Photo
Fastly's 4th anniversary this week. Time to party like you're 4.
Text
LINKZ
MatterMost - Open source Slack alternative. I begrudgingly started using Slack and found that it does beat out other common chat solutions (e.g. IRC) in a lot of situations. So, this project is worth keeping an eye on if the existing cloud-based Slack doesn't appeal.
Remote exploitation via CUPS - ref counting error triggered via XSS
Tavis v. ESET Anti-Virus - guess who wins
A tool to detect and crash Cuckoo sandbox - trolololo
Finding Tor exit nodes that sniff passwords - Do not download executables over Tor. Do not login to accounts over Tor. Do not taunt Happy Fun Tor.
Font vuln writeup from j00ru - Hard core as usual. Rich attack surface, attacked.
Specifically, I focused on the handling of so-called “CharStrings”, which are essentially binary encoded PostScript programs with a dedicated set of instructions and a specific execution environment, responsible for drawing the shape of each glyph at a particular point size.
Photo
Getting up to speed during first month at a high-growth tech startup
Link
Includes an interesting vuln in OSX (but not iOS) keychain:
Apparently, the attack can only succeed when the attributes of the victim’s keychain item are predictable. This is mostly the case and the attributes typically remain constant for specific apps or services. Also, the attacker needs to create the keychain item first. These restrictions, however, turn out to be unnecessary: we found that the attributes of any keychain item are actually public, though their content (credential) is protected. And most importantly, we found a second flaw in keychain that an existing keychain item can be deleted by an unauthorized sandboxed app. As a result, all the attacker needs to do is just identifying an existing item, removing it from the keychain and creating a new one of its own with the same attributes to wait for the target app to put its secret there.
Text
I readed some today
List of tech engineering blogs - I should read these now that I am officially an engineer again
RCE in Samsung SwiftKey - includes tips on turning an arbitrary system file write into remote code execution on Android. Nice.
Predicting good test cases for zzuf - they use manfuzzer to infer commandline (which isn't perfect, but good enough I guess) and fuzzing project's corpus to automate zzuf. The ML classification technique turned out to be better at predicting unproductive test cases, so they use it to cull the input set. Interesting/good work, but overall I'm glad this isn't my day job anymore. At least for now :)
tptacek password manager rant on HN
Text
Tidioute in the New York Times
Was helping a friend with something and came across these gems.
Tourist Approach to the Kinzua Dam (1964)
An Answer To Prayer In Water Made Pure (1989)
Link
Nothing too novel here, but as usual highly understandable, well-written summary of the topic from waitbutwhy.com
Link
Seems like the idea is to include a hash of a script that is included cross-domain (including scripts that are sourced from a CDN) when you present a web page to the user. The user's browser then checks the hash against a hash of the returned content.
So, as it stands, this does help if you are including script from something like JQuery's CDN or a random github repo (via their CDN), but not if a transparent CDN node that you are hosting a whole site from gets compromised.
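The check described above and its limit, as an added example that is not from the linked article or this blog: it models the browser-side comparison in Node, assuming the mechanism is the `integrity` attribute of the W3C Subresource Integrity spec. The script bodies and the function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Hash algorithms in increasing strength; the strongest one listed wins.
const ALGOS = ['sha256', 'sha384', 'sha512'];

// Value the page author places in integrity="..." on the <script> tag.
function integrityFor(body, algo = 'sha384') {
  return `${algo}-${crypto.createHash(algo).update(body).digest('base64')}`;
}

// Model of the browser-side check on the bytes that actually came back.
function verifyIntegrity(body, integrityAttr) {
  const entries = integrityAttr.trim().split(/\s+/)
    .map((tok) => {
      const i = tok.indexOf('-');
      return { algo: tok.slice(0, i), digest: tok.slice(i + 1).split('?')[0] };
    })
    .filter((e) => ALGOS.includes(e.algo));
  // No usable hash in the attribute means nothing is enforced.
  if (entries.length === 0) return true;
  const best = Math.max(...entries.map((e) => ALGOS.indexOf(e.algo)));
  return entries
    .filter((e) => ALGOS.indexOf(e.algo) === best)
    .some((e) => integrityFor(body, e.algo) === `${e.algo}-${e.digest}`);
}

// Constructed sample script bodies (not real library code).
const original = 'window.lib = { version: "1.0" };';
const tampered = original + ' /* modified in transit */';
const pinned = integrityFor(original);

// Case 1: only the third-party script host is compromised. The page, served
// from elsewhere, still carries the pinned hash, so the script is rejected.
function thirdPartyHostCompromised() {
  return verifyIntegrity(tampered, pinned);
}

// Case 2: the node serving the whole site is compromised. It controls the
// HTML too, so it can ship a matching hash and the check passes.
function wholeSiteHostCompromised() {
  return verifyIntegrity(tampered, integrityFor(tampered));
}

console.log('third-party host only:', thirdPartyHostCompromised() ? 'loaded' : 'blocked');
console.log('whole-site host:', wholeSiteHostCompromised() ? 'loaded' : 'blocked');
```

The hash only protects a script when the HTML that carries it comes from a host the attacker does not control.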