Cat's out of the bag: I am pursuing a native FIPS 140-3 validation for the Go standard library.
Trying to do it right, making it seamless and without compromising on security.
First time a Go module is validated. Wish me well. And consider sponsoring!
Want to move to Real World Binary Exploitation? Grab this last opportunity of the year and register to my Windows Exploit Engineering Foundation training at #hexacon https://www.hexacon.fr/trainer/halbronn/
This is a super interesting approach to figuring out how to nagivate paths through parsers written to accept context free languages, when the grammar of the parser is known: break up the grammar into parts and do different complimentary stages of CFG exploration based on those parts of the original grammar
Our latest blog post 📜 shows application developers effective steps they can take to 🛑prevent attacks in a world of rich media client interactions. 👀 Check it out now to learn how to protect your apps!
https://blog.doyensec.com/2024/09/19/phishing-case-study.html
I jokingly said on the #vlang Discord that my IDE setting for tabs is "sin(time)*4-4 spaces", and of course spytheman instantly implemented it in ved
#programming #editor
"The selling point of generative A.I. is that these programs generate vastly more than you put into them, and that is precisely what prevents them from being effective tools for artists."
SAP Hash Cracking Techniques https://redrays.io/blog/sap-hash-cracking-techniques/
good news: I can now publish my work on "RTL debugger", an interactive tool that lets you single-step your hardware design and observe its state, currently integrated into VS Code as an extension but using an open protocol https://github.com/amaranth-lang/rtl-debugger
right now it's in a very early state and not all that useful, but this should change in the coming days
This looks amazing: THE JUNKYARD: An End-Of-Life Pwnathon (February 21-22, 2025) DistrictCon: https://www.districtcon.org/junkyard
new blogpost time!!
this one's a fun writeup on a vulnerability chain i found across multiple google services that earned me a $4133.70 bounty
lots of fun css as usual! i had to recreate a bunch of drive/docs/gmail/youtube UIs c:
have fun!
https://lyra.horse/blog/2024/09/using-youtube-to-steal-your-files/
Thanks to gcc 14's stricter errors, today I learned that the getpwent_r/getspent_r/etc. interfaces on Linux & Solaris have basically opposite return values - on Solaris they return a non-NULL pointer on success, a NULL pointer on failure - while on Linux they return ints - 0 for success, -1 for failure - so checking for == 0 is inverted between the two. Hopefully not a lot of code uses these APIs, but I still wonder how much is broken. For instance, accountsservice gets this wrong on Solaris.
US Government 'Took Control' of a Botnet Run by Chinese Government Hackers, Says FBI Director https://news.slashdot.org/story/24/09/18/1728234/us-government-took-control-of-a-botnet-run-by-chinese-government-hackers-says-fbi-director?utm_source=rss1.0mainlinkanon
Lately my days of exploiting have been:
36 hours spent troubleshooting how broadcast/multicast traffic works on various operating systems
4 hours spent writing the actual exploit and pwning the thing
The unreasonable effectiveness of simple HTML
https://shkspr.mobi/blog/2021/01/the-unreasonable-effectiveness-of-simple-html/
I've told this story at conferences - but due to the general situation I thought I'd retell it here.
A few years ago I was doing policy research in a housing benefits office in London. They are singularly unlovely places. The walls are brightened up with posters offering helpful services for people fleeing domestic violence. The security guards on the door are cautiously indifferent to anyone walking in. The air is filled with tense conversations between partners - drowned out by the noise of screaming kids.
In the middle, a young woman sits on a hard plastic chair. She is surrounded by canvas-bags containing her worldly possessions. She doesn't look like she is in a great emotional place right now. Clutched in her hands is a games console - a PlayStation Portable. She stares at it intensely; blocking out the world with Candy Crush.
Or, at least, that's what I thought.
Walking behind her, I glance at her console and recognise the screen she's on. She's connected to the complementary WiFi and is browsing the GOV.UK pages on Housing Benefit. She's not slicing fruit; she's arming herself with knowledge.
The PSP's web browser is - charitably - pathetic. It is slow, frequently runs out of memory, and can only open 3 tabs at a time.
But the GOV.UK pages are written in simple HTML. They are designed to be lightweight and will work even on rubbish browsers. They have to. This is for everyone.
Not everyone has a big monitor, or a multi-core CPU burning through the teraflops, or a broadband connection.
The photographer Chase Jarvis coined the phrase "the best camera is the one that’s with you". He meant that having a crappy instamatic with you at an important moment is better than having the best camera in the world locked up in your car.
The same is true of web browsers. If you have a smart TV, it probably has a crappy browser.
My old car had a built-in crappy web browser.
Both are painful to use - but they work!
If your laptop and phone both got stolen - how easily could you conduct online life through the worst browser you have? If you have to file an insurance claim online - will you get sent a simple HTML form to fill in, or a DOCX which won't render?
What vital information or services are forbidden to you due to being trapped in PDFs or horrendously complicated web sites?
Are you developing public services? Or a system that people might access when they're in desperate need of help? Plain HTML works. A small bit of simple CSS will make look decent. JavaScript is probably unnecessary - but can be used to progressively enhance stuff. Add alt text to images so people paying per MB can understand what the images are for (and, you know, accessibility).
Go sit in an uncomfortable chair, in an uncomfortable location, and stare at an uncomfortably small screen with an uncomfortably outdated web browser. How easy is it to use the websites you've created?
I chatted briefly to the young woman afterwards. She'd been kicked out by her parents and her friends had given her the bus fare to the housing benefits office. She had nothing but praise for how helpful the staff had been. I asked about the PSP - a hand-me-down from an older brother - and the web browser. Her reply was "It's shit. But it worked."
I think that's all we can strive for.
Here are some stats on games consoles visiting GOV.UK
Matt Hobbs (@TheRealNooshu@hachyderm.io)
@TheRealNooshu
Replying to @TheRealNooshuInterestingly we have 3,574 users visiting GOV.UK on games consoles:
• Xbox - 2,062
• Playstation 4 - 1,457
• Playstation Vita - 25
• Nintendo WiiU - 14
• Nintendo 3DS - 1620/22
❤️ 29💬 1♻️ 010:45 - Mon 01 February 2021
https://shkspr.mobi/blog/2021/01/the-unreasonable-effectiveness-of-simple-html/