Jernej Simončič

@jernej__s@infosec.exchange
260 Followers
146 Following
21.7K Posts

I wish VPN CEOs a very merry Klämrisk

https://chaos.social/@root42/114912810967498606

root42 (@root42@chaos.social)

Attached: 1 image New fear unlocked: Klämrisk.

chaos.social
so how long do we reckon it'll be until we see a story about a VPN company having quietly thrown a bunch of money into lobbying for the online safety act, knowing full well that it'll net them thousands of customers?

@ska @kloenk @navi Before that, the custom kernels had patches to allow for longer argv. I no longer remember what limit was set in those patches. Those were the days of /proc/bogdan

For those interested in a little fun Google history, Bogdan was a key figure in the platforms team and renowned for saying no to everything (which was, mostly, the correct call, there was a lot of outlandishness at the time). Someone added /proc/bogdan, which would just return "no" when catted.

https://stackoverflow.com/questions/33051108/how-to-get-around-the-linux-too-many-arguments-limit/33278482

> I have to pass 256Kb of text as an argument to the "aws sqs"

what, uhhh, what

> MAX_ARG_STRLEN is defined as 32 times the page size in linux/include/uapi/linux/binfmts.h:
> The default page size is 4 KB so you cannot pass arguments longer than 128 KB.
> I modified linux/include/uapi/linux/binfmts.h to #define MAX_ARG_STRLEN (PAGE_SIZE * 64), recompiled my kernel and now your code produces

casually patching the kernel to send a quarter megabyte as a *single* argument oh my god i'm laughing hard
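The quoted answer gives the numbers from the kernel source (MAX_ARG_STRLEN = 32 × PAGE_SIZE, so 128 KiB with 4 KiB pages). The script below is an added example, not code from the thread or the Stack Overflow answer: it computes that limit from the running kernel's page size, shows execve rejecting a single argument at the boundary with E2BIG, and shows the fix that does not involve recompiling a kernel, which is handing the data to the child on stdin. It assumes a Linux host (the per-argument check is Linux-specific) and uses the current Python interpreter as the child process so it needs no other binaries.

```python
"""Probe the Linux per-argument limit (MAX_ARG_STRLEN = 32 * PAGE_SIZE).

Added example for the thread above, not the kernel's or the answer's code.
Assumes Linux and a Python 3.8+ interpreter; no other binaries needed.
"""
import errno
import os
import subprocess
import sys


def is_linux() -> bool:
    return sys.platform.startswith("linux")


def max_arg_strlen() -> int:
    """Kernel limit for one argv/envp string in bytes, counting the NUL
    terminator (fs/exec.c checks strnlen_user(str) <= MAX_ARG_STRLEN)."""
    return 32 * os.sysconf("SC_PAGE_SIZE")


def longest_single_argument() -> int:
    """Longest string, without its NUL, that still fits in one argv slot."""
    return max_arg_strlen() - 1


def exec_with_single_arg(size: int) -> bool:
    """Exec a child with one argument of `size` bytes.

    Returns True if execve accepted the argument, False if the kernel
    rejected it with E2BIG ("Argument list too long"). Any other OSError
    is a real failure and is re-raised.
    """
    child = [sys.executable, "-c", "pass", "x" * size]
    try:
        subprocess.run(child, check=True)
        return True
    except OSError as exc:
        if exc.errno == errno.E2BIG:
            return False
        raise


def send_via_stdin(payload: bytes) -> int:
    """The limit applies to argv, not to pipes: feed the data on stdin.

    Returns the number of bytes the child actually received.
    """
    child = [sys.executable, "-c",
             "import sys; print(len(sys.stdin.buffer.read()))"]
    out = subprocess.run(child, input=payload, capture_output=True, check=True)
    return int(out.stdout.strip())


if __name__ == "__main__":
    limit = max_arg_strlen()
    print(f"page size {os.sysconf('SC_PAGE_SIZE')} -> MAX_ARG_STRLEN {limit}")
    print("longest single arg accepted:",
          exec_with_single_arg(longest_single_argument()))
    print("one byte longer accepted:", exec_with_single_arg(limit))
    # 256 KiB, the size the asker wanted to pass, goes through a pipe fine
    print("bytes received on stdin:", send_via_stdin(b"y" * 256 * 1024))
```

Run on a 4 KiB-page kernel, the boundary probes print True then False at 131071 and 131072 bytes, while the 256 KiB payload arrives intact on stdin. The same approach (stdin, or a file path and `file://` style option) is what to reach for whenever a tool's input outgrows a command line; the total ARG_MAX budget for argv plus envp is a separate, larger limit and is not probed here.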

@kloenk @navi Back when 128 kB was the limit for argv+envp, Google was hitting it too because they passed all the configuration for their whole software stack on the command line as --long-option=value switches.

Their solution? Compress the command line. So every binary started by ungzipping argv[1] and parsing it to get the configuration.

The person explaining this to me saw my horrified face, and said with the perfect Hide The Pain Harold smile: "a series of individually completely rational and reasonable decisions led to this." and I have been thinking a lot about it since.

something hands me a Google Cloud Storage signed URL with an Expires option set. I can upload stuff to it with a PUT.

if I complete the upload before the expiry time, it uploads successfully. if I start the upload before the expiry time, but it finishes after the expiry time, it fails.

anyone know if there's a trick where you can get that last case to succeed? I vaguely recall that there are some fancy alternative upload schemes (chunking?) and I'm wondering if they can trick the expiry.

@GossiTheDog
Yesterday, a web site asked me to select whether I was under or over 18. I was baffled. I'm under 18 meters tall, but over 18 kg weight.
@da_667 There's a better way, with Image File Execution Options\Debugger you can prevent Edge from starting altogether.
Two Minute Drill: Configuring a Debugger using Image File Execution Options | Microsoft Community Hub

First published on TECHNET on Dec 12, 2008 There are times when tools such as DebugDiag, ADPlus or UserDump fail to capture a dump when a process terminates...

TECHCOMMUNITY.MICROSOFT.COM
I just learned that this app existed a day ago, so of course today it has been breached by bros who are excited about the cache of womens' ID documents that Tea failed to protect. https://www.404media.co/women-dating-safety-app-tea-breached-users-ids-posted-to-4chan/
Women Dating Safety App 'Tea' Breached, Users' IDs Posted to 4chan

“DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!” the thread read before being deleted.

404 Media
When I was a kid, I used to use Arnold Schwarzenegger soundboards to prank call any Sarah Connor I could find in a phone book
Fun* thing I just noticed, the bulleted list markers in the Qantas "you got breached" email? 717kB PNG file.
@akent yep, it’s a big-ass PNG, that’s for sure. https://ecm.loyalty.qantas.com/imgproxy/img/3004766859/bull.png
@georgeharito @akent also some amusing URL enumeration fun to be had with those URLs... The image name doesn't matter, just the ID.
@ret @georgeharito @akent
We need to check out all the other image URLs between 0000000001 and 3004766859 to see what they are.

@negative12dollarbill @georgeharito @akent if somebody engaged in that it would be entirely embarked upon under their own volition. My indication of the potential for URL enumeration is not a suggestion to exploit such a vulnerability should it exist.

uwu.

Forced browsing | OWASP Foundation

Forced browsing on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.

@akent I put several of these in each edition
@akent They are good at computer.
@akent Equal parts lmao and witaf
@akent bull dot png, emphasis on the bull
@akent
Tired: ul
Wired: table
@akent @lyndaljane I’ve just imagined explaining to my three-decades-younger self that we’ll regularly not care about sending an email that links to files that we would only be able to fit two of on a floppy, and they’re just the list element dingbats.
@akent @daedalus clearly basic HTML is beyond their ken.
@akent I did wonder how they got them to look so smooth.
@akent You discovered the black hole that is sucking up all the entropy of the universe. Nice find! Don't get too close to the event horizon.
@akent remember when tracking elements used to be a 1x1px gif?
@akent How did they manage to fail to compress an image that looks so easily compress-able? 🤣
@akent That's 717 kB wasted. Literally a single unicode character would have sufficed here
@akent what information is in there, did you look? (Beside the 144 pixels)

@josgeluk It's 1024x1024 8 bit RGBA so more than 144 pixels... but good question -- there is also a bunch of metadata that looks like signing keys or something: https://pastebin.com/raw/WUgadPyf

Check the png here direct if you like: https://ecm.loyalty.qantas.com/imgproxy/img/3004766859/bull.png

I smell some "vibe" coding.
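The post above reports the image's dimensions, bit depth and colour type and notes a block of unexplained metadata. Those facts all live in the PNG chunk structure, which is simple enough to read without an image library. The following is an added example, not code from the thread: a chunk walker that reports IHDR fields, any text/metadata chunks and CRC mismatches, plus a function that strips ancillary chunks before an image is shipped in an email. The sample image is constructed inline (a 2×2 RGBA PNG with a tEXt and an iTXt chunk) so it runs offline; to inspect a real file, pass its bytes to `parse_png` instead.

```python
"""Walk PNG chunks and report what the file carries besides pixels.

Added example, not the thread's code. The sample PNG is constructed
inline so the script runs offline; `parse_png(open(path, "rb").read())`
works on a real file.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
COLOUR_TYPES = {0: "greyscale", 2: "RGB", 3: "indexed",
                4: "greyscale+alpha", 6: "RGBA"}
TEXT_CHUNKS = ("tEXt", "iTXt", "zTXt", "eXIf")


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 2x2 8-bit RGBA image with two metadata chunks."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 6, 0, 0, 0)
    # each scanline: filter byte 0, then two RGBA pixels
    raw = b"".join(b"\x00" + bytes([r, 0, 0, 255, 0, 0, 255, 255])
                   for r in (255, 0))
    return (PNG_SIG
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"Software\x00constructed-sample")
            # iTXt: keyword\0 compflag compmethod lang\0 translated\0 text
            + _chunk(b"iTXt", b"XML:com.adobe.xmp\x00\x00\x00\x00\x00<x:xmpmeta/>")
            + _chunk(b"IDAT", zlib.compress(raw))
            + _chunk(b"IEND", b""))


def parse_png(data: bytes) -> dict:
    """Return header fields, chunk list, text metadata and CRC failures."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    info = {"chunks": [], "text": {}, "bad_crc": []}
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        name = ctype.decode("latin-1")
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            info["bad_crc"].append(name)
        info["chunks"].append((name, length))
        if name == "IHDR":
            w, h, depth, ct = struct.unpack(">IIBB", body[:10])
            info.update(width=w, height=h, bit_depth=depth,
                        colour_type=COLOUR_TYPES.get(ct, str(ct)))
        elif name == "tEXt":
            key, _, val = body.partition(b"\x00")
            info["text"][key.decode("latin-1")] = val.decode("latin-1")
        elif name == "iTXt":
            key, _, rest = body.partition(b"\x00")
            compressed, rest = rest[0], rest[2:]
            _lang, _, rest = rest.partition(b"\x00")
            _translated, _, text = rest.partition(b"\x00")
            if compressed:
                text = zlib.decompress(text)
            info["text"][key.decode("latin-1")] = text.decode("utf-8", "replace")
        pos += 12 + length
        if name == "IEND":
            break
    info["idat_bytes"] = sum(n for c, n in info["chunks"] if c == "IDAT")
    info["metadata_bytes"] = sum(n for c, n in info["chunks"] if c in TEXT_CHUNKS)
    return info


def strip_ancillary(data: bytes) -> bytes:
    """Keep only critical chunks (uppercase first letter) plus tRNS.

    Drops text, XMP, EXIF, timestamps and similar before an image is
    published; the pixels are unchanged.
    """
    out, pos = PNG_SIG, len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        raw = data[pos:pos + 12 + length]
        if ctype[0:1].isupper() or ctype == b"tRNS":
            out += raw
        pos += 12 + length
        if ctype == b"IEND":
            break
    return out


if __name__ == "__main__":
    sample = build_sample_png()
    report = parse_png(sample)
    print(f"{report['width']}x{report['height']} {report['bit_depth']}-bit "
          f"{report['colour_type']}, {report['idat_bytes']} bytes of pixel data, "
          f"{report['metadata_bytes']} bytes of metadata")
    for key, val in report["text"].items():
        print(f"  {key}: {val[:60]}")
    print("after strip_ancillary:", parse_png(strip_ancillary(sample))["text"])
```

On a real file the useful numbers are `idat_bytes` against `metadata_bytes`: a bullet-sized image whose size is dominated by IDAT is simply stored at a needless resolution, while one with large text chunks is carrying provenance or tooling metadata that `strip_ancillary` would remove before it reaches a mailing list. A non-empty `bad_crc` list means the file was corrupted or hand-edited after encoding.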

@akent @josgeluk The fact that they (may) have used ChatGPT to generate a bullet point is nothing short of crazy.
@wale @akent @josgeluk It has made me groan loudly.
@akent The image has been optimised for future Retina displays and Safari.
@akent @bert_hubert things that would have never 🥁 🥁 flown 🥁 🥁 20 years ago due to internet bandwidth constraints :)
@akent and it appears to have OpenAI/GPT-4o fingerprint info in the metadata. As well as TruePic Lens things. Bizarre.
@daedalus I also just found this too. I smell some vibe coding.
Of course! Why waste an opportunity to track mail openings when reaching out to your audience could go unmeasured instead?
But yeah, this is absurd, given less than one hundred bytes of SVG would do, if going fancy, or a simple or something.
@akent they saved 2 bytes by shortening the name to bull.png.
@bartjan @akent 4 bytes, if you know what I mean ;-)
@akent That's two times pokémon red, for a dot..
@akent There must be a name for this stupid kind of data bloat. Using pictures as a substitute for text. Using HTML in email. Reminiscent of how MS Word stretches a hundred word "text" document to a megabyte of file size by attaching unwanted repetitive metadata like "spacing-adjustment=-0.0; colour-scheme=microsoft" to every actual word of text (paraphrased; have blissfully avoided touching Microsoft stuff for years and hate it when people occasionally inveigle me to do so).

@julian @akent "there must be a name" -> https://en.wikipedia.org/wiki/Software_bloat#Types_of_bloat -> "This section needs expansion with: more on the topic: these are not the only forms of bloat. You can help by adding to it. (July 2024)"

We should come up with a name 😂. Because of citogenesis https://xkcd.com/978/

Software bloat - Wikipedia

@akent Is there some silly steganography going on with almost but not quite shades of black in there?
You have to try really hard to create a png that badly compressed.
@akent chuck loading=lazy on those bad boys and you've got scroll tracking
@akent This is a company who takes "control your supply chain" seriously.
@akent
That would nearly fill an Amiga floppy disk!
@akent How. Why. What. The fuck?!
@akent @GossiTheDog did they go out of their way to reduce the png compression to the lowest possible setting
@akent
But they'll charge you $15 if your carry-on is 500g over. The cheek of it.
@akent please say it's a different PNG for each item as well?

@akent while the png is oversized this is a fairly relevant way to code emails (although I agree with other commenters I would have used • myself.) Email clients are very inconsistent in rendering and lists are one of the things that has historically been a pain to get right across clients. The mantra in the email world has long been, "code it like it's 1999." It's been very slowly getting better as older clients roll off but I don't think it's ever going to be on-par with the state of the art Web HTML.

I just wanted to dispel some of the commentary here in the replies because it's clear most people here haven't coded many emails and are making assumptions about it.