Javvad Malik
@j4vv4d.com
The unholy alliance between information security and cynicism wrapped up in storytelling and videos. www.JavvadMalik.com Sole founder of Host Unknown
created November 22, 2024
314 followers 155 following 208 posts
BSides London (@bsideslondon.bsky.social) reposted
Don't forget our Call for Papers (also Rookies and Workshops) is still open! Have you got something original and interesting to share, but need somewhere to do it? ➡️ #BSidesLDN2025 More information and to submit your proposal: cfp.bsides.london/bsides-londo... #Security #BSides #London
Javvad Malik (@j4vv4d.com) reply parent
🤣🤣🤣🤣
Javvad Malik (@j4vv4d.com) reply parent
You've allowed yourself to be sucked into the world of fake Zebra news!!!! 😂 I only trust reliable sources like, "Horsesarethebest dot com" or "Neigh for Zebras dot org"
Javvad Malik (@j4vv4d.com) reply parent
Zebras are like horses from Temu... there, I said it! :P
Javvad Malik (@j4vv4d.com) reply parent
Yeah, we're quite spoilt here that we can fall forwards and end up in a different country in Europe. Usually for less than the cost of a monthly SaaS subscription :) It's also quite nice when most people are off during August. Even if you're not off, everyone else is - so peaceful! :D
Javvad Malik (@j4vv4d.com) reply parent
You sold it so well... and for £28 return... it almost feels like a no-brainer!
Javvad Malik (@j4vv4d.com)
Nice, balanced piece. It shows where AI can help in pen testing and the bits that still need human expertise. Worth a read if you’re looking for a grounded view of “AI as co-pilot, human as pilot” rather than hype. api.cyfluencer.com/s/will-ai-re...
John Self (@john-self.bsky.social) reposted
Good news: some of Bluesky’s worst scolds have gathered together in the replies to this great joke so that you can block them all at once.
Javvad Malik (@j4vv4d.com)
An interesting piece on MFA downgrade attacks. The concept is quite straightforward. When users have multiple authentication methods available (say, a passkey and an SMS code), attackers can manipulate the login process to only show the weaker option. go.j4vv4d.com/0Qv100
Javvad Malik (@j4vv4d.com)
I sometimes kind of miss the old days when the whole community was in one place on Twitter. But then again, I do enjoy not being on social media as much too.
Joe Tidy BBC News (@joetidy.bsky.social) reposted
US woman jailed for 8yrs for stealing identities to give North Koreans IT jobs. Christina Chapman admitted to stealing the identities of 68 US citizens, then running a laptop farm from her home to help North Koreans work for 300 separate companies. www.bbc.co.uk/news/article...
Javvad Malik (@j4vv4d.com) reply parent
Nice knowing you B!
Corey Quinn (@quinnypig.com) reposted
Sam Altman telling the Fed he’s worried about AI fraud is like a bear telling the park ranger he’s concerned about all the mauled campers.
Javvad Malik (@j4vv4d.com)
European manufacturing is going through its own digital transformation. Think 'Smart Factory meets Security Nightmare.' Worth a read if you're in manufacturing or just enjoy a good 'robots meet reality' story. blog.knowbe4.com/digital-fact...
Javvad Malik (@j4vv4d.com)
When your AI chatbot recruiter uses '123456' as a password... This isn't just about McDonald's - it's about how we're rushing to hand over sensitive data to AI. Worth a read if you're considering AI automation. go.j4vv4d.com/rQ2x8W
hrbrmstr 🇺🇦 🇬🇱 🇨🇦 🏳️🌈 (@hrbrmstr.dev) reposted
While this is from @theonion.com, it's also true. Thanks, infosec.
Kevin Beaumont (@doublepulsar.com) reposted
I’m in a WhatsApp group for Security Copilot with business execs and pattern for months has been exec joins during pilot kickoff, says Security Copilot is amazing, then comes back a month later and asks if anybody knows how to optimize it, then reappears two months later asking how to justify it 😅
Javvad Malik (@j4vv4d.com)
Just living like a player who's been stuck in the starting village for 3 years cos I keep getting distracted by "collect 47 random emails" and "attend mysterious meeting that could be important" side quests. Meanwhile the main storyline is like "what am I actually doing with my life?"
Javvad Malik (@j4vv4d.com)
Security teams are drowning in vulnerability alerts, but prioritisation alone isn't enough. The real challenge? Moving from knowing WHAT to fix to actually FIXING it. This article shows how AI-driven remediation could be a way to reduce that. go.j4vv4d.com/Gsznqi
Javvad Malik (@j4vv4d.com) reply parent
Thank you! When in doubt, blame @sirjester.bsky.social ... I would blame @thomlangford.bsky.social, but I've been blaming him for a bit too much lately.
Javvad Malik (@j4vv4d.com) reply parent
Yep... which is why it's in quotation marks :D
Javvad Malik (@j4vv4d.com)
M&S confirmed that the retail outlet's network was initially breached in a "sophisticated impersonation attack" that ultimately led to a DragonForce ransomware attack. www.bleepingcomputer.com/news/securit...
Javvad Malik (@j4vv4d.com) reply parent
www.buzzsprout.com/2497520/epis...
Javvad Malik (@j4vv4d.com)
Was honoured that @gattaca invited me to be a guest on his Chasing Entropy podcast. Was a fun chat.
Javvad Malik (@j4vv4d.com)
The "cyber delta" - the gap between perceived vs actual security posture may be one of the biggest hidden risks in M&A deals today. This article explores 11 critical questions every security team needs to ask go.j4vv4d.com/E0mudX
Javvad Malik (@j4vv4d.com)
Episode 225 of the host unknown podcast is out, and @thomlangford.bsky.social eloquently explains why the edit takes so long. cc @sirjester.bsky.social
Stacey Holleran (@staceyholleran.bsky.social) reposted
🤦🏻♀️🤦🏻♀️🤦🏻♀️
Javvad Malik (@j4vv4d.com)
What is trust? How do we build it? What does it mean? Has AI and social media taken whatever little trust we had in anything? javvadmalik.com/2025/07/01/i...
Will Sebag-Montefiore (@wsebag.bsky.social) reposted
London is over
Javvad Malik (@j4vv4d.com)
Is AI Rewiring Human Connection? Sarah, a 19-year-old college student has fallen in love. Not with a classmate, not with someone she met at a coffee shop, but with an AI chatbot named Alex. Every morning, she wakes up and immediately reaches for her phone to continue her conversation with Alex,…
Javvad Malik (@j4vv4d.com) reply parent
Oh. I say what I want about them regardless of whether they're here or not 🤣
Javvad Malik (@j4vv4d.com)
Been thinking of this a lot lately...
Javvad Malik (@j4vv4d.com) reply parent
Firm, but fair!
Javvad Malik (@j4vv4d.com)
Episode 224 of the host unknown podcast is out... and I'm not a petty person, I don't go hunting for receipts just to prove a point. But it's not often that @sirjester.bsky.social serves me up the opportunity on a silver platter. For once @thomlangford.bsky.social was safe!
Javvad Malik (@j4vv4d.com) reply parent
Indeed. Exhibit B.
Javvad Malik (@j4vv4d.com)
With Google's Veo 3 and similar advancing rapidly, you can now produce high quality short videos, complete with realistic dialogue and sound design. If the content is engaging and the production quality is high, do you care whether it was created by a human or an AI? Is content authenticity valued
Javvad Malik (@j4vv4d.com) reply parent
Oooh so close. 😎
Javvad Malik (@j4vv4d.com)
#OSINTCHALLENGE you'll never guess where I am. Look at that sunshine!
Per Axbom (@axbom.com) reposted
If a person appears to be more productive using an automated tool, but psychologically feels worse and is more downhearted, what has the world gained? What studies are looking at human wellbeing rather than corporate wellbeing?
Joseph Cox (@josephcox.bsky.social) reposted
New from 404 Media: 'FuckLAPD.com' is a website that lets anyone use facial recognition to instantly identify cops. Point camera, take photo, upload to site. It provides their name and salary information. Creator also rebooting their tool for identifying ICE employees www.404media.co/fucklapd-com...
Javvad Malik (@j4vv4d.com)
A great post by my wonderful colleague Rebecca Bailey on what to do about repeat clickers. Based on research, interviews, and providing some genuine insights into what makes repeater clickers... click.
Javvad Malik (@j4vv4d.com)
This piece does a solid job breaking down why OAuth implementations keep getting compromised, despite the protocol itself being sound. The key insight: it's not OAuth that's flawed—it's how we implement it. go.j4vv4d.com/QepUjJ
Javvad Malik (@j4vv4d.com) reply parent
I shouldn't be laughing at your post Brian. Sounds like a Violin-t Crime! But looks like the thief orchestrated this well... hope they face the music soon!
Javvad Malik (@j4vv4d.com) reply parent
Only one way to find out big man!
Javvad Malik (@j4vv4d.com)
With such an impassioned intro by @thomlangford.bsky.social - you gotta give the podcast a go. Right, @sirjester.bsky.social? ... special thanks to @brianhonan.bsky.social for his unwitting contribution.
Happygeek (@happygeek.bsky.social) reposted
By me @forbes.com: The GOAT of all credentials leaks, all new data (with the exception of 184 million records from May) the researchers say. #kudos @j4vv4d.com for advice. #infosec www.forbes.com/sites/daveyw...
Javvad Malik (@j4vv4d.com)
Apparently, over 70% of enterprise breaches STILL involve compromised credentials despite MFA implementation. PKI and FIDO2 are being pushed as the saviors of authentication, but are we just shifting the problem? Orgs will still struggle with complexity and user adoption. go.j4vv4d.com/nLSyKW
Javvad Malik (@j4vv4d.com)
NIST cybersecurity framework checklist... quite an easy checklist. go.j4vv4d.com/nJEewG
Rowenna. 2 ‘n’s. Ro-WEN-na. (@missiggeek.bsky.social) reposted
This is the way
Peter Hesse (@pmhesse.bsky.social) reposted
Saw this and it made me laugh.
Javvad Malik (@j4vv4d.com)
Interview and onboarding fraud is something that needs to be looked at. But is starting from the assumption that everyone is fake a good starting point for HR colleagues? go.j4vv4d.com/AuyhsJ
Roger A. Grimes (@rogeragrimes.bsky.social) reposted
How a Fake Cybersecurity Firm Became a Real Threat blog.knowbe4.com/how-a-fake-c... Javvad recounts an APT scheme so devilish that you can't believe the scale of the scheme...and success!
Javvad Malik (@j4vv4d.com) reply parent
ooh just checked out a video of it... and it looks amazing. And satisfying.
Javvad Malik (@j4vv4d.com) reply parent
I will nod and pretend I know exactly what dry ice blasting is... :)
Javvad Malik (@j4vv4d.com) reply parent
How do you like these calves?
Javvad Malik (@j4vv4d.com) reply parent
haha this made me laugh El Ka-Bong! Don't leave me though man... I'll DM you calf pics 😏
Javvad Malik (@j4vv4d.com) reply parent
That is... I mean, I can do that, but in reverse... are you sure that's the same part? It looks amazing.
Roger A. Grimes (@rogeragrimes.bsky.social) reposted
Here's your annual warning about a non-existent threat that has never happened in the real world
Javvad Malik (@j4vv4d.com)
How to stop AI from scraping your website. I'll be interested to understand if anyone has tried any of these techniques with any success? Or are AI bots just a law unto themselves? go.j4vv4d.com/QG6gtj
Javvad Malik (@j4vv4d.com)
Today's identity landscape is complex. It spans on-prem, cloud, and SaaS, with the average company using 25+ identity systems. Four critical identity types to secure:
• IT admins
• Workforce
• Machines (including AI)
• Developers
go.j4vv4d.com/WcL0JE
Javvad Malik (@j4vv4d.com)
Every now and then I will try to find podcasts slightly outside of the ones I usually listen to (or the ones different from the kinds I'm involved in) and to be honest, the Palo Alto Threat Vector Podcast is worth a listen. At around 35 mins, it's worth giving it a go. go.j4vv4d.com/HZVzq7
Javvad Malik (@j4vv4d.com)
Say whaaat? Scammers stole £47m from the online accounts of 100,000 people after posing as taxpayers, HMRC has revealed. www.bbc.co.uk/news/article...
Javvad Malik (@j4vv4d.com) reply parent
Good thanks! How about yourself?
Javvad Malik (@j4vv4d.com)
• Machine identities (e.g. containers, APIs, IoT devices) outnumber human identities in enterprises.
• Unmanaged machine identities pose critical risks
• Organisations should focus on automation and treating it as an ongoing security evolution
go.j4vv4d.com/a2EZbs
Javvad Malik (@j4vv4d.com)
Such a consultant! 🤣
Javvad Malik (@j4vv4d.com)
A severe vulnerability (CVE-2025-47949) has been discovered in samlify, a popular SAML 2.0 library for Node.js. Key points:
• Affects versions prior to 2.10.0
• Allows complete authentication bypass
• Easy to exploit
• Upgrade asap
go.j4vv4d.com/xwcHkS
Javvad Malik (@j4vv4d.com)
I really admire what @thinkstcanary.canary.tools has done over the years, not just in terms of the product, but moreso in how they've operated and grown their business.
Javvad Malik (@j4vv4d.com) reply parent
(un)fortunately not travelling to Prague that week Tom.
Javvad Malik (@j4vv4d.com)
I'm excited for @joetidy.bsky.social's upcoming book CTRL+ALT+CHAOS. Register to come along to the event and grab yourself a free copy of the book. Hear from the man himself. www.wavenet.co.uk/ctrlaltchaos
Javvad Malik (@j4vv4d.com)
• Misconfigurations cause 10-15% of security incidents and can occur across all parts of IT infrastructure
• Effective mitigation requires mapping misconfigurations to full attack paths, not just listing individual issues
go.j4vv4d.com/BONsWo
Javvad Malik (@j4vv4d.com) reply parent
Agreed. We can't default to putting the responsibility on the user without considering the path that led them there. In this case, orgs like Google need to do better.
Javvad Malik (@j4vv4d.com)
This needs to be printed and put on every security team's wall... well not every, but words to live by!
Robin (@digi.ninja) reposted
It's interesting to see how many people ask me for help with DVWA without giving information then don't come back when asked to do a bit of work to answer some basic questions. Its whole point is to be a learning platform, so put in some work and do some learning.
Javvad Malik (@j4vv4d.com) reply parent
Congratulations and very well deserved my friend!
Happygeek (@happygeek.bsky.social) reposted
Last one today by me @forbes.com: Interesting research from @j4vv4d.com and the KnowBe4 folks. #infosec www.forbes.com/sites/daveyw...
Javvad Malik (@j4vv4d.com) reply parent
You did amazing on it, really well explained. I was pleasantly surprised to see you. We need to do something else for our trilogy! :D
Lisa Forte (@lisaforte.bsky.social) reposted
The BBC documentary I was in on the retail cyber attack is now out on iplayer!! It was great to see @j4vv4d.com on there too! It’s a good documentary and should be a salient reminder to all businesses it can happen to anyone so prepare now! www.bbc.co.uk/iplayer/epis...
Javvad Malik (@j4vv4d.com)
220 episodes into the host unknown podcast, and @thomlangford.bsky.social still hits random buttons. cc @sirjester.bsky.social Subscribe if you want more shenanigans and the occasional security story.
maxsec.bsky.social (@maxsec.bsky.social) reposted
Watching the BBC programme on the M&S and Coop cyber attacks .. turning into a who do I know exercise... @j4vv4d.com @lisaforte.bsky.social www.bbc.co.uk/iplayer/epis...
Joe Tidy BBC News (@joetidy.bsky.social) reposted
Exclusive: Police investigation into UK retail hacks focuses on English-speaking youths. NCA focussing on a notorious cluster of cyber criminals, some of them teenagers. Speaking about the hacks for a BBC doc, cops tell us the group is a key part of their inquiries. www.bbc.co.uk/news/article...
Javvad Malik (@j4vv4d.com) reply parent
It's either a type of antibiotic. Or it's that payment plan thing. Where if you want to buy something for 90 quid, it splits it into 3 easy monthly payments of 30 quid.
Javvad Malik (@j4vv4d.com) reply parent
Thanks, that song is from YouTube's Audio Library. It's a royalty-free license with no attribution needed (I was surprised). But it's by Neffex and the song is "That's What It Takes". Just before hitting send I checked and it's available here: youtu.be/UjS1njuD-LE?...
Javvad Malik (@j4vv4d.com)
I really enjoy my job and also the opportunity to travel to events. But this video is for my friends and family who often refer to work trips as holidays... they can be fun and productive, but they're definitely not holidays! 🤣 youtu.be/pi93TSwqd4A?...
Kenn White (@kennwhite.bsky.social) reposted
And by “well researched”, I don't mean PC World or Wirecutter. I mean by people who break systems for a living - applied cryptographers and security engineers. UX is obviously a critical component too, but it's useless absent a solid technical foundation, or against the Hegseth Factor™.
Kriszta Satori (@fulelo.bsky.social) reposted
#BBCNews - A letter from the M&S hackers landed in my inbox - this is what happened next www.bbc.com/news/article... #DragonForce By @joetidy.bsky.social
Gary Hawkins (@garyhawkins.net) reposted
This is where we are. This person is wholly serious and committed to their belief that AI is 'feeling'. This is why people lose their life savings to romance scams that many of us write-off as implausible, because they want to believe something so passionately that they can't be reasoned with.
Jen Golbeck (@jengolbeck.bsky.social) reposted
I talked to the AP about grok's "white genocide" meltdown. A few hours after publication, xAI admitted to hard coding it. This is important accountability journalism because people use AI as an arbiter of truth & here we see AI owners making the tools match their politics apnews.com/article/elon...
Roger A. Grimes (@rogeragrimes.bsky.social) reposted
www.bloomberg.com/news/article...
Javvad Malik (@j4vv4d.com)
Wondering what Attack Path Analysis is and why it matters for cybersecurity? Find out here: go.j4vv4d.com/rlgxpf
Javvad Malik (@j4vv4d.com)
Questions to ask your security vendor wrt bot protection:
• How do you measure false positives and negatives?
• Can I see live performance data?
• Do you have real-time model updates?
go.j4vv4d.com/sFGTu3
Javvad Malik (@j4vv4d.com)
Well, this is awkward. GlobalX, an airline that specialises in deportation flights, just got removed from its own systems. Just cos you write 'robust cybersecurity' in your annual report doesn't make it true. www.theregister.com/2025/05/12/g...
Javvad Malik (@j4vv4d.com)
New research reveals the most common "first day" passwords are already in hackers' hands! "Welcome123" and "Newuser1!" might be more dangerous than you think... Why temporary passwords are a massive security risk go.j4vv4d.com/5JSGlJ
Javvad Malik (@j4vv4d.com) reply parent
Well done as always good sir. You are a fantastic representative for the industry.
Javvad Malik (@j4vv4d.com)
Top 10 Security Concerns Facing Financial Institutions. Key highlights:
• 65% of financial institutions reported ransomware incidents in 2024
• Phishing attacks targeting finance doubled last year
• 76% of organizations carry critical security debt
go.j4vv4d.com/sxCLc9
Javvad Malik (@j4vv4d.com)
Remote work has opened the door to a growing trend of employees secretly holding multiple full-time jobs, a practice known as polygamous working or being “overemployed.” www.techradar.com/pro/security...
Javvad Malik (@j4vv4d.com)
The Rise of AI-Powered Bots in Payment Fraud go.j4vv4d.com/z5fdOq
Javvad Malik (@j4vv4d.com)
The Subscription Society. In the quaint town of Everyville, USA, Sarah starts her day with a familiar routine. She wakes up in her rented apartment, checks her phone (leased through her mobile plan), and streams her favourite morning playlist on Spotify. As she sips her coffee, brewed from beans…
James R. McQuiggan, CISSP, SACP (@jamesmcquiggan.bsky.social) reposted
The LockBit ransomware gang has been hacked, exposing negotiations with victims, revealing that even criminals can overlook security vulnerabilities. Always patch! www.bleepingcomputer.com/news/securit... #CrimeIsBad #YouGotToPatchIt
Javvad Malik (@j4vv4d.com)
Meta just landed a $167M verdict against NSO Group for their WhatsApp hack
• NSO's Pegasus spyware infected 1,400 WhatsApp users
• Zero-click attack (phone to be ON)
• Damages awarded = 3x NSO's annual R&D budget
• Meta's sharing court depositions publicly
www.theregister.com/2025/05/06/n...
Javvad Malik (@j4vv4d.com)
Bruce Schneier on AI: 'Did your chatbot recommend that hotel because it's best for YOU, or because someone got a kickback?'
• Corporate AI models may manipulate users like search engines do
• We need government/academic alternatives for transparency
www.theregister.com/2025/05/06/s...