this post was submitted on 17 Apr 2025
44 points (100.0% liked)

Trust, but always verify. You are not immune.

[–] jarfil@beehaw.org 3 points 2 weeks ago* (last edited 1 week ago)

Never, EVER, do anything security related while sleep deprived, drunk, high, having sex, or all of the above.

After that... no, don't trust. Zero trust.

There are basic hygiene measures to run anything related to any exploit — including "just" PoCs — depending on how risky a total pwn would be:

  • container
  • VM
  • separate machine
  • airgapped
  • airgapped in a faraday cage (tinfoil works wonders to kill WiFi, a cheap DVB stick turned SDR is great for making sure).

Reading through the code is nice, and should be done anyway from an educational point of view... but even when "sure", basic hygiene still applies.

Keeping tokens in one VM (or a few), while running the exploit in another, is also a good idea. Stuff like "Windows → WSL2 → Docker" works wonders (but beware of VSCode's pass-through containers). Bonus points if passkeys and a fingerprint reader get involved. Extra bonus points for logging out before testing (if it asks to unlock any passkey... well, don't), then logging out again afterwards.


What I'm not so sure about is deleting the siphoned data without alerting the potential victims. Everyone kind of failed at security, but still. A heads up to rotate all keys would be nice.
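
Added example, not part of the comment above: a shell sketch of the "container" tier combined with the advice to keep tokens out of the environment where untrusted code runs. The function names, the `/poc` mount point, the resource limits and the list of variable-name patterns are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: refuse to launch untrusted code from a shell that can see
# credentials, then run it in a container with no network and no privileges.

# Print the names of environment variables that look like credentials or
# forwarded agent sockets. The pattern list is a heuristic (assumption),
# not an exhaustive inventory.
leaked_secrets() {
    env | cut -d= -f1 | grep -E -i \
        '^(SSH_AUTH_SOCK|GPG_AGENT_INFO|.*TOKEN.*|.*SECRET.*|.*API_KEY.*|.*PASSWORD.*|AWS_.*|VSCODE_.*)$' \
        || true
}

# Container hardening flags: no network, read-only root filesystem, no
# capabilities, no privilege escalation, bounded processes and memory,
# unprivileged user, scratch space that cannot execute files.
sandbox_flags() {
    echo "--rm --network none --read-only --cap-drop ALL" \
         "--security-opt no-new-privileges --pids-limit 128 --memory 512m" \
         "--tmpfs /tmp:rw,noexec,nosuid --user 65534:65534"
}

# run_poc <dir> <image> <command...>
# Mounts only <dir>, read-only, at /poc. Nothing from $HOME is exposed.
run_poc() {
    poc_dir=$1; image=$2; shift 2
    found=$(leaked_secrets)
    if [ -n "$found" ]; then
        echo "refusing to run; credentials visible in this shell:" >&2
        echo "$found" >&2
        return 1
    fi
    # Word splitting of sandbox_flags is intentional (no flag contains spaces).
    # shellcheck disable=SC2046
    docker run $(sandbox_flags) -v "$poc_dir:/poc:ro" -w /poc "$image" "$@"
}

# Usage (image and command are placeholders):
#   run_poc "$PWD/untrusted" debian:stable-slim sh ./build.sh
```

A container shares the host kernel, so this covers only the lowest tier of the list; the VM and separate-machine tiers still apply when a full compromise would be costly.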