vasuki's comments

vasuki | 4 years ago | on: Study conspiracy theories with compassion

I can relate to that very much. Your former friend sounds exactly like one of my friends with whom I am trying to not end friendship and be as empathetic and helpful as I can be.

> while at the same time those same sources get used easily for their own arguments

100% this!

Telegram channels and Substack seem to be super popular for this sort of propaganda. I also did a technical analysis of many of the websites shared in these channels and found:

- they use very heavy trackers

- keylogging for webpages is common

- they all use privacy shields for `whois` info

- third party cookies

You can find some of these if you want to take a look in https://github.com/Langer81/Summer-REU-Research

vasuki | 4 years ago | on: Psychological Operations

Do you have any go-to public tools for fact-checking or any internal tools that you might have had access to in the past?

More generally speaking, how do you defend yourself against PsyOp in this age with heavily degraded trust in the government and judiciary system in the west particularly?

vasuki | 4 years ago | on: Royal Society cautions against censorship of scientific misinformation online

I have not responded without listening to what he said, I followed him for quite some time to see what exactly he had to say.

I do not like censoring by big tech either, but when they take down outright lies which actually go viral and change people's opinions, I am no longer sure. Nuanced facts and data do not go viral. Tweets with controversial information do.

Serious side effects and risk-benefit calculations are very nuanced and take much more effort to bring up and share [1]. He presents a very one-sided story, every single day. That is not helpful.

He took very selective parts of news which aligned with his opinions and tweeted just that. Thanks to twitter's censoring, I can't even share those :facepalm: but you can look up archived data [2]. It is not even a single person, they have a pretty good group doing it every single day (Peter McCullough, I am sure you have heard of him) [3] [4].

Also look at how viral this stuff gets [5].

1. https://news.ycombinator.com/item?id=29749381

2. https://childrenshealthdefense.org/defender/mrna-technology-...

3. https://www.reuters.com/article/factcheck-pilot-vaccinefalse...

4. https://twitter.com/P_McCulloughMD/status/148679283709416244...

5. https://www.trendsmap.com/twitter/tweet/1486792837094162442

vasuki | 4 years ago | on: Royal Society cautions against censorship of scientific misinformation online

It is misinformation because it is outright wrong. Follow Malone for a couple of weeks and you will see he has nothing else to share but: Vaccines are bad, Vaccines are killing people.

- https://www.politifact.com/article/2022/jan/06/who-robert-ma...

- https://factcheck.afp.com/http%253A%252F%252Fdoc.afp.com%252...

> As we prevent three deaths by vaccinating, we incur two deaths.

> "Are we headed for the situation where the ~30% unvaxxed will be devoting their lives to operating whatever is left of the economic infrastructure and serving as caretakers for the vaxxed?"

This is what got him banned from twitter.

Why don't you try to investigate a bit yourself? People with credentials can have no other motive to spread misinformation and all the motive to "save the humanity" ? Sad to see this on HN.

vasuki | 4 years ago | on: Covid-19 Vaccine Safety in Children Aged 5–11 Years – US, Nov 3–Dec 19, 2021

WHO: "As a matter of global equity, as long as many parts of the world are facing extreme vaccine shortages, countries that have achieved high vaccine coverage in their high-risk populations should prioritize global sharing of COVID-19 vaccines through the COVAX facility before proceeding to vaccination of children and adolescents who are at low risk for severe disease."

- https://www.who.int/news/item/24-11-2021-interim-statement-o...

Germany: "Since children and adolescents have a relatively low risk of getting seriously ill with COVID-19, the risk-benefit assessment of illness or vaccination is different than for adults. Therefore, the STIKO has not issued a general recommendation to vaccinate all children from the age of 12, but recommends that children and adolescents with certain underlying conditions who are particularly at risk get the coronavirus vaccination"

- https://www.zusammengegencorona.de/en/corona-schutzimpfung-a...

France: "In the light of these elements and taking into account the evolution of the epidemic, the HAS considers that the individual benefit of the vaccination has been established for children aged 5 to 11 years with comorbidities and who are at risk of severe forms of Covid-19 and death. In total, this concerns a little over 360,000 children in France."

- https://www.has-sante.fr/jcms/p_3302411/fr/covid-19-la-has-r...

vasuki | 4 years ago | on: Is Protonmail logging my email content?

This is definitely not precise. I confirmed that the lookup is also performed by Proton servers for mails sent to third party mail services, not just from third party mail services. Are they also scanned?

Source IP I got in my test: 185.70.43.80

```
# whois.ripe.net
inetnum:  185.70.40.0 - 185.70.43.255
netname:  CH-PROTONMAIL-20140915
mnt-by:   protonmail-mnt
org-name: Proton AG
```

From privacy policy https://protonmail.com/privacy-policy

> We do NOT have access to encrypted message content, but unencrypted messages sent from external providers to ProtonMail are scanned for Spam and Viruses to pursue the legitimate interest of the protection of our users.

very disappointing.
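As an added example (not part of the comment above, and not Proton's code), this is the check behind the attribution step in that test: parse the RIPE-style `whois` record into fields, convert the `inetnum` range to CIDR, and confirm the observed source IP falls inside it. The record text below is a constructed copy of the excerpt quoted in the comment; the `185.70.44.1` address used as a negative case is an assumption, not something observed.

```python
import ipaddress

# Constructed copy of the RIPE record quoted in the comment, laid out the way
# whois.ripe.net prints it (key: value, one attribute per line).
WHOIS_RECORD = """\
inetnum:        185.70.40.0 - 185.70.43.255
netname:        CH-PROTONMAIL-20140915
mnt-by:         protonmail-mnt
org-name:       Proton AG
"""


def parse_whois(text):
    """Turn RIPE-style 'key: value' lines into a dict of lists (attributes
    may repeat). Lines starting with '%' are server comments and are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def inetnum_to_networks(inetnum):
    """'first - last' range as printed by RIPE -> list of CIDR networks."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def attribute_ip(ip, record_text):
    """Return netname/org/CIDRs if `ip` falls inside the record's inetnum,
    else None. Used to confirm a canary hit came from the block the whois
    record describes rather than from some unrelated scanner."""
    record = parse_whois(record_text)
    networks = inetnum_to_networks(record["inetnum"][0])
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in networks):
        return None
    return {
        "netname": record["netname"][0],
        "org": record.get("org-name", ["(no org-name)"])[0],
        "cidr": [str(net) for net in networks],
    }


if __name__ == "__main__":
    print(attribute_ip("185.70.43.80", WHOIS_RECORD))
```

`summarize_address_range` is what turns a RIPE `first - last` range into something you can drop into a firewall or SIEM allowlist; a range that is not CIDR-aligned comes back as several networks, which is why the result is a list.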

vasuki | 4 years ago | on: An update on 0day CVE-2021-43798: Grafana directory traversal

It might be because of path normalization by your http client. For example, with `curl` you will also need to use `--path-as-is` to correctly test traversal. Another reason could be path normalization by the reverse proxy/WAF.

> --path-as-is
>
> Tell curl to not handle sequences of /../ or /./ in the given URL path. Normally curl will squash or merge them according to standards but with this option set you tell it not to do that.
>
> Added in 7.42.0.
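An added example (mine, not from the comment, Grafana or curl) of the client-side normalization the comment is warning about. `remove_dot_segments` does what a standards-following client does to the path before the request leaves the machine, which is why a naive test of a traversal payload can come back clean; `what_server_sees` then sends the same request-target over a raw socket to a local recording server, once verbatim (the `--path-as-is` behaviour) and once normalized. The probe path is a constructed illustration, not a specific target, and the local server only records the path; it does not reproduce any Grafana behaviour.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed probe path (illustration only, not a specific target): the
# shape a directory-traversal test request takes.
PROBE_PATH = "/public/plugins/foo/../../../../etc/passwd"


def remove_dot_segments(path):
    """Resolve '.' and '..' the way a standards-following HTTP client does
    before sending (RFC 3986 5.2.4, simplified: absolute paths only).
    curl does this by default; --path-as-is skips it."""
    out = []
    for seg in path.split("/")[1:]:
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/" + "/".join(out)


class RecordingHandler(BaseHTTPRequestHandler):
    """Records the request-target exactly as received; no normalization."""
    seen = []

    def do_GET(self):
        RecordingHandler.seen.append(self.path)
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def raw_get(port, request_target):
    """Send one GET over a plain socket so nothing rewrites the path."""
    req = (f"GET {request_target} HTTP/1.1\r\n"
           "Host: 127.0.0.1\r\nConnection: close\r\n\r\n").encode()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(req)
        while s.recv(4096):  # drain the response until the server closes
            pass


def what_server_sees(request_target, path_as_is):
    """Return the path a local recording server receives for one request,
    either verbatim (curl --path-as-is) or after client-side normalization."""
    srv = HTTPServer(("127.0.0.1", 0), RecordingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        target = request_target if path_as_is else remove_dot_segments(request_target)
        raw_get(srv.server_address[1], target)
        return RecordingHandler.seen[-1]
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("as-is     :", what_server_sees(PROBE_PATH, path_as_is=True))
    print("normalized:", what_server_sees(PROBE_PATH, path_as_is=False))
```

The normalized request arrives as `/etc/passwd`, which a web server simply answers with 404 and tells you nothing about the traversal; only the verbatim request exercises the server's own path handling. A reverse proxy or WAF in front of the target can perform the same squash, so when a known-vulnerable version does not reproduce, check what actually reaches the backend before concluding it is patched.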

vasuki | 4 years ago | on: Anatomy of a Cloud Infrastructure Attack via a Pull Request

Thank you for the detailed writeup. This is a topic which I think is not discussed much.

> We will split public-facing CI from release infrastructure and internal CI infrastructure. (teleport#8268)

Did you also consider some form of out-of-band approval mechanism for production environment access? (via a chatbot / push notification etc). I think something like that might work technically, but scalability might be a challenge. It might be easier to manage in comparison to a self-managed complete second CI system though. I have been pondering over it for some time to be able to utilize Gitlab CD without providing Gitlab all keys to the kingdom.
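One way the out-of-band approval mechanism asked about above could be enforced, as an added example that is not part of the comment and not Teleport's or GitLab's code: a broker sits between the pipeline and the production credential, the pipeline can only open a request, approval arrives over a separate channel from an identity that is not the requester, and the credential is released once, to the requester, while the approval is still fresh. The approver list, the `prod` secret and the 300-second window are assumptions for the illustration.

```python
import secrets
import time

APPROVAL_TTL = 300  # seconds an approval stays usable (assumed policy)


class ApprovalGate:
    """Broker between CI and production credentials: a job requests access,
    a human approves over a separate channel (chat bot, push prompt), and
    the credential is released once, to the requester, while the approval
    is fresh. Hypothetical design, not Teleport's or GitLab's code."""

    def __init__(self, approvers, secret_store, now=time.time):
        self._approvers = set(approvers)   # identities allowed to approve
        self._secrets = secret_store       # environment name -> credential
        self._now = now                    # injectable clock for testing
        self._requests = {}

    def request(self, requester, environment, reason):
        """Called from the pipeline; returns an id to post out of band."""
        rid = secrets.token_urlsafe(16)
        self._requests[rid] = {"requester": requester, "env": environment,
                               "reason": reason, "approved_by": None,
                               "approved_at": None, "used": False}
        return rid

    def approve(self, rid, approver):
        """Called from the out-of-band channel, never from the pipeline."""
        req = self._requests[rid]
        if approver not in self._approvers:
            raise PermissionError("not an approver")
        if approver == req["requester"]:
            raise PermissionError("requester cannot approve their own request")
        req["approved_by"], req["approved_at"] = approver, self._now()

    def release(self, rid, requester):
        """Hand out the credential exactly once, only to the original requester."""
        req = self._requests.get(rid)
        if req is None or req["requester"] != requester:
            raise PermissionError("unknown request for this requester")
        if req["approved_by"] is None:
            raise PermissionError("not approved")
        if req["used"]:
            raise PermissionError("approval already consumed")
        if self._now() - req["approved_at"] > APPROVAL_TTL:
            raise PermissionError("approval expired")
        req["used"] = True
        return self._secrets[req["env"]]


def try_release(gate, rid, requester):
    """Convenience wrapper: the credential on success, the denial reason otherwise."""
    try:
        return gate.release(rid, requester)
    except PermissionError as e:
        return f"denied: {e}"


if __name__ == "__main__":
    gate = ApprovalGate({"alice"}, {"prod": "prod-deploy-key"})
    rid = gate.request("ci-runner", "prod", "deploy v1.2")
    print(try_release(gate, rid, "ci-runner"))   # denied: not approved
    gate.approve(rid, "alice")
    print(try_release(gate, rid, "ci-runner"))   # prod-deploy-key
```

The scalability concern raised in the comment shows up in `approve`: every release of a production credential waits on a human, so the gate only works for a release cadence people can keep up with. What it buys is that a compromised pipeline, or a pull request that rewrites the CI definition, can at most open a request it cannot approve itself.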

vasuki | 5 years ago | on: SolarWinds: The more we learn, the worse it looks

Not that we have public evidence to prove whether it was a nation-state or not, but in my experience as a vulnerability researcher, finding high-impact flaws in popular tools (closed + open source) and government services is much easier than people realize.

Take a look at the number of vulnerabilities reported to US Department of Defense via Hackerone: https://hackerone.com/deptofdefense/hacktivity?filter=type%3... (and these are just the ones publicly disclosed, a lot of them remain undisclosed, you can change the filter to see how many are reported in last few days/hours)

And taking this single report as example: https://hackerone.com/reports/761790

Reported at: December 19, 2019 4:19pm +0000 Resolved: 1 Month ago

And this is when there is no bounty attached to these, just some Hackerone points which help you gain higher reputation and possibly win some private program invitations. Imagine how many reports a monetary reward would bring in. I would really be surprised to know that adversaries are not already hoarding the flaws, especially when this is their daily business.

vasuki | 5 years ago | on: Ask HN: If you didn’t have to work for money, what would you be doing full time?

Pursuing research in different fields (especially computational physics, bioinformatics) in personal capacity.

I had once asked the same question to a scientist friend who actually wanted to switch back from research to engineering to find some practical implementation of the things he had been working on. I guess it was partly because organizational research does confine you within certain bounds and most of the time it's taxpayer money so you have that in the back of your head to make sure you do not abuse it and actually perform relevant research which is "useful". This is why I have explicitly mentioned "personal capacity".

vasuki | 5 years ago | on: Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit

> regularhours.net and holdmydoor.com appeared on a Turkish CERT list in November 2019

> we observed MONARCHY and SNEAKY KESTREL continue to use these domain names in attacks through August 2020.

Interesting to see that the malicious hosts are not in any standard blacklist or safe browsing databases for browsers while Turkey's CERT has been sink-holing them via ISPs on a national level since at least 2019.

vasuki | 5 years ago | on: I Hacked into Facebook's Legal Department Admin Panel

> I sent random requests using intruder with a CSRF token and random emails with a new password to this endpoint /savepassword

So this endpoint simply allowed setting up a new password with a POST request for the specified email address and he was able to guess the email .. ¯\_(ツ)_/¯
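As an added example (mine, not code from the comment or from Facebook), here is the failure mode described above next to its hardened form. The vulnerable handler checks a CSRF token and then sets the password for whatever `email` the caller names; the hardened one additionally requires a single-use, time-limited reset token that was issued for exactly that address, which is what proves the caller controls the mailbox. The user table, the 900-second token lifetime and the PBKDF2 parameters are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL = 900  # seconds a reset token stays valid (assumed)


def hash_pw(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; salt is stored in front of the digest."""
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_pw(password, stored):
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_pw(password, salt)[16:], digest)


def fresh_db():
    """Constructed user table: one account the attacker does not own."""
    return {"victim@example.com": {"pw_hash": hash_pw("original-secret")}}


def savepassword_vulnerable(db, email, new_password, csrf_ok):
    """The endpoint as the post describes it: a CSRF token is checked, but
    nothing ties the caller to the account named by `email`, so guessing an
    address is enough to take it over."""
    if not csrf_ok or email not in db:
        return False
    db[email]["pw_hash"] = hash_pw(new_password)
    return True


class ResetTokens:
    """Single-use, time-limited reset tokens bound to one address. Only a
    hash of each token is stored, so a database leak does not leak live
    reset capabilities."""

    def __init__(self, now=time.time):
        self._now = now
        self._by_hash = {}

    def issue(self, email):
        token = secrets.token_urlsafe(32)  # delivered to the mailbox that owns `email`
        key = hashlib.sha256(token.encode()).digest()
        self._by_hash[key] = (email, self._now() + RESET_TTL)
        return token

    def consume(self, token, email):
        key = hashlib.sha256(token.encode()).digest()
        entry = self._by_hash.pop(key, None)  # pop: a token works at most once
        if entry is None:
            return False
        bound_email, expires = entry
        same_email = hmac.compare_digest(bound_email.encode(), email.encode())
        return same_email and self._now() <= expires


def savepassword_hardened(db, tokens, email, new_password, token, csrf_ok):
    """Same endpoint with proof of mailbox ownership: the reset token must
    have been issued for exactly this email and still be valid."""
    if not csrf_ok or email not in db:
        return False
    if not tokens.consume(token, email):
        return False
    db[email]["pw_hash"] = hash_pw(new_password)
    return True


if __name__ == "__main__":
    db = fresh_db()
    print(savepassword_vulnerable(db, "victim@example.com", "attacker-pw", True))   # True
    db, tokens = fresh_db(), ResetTokens()
    print(savepassword_hardened(db, tokens, "victim@example.com", "x", "guess", True))  # False
```

The CSRF token is not useless, it just answers a different question (is this request coming from our own page?) than the one a password change needs answered (does the caller control this account?). Binding the token to the email in `consume` is the part that stops a token issued for the attacker's own address from being replayed against the victim's.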

vasuki | 6 years ago | on: Ask HN: Who is hiring? (December 2019)

I have been trying to reach out via the contact email provided on the website but never received a response. How may I disclose a security vulnerability related to simplepay.cloud ?

Thanks!
