
Terence Eden’s Blog


Making My Own Hacktoberfest T-Shirts

· 2 comments · 850 words · Viewed ~1,666 times


Two t-shirts with the various Hacktoberfest logos stacked on them.

Between 2014 and 2022, DigitalOcean sent free t-shirts to developers who completed the Hacktoberfest challenge. For entirely sensible reasons related to sustainability and spammy entrants, they stopped doing physical merchandise in 2023. I'm the sort of hip fashionista who only wears free conference t-shirts. GDS (@GDSTeam): We support open source. And we've got the t-shirts to prove it (thanks @…

Reading NFC Passport Chips in Linux

· 8 comments · 900 words · Viewed ~37,078 times


A mocked up passport which looks like it has been issued by the fictional country of Wakanda.

For boring and totally not nefarious reasons, I want to read all the data contained in my passport's NFC chip using Linux. After a long and annoying search, I settled on roeften's pypassport. I can now read all the passport information, including biometrics. Table of Contents: Background; Recreating the MRZ; Python code to generate an MRZ; Can you read a cancelled passport?; Cryptography and other…

Some thoughts on the YubiKey EUCLEAK Vulnerability

· 4 comments · 800 words · Viewed ~533 times


Photo of electrical equipment placed very close to a circuit board.

It looks like everyone's favourite FIDO token provider might have an unpatchable vulnerability! Much Sturm und Drang from the usual sources. But how bad is it really? Not so bad - but it does expose some weaknesses in the very idea of having physical tokens. First up, as the research paper's abstract says: The attack requires physical access to the secure element So, straight off the bat,…

Book Review: The Cuckoo's Egg - Clifford Stoll

· 8 comments · 400 words · Viewed ~210 times


Book cover - illustration of a person sat in front of a computer.

This book is outstanding. It's the mid 1980s, you're administrating a nascent fleet of UNIX boxen, and you are tasked with accounting for a 75¢ billing discrepancy. Naturally that eventually leads into an international conspiracy involving the FBI, NSA, and an excellent recipe for chocolate chip cookies. It is a fast-paced, high-tension page-turner. There's also a sweet moral core to the story …

What's the most malicious thing you can do with an injected HTML heading element?

· 3 comments · 50 words · Viewed ~390 times


The HTML5 Logo.

A bit of a thought experiment - similar to my Minimum Viable XSS and SVG injection investigations. I recently found a popular website which echoed back user input. It correctly sanitised < to &lt; to prevent any HTML injection. Except… It let through <h2> elements unaltered! Why? I suspect because the output was: <h2>Your search for ... returned no results</h2> And, somehow, the parser was g…

Certified in The Art of Hacking - Day 5

· 1 comment · 650 words


Logo for QA's certified in the art of hacking course.

This is a diary of what I've learned. Hopefully it will let other learners know what the course is like, and if it is worthwhile. Oh, and it might just help me remember what I'm learning! Verdicts Some of the lab tasks were impossible without looking at the cheat sheet. I got stuck on one because the question told me to go to one URL, but I had to guess the one which was vulnerable. Felt like a …

Certified in The Art of Hacking - Day 4

· 1,100 words


Logo for QA's certified in the art of hacking course.

This is a diary of what I've learned. Hopefully it will let other learners know what the course is like, and if it is worthwhile. Oh, and it might just help me remember what I'm learning! The penultimate day. Try not to worry about the upcoming exam! Today was lots of HTTP, TLS, and other low-ish level stuff like that. But mostly focussed on common website attacks. Verdict Bit of a repeat of…

Certified in The Art of Hacking - Day 3

· 1,850 words


Logo for QA's certified in the art of hacking course.

This is a diary of what I've learned. Hopefully it will let other learners know what the course is like, and if it is worthwhile. Oh, and it might just help me remember what I'm learning! Day 3 - the day I was dreading most of all… Windows! I've been avoiding M$ WinDoze (LOL!!!) since long before it was fashionable. Even at my earliest jobs, I'd find a way to convince the IT department to let m…

Certified in The Art of Hacking - Day 2

· 1 comment · 1,650 words


Logo for QA's certified in the art of hacking course.

This is a diary of what I've learned. Hopefully it will let other learners know what the course is like, and if it is worthwhile. Oh, and it might just help me remember what I'm learning! Day 1 was all about password cracking and metasploit. Today? Linux Hacking! Sadly, we aren't learning anything to do with distributing 1337 cracks for warez (so 1998!). One point to note is that the questions…

Certified in The Art of Hacking - Day 1

· 1,250 words · Viewed ~288 times


Logo for QA's certified in the art of hacking course.

As part of my MSc, I have to take three "Professional Practice" courses. The course provider, QA.com, let me choose anything from their online catalogue. The first I'm doing is Certified in The Art of Hacking. As regular readers will know, I'm pretty reasonable at hacking. I have received bug bounties from Google, Twitter, Samsung, and a bunch of others. I don't claim to be an expert - and I…

What playing football taught me about hacking - Part 1

· 4 comments · 600 words · Viewed ~386 times


AI generated image of some Lego minifigs playing football.

This is a two-part blog post about rewriting the rules. I hated playing sports as a teenager, quelle surprise. In a vain attempt to get me to love the beautiful game, a PE teacher once made me team captain for a kickabout. My rival? Sporty Dave. Head boy, house captain, and conqueror of puberty. The PE teacher made us pick our teams. I went first and, naturally, chose the weakest of my…

Creating a public, read-only calendar

· 5 comments · 500 words · Viewed ~467 times


A bright and easy to use weekly view of my diary.

Last year, I blogged about why I make my work calendar public. It is useful to have a public website where people can see if I'm free or busy. But the version I created relied on Google Calendar which, sadly, isn't that great. It doesn't look wonderful, especially on small screens, and is limited to only one calendar feed. So I used the mighty power of Open Source to build my own! …