Dev Miscellaneous – Telegram
Dev Miscellaneous
342 subscribers
884 photos
6 videos
5 files
917 links
A channel where you can find developer tips, tools, APIs, resources, memes and interesting contents.

Join our comments chat for more.

Comments chat (friendly :D)
https://news.1rj.ru/str/+r_fUfa1bx1g0MGRk
Console.delight

Tinkering with CSS / SVG / etc in devtools.

https://frontendmasters.com/blog/console-delight/

@DevMisc
#javascript #web #learn
Motion Canvas

A TypeScript library for creating animated videos using the Canvas API.

https://motioncanvas.io/

@DevMisc
#typescript #video #misc
3D DOM viewer

Copy-paste this into your console to visualize the DOM topographically.

https://gist.github.com/OrionReed/4c3778ebc2b5026d2354359ca49077ca

@DevMisc
#web #js #tools #misc
Supabase

Supabase is an open source Firebase alternative. Start your project with a Postgres database, Authentication, instant APIs, Edge Functions, Realtime subscriptions, Storage, and Vector embeddings.

https://supabase.com/

@DevMisc
#tools #framework #misc
How an empty S3 bucket can make your AWS bill explode

Imagine you create an empty, private AWS S3 bucket in a region of your preference. What will your AWS bill be the next morning?

https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1

@DevMisc
#aws #devops #fun
A Single Div

A CSS drawing experiment to see what's possible with a single div.

https://a.singlediv.com/

@DevMisc
#css #web #design #fun
Hardest Problem in Computer Science: Centering Things

https://tonsky.me/blog/centering/

@DevMisc
#web #css #learn
2024's youareanidiot for Chrome users

It exploits Web APIs, and it's actually overpowered.

https://github.com/feross/TheAnnoyingSite.com
theannoyingsite.com (beware of opening it, it's not a virus but it can induce seizures and earrape)

@DevMisc
#fun #web #misc #security
Python's many command-line utilities

Every command-line tool included with Python. These can be run with python -m module_name.

https://www.pythonmorsels.com/cli-tools/

@DevMisc
#python #utils #cli
Hacking Millions of Modems (and Investigating Who Hacked My Modem)

The author discovered that someone was intercepting and replaying his web traffic, which indicated his home network or modem had been compromised. After investigating, he found the IP address belonged to DigitalOcean and had previously been used for phishing and malware campaigns. The author was unable to keep the potentially compromised modem when getting a replacement, so he had to give it back to his ISP, Cox. Years later, the author's cybersecurity friends looked into the incident further and discovered the IP address was part of a domain generation algorithm used by malware. They also found that the Cox business portal had an exposed API that could be used to access and control customer modems without authorization. The author reported the vulnerabilities to Cox, who quickly fixed the issues.

https://samcurry.net/hacking-millions-of-modems

@DevMisc
#security #writeup #misc
Sei pays out $2M bug bounty

In April 2024, the author discovered and reported two critical bugs to the Sei Network blockchain. The first bug would have caused the chain to halt if exploited, while the second bug would have allowed an attacker to freely transfer funds out of any account. The Sei Foundation awarded the author $75,000 and $2,000,000 respectively for these reports. The issues were caught after auditing but before being deployed to mainnet, preventing any funds from being put at risk. The author provided detailed technical explanations of how the bugs worked and how they were ultimately fixed by the Sei team.

https://usmannkhan.com/bug%20reports/2024/06/17/sei-bug-report.html

@DevMisc
#security #crypto #misc
⚠️ RegreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems

- The vulnerability is a regression of a previous issue (CVE-2006-5051) that was introduced in OpenSSH 8.5p1 in October 2020.
- The vulnerability allows for remote code execution as root on glibc-based Linux systems due to the SIGALRM handler calling non-async-signal-safe functions like syslog().
- Older vulnerable OpenSSH versions like 3.4p1 and 4.2p1 can be exploited by interrupting free() calls and leveraging heap corruption techniques like unlink() and House of Mind.
- Newer vulnerable versions like 9.2p1 can be exploited by interrupting malloc() calls and corrupting FILE structures to gain arbitrary code execution.
- Precise timing and network delay mitigation techniques are critical to winning the signal handler race condition.
- The exploit requires carefully crafting the heap layout and leveraging leftover data from previous allocations.
- OpenBSD is not vulnerable because it uses a safer syslog_r() function in its SIGALRM handler.
- The vulnerability is present in the default configuration of OpenSSH and affects the privileged sshd process.
- Significant effort and multiple iterations were required to develop reliable exploits for the different OpenSSH versions.
- The research demonstrates the continued need for vigilance in secure software development, as even a well-designed system like OpenSSH can have subtle regressions that introduce critical vulnerabilities.

https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

@DevMisc (🟠 comments)
#security #ssh #linux
Reverse Engineering Ticketmaster's Rotating Barcodes

- TicketMaster has moved away from traditional printable PDF tickets in favor of a proprietary "SafeTix" system that uses rotating barcodes displayed on a mobile device.
- The rotating barcodes are meant to prevent ticket fraud, but the author argues they create significant usability issues, especially when cell service is poor at venues.
- TicketMaster markets SafeTix as a solution to ticket scalping and fraud, but the author believes the real motivations are to lock users into TicketMaster's ecosystem and make it harder to resell tickets outside their platform.
- The author was able to reverse engineer the SafeTix system and discovered it uses Time-based One-Time Passwords (TOTPs) along with a static bearer token to authenticate tickets.
- With the TOTP secrets and bearer token, the author could theoretically generate valid barcodes and bypass TicketMaster's security measures.
- TicketMaster makes it easy to extract the necessary token information by printing it to the browser console when the barcode is loaded.
- The author is uncertain about the lifetime of the TOTP tokens, but believes they may only be valid for up to 20 hours before the event based on TicketMaster's documentation.
- The author developed a tool called "TicketGimp" that can render valid SafeTix barcodes using the extracted token information.
- The author is highly critical of TicketMaster's practices, accusing them of using technology to exclude and disadvantage customers for their own financial gain.
- The author calls on TicketMaster's developers to have more integrity and use their technical skills responsibly, rather than enabling TicketMaster's "cruel business practices".

https://conduition.io/coding/ticketmaster/

@DevMisc
#web #rev #misc