Quasar: Compromising Electron Apps

7 minute read Published: 2022-09-06

This is the story of how I used Microsoft Teams's own design against itself.

We all kinda know that Electron apps are dangerous—at least to our RAM, am I right??

But seriously, these cross-platform apps, because of how they get installed, present a tasty spot for attackers to take up residence and even inject malicious code into trusted applications, with the poor user being none the wiser.

Here's how it works.

Chrome Extensions for Post Exploitation

9 minute read Published: 2022-07-18

POV: You're performing a pentest/red team engagement against a fairly hardened environment. You have, through creativity and perseverance, landed an implant on a workstation. Your session has low privileges, but the user may have local admin or associated higher-priv accounts. You're trying to remain stealthy, and normal lateral movement techniques might get detected. You need creds, but how to get them when everyone's watching you?

Answer: use SSO against itself by listening in on the browser.

The Federated Future

7 minute read Published: 2022-05-03

Look, it's not original thinking to be concerned about the future of social media with a megalomaniacal billionaire threatening to impose regressive policies. Enough ink has already been spilled on what might or might not happen with Twitter as the new owner molds it in his image. The debate rages on about whether Twitter is a town square, whether it ought to be, or whether something that functions as a public service should in fact be driven by profit. But that debate misses the fact that some folks have already created a truly free alternative. It didn't require government intervention. As always in the open source software world, it simply took the conviction, creativity, and hard work of a community.

Or in this case, a federation of communities. This last week, I dove back into the Fediverse by way of Mastodon. Mastodon is a free and open alternative to Twitter—or "the birdsite," as users of Mastodon call it. What I've found has not just made me want to stay, but made me question my assumptions about social media in general.

Let's explore how your entry into the Fediverse might proceed.

On Learning and Fear

5 minute read Published: 2021-12-23

During a recent talk I gave on self-teaching in tech, I shared my 4 "Maxims" for teaching and learning. These were the distillation of a career in education. Of the four, the most important was this: You can't learn if you don't feel safe.

But some folks disagreed vehemently.

Do I Need a Degree to be Successful in Tech?

5 minute read Published: 2021-09-05

Recently on a stream, I was asked whether I thought someone should get a degree in cybersecurity or straight computer science if they were interested in a career in tech. This question is both nuanced and critical, so I felt it deserved more than an off-the-cuff attempt live on air. I don't pretend to have the answer that makes sense for everyone, but I would like to provide a few points to consider for all who might be facing this exact question.