I didn't announce this here before, so:

github.com/epidemics-scepticis

I used HTTP headers to cause Tor onion sites to resolve attacker-supplied hostnames to get them to leak DNS, with the potential for deanonymization, and uncovered (or rediscovered) a ring of dodgy sites offering fake services in the process.

Example code to do this yourself is supplied in the write-up.
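The defensive counterpart to the bug described above, as an added example that is not part of the original post or the linked write-up: a request handler for an onion service that only trusts the Host header when it names the service's own address, and never hands header-derived hostnames to anything that resolves them. The onion name, the header dictionaries and the 421 response are all constructed for the example.

```python
import re

# Constructed placeholder for the service's own onion address; not a real site.
SERVICE_ONION = "placeholderplaceholderplaceholder.onion"
ALLOWED_HOSTS = {SERVICE_ONION}

# Host = hostname, optionally followed by ":port". Anything else is rejected outright,
# so a header value can never smuggle a path, scheme or second hostname.
_HOST_RE = re.compile(r"^(?P<host>[a-z0-9.-]+)(?::(?P<port>\d{1,5}))?$")


def host_header_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only if the Host header names a hostname this service answers for."""
    if host_header is None:
        return False
    m = _HOST_RE.match(host_header.strip().lower())
    if not m:
        return False
    return m.group("host") in allowed


def handle_request(headers, allowed=ALLOWED_HOSTS):
    """Minimal request gate (hypothetical handler, not a framework API).

    Only the Host header is consulted; X-Forwarded-Host and friends are ignored
    because nothing in front of an onion service should be rewriting them.
    A mismatch gets 421 Misdirected Request before any application code runs,
    so there is no code path that resolves a hostname taken from the request.
    """
    if not host_header_allowed(headers.get("Host"), allowed):
        return 421, "Misdirected Request"
    return 200, "OK"


if __name__ == "__main__":
    # Constructed sample requests: a legitimate one and one with a foreign hostname.
    print(handle_request({"Host": SERVICE_ONION + ":80"}))
    print(handle_request({"Host": "attacker-controlled.example"}))
```

The check is deliberately an allowlist rather than a blocklist: an onion service knows exactly which name it was published under, so any other value in Host is a misrouted or hostile request and there is nothing to gain from interpreting it.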

The browser plugin and phone apps would be called Advanced/Expert 2FA Manager. There would be a premium version of questionable value.

A quick and easy way to undo many gains in end user security in recent years is to publish a Browser Plugin, JavaScript and PHP Library that, when given an image of a QRCode, produce the corresponding TOTP code. Optionally, they give codes for future times too.

People who unironically ever say “job creator” are unwell and should be guided towards some form of medical assistance or treatment.

Watching episode 1 of Nightflyers.

I swear they’re just using sets and props from The Expanse...

🇬🇧 Politics 

Featherduster is a cool cryptanalysis tool and library that I didn’t know existed and would have saved me a good bit of work if I had.

github.com/nccgroup/featherdus

Oh god. Go to the CCC account on YouTube and watch one of the tech talks there. Press c. Actually watch the talk and while doing so read the subtitles. 😂

Why don’t secure messenger apps have a QRCode pre-shared key option for physically sharing PSKs? You can mix the PSK into the crypto and use it to make it post-quantum secure if it can be shared OOB.

“You have to fight fascism with everything you’ve got.” - Raffi

Yes, that Raffi, of “Banana Phone” and “Wheels on the Bus” fame.

What a time, etc.

when ur watchin hacking on a show on Netflix nd ur like dam i hav that exact same usb. am i a fraud too?

politics 

My mind is still blown that my birdsite account was one of the “few dozen” targeted by Saudi’s birdsite insider nytimes.com/2018/10/20/us/poli

*galaxy brain*: signal should use the safety number verification process to establish a symmetric shared secret between the parties that's mixed into the key generation process so that signal messages are post-quantum safe.
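The idea in this toot and in the earlier one about QRCode pre-shared keys is the same: a secret exchanged out of band gets mixed into the key derivation alongside the Diffie-Hellman output, so an attacker who later breaks the DH with a quantum computer still lacks one input. The following is an added example of that mixing, not Signal's code or any messenger's protocol: HKDF (RFC 5869) over SHA-256 from the standard library, a hypothetical `psk-v1:` QR payload format, and a constructed stand-in for the DH shared secret.

```python
import hashlib
import hmac
import os
from typing import Optional

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def new_psk() -> bytes:
    """Fresh 256-bit PSK, generated by one party and shown to the other in person."""
    return os.urandom(32)


def psk_to_qr_payload(psk: bytes) -> str:
    """Hypothetical QR payload format: a version tag plus the hex PSK."""
    return "psk-v1:" + psk.hex()


def psk_from_qr_payload(payload: str) -> bytes:
    """Parse the scanned payload, rejecting unknown versions and wrong lengths."""
    tag, _, hexpsk = payload.partition(":")
    if tag != "psk-v1":
        raise ValueError("unsupported PSK payload version")
    psk = bytes.fromhex(hexpsk)
    if len(psk) != 32:
        raise ValueError("PSK must be 32 bytes")
    return psk


def derive_session_key(dh_shared_secret: bytes, psk: Optional[bytes],
                       info: bytes = b"example-messenger v1 session key") -> bytes:
    """Mix the out-of-band PSK into the DH output.

    With no PSK the same derivation runs with an all-zero PSK (the approach
    TLS 1.3 takes), so the only difference between the two modes is the
    secret itself, never the structure of the derivation.
    """
    if psk is None:
        psk = bytes(HASH_LEN)
    prk = hkdf_extract(b"example-messenger psk+dh", psk + dh_shared_secret)
    return hkdf_expand(prk, info, HASH_LEN)


if __name__ == "__main__":
    # Constructed stand-in for what a real X25519 or similar exchange would produce.
    dh_secret = os.urandom(32)
    psk = new_psk()
    scanned = psk_from_qr_payload(psk_to_qr_payload(psk))  # the other phone's view

    k_alice = derive_session_key(dh_secret, psk)
    k_bob = derive_session_key(dh_secret, scanned)
    k_eve = derive_session_key(dh_secret, None)  # knows DH output, lacks the PSK
    print("peers agree:", k_alice == k_bob)
    print("attacker without PSK gets same key:", k_alice == k_eve)
```

The point of putting the PSK inside HKDF-Extract rather than XORing it onto the final key is that a single derivation covers both the PSK and the DH secret; an attacker needs both inputs to reproduce the PRK, and a peer that lost the PSK can still fall back to the DH-only key without a separate code path.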

Oh... wow:
arstechnica.com/gaming/2018/02

Flight-sim devs say hidden password-dump tool was used to fight pirates
Installer ran a "Chrome Password Dump" tool on copies suspected of piracy.
