Noah Kim boosted

Over many years, I have been gradually replacing all of the paragraphs in the Ship of Theseus Wikipedia article.

Noah Kim boosted

The CIA is using their secret gun on me that makes your dick come out of your pants at the mall

Noah Kim boosted

A user on the cybercrime forum Breached is selling what they claim is info scraped via Twitter APIs from 400 million Twitter profiles, including email, name, account name, follower count and in many cases phone number. This was first brought to my attention by Alon Gal at Hudson Rock. linkedin.com/in/alon-gal-utb/

The seller told me they scraped the data using the same set of weaknesses in Birdsite APIs that allowed the scraping (and publishing) early this year of profile data on 5.4M Twitter users.

bleepingcomputer.com/news/secu

They said they scraped the data via an exploit that was patched earlier this year, in the login API, and specifically the part of it that checks for duplicate accounts.

That, according to the seller, leaked the Twitter user ID, which was then converted via another Twitter API into a username. They also said that same iterative process worked for user telephone numbers.

The vulnerability that was reportedly used to scrape the previously dumped 5.4M Twitter user data set was reported to HackerOne on Jan. 1, 2022.

hackerone.com/reports/1439026

The seller released 1,000 new records as a teaser, and is trying to get Twitter to buy the data for an undisclosed amount.

They also pasted a number of "celebrity" accounts directly into the sales thread. Curiously, this record set does not have the phone number associated w/ my Twitter account. But it was in the 5.4M scrape that got released on the same forum last month. However, I removed the burner phone number from my profile around the time the seller said they scraped this data (beginning of 2022).

The data in both the teaser and the 1,000 user file includes follower counts for each user, and a spot check on about a half dozen of them shows follower numbers consistent with what Archive.org and Sociable says about follower accounts at the beginning of Jan 2022/end of December.

They are selling it through the escrow service set up by the administrators of the forum, which is what you'd expect to see in a real offering for this volume of data.

Noah Kim boosted

i am a gentle man, with sweetness in my soul, and so it grieves me severely to say that every time i read a post on here about how mastodon is an arcadian paradise of philosophical discourse and goodwill it makes me want to post even more absolute horse shit

Noah Kim boosted

sapiosexuals be like,,, two in the pink, one in the think

probably gonna stream again later today, turn on your notis ;) twitch.tv/noahbkim

Noah Kim boosted

This server has two mods. One only tells the truth, and one only tells lies

Noah Kim boosted

People on Twitter wished for an edit button. One of Hive's security vulnerabilities allows even more: You can edit posts of other accounts.

Noah Kim boosted

The paradox of Mastodon is no one (not even mastodon.social) likes mastodon.social dominating the network, or Eugen G being the sole arbiter of extensions to the common protocol,

but on the other hand, ultimately, the reason we all use Mastodon (IE, the part of the Fediverse people think of as "Mastodon", modeled on the Mastodon extensions to ActivityPub) instead of Secure Scuttlebutt or identi.ca or whatever is because Mastodon was the AP implementation that had one person's singular vision.
