jfk

Technical Analyst / Pentester @usdAG.

Pwning #LLM for fun (and sometimes profit).

I try to maintain a high signal-to-noise ratio, here.

#infosec #hacking #reverseengineering #privacy

jfk boosted:
2025-07-24

A bug bounty program is economically beneficial to a firm when the firm has low in-house efficiency in finding a vulnerability

*or*

when the firm faces a high proportion of coopetitive hackers (bug reporters who would otherwise pose a security risk by misusing vulnerability information).

Paper: papers.ssrn.com/sol3/papers.cf

@maehw Try throwing the APK into JADX. It has a full-text search on the decompilation that should find the URL.

jfk boosted:
2025-07-19

Mildly cursed factoid about UNC paths:

- UNC Paths can contain IP addresses such as \\192.168.1.1\share
- IPv6 addresses are supported as well
- IPv6 addresses contain colons
- can't have colons in Windows paths since colons are reserved for drive letters

So Microsoft came up with the ipv6-literal.net domain that's special-cased by Windows so you can write IPv6 addresses in UNC paths as 2a0e-3c0--21.ipv6-literal.net without it hitting any resolvers.
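An added example, not part of the original post: a log-normalisation helper that maps `ipv6-literal.net` UNC hosts back to the IPv6 address they encode, so allowlists and detections compare against the real destination. It goes beyond the post in one respect: the `s` that stands in for the `%` of a zone index is the Windows convention as understood here, and the function names are hypothetical.

```python
import ipaddress

SUFFIX = ".ipv6-literal.net"

def to_unc_host(addr: str) -> str:
    """IPv6 text form -> ipv6-literal.net host name usable in a UNC path."""
    ip, _, zone = addr.partition("%")
    ip = str(ipaddress.IPv6Address(ip))      # validates and compresses
    host = ip.replace(":", "-")              # colons are not allowed in paths
    if zone:
        host += "s" + zone                   # assumed convention: '%' -> 's'
    return host + SUFFIX

def from_unc_host(host: str):
    """Return the IPv6 address encoded in host, or None if it is not one."""
    host = host.lower().rstrip(".")
    if not host.endswith(SUFFIX):
        return None
    label = host[:-len(SUFFIX)]
    # Hex digits never contain 's', so the first 's' starts the zone index.
    ip, _, zone = label.partition("s")
    try:
        addr = ipaddress.IPv6Address(ip.replace("-", ":"))
    except ValueError:
        return None                          # suffix present, label is not an address
    return f"{addr}%{zone}" if zone else str(addr)

def unc_target(path: str):
    """Extract the host of a UNC path and normalise ipv6-literal.net names."""
    if not path.startswith("\\\\"):
        return None                          # not a UNC path
    host = path[2:].split("\\", 1)[0]
    return from_unc_host(host) or host

if __name__ == "__main__":
    # Constructed sample paths, as they might appear in file-access logs.
    for p in (r"\\2a0e-3c0--21.ipv6-literal.net\share\a.txt",
              r"\\fe80--1s4.ipv6-literal.net\c$",
              r"\\192.168.1.1\share"):
        print(p, "->", unc_target(p))
```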

jfk boosted:
2025-07-18

In a real sense, OSS is one of the most democratic things humanity has ever done, while also collectively representing far and away the most complex thing it has ever created. That’s actually kind of incredible. The optimism my coworker feels is not about OSS specifically, much less its present state or economics, but about what its existence tells us about Humanity.

I find that to be a remarkable thought.

jfk boosted:
Alec Muffett alecmuffett
2025-07-17

July 15th 1991: 34 years ago I published the first “modern” password cracker…
alecmuffett.com/article/113704

jfk boosted:
Stephen Rees-Carter :laravel: valorin@phpc.social
2025-07-16

It may be tempting to compare keys/sensitive strings using `===`, or even `==`, but that opens you up to timing attacks!

You should be using a timing attack safe string comparison function like hash_equals()!

securinglaravel.com/security-t #Laravel

jfk boosted:
2025-07-16

After... more than a year? at this point, our paper on the Apple Watch is finally public! Your one-stop resource for Apple Watch protocol docs & Android interoperability ✨

Take a look: arxiv.org/abs/2507.07210

jfk boosted:
jiska 🦄:fairydust: jiska@chaos.social
2025-07-16

The Apple Watch has a closed down ecosystem, only compatible with the iPhone. @trusted_device reverse engineered its interfaces and opened it up for compatibility with Android! ✨ WatchWitch ✨ allows you to use your Apple Watch ⌚ on Android devices, interpreting your health data, answering messages on the Watch and more.

Demo video: youtube.com/watch?v=dHz8NHMhtL
Read the full paper: arxiv.org/abs/2507.07210

The WatchWitch app in context, showing the Apple Watch and the paired iPhone as well as the Android phone running the app.
jfk boosted:
2025-07-16

Model Context Protocol security issues allow attackers to bypass protections through line jumping and ANSI terminal code injection.

Join our technical deep-dive on July 29 @ 1:00 PM ET with security experts from Trail of Bits and OWASP to learn about security advancements and new tools soon to be released that will help you secure your implementation.

Register here: app.getcontrast.io/register/tr

jfk boosted:
2025-07-14

This is fun. Google Gemini’s “Summarize email” function is vulnerable to invisible prompt injection utilized to deceive users, including with fake security alerts.

#infosec #cybersecurity #blueteam

0din.ai/blog/phishing-for-gemi

jfk boosted:
2025-07-10

People are out here pitching devtools to enterprises like "this will make your workflow easier and faster", and I'm like ... have you MET an enterprise? newsletter.goodtechthings.com/

jfk boosted:
2025-07-10

I'm going to business hell for this one

A "demystified" Gartner hype cycle graph including points like "trough of zero real adoption" and "slope of enterprise marketers jumping on the bandwagon too late"
jfk boosted:
2025-07-10

As an old fart in #xdev, I get asked often, mostly by young coworkers, how to get into binary exploitation in 2025. I looked around, and here’s my recommendation:

pwn.college

#pwncollege is a huge collection of free #lectures and practical #challenges maintained by a team of #hackers at the Arizona State University. Check it out!

— Just overflow the shellcode on the stack and jump to it
— Sure grandma let's get you to bed

@mhoye Extra points if combined with Firefox's search syntax!

Simply put the site's search results URL into the URL field, with a %s as a placeholder for your search term (for many sites this can be done from the context menu when right-clicking on a search field). E.g., openstreetmap.org/search?query

Some examples from my bookmarks:

- dict <word> opens search results for that word in dict.cc

- yt <word> searches youtube

- wiki and code: searches company wiki and gitlab respectively

jfk boosted:

TIL that if you set `git config tag.sort -version:refname` tags will be listed in reverse semver order
So you don't have to scroll a lot to find the latest semantic version tag.

You can also do this on the fly with `git tag -l --sort -version:refname`

jfk boosted:
2025-07-06

in the past I've provided expert advice for inclusion in guidelines for domain owners. Often that advice is mangled once published. So I wrote my own guidelines a few yrs ago.
#dns #domains #domainnames

kalfeher.com/secure-practices-

jfk boosted:
Stefan F. Keller sfkeller
2025-07-03

New blog post about "The coolest way to find shaded paths: Vampire routing on routing.osm.ch".

See sosm.ch/the-coolest-way-to-fin

The usual, shortest route compared to the “vampire route” from Zurich main station to the Polyterrasse at ETH
jfk boosted:
Christoffer S. nopatience@swecyb.com
2025-07-03

The number of websites lacking proper RSS/Atom feeds is too damn high.

#RSS #Web #Atom
