
Matthias Luft

@uchi-mata.bsky.social

Infosec Enthusiast & Practitioner. Opinions are my own. Pentest→Research→Leading→Security Engineering. Love Martial Arts, Outdoors, Dogs. infosec.exchange/@uchi_mata www.rational-security.io

58 Followers  |  90 Following  |  20 Posts  |  Joined: 21.11.2024

Latest posts by uchi-mata.bsky.social on Bluesky


#NoKings in Munich, Germany.

14.06.2025 19:51 — 👍 1    🔁 0    💬 0    📌 0

Regarding U2F: It is a small detail, but I learned to love the pattern of requiring additional verification for truly sensitive actions. Drastically reduces admin ATO impact.

04.06.2025 13:01 — 👍 0    🔁 0    💬 1    📌 0
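The pattern the post refers to (a logged-in admin session is not enough for a sensitive action; a fresh second factor is required as well) as an added example. This is not code from the post or its author: the action names, the 5-minute freshness window and the binding of the factor to one action are assumptions chosen for illustration.

```python
"""Step-up verification for sensitive actions.

Added example (not from the original post): a session is authenticated
once, but an admin-level action additionally requires a *fresh* second
factor (e.g. a U2F/WebAuthn touch) completed within a short window and
bound to that action. A stolen session cookie alone then cannot perform
the sensitive action, which is what limits the impact of an admin ATO.
Action names and the freshness window are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional
import time

STEP_UP_MAX_AGE_S = 300  # assumed policy: second factor must be at most 5 min old


class StepUpRequired(Exception):
    """Raised when a sensitive action lacks a fresh second-factor assertion."""


@dataclass
class Session:
    user: str
    is_admin: bool
    # wall-clock time of the last successfully verified second factor, or None
    last_second_factor_at: Optional[float] = None
    # the action the fresh factor was bound to, so a touch meant for
    # "rotate_api_key" cannot be replayed against "disable_mfa_for_user"
    second_factor_scope: Optional[str] = None


def has_fresh_step_up(session: Session, action: str, now: float) -> bool:
    if session.last_second_factor_at is None:
        return False
    if session.second_factor_scope != action:
        return False
    age = now - session.last_second_factor_at
    return 0 <= age <= STEP_UP_MAX_AGE_S


def sensitive(action: str):
    """Decorator: the wrapped handler only runs with a fresh, action-bound step-up."""
    def deco(fn):
        def wrapper(session: Session, *args, now: Optional[float] = None, **kw):
            now = time.time() if now is None else now
            if not session.is_admin:
                raise PermissionError(f"{session.user} is not an admin")
            if not has_fresh_step_up(session, action, now):
                raise StepUpRequired(action)
            # consume the assertion: one fresh factor authorises one sensitive action
            session.last_second_factor_at = None
            session.second_factor_scope = None
            return fn(session, *args, **kw)
        return wrapper
    return deco


def record_second_factor(session: Session, action: str, now: float) -> None:
    """Called after the authenticator assertion for `action` verified successfully."""
    session.last_second_factor_at = now
    session.second_factor_scope = action


@sensitive("disable_mfa_for_user")
def disable_mfa_for_user(session: Session, target: str) -> str:
    return f"mfa disabled for {target} by {session.user}"


def demo() -> dict:
    """Walk through the states a practitioner cares about; returns the outcomes."""
    out = {}
    s = Session(user="alice", is_admin=True)
    t0 = 1_700_000_000.0

    def attempt(label: str, target: str, now: float) -> None:
        try:
            out[label] = disable_mfa_for_user(s, target, now=now)
        except StepUpRequired:
            out[label] = "blocked"

    attempt("no_step_up", "bob", t0)                       # logged in, no fresh factor
    record_second_factor(s, "disable_mfa_for_user", now=t0)
    attempt("fresh", "bob", t0 + 10)                       # fresh and action-bound
    attempt("replay", "carol", t0 + 20)                    # factor already consumed
    record_second_factor(s, "rotate_api_key", now=t0 + 30)
    attempt("wrong_scope", "bob", t0 + 40)                 # factor bound to another action
    record_second_factor(s, "disable_mfa_for_user", now=t0)
    attempt("stale", "bob", t0 + STEP_UP_MAX_AGE_S + 1)    # factor older than the window
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:12} {result}")
```

Only the "fresh" case succeeds; a valid session without a recent, action-bound factor, a replayed factor, a factor bound to a different action and a stale factor are all refused, and a refusal never consumes the factor.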

Not from the US, but is that this “why did the chicken cross the road” thing?

29.05.2025 06:19 — 👍 0    🔁 0    💬 0    📌 0

Well well well...
It's all starting to make sense now!

28.05.2025 18:39 — 👍 80    🔁 21    💬 8    📌 1

#TACO started by @megancnbc.bsky.social - and she has way too few followers for that, let’s change that.

29.05.2025 06:12 — 👍 0    🔁 0    💬 0    📌 0

TACO.

29.05.2025 02:20 — 👍 11952    🔁 1468    💬 472    📌 93
linux_smb_vunlerability_prompt.txt. GitHub Gist: instantly share code, notes, and snippets.

If you read the post about O3 finding an SMB bug in the Linux Kernel, I did a few tests and what I suspected looks true: Gemini 2.5 PRO can more easily identify the vulnerability. My success rate is so high that running the following prompt a few times is enough: gist.github.com/antirez/8b76...

25.05.2025 10:06 — 👍 33    🔁 6    💬 3    📌 0

It’s funny that you can go through 20 years of schooling without ever seeing the idea that writing is a tool for thinking.

20.05.2025 14:31 — 👍 64    🔁 9    💬 8    📌 1

YES!

03.05.2025 02:37 — 👍 468    🔁 95    💬 28    📌 7
30.04.2025 12:14 — 👍 2    🔁 1    💬 0    📌 0

Most companies are getting AI implementation wrong.

They’re focused on using it to *replace* humans rather than *enhance* humans.

The ones that recognize this now will gain a massive lead in this race.

28.04.2025 14:44 — 👍 3    🔁 1    💬 0    📌 0
Cap or no cap

I wrote up some more information on the differences between adding SYS_ADMIN and CAP_SYS_ADMIN to pods in Kubernetes. It highlights some new things I learned about how the CRI you use can affect how pods are run. raesene.github.io/blog/2025/04...

23.04.2025 10:43 — 👍 5    🔁 2    💬 0    📌 0
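Whether a pod that asks for `SYS_ADMIN` or `CAP_SYS_ADMIN` actually ends up with it depends, as the linked post says, on the CRI; the reliable way to know is to read the effective capability set from inside the container. The following is an added example, not code from the post or its author: it decodes the `Cap*` masks in `/proc/<pid>/status` into names (numbering as in the kernel's capability.h), normalizes both spellings of a capability name, and reports what a manifest requested but the process did not get. The sample status lines are constructed; the mask `00000000a80425fb` is the common default set of Docker/containerd-style runtimes.

```python
"""Decode Linux capability masks from /proc/<pid>/status.

Added example, not taken from the linked blog post. Answers "did my pod
really get SYS_ADMIN / CAP_SYS_ADMIN?" from inside the container by reading
the effective set, instead of trusting the manifest or the CRI.
Capability numbers follow include/uapi/linux/capability.h.
"""
from typing import Dict, Iterable, List

# Index = capability number as used in the kernel's bitmask.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]


def normalize_cap(name: str) -> str:
    """Accept both spellings seen in pod specs ("SYS_ADMIN", "CAP_SYS_ADMIN")."""
    n = name.strip().upper()
    return n if n.startswith("CAP_") else "CAP_" + n


def decode_cap_mask(hex_mask: str) -> List[str]:
    """Turn the hex mask of a Cap* line into capability names.

    Bits beyond the table are reported as CAP_<n>, so a newer kernel never
    silently hides a capability from the output.
    """
    mask = int(hex_mask, 16)
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def parse_proc_status(text: str) -> Dict[str, List[str]]:
    """Extract CapInh/CapPrm/CapEff/CapBnd/CapAmb from a /proc/<pid>/status file."""
    sets: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, _, value = line.partition(":")
            sets[key.strip()] = decode_cap_mask(value.strip())
    return sets


def missing_capabilities(requested: Iterable[str], effective: Iterable[str]) -> List[str]:
    """Capabilities the pod spec asked for that did not make it into the effective set."""
    have = {normalize_cap(c) for c in effective}
    return sorted({normalize_cap(c) for c in requested} - have)


def read_own_caps() -> Dict[str, List[str]]:
    """Live check from inside the container (Linux only)."""
    with open("/proc/self/status") as fh:
        return parse_proc_status(fh.read())


# Constructed sample: Cap* lines of a process running with the common default
# container capability set and nothing added.
SAMPLE_DEFAULT_STATUS = """\
Name:\tsleep
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""


def demo() -> Dict[str, object]:
    caps = parse_proc_status(SAMPLE_DEFAULT_STATUS)
    return {
        "effective": caps["CapEff"],
        # both spellings normalize to the same name, so the comparison does not
        # care which one the manifest used
        "missing_for_SYS_ADMIN": missing_capabilities(["SYS_ADMIN"], caps["CapEff"]),
        "missing_for_CAP_SYS_ADMIN": missing_capabilities(["CAP_SYS_ADMIN"], caps["CapEff"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it inside the pod under test with `read_own_caps()` and compare `CapEff` against what the manifest requested; if a requested capability shows up in `missing_capabilities`, the runtime did not grant it, whichever spelling the manifest used.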
Staying Ahead of AI Policy and Governance with a Global Framework. YouTube video by World Wide Technology.

Trustworthy and Responsible AI....it's a real thing!

www.youtube.com/watch?v=fhcY...

10.04.2025 12:21 — 👍 0    🔁 1    💬 0    📌 0
ls-lint An extremely fast file and directory name linter - Bring some structure to your project filesystem

I didn't even think about this yet, but linting file- and directory names in project structures makes a lot of sense - and there is of course a tool for it:

ls-lint.org

10.04.2025 07:39 — 👍 0    🔁 0    💬 0    📌 0

Alright AKS, pick a lane:

Kubenet: Pods receive IP from an overlay network. Retires March 2028

Azure CNI Standard: Pods receive IP from VNET

Azure CNI Overlay: Pods receive IP from an overlay network.

02.04.2025 09:00 — 👍 0    🔁 0    💬 0    📌 0
IssueOps: Automate CI/CD (and more!) with GitHub Issues and Actions A look into building IssueOps workflows on GitHub to do everything from CI/CD to handling approvals and more.

Great article on using GitHub as a workflow platform:

github.blog/engineering/...

Can absolutely recommend for security workflows and management as well!

01.04.2025 13:00 — 👍 0    🔁 0    💬 0    📌 0

Quick note on exploits trying to use `nginx.ingress.kubernetes.io/server-snippet`: That annotation has been identified as an issue before and has been disabled to mitigate CVE-2021-25742.

31.03.2025 08:40 — 👍 0    🔁 0    💬 0    📌 0
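A quick way to check for the situation the post describes, as an added example that is not code from the post or its author: it walks Ingress objects in the JSON shape returned by `kubectl get ingress -A -o json`, reports every ingress-nginx snippet annotation (the family `server-snippet` belongs to, which CVE-2021-25742 concerned), and reads the controller ConfigMap key `allow-snippet-annotations` that switches them off. The Ingress objects and ConfigMap below are constructed samples; the `ingress-nginx` namespace and ConfigMap name are assumptions.

```python
"""Audit ingress-nginx snippet annotations and the ConfigMap switch for them.

Added example, not part of the original post. Input is the JSON shape of
`kubectl get ingress -A -o json` and of the controller ConfigMap; the
`allow-snippet-annotations` key is the setting that disables the snippet
annotations abused in CVE-2021-25742. Samples below are constructed.
"""
import json
from typing import Dict, List

SNIPPET_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/configuration-snippet",
    "nginx.ingress.kubernetes.io/server-snippet",
    "nginx.ingress.kubernetes.io/stream-snippet",
    "nginx.ingress.kubernetes.io/modsecurity-snippet",
    "nginx.ingress.kubernetes.io/auth-snippet",
}


def find_snippet_annotations(ingress_list: dict) -> List[Dict[str, str]]:
    """One finding per (Ingress, snippet annotation) pair."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        for key, value in (meta.get("annotations") or {}).items():
            if key in SNIPPET_ANNOTATIONS:
                lines = value.strip().splitlines()
                findings.append({
                    "namespace": meta.get("namespace", ""),
                    "name": meta.get("name", ""),
                    "annotation": key,
                    # first line only: enough to triage without echoing a whole config
                    "snippet_head": lines[0] if lines else "",
                })
    return findings


def snippet_setting(configmap: dict) -> str:
    """Report the controller's allow-snippet-annotations setting.

    Returns "enabled", "disabled" or "not set". When the key is absent the
    effective default depends on the controller version, so that case is
    reported rather than guessed.
    """
    value = (configmap.get("data") or {}).get("allow-snippet-annotations")
    if value is None:
        return "not set"
    return "enabled" if value.strip().lower() == "true" else "disabled"


def audit(ingress_list: dict, configmap: dict) -> dict:
    findings = find_snippet_annotations(ingress_list)
    setting = snippet_setting(configmap)
    return {
        "setting": setting,
        "findings": findings,
        # snippets present and the switch not known to be off is the combination
        # to fix first: set allow-snippet-annotations to "false" and move the
        # snippet logic into the controller's own configuration
        "action_required": setting != "disabled" and bool(findings),
    }


# --- constructed sample input (shape of kubectl ... -o json) -------------------
SAMPLE_INGRESSES = {"items": [
    {"metadata": {"namespace": "shop", "name": "web",
                  "annotations": {"kubernetes.io/ingress.class": "nginx"}}},
    {"metadata": {"namespace": "dev", "name": "debug",
                  "annotations": {"nginx.ingress.kubernetes.io/server-snippet":
                                  "location /x {\n  return 200;\n}"}}},
    {"metadata": {"namespace": "dev", "name": "legacy",
                  "annotations": {"nginx.ingress.kubernetes.io/configuration-snippet":
                                  'more_set_headers "X-Debug: 1";'}}},
]}

SAMPLE_CONFIGMAP = {
    "metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
    "data": {"allow-snippet-annotations": "true"},
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INGRESSES, SAMPLE_CONFIGMAP), indent=2))
```

Feed it real cluster output with `json.load()` on the two `kubectl` results; an empty findings list together with `"disabled"` is the state you want, and a `"not set"` result means the version-specific default has to be looked up rather than assumed.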
GitHub - hakaioffsec/IngressNightmare-PoC: This is a PoC code to exploit the IngressNightmare vulnerabilities (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974).

Quite some #IngressNightmare #CVE-2025-1974 PoCs on GitHub now that look good at a cursory review:

github.com/hakaioffsec/...

github.com/yoshino-s/CV...

github.com/Esonhugh/ing...

github.com/hi-unc1e/CVE...

github.com/lufeirider/I...

github.com/zwxxb/CVE-20...

github.com/rjhaikal/POC...

31.03.2025 08:39 — 👍 0    🔁 0    💬 1    📌 0
30.03.2025 02:25 — 👍 185    🔁 24    💬 3    📌 1
IngressNightmare: Kubernetes Ingress-NGINX Vulnerabilities Explained | Averlon Discover how IngressNightmare — including CVE-2025-1974 — exploits internal exposure in Kubernetes. See what’s at risk and how to secure your ingress path.

I wrote up some details on exploiting #IngressNightmare #CVE-2025-1974:
www.averlon.ai/blog/kuberne...

Where are we at with releasing a full PoC?

28.03.2025 09:06 — 👍 0    🔁 0    💬 0    📌 0
The 'IngressNightmare' vulnerabilities in the Kubernetes Ingress NGINX Controller: Overview, detection, and remediation | Datadog Security Labs Learn how the Kubernetes Ingress NGINX Controller vulnerabilities work, how to detect and remediate them.

Great #IngressNightmare CVE-2025-1974 write-up:
securitylabs.datadoghq.com/articles/ing...

Key point missing from many other sources: Exploitation from the Internet is non-default and unlikely, but privilege escalation within the cluster is possible by default.

26.03.2025 11:09 — 👍 1    🔁 0    💬 0    📌 0

Last week we launched a free webapp that shows the tens of thousands of UK companies whose ownership is being hidden, in most cases unlawfully.

It's now easier to use, faster, and has way more features. Quick thread.

24.03.2025 09:34 — 👍 270    🔁 119    💬 8    📌 3
GitHub - FFmpeg/asm-lessons: FFMPEG Assembly Language Lessons. Contribute to FFmpeg/asm-lessons development by creating an account on GitHub.

TIL that because the FFmpeg project has gained so much experience in hand-writing assembly code to provide huge speedups, they are now putting together a series of lessons for learning assembly:

Vibe coding is fun and all, but this is probably a better use of time!

github.com/FFmpeg/asm-l...

24.03.2025 06:24 — 👍 290    🔁 85    💬 5    📌 1
About webhooks - GitHub Docs Webhooks provide a way for notifications to be delivered to an external web server whenever certain events occur on GitHub.

Wow, GitHub not supporting IPv6 for Webhooks:

docs.github.com/en/webhooks/...

18.03.2025 07:02 — 👍 2    🔁 0    💬 0    📌 0

In an effort to bring here what little of value is still on the birdsite, allow me to present some absolutely bonkers corporate espionage, in which Deel's execs had a spy at rival Rippling. The complaint is a gripping must-read! rippling2.imgix.net/Complaint.pdf

17.03.2025 19:19 — 👍 33    🔁 4    💬 4    📌 1
GitHub - uchi-mata/dostainer Contribute to uchi-mata/dostainer development by creating an account on GitHub.

I updated my #Kubernetes resource exhaustion testing tool to include inode exhaustion:
github.com/uchi-mata/do...

11.03.2025 07:52 — 👍 0    🔁 0    💬 0    📌 0
26.02.2025 02:19 — 👍 277    🔁 41    💬 10    📌 2

Trump vs Gov of Maine.

Watch this

21.02.2025 19:48 — 👍 400    🔁 98    💬 78    📌 37

German elections on Sunday as well, we might well join you in that sentiment 😅

20.02.2025 16:03 — 👍 2    🔁 0    💬 0    📌 0
