Darryl Nixon 

@[email protected]
143 Followers
114 Following
165 Posts

I'm a vulnerability researcher, a home chef, a Ph.D. candidate, and a dad. 

7-ish years in VR, firmware analysis, DFIR, development, hunt, mitigations, and various in betweens. Previous lives in firmware engineering, incident response, and healthcare IT.

I should blog. One day.

#vulnerabilityresearch #cybersecurity #infosec #vulnerabilities #dfir #hunt #cooking

Keyoxidehttps://keyoxide.org/fffffffff8587e3ac7f9da9ad7ebefccb80506e5
Darryl Nixon Aug 3, 2023

Let's see how this goes. In my ever-growing fear of getting locked out of my life from losing access to my Google and/or Apple accounts, I threw together a few things for self-hosting my own e-mail.

I purchased the lifetime 10GB storage, unlimited domains/emails deal from #MXRoute for $99. I installed getmail, dovecot-imapd, and dovecot-submissiond on my home server.

getmail uses POP-SSL to check for new e-mails every 5 minutes, retrieve them, and delete them from MXRoute's mailbox. I have a separate getmailrc file for each mailbox. These are transformed into Maildir structure/format in a ZFS pool. The 10GB storage in MXRoute is now just a receiving buffer and should be plenty in the case of local downtime.

Meanwhile, dovecot serves IMAP-SSL and SMTP-SSL using certificates generated by Caddy for my other services. The IMAP piece retrieves passwords by invoking pass, but submissiond (the SMTP-SSL relay submission server added to Dovecot in 2.3) seems not to have the same password_command functionality as Dovecot's other features (yet?), so that's unfortunately in permissed plaintext for a relay e-mail account only used for sending (no inbox).

Next step are a few management scripts as there's some duplication between configurations, but overall I'm happy with how quick it was to set up.

Show threadDarryl Nixon Jun 2, 2023

That said, I've heard #GPT4 flexes pretty hard on #GPT3, so I might subscribe to ChatGPT proper for a month to get my measly 25 messages per 3 hours.

I've heard #Bing uses GPT4 so folks are using that as a sort of bypass, but I imagine there's a tradeoff they're making in i/o privacy and retention guarantees. Any other recommendations?

Show threadDarryl Nixon Jun 2, 2023
I'm no JavaScript wizard, so #GPT3 has been great for authoring fairly advanced Frida hooks for mobile #reverseengineering. It also pretty quickly helped me throw together a simple man-in-the-middle injector with aiohttp and something related with #FastAPI.
Show threadDarryl Nixon Jun 2, 2023

I have a YakGPT instance exposed to some family that also use it, but I noticed that the #ChatGPT UI now has options that offer the same data retention/usage guarantees that the API did (no training on i/o, 30 day retention for AUP enforcement audit).

On my MBP, I picked up Machato to have something macOS-native running. It functions well but I'm getting some lag with many chats open and I don't necessarily love the UX.

GitHub - yakGPT/yakGPT: Locally running, hands-free ChatGPT UI

Locally running, hands-free ChatGPT UI. Contribute to yakGPT/yakGPT development by creating an account on GitHub.

GitHub
Darryl Nixon Jun 2, 2023
I used #OpenAI GPT-3.5 API throughout May for research assistance, coursework brainstorming, and random things that had come out (e.g., skeleton prompts for bedtime stories, discussing areas for buying a home). It only cost me $3.43. What does your use of #ChatGPT -likes look like?
Darryl Nixon Jan 24, 2023

I just received a 1Password popup in the macOS app that my secret key or password had recently changed and I'd need to re-enter my password. The secret key was autofilled correctly and, after restarting the app, my normal password still works.

I haven't changed either in years. Anyone else encounter this?

Darryl Nixon Jan 24, 2023

I purchased ProxyMan for my Mac with their generous student discount because it's cheaper than Burp Suite, and I can't/don't use my work licenses for self-directed research and academia.

It's nice. The UI/UX is intuitive and macOS-like, making it stand out for me against the likes of mitmproxy, Burp, and ZAP. It took a handful of straightforward in-app clicks to set the system proxy, trust their root CA certificate for specific domains, and pass-thru everything else.

My license also unlocked premium features for their mobile app, which I just learned of but am now interested in checking out. I'm glad there's still room for competition in the MITM space.

Proxyman · Debug, intercept & mock HTTP with Proxyman

Proxyman is a native, high-performance macOS app, which enables developers to capture, inspect, and manipulate HTTP/HTTPS requests/responses with ease. Support iOS and Android Simulator and Physical Device.

Proxyman
Show threadDarryl Nixon Jan 24, 2023

Oops, forgot the attachment. 

I suppose I shouldn't link PDFs directly to "people like us", so here's X41's own blog post with links to the audit report. Great for VR newbies and veterans alike.

I found this through a HackerNews post linking this blog post where @LitchiPi@BirdPlace looks at it through a "Rust-y" lense. This is also a nice and brief read. \---/

X41 Audited Git

X41 releases the audit report of Git

X41 D-SEC
Darryl Nixon Jan 24, 2023
I haven't tooted much in the past few weeks but I promise I'm not cheating with the bird place! We've had some family health issues that resulted in full-time dadding. Returning to the mouse and keyboard is bittersweet because my toddler is so heckin' awesome.
Darryl Nixon Jan 24, 2023

The OSTIF-sponsored git source code audit by X41+Gitlab is refreshingly brief without losing necessary technical detail. It's also quite aesthetically pleasing, which I've found helpful with my ADHD attention span.

I'm inspired. What are your favorite reports and whitepapers? I'll take both eloquent and eye-catching.