> Krebs’s article is based entirely on the sellers description of the (imaginary) product, rather than actual observation
I noticed. While researching I had a feeling of "is this just makeup on a pig?". Anyone can make pretty graphics or make claims. I tried reading a few selling points and I was wary.
One claimed to handle an MFA token handover and then somehow got access to the token and they could proxy it for you? The user types in the MFA token, they get the token. I can't figure out how they would bypass all browser protections to pass on the highly-secured token via a proxy. I've been online for 25 years, I understand on a deep level how the internet works and the web and what is happening in this situation, as I'm sure most here are.
Without a 0day, this just doesn't make sense. But this is pretty technical, and unless you hang out here then the above sounds perfectly reasonable but to us sounds like bullshit.
> he didn’t bother to source reasonable quality screenshots for the story
Also noted. Quickly found better quality versions myself with a quick search.
To suggest another decompression / interesting podcast, "The Fall of Civilizations" by Paul Cooper. I do like the visual episodes he releases later on YT - it's not just random stock photos but directly relevant to what's being discussed, but they release a while after the audio. The audio is splendid as well though.
For comparison I wanted to write on how Google handles MoE archs with its TPUv4 arch.
They use Optical Circuit Switches, operating via MEMS mirrors, to create highly reconfigurable, high-bandwidth 3D torus topologies. The OCS fabric allows 4,096 chips to be connected in a single pod, with the ability to dynamically rewire the cluster to match the communication patterns of specific MoE models.
The 3D torus connects 64-chip cubes with 6 neighbors each. TPUv4 also contains 2 SparseCores which specialize in handling high-bandwidth, non-contiguous memory accesses.
Of course this is a DC level system, not something on a chip for your PC, but I just want to express the scale here.
This is so odd. I tried to verify your claim and I give up. It might be but I really hate how information is becoming like this. There is other reporting out there on "Starkiller" (the phishing kit in Krebs's most recent post) and I can find other articles on it, but sources seem to be circular. The source mentions Jinkusu forums, which do seem to be real, but any links I find aren't loading for me and still no conclusive findings of Starkiller.
These forums are mostly private, but Krebs certainly has access to them. There can really be no excuse for how he handled this.
There are multiple posts by people in different places claiming to have bought this phishing kit, and then being delivered totally non-functional vibecoded garbage. The vibecoded garbage is not the advertised product though, as the author never managed to get the AI to finish his project.
Krebs lacks any sort of real credibility. He's pushing out slop with a govern-mentalist propaganda. Tech journalists are the worst form to gather any actual information.
JSYK, Venmo and Paypal support a Visa+ Payname (configure it in each app). The Visa+ Payname thing is Visa's attempt to allow cross-app payments but AFAICT only Paypal and Venmo support it....
But if you ever need to send money to a Venmo account from Paypal, or receive money from a Venmo account in Paypal, you can do so with the Visa+ Payname.
I have some friends who are unbanked and banned from a lot of apps, this little workaround has saved a few on occasion.
This is why the big names pay MarkMonitor $250-$1000 per domain with a minimum $10,00/yr spend.
They have a good reputation, lock down the domain technically at all levels, and have the connections and people/social skills to take care of any domain issues involving person-to-person contact.
Which is not easy, I recall spending months like a decade ago on email/phone attempting (successfully) to get my personal domain out of expiry hell (made more complicated by wrong records).
While they do not have direct SLAs, they still have to comply with rules enforced by browser vendors, as they will remove you from CT checks and you'll be marked retired/untrusted (you can find some in the above list).
This means a 99% uptime on a 90 day rolling average, a 1 minute update frequency for new entries (24 hours on an older RFC). No split views, strict append-only, sharding by year, etc.
X.509 certificates published in CT logs are "pre-certificates". They contain a poison extension so you are not able to use them with your private key.
The final certificate (without poison and with SCT proof) is usually not published in any CT logs but you can submit it yourself if you wish.
OP's idea won't work unless OP submits the final certificate himself to CT logs.
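An added example (not from this thread, Go standard library only) of the precertificate / final-certificate distinction described above: it builds a self-signed test certificate carrying the RFC 6962 poison extension and shows how a parser tells it apart from a final certificate with embedded SCTs. The certificate, subject name and helper names are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Extension OIDs from RFC 6962: the precertificate poison and the embedded SCT list.
var (
	OIDCTPoison  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}
	OIDCTSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}
)

// hasExt reports whether cert carries oid; mustBeCritical also requires the critical
// flag, which RFC 6962 mandates for the poison so that TLS clients reject the precert.
func hasExt(cert *x509.Certificate, oid asn1.ObjectIdentifier, mustBeCritical bool) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oid) && (!mustBeCritical || ext.Critical) {
			return true
		}
	}
	return false
}

// IsPrecertificate: what a CT log usually holds; not usable as a leaf certificate.
func IsPrecertificate(c *x509.Certificate) bool { return hasExt(c, OIDCTPoison, true) }

// HasEmbeddedSCTs: the final certificate carries SCTs in place of the poison.
func HasEmbeddedSCTs(c *x509.Certificate) bool { return hasExt(c, OIDCTSCTList, false) }

// MakeTestCert builds a self-signed certificate (constructed test data, not a real CA's
// output); poison=true mimics a precertificate by adding the critical poison extension.
func MakeTestCert(poison bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "precert.example"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	if poison { // RFC 6962 section 3.1: critical, value is ASN.1 NULL (0x05 0x00)
		tmpl.ExtraExtensions = []pkix.Extension{{Id: OIDCTPoison, Critical: true, Value: []byte{0x05, 0x00}}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

After parsing, Go records the poison OID in `UnhandledCriticalExtensions`, which is exactly why a verifier refuses to accept a precertificate as a leaf.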
The only step missing from their description is having the app- or company-specific app installed. For Apple, that is the Apple Store app which everyone has. If you have BT enabled, it can detect the iBeacon and Apple Store can send that back for tracking.