I publish open source tools for free. If you find my tools useful, please contribute to keeping them free: paypal.me/eam :-)

I spend my free time auditing code, publishing FOSS security tools, and tracking down accidentally exposed credentials. This helps keep a small corner of the Internet safe. Support my efforts by backing me via Patreon => patreon.com/user?u=16402577

1. Email company to responsibly disclose leaked customer API keys.
2. We don't have a disclosure process. No bounty. We'll let you know if that changes.
3. :silence:
4. Email company to disclose more leaked keys. Also ask on bounty updates.
5. Thanks, but because you didn't fill out this other form, no bounty.
6. Point out they never disclosed the disclosure form.
7. "Oops. Too bad."

This is why responsible disclosure sucks...

I like to think I'm a good person and that I'll always do the right thing. But it's ... hard to go out of my way to do the right thing when there's zero financial incentive (and the high potential of legal threats) involved.

But ... I _really_ wish there were an incentive to doing this.

This time, it was almost a dozen API keys for Mandrill that I found. Added to the half dozen I reported last summer. I'm confident the team there will shut things down and take appropriate action with their customers.

Imagine someone calling the cops on you because you picked their wallet up off the ground and handed it to them. Same thing. Makes me really _not_ want to help at all sometimes.

Thing is ... I do this on my own time and on my own dime and, more often than not, people freak out thinking I hacked them and threaten me with legal action. For helping them out.

Every now and then I get bored and start poking around looking for publicly exposed API keys and credentials. I ALWAYS find something. It's kind of sad. I want to help developers be better :-(

Changing the oil in the Kia was simultaneously easier and harder than the Toyota...

Also ... I made a mess :-(

I will die on this hill. If you feel attacked by calling out toxic masculinity as toxic, I want you nowhere near me, my family, or my life.

Principles are worth fighting for.

Who forgot to pay Portland's heating bill? Sheesh!

Spending the day at one of my favorite places on Earth...

I meet my wife at 5ish so we can commute home. There's a Starbucks on the ground floor of her office. It closes at 5.

Even if I show up at 4:45 they've already thrown all the food out and are snarky if I order a drink.

Why TF are you open til 5 then?!?

Random DMs starting with "we've learned you'll be attending CES and would love to meet you in person" have me wondering: Does someone know something I don't?

OH:
"What if we had a Yelp for prisons?"

...

"That's just Yelp."

Oh that's rich.

Just got a spam intercept of a message where my addy was in both the from and to fields, but was sent through another popped server (looks like an elementary school).

"This account has been hacked! I send you an email from YOUR hacked account!"

Kind of hilarious ... but also sad because I know a lot of people would fall for this nonsense.

WP Session Manager v4.1.0 is tagged and released. Fixes a couple of database race conditions, adds a cron to auto-clean up sessions under some more conservative configurations, and aborts early if running PHP <7.1.

github.com/ericmann/wp-session

Took down the Christmas tree. My living room is once again liveable.

Want WP Session Manager to work on PHP 5.6. I'll do it, but only if the community pays for the time the extra support takes.

Contribute here => ttmm.io/wp-session-manager-sup
