
Ron Bowes

@iagox86.bsky.social

Principal Security Researcher at GreyNoise. https://skullsecurity.org Mostly post about work stuff, maybe some improv stuff and maybe even magic some day. Seattle-based (originally Canadian), queer, cybersecurity nerd. (He/him)

3,257 Followers  |  748 Following  |  1,233 Posts  |  Joined: 23.05.2023  |  2.0223

Latest posts by iagox86.bsky.social on Bluesky

I've been reading Mike Close's books on magic ("Workers"), and something he said really resonated: all the tricks marketed by magic sellers advertise "EASY!", and "LEARN INSTANTLY", but what's the fun in that? I want to learn things that are hard, not easy!

#magic

04.02.2026 17:05 — 👍 0    🔁 0    💬 0    📌 0

I write a lot of internal tools at work. I always name them the first stupid thing I think of, then I get to enjoy hearing my now and coworkers using my dumb names

04.02.2026 00:42 — 👍 0    🔁 0    💬 0    📌 0
React Server Components Exploitation Consolidates as Two IPs Generate Majority of Attack Traffic Two months after CVE-2025-55182 was disclosed on December 3, 2025, exploitation activity targeting React Server Components has consolidated significantly.

Two IPs now generate 56% of all CVE-2025-55182 exploitation traffic.

One deploys cryptominers. The other opens reverse shells.

We dug into the infrastructure. What we found goes back to 2020.

03.02.2026 21:04 — 👍 3    🔁 2    💬 0    📌 0

They can turn it off, or there can be a bypass. It seems like such a good default option

03.02.2026 05:21 — 👍 0    🔁 0    💬 1    📌 0

I don't get why this isn't the default

03.02.2026 02:02 — 👍 0    🔁 0    💬 1    📌 0

Just went to settings —-> accessibility —-> turned on “require alt text before posting” so I won’t keep forgetting to add it.

02.02.2026 21:37 — 👍 151    🔁 18    💬 10    📌 3

Are those two guys twins?

02.02.2026 22:58 — 👍 0    🔁 0    💬 0    📌 0

I know a lot of executives who've convinced themselves that their employees are loving and using AI and telling that to everyone, despite it not being true

02.02.2026 22:55 — 👍 3    🔁 0    💬 0    📌 0

I remain skeptical, since I've intercepted a lot of traffic (particularly when I worked there) and they never sent voice data. Maybe they tried to hide it, but more likely it was probably either a small accidental leak or they're settling because it's easier

02.02.2026 20:28 — 👍 2    🔁 0    💬 1    📌 0

One of the smartest marketing coups was convincing people that the ads are the best part of a big sporting event

I look forward to "watch this amazing Superbowl ad!!!" being over - an ad's an ad, block it

02.02.2026 16:57 — 👍 4    🔁 0    💬 1    📌 0

I got 4:26 typing into a phone

02.02.2026 15:29 — 👍 1    🔁 0    💬 1    📌 0

vibecoded web apps have such boring security bugs. "the whole database was wide open". oh. ok.

at least have some class and write some sql-injectable php. maybe a little stack buffer overflow as a treat.

01.02.2026 14:47 — 👍 632    🔁 88    💬 15    📌 4

I stopped bothering to report because it didn't seem like it mattered - I never saw blatant bots stopped. I just started blocking instead

31.01.2026 18:10 — 👍 0    🔁 0    💬 0    📌 0

"ICE's account evolved" is a nice way to say "ICE lied"

31.01.2026 18:09 — 👍 8    🔁 0    💬 0    📌 1

I want to make fun of them, but "you can upload malicious things to their extension repository" is no different from chrome, Android, npm, cargo, etc etc. Seems like kind of a pointless article

31.01.2026 15:47 — 👍 0    🔁 0    💬 0    📌 0
From the sciencefiction community on Reddit: My e-Reader Just Created the Shortest Horror Story Ever Explore this post and more from the sciencefiction community

Dun dun daaah

31.01.2026 09:39 — 👍 85    🔁 13    💬 0    📌 1

This is such a good article!

blog.mikeswanson.com/backseat-sof...

31.01.2026 07:01 — 👍 0    🔁 0    💬 0    📌 0
Screenshot from ArsTechnica article where we learn that our colleagues formerly from CoalFire who were arrested on a legit pen test are finally over their ordeal with the conclusion of the civil matter


Hell yes! Many of us have been following this story from the beginning, and I'm SO glad to see it resolved finally...

arstechnica.com/security/202...

29.01.2026 20:49 — 👍 444    🔁 88    💬 18    📌 10
Inside the Infrastructure: Who’s Scanning for Ivanti Connect Secure? – GreyNoise Labs GreyNoise detected a 100x surge in Ivanti Connect Secure reconnaissance targeting CVE-2025-0282 (EPSS 93%). Analysis reveals two distinct campaigns: an aggressive AS213790-based operation generating 3...

👀 Seeing who’s poking Ivanti Connect Secure?

GreyNoise just caught a ~100x spike in recon on CVE-2025-0282 featuring one loud AS213790 campaign and one sneaky botnet spread across 6K IPs.

We broke down the infra + what defenders should do next. 👇

29.01.2026 17:25 — 👍 8    🔁 5    💬 1    📌 0

However, it's important to have a healthy interest in other fields and especially in others' interests. I just find it hard to retain stuff if I'm not immersed in it :)

29.01.2026 17:15 — 👍 0    🔁 0    💬 0    📌 0

I've kinda taken the opposite approach - just based on how my brain works, I've realized that if I want to learn something, I'm gonna spend years on the topic and become a world expert. Or, I'm gonna learn a bit and forget it in a couple days. There isn't really an in-between

29.01.2026 17:15 — 👍 1    🔁 0    💬 1    📌 0

"What Lin and Cursor achieved was to show that an AI agent can generate millions of lines of code that’s lifted from other projects, and that don’t compile, let alone work."

Cursor lies about vibe-coding a web browser with AI

28.01.2026 10:00 — 👍 85    🔁 17    💬 3    📌 2
GreyNoise Introduces Recall: Time-Series Intelligence for GreyNoise Query Language Recall is a time-series capability that enables customers to query GreyNoise data over specific historical ranges. Instead of a static summary of current IP behavior, Recall allows you to see exactly ...

Most attacker behavior only makes sense over time. 🕰️
Recall brings time-series analysis to GNQL so you can see how scanning and exploitation evolved.
See the timeline. Find the pattern.

28.01.2026 19:02 — 👍 5    🔁 1    💬 0    📌 0
A digital intelligence brief from GreyNoise titled “AT THE EDGE,” dated January 19–23, 2026, summarizing three coordinated cyber campaigns under the headline “Three Campaigns. One Fingerprint.” The top of the graphic highlights key statistics in large text: 1.7M React attacks, 506K VPN targets, 1.8M router attempts, and a note that 3 IPs are responsible for 99% of observed activity. Below, four text blocks describe: (1) React exploitation attempts related to CVE-2025-55182, including real command injection, a Metasploit module, and one hosting provider generating 57% of traffic; (2) sustained attacks on enterprise VPNs (Fortinet SSL VPN and Palo Alto GlobalProtect) with 506K sessions, a 25% increase over baseline for Fortinet, and emphasis that VPN credentials are valuable for ransomware; (3) router attacks where three IPs drive 1.8M attempts, focusing on a MikroTik RouterOS brute-force campaign with a 64,000:1 session-to-IP ratio and noting compromised routers as pivot points and botnet nodes; and (4) an explanation that a shared JA1T network fingerprint links the React RCE, VPN brute force, and environment crawling to common infrastructure, suggesting organized operations rather than random scanning. The bottom banner invites GreyNoise customers to access the full brief, mentioning complete IOCs, attribution, detection guidance, and weekly role-based recommendations, with a contact URL “greynoise.io/contact” and a small 2026 GreyNoise, Inc. copyright notice.


Three campaigns. One fingerprint.
React RCE, VPN brute forcing, and router scanning—all linked to the same infrastructure.
→ 1.7M React attacks
→ 506K VPN targets
→ 3 IPs behind 1.8M router attempts
This week's At The Edge preview: greynoise.io/contact

27.01.2026 22:33 — 👍 4    🔁 2    💬 0    📌 0

We used the wrong Just Happy to Be Here logo on our poster!! Here's the right one!

27.01.2026 23:29 — 👍 1    🔁 1    💬 0    📌 0

Passive voice bullshit

28.01.2026 00:42 — 👍 1    🔁 0    💬 0    📌 0

I got a popup from Zoom saying "your high CPU usage might affect the quality of this meeting"

How did it know what @ntkramer.bsky.social was gonna say???

27.01.2026 20:15 — 👍 1    🔁 0    💬 0    📌 0

So I'm looking for a technical leadership class along the lines of "leading without authority" - like how to effectively be the most senior team member / representative at work.

Does anybody have any good sources (where I'm not gonna wind up joining a cult and selling Amway afterwards)?

27.01.2026 18:15 — 👍 0    🔁 0    💬 0    📌 0

I wish so much it was either on by default, or at least obvious when creating an account!

27.01.2026 02:21 — 👍 13    🔁 0    💬 1    📌 0
