be able to afford to make a game on my own, because then you have to sell it, and that sucks if your livelihood is on the line.

The best course of action I could come up with is to just go work at a generic corporation in software development/cybersecurity, get a part-time job (which will get you basically the same money as full-time in a gamedev company), and use the free time for my own personal gamedev projects that I don't have to tie in any way to my income. Finding a community of similarly minded students or art collectives also helps.

I've mostly given up on larger projects, because that's exactly a ton more work, and now focus on short gamejams here and there (usually two to three days, a week or two max). Being extremely limited by time means that the project usually fits into my short attention span, I can experiment with the obscurest of game designs, and you get to meet cool people, especially when the gamejam is onsite. So, if you're at all interested in trying out gamedev, I highly recommend looking into those - it will take a weekend of your time, and if it doesn't work or isn't fun for you, then you won't lose much.

[–] Mikina@programming.dev 3 points 2 months ago

I've been having issues with Battle.net, or rather - WoW getting stuck at an endless black screen, in a window that keeps minimizing and maximizing itself.

Just doing a Bazzite rollback fixed it, but I also tried a lot of different runners with no success, so it might not be it. I was also able to launch the game in dx11, but it did not recognize my NVIDIA card, and only ran on CPU emulation at like 1 FPS, so it sounds like a deeper driver issue. Other games worked fine, though.

Hopefully this will fix it; having to roll back all the time isn't fun, since I CBA to figure out how to roll back permanently.
