Posts by Tim Medin

I decided to chat with a spammer/scammer. I found them to be pretty honest and forthcoming.

3 months ago

Apple's Liquid Glass was cool for like 1 minute.

3 months ago

I have debated declaring email bankruptcy many times. Haven't done it... yet.

4 months ago

My "Death by Dashboards" talk from WWHF is up!

4 months ago

Months of battling, and I won. Inbox zero.
... for now.

4 months ago

Microsoft created Get-KerbEncryptionUsage.ps1 (see link in article) to query the event log to see which encryption types Kerberos used within your environment.
Run this, find the ones that MUST use RC4, and burn the rest. Then figure out how to upgrade the others from RC4 or pick a great password.

4 months ago
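The triage the post above describes, as an added example in Python (not the Microsoft script it links to, and not part of the original posts): the TicketEncryptionType field of Security events 4768 (TGT) and 4769 (service ticket) carries the Kerberos etype code, so grouping those events per service account tells you which accounts are served only with RC4/DES, which are mixed, and which are already AES only. The records below are constructed to mirror the EventData fields of event 4769; the realm, account names and addresses are made up. Failure audits (Status other than 0x0, where the etype field reads 0xFFFFFFFF) are skipped.

```python
from collections import defaultdict

# Kerberos encryption type codes as they appear in TicketEncryptionType (4768/4769).
ETYPE_NAMES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
WEAK = {0x01, 0x03, 0x17, 0x18}

# Constructed sample 4769 records (not real log data); keys mirror the event's EventData fields.
SAMPLE_4769 = [
    {"TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.1.20"},
    {"TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.1.21"},
    {"TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "svc_web", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.1.20"},
    {"TargetUserName": "LEGACY01$@CORP.EXAMPLE", "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.9.9"},
    {"TargetUserName": "carol@CORP.EXAMPLE", "ServiceName": "svc_file", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.1.22"},
    # Failed request: no ticket was issued, so the etype field is the 0xFFFFFFFF placeholder.
    {"TargetUserName": "dave@CORP.EXAMPLE", "ServiceName": "svc_sql", "TicketEncryptionType": "0xFFFFFFFF", "Status": "0x1B", "IpAddress": "::ffff:10.0.1.23"},
]


def etype_name(hex_value: str) -> str:
    code = int(hex_value, 16)
    return ETYPE_NAMES.get(code, f"unknown(0x{code:x})")


def triage(events):
    """Per service account: etypes actually issued, who negotiated a weak one, and a verdict."""
    per_service = defaultdict(lambda: {"codes": set(), "weak_requesters": set()})
    for ev in events:
        if ev.get("Status", "0x0") != "0x0":
            continue  # failure audit, no real etype to count
        code = int(ev["TicketEncryptionType"], 16)
        entry = per_service[ev["ServiceName"]]
        entry["codes"].add(code)
        if code in WEAK:
            entry["weak_requesters"].add((ev["TargetUserName"], ev["IpAddress"]))

    report = {}
    for svc, entry in per_service.items():
        weak = entry["codes"] & WEAK
        if not weak:
            verdict = "AES only: safe to clear RC4 from msDS-SupportedEncryptionTypes"
        elif weak == entry["codes"]:
            verdict = "RC4/DES only: every requester negotiates a weak etype; enable AES on the account or keep a documented exception"
        else:
            verdict = "mixed: some clients still negotiate RC4; find them before disabling it"
        report[svc] = {
            "etypes": sorted(ETYPE_NAMES.get(c, f"unknown(0x{c:x})") for c in entry["codes"]),
            "weak_only": bool(weak) and weak == entry["codes"],
            "weak_requesters": sorted(entry["weak_requesters"]),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for svc, r in triage(SAMPLE_4769).items():
        print(f"{svc:10s} {', '.join(r['etypes']):45s} {r['verdict']}")
        for who, ip in r["weak_requesters"]:
            print(f"{'':10s}   weak request from {who} ({ip})")
```

In a real environment the records come from the Security log of every domain controller (Get-WinEvent with an ID filter for 4768 and 4769), and the requester list is what turns "mixed" into a fix list: a computer account that only ever asks for RC4 is usually a host with msDS-SupportedEncryptionTypes unset or a password that predates AES keys.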

The ones here are obnoxious. But there’s a charm about Wisconsin alcoholics that Minnesota alcoholics just don’t have.

4 months ago

I can't spell that stupid word correctly... ever

4 months ago
Beyond RC4 for Windows authentication: As organizations face an evolving threat landscape, strengthening Windows authentication is more critical than ever.

"By mid-2026, ... Windows Server 2008 and later to only allow AES-SHA1 encryption. RC4 will be disabled by default and only used if a domain administrator explicitly configures an account or the KDC to use it."
www.microsoft.com/en-us/window...

4 months ago

I love WI airports.
Concourse beers are not only legal, but it’s encouraged with signs all over the airport.

4 months ago

“Killer” lol
So bad. ;)

5 months ago

I'm home after teaching Offense for Defense at NineStart Connect. They offered free (yes, free) training to whoever wanted to attend. I can't thank them enough for offering this to our community!

The class is available here: training.redsiege.com (affordable, not free... sorry you missed out 😉)

5 months ago

Wrapping up @defcon.bsky.social Bahrain at the ICS Village.
Not my best picture, but excellent photo bomb.

5 months ago

Damn.
I’m never going to find this room.

5 months ago

Two days of teaching Pen Testing: Beyond the Basics ✅
Two hour Kerberos workshop ✅
Talk ✅
Tomorrow, time to be a full time booth babe.

6 months ago

Last year at @wildwesthackinfest.bsky.social a few packages arrived late (not mine). The maintenance staff regularly receives packages and thought it was theirs. They opened it, found a pack of stickers.
They have been putting them on their stuff and the hotel.
"We wondered who that guy was"

6 months ago

Senior Security Consultant Justin Palk tells you everything you need to know about getting started with proxy chains in this blog 🔗 redsiege.com/proxychains

#hacking #infosec #cybersecurity

6 months ago

The booth is hopping! Stop by to get tons of stickers, a shirt, and get entered to win a framed autographed picture from Hackers.

6 months ago

Join us tomorrow!

6 months ago
Anti-Cast: Close Security Gaps, Pass Audits, Stay Secure with Kimber Amos - Antisyphon Training: Join Kimber Amos for a free one-hour training on cutting through compliance theater and running reviews that actually strengthen defenses and keep auditors happy.

Live now with pre-show banter with @mzbat.bsky.social (Kimber) and @antisyphontraining.bsky.social.

Close Security Gaps, Pass Audits, Stay Secure w/ Kimber Amos and @redsiege.com
www.antisyphontraining.com/event/anti-c...

6 months ago

I desperately want to know how long it took the bad guys to crack it. My intel/rumor mill says it took at least a week (or more). If that were the case, my guess is pen testers wouldn't have cracked it, so it is just an informational finding in the report.

6 months ago

I think about this often.
What is a real world bad guy's level of effort for cracking?
How long do they spend?
How big is their cracker?
Do they have multiple crackers?
How do they distribute the load?

6 months ago

If it was in the report, then that's a really bad look.
Of course, this assumes they had pen test and the pen testers successfully cracked it.

6 months ago
Green Day - Wake Me Up When September Ends (Official Audio), YouTube video by Green Day

BRB, going to wake up Billie Joe.
www.youtube.com/watch?v=pGhw...

6 months ago

Join me on the Thursday Defensive (thursdef.com) next Thursday at 1:30 ET for Offense for Defense: how defenders can use offensive tools to test themselves.

6 months ago

Couldn't agree more. How many high/crit PHP findings in your vuln scan reports are meaningless because that function isn't used (or isn't used with user input)? Teams work hard to remediate issues that have 0 impact, largely because it shows up in a dashboard, metrics, or KPIs... not because it matters.

6 months ago

Really cool to be interviewed and quoted in this article.

7 months ago

So by proxy, RC4 with Kerberos is bad.

7 months ago

RC4 used with Kerberos isn't the fundamental flaw we think. Yes, RC4 is deprecated, but the real issue is the key generation for AES vs RC4 for cracking (Kerberoasting). With RC4 the key = password hash. With AES it is 4096 rounds of hashing of hash+username+domain. The 4096 rounds matters, a lot!

7 months ago

I'm looking forward to @wildwesthackinfest.bsky.social. I also have a Kerberos workshop there, so check that out.
Oh, and we'll have tons of swag at the @redsiege.com booth, so stop by if you're in-person!

7 months ago