Monday, February 6, 2023
968 Posts In Total
Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others company. Arthur Schopenhauer
There is a special circle in Hell for the people doing OSdev-ing on a MacBook M1 and I have booked my place there. Fuck Apple, fuck M1 and fuck Tim Cook.
We’re in terminal stages of the biggest disease known to mankind: the internet.
Fujitsu FM R-30HX, 1988
Humans can only understand the world through analogy, this is why simulation theory exists, reality is just too big for people, so they need to shrink it down to a model they can understand. Nowadays it’s video games and computers, a few thousand years ago it was tapestries and thread-weavers.
I just started watching Three-Body and let me tell you, it’s an amazing movie (with an amazing soundtrack). Make sure you read the books too.
Curio is a static code analysis tool (SAST) that scans your source code to discover security risks and vulnerabilities that put your sensitive data at risk (PHI, PD, PII). Open Source SAST to protect sensitive data in your code
The HP 200LX Palmtop PC, 1994
I seem to place more value on my life than you place on yours.
Turn your Android phone into real Amateur Radio HF/VHF/UHF APRS enabled Codec2 DV (digital voice) and/or FreeDV handheld transceiver.
Requires additional hardware (e.g. AFSK/LoRa), software (e.g. Direwolf) radio modem or analog transceiver with USB audio + VOX/USB CAT PTT control, such as MCHF or ICOM
For more information about FreeDV and Codec2 visit https://github.com/drowe67/codec2.
This is the second part of the blog I wrote 3 days back on proxying DLL loads to hide suspicious stack traces leading to a user allocated RX region. I won’t be going in depth on how stack works, because I already covered that in the previous blog which can be accessed from the above link. We previously saw that we can manipulate the
jmpinstructions to request windows callbacks into calling
LoadLibraryAPI call. However, stack tracing detections go far beyond just hunting DLL loads. When you inject a reflective DLL into local or remote process, you have to call API calls such as
VirtualProtectExwhich indirectly calls
NtProtectVirtualMemory. However, when you check the call stack of the legitimate API calls, you will notice that WINAPIs like
VirtualProtectare mostly called by non-windows DLL functions. Majority of windows DLLs will call
NtProtectVirtualMemorydirectly. Below is a quick example of the callstack for
NtProtectVirtualMemorywhen you call
RtlAllocateHeap. Hiding In PlainSight - Indirect Syscall is Dead! Long Live Custom Call Stacks
The lowest common denominator and the path of least resistance mainstream the most carnal of human inclinations. The corruptibility of human nature is boundless.
Here it is again, that deep sense of peace. Ever feel like you’re watching yourself from above?
If you want to be a good writer, you’ll need to understand all kinds of people. That doesn’t mean you should be a people-pleaser by agreeing with everyone, but you should extend even your worst enemies the maximum amount of empathy you can muster.
I grew up with BASIC and Turbo Pascal. My first programs were very simple graphical games. I still miss the era of BGI and BASIC’s painting commands. Those graphics were neither beautiful nor fast, but they were simple. Simple enough for a kid with only elemental geometry knowledge to build something exciting.
Even today, whenever I want to prototype or visualise something, to experiment with generative art or to write a toy graphical app – I feel nostalgic for the old days.
When I discovered WebAuthn three years ago a quirky idea came to me: “what if you could also protect data with a security key?” The idea of a physical authenticator being used to encrypt and decrypt information stuck with me, even after I came to understand that WebAuthn couldn’t be used in that way.
Fast forward to 2023. The recent addition of the prf extension to the WebAuthn L3 Draft spec is introducing functionality to WebAuthn that makes my crazy idea possible! Imagine it: a quick tap to encrypt a super secret message, a short journey via sneakernet, then a quick tap to decrypt the message… Encrypting Data in the Browser Using WebAuthn
Gato, or GitHub Attack Toolkit, is an enumeration and attack tool that allows both blue teamers and offensive security practitioners to evaluate the blast radius of a compromised personal access token within a GitHub organization.
The tool also allows searching for and thoroughly enumerating public repositories that utilize self-hosted runners. GitHub recommends that self-hosted runners only be utilized for private repositories, however, there are thousands of organizations that utilize self-hosted runners. Gato (Github Attack TOolkit)
The deeplink handler for
/l/task/:appIdin Microsoft Teams can load an arbitrary URL in webview/iframe. An attacker can leverage this with teams RPC’s functionality to get code execution outside the sandbox. 2022 Microsoft Teams RCE
PNG is my favourite file format of all time. Version 1.0 of the specification was released in 1996 (before I was born!) and the format remains widely used to this day.
I think the best way to get to grips with a file format is to write code for reading or writing it. In this instance we’re going to write a PNG, because we can choose to focus on the simplest subset of PNG features. Hello, PNG!
Code signing of applications is an essential element of macOS security. Besides signing applications, it is also possible to sign installer packages (.pkg files). During a short review of the xar source code, we found a vulnerability (CVE-2022-42841) that could be used to modify a signed installer package without invalidating its signature. This vulnerability could be abused to bypass Gatekeeper, SIP and under certain conditions elevate privileges to root. Bad things come in large packages: .pkg signature verification bypass on macOS