Chronicle has a lot of great resources. I’ve been out of Java for a few years but when I had to write high perf code, the libraries and blog insights were invaluable. A lot of the advice is good in general - keeping…
Pretty much this. We see CF hosted/protected content all the time. CF does nothing for days or weeks. By then the campaign is gone and on a new account etc. Tycoon and Kratos are two phish kits that heavily use CF. CF…
Given how little they do now to stop malicious content hosted behind/by Cloudflare, the bare minimum if anything.
> "GitHub only gets better if people who give a shit stick around to make it better" At a basic level I appreciate this sentiment. However, the common dysfunction I see in large corporation is its not the lack of people…
Yes. In the past I helped sort out tooling like this for competitive analysts. There are a few ways this is done: 1) Check the businesses’ MX record. Often this points to a third party provider like Microsoft or Google.…
Yes. I remember listening to it on the radio. The DJ used the handle Hard Hat Mack. It was pretty awesome to hear SID music over the radio. I found this archive that has some of the shows recorded, and set playlists…
Tools like Playwright and Puppeteer are abstractions on top of CDP. The other use case is when these frameworks don’t expose or don’t use a CDP command you need (often they hide some parameters for cross browser…
I’ve had a similar thing happen to me recently. 500$ tariff on $130 of stuff. The tariff should have been like $20. UPS has been completely non responsive and still won’t show me the customs forms. Total scam.
I work a product that involves a security crawler (phish, malware detection, etc). It’s just a new arms race. Crawlers will adapt. Cloudflare is already heavily abused by threat actors to host, and gate their malicious…
Oh fun. I can’t wait. Now phishing sites will be protected with Turnstile and this garbage.
Interesting. Looks really neat! How do you deal with anti bot stuff like Fingerprintjs, Cloudflare turnstile, etc? Maybe you’re new enough to not get flagged but I find this (and CDP) a challenge at times with these…
Google search results are full of garbage pages populated with LLM generated content (the pages exist solely to serve ads and capture search results). Search spam is not new, but the use of LLMs simplifies the ability…
Neat optimization! Would it have been feasible to spend a bit of cpu/memory and tag headers as internal upon the request construction? That way filtering on output is trivial.
They could police their content. Or if they don’t want to, they could meaningfully partner with the security industry - create a “security bots” program, respond to takedown requests in days not months, etc.
You can. Sort of. The good bots list is basically driven by a fixed user agent. And customers can set their preference to not allow “good bots”. Not so good for security work. It’s similar to their abuse reporting. They…
I’m really mixed on this. Anti bot stuff is increasingly a pain point for security research. Working in this space, I have to work against these systems. Threat actors use Cloudflare and other services to gate their…
Cool library. This sounds like SWAR (simd within a register). I’ve seen these techniques give a nice speed up especially when SIMD isn’t available or a pain (eg in Java pre-Panama). One random sample:…
I was looking at [1] recently to understand omicron variant positivity length and they cite a few other papers. The article [1] is publicly available. I haven’t checked if all of the others are. * Routsias JG , Mavrouli…
The Inkplate 10 is great. I haven’t gotten a lot done other than toy stuff, but so far it’s been a mostly good experience. Another nice entry point is micropython. Some of the getting started stuff has gaps but overall…
In a past job I’ve seen crappy crawlers from badly designed security applications do stuff like this. An an example one customer was using Trend CAS to scan all URLs in their inbound email. This causes big bursts of…
Having worked in anti-abuse for nearly 20 years this is spot on. Even if it were possible, publishing “the algorithm” isn’t going to solve anything. It’s not like it can be published in secret or avoid being instantly…
Definitely. Twitter seems to have not been doing a lot of standard best practices for a company of their size. My intent was pointing out that engineers with high level access to their dev machines is pretty common in…
In reading Mudges' complaint, it really paints the Twitter leadership (esp. Agrawal) as simply not caring about security enough to do anything about it. Instead you had an org with massive amounts of technical and…
Vanilla Java is a great resource. The work that Chronicle does got me into low latency Java as well (not doing java now though). Some other great resources I used: * http://psy-lob-saw.blogspot.com/ - Not updated since…
For reference, here’s what we have: 36KBTU AIRHANDLER/HEATPUMP HI-STATIC M SERIES DUCTED SYSTEM INDOOR MOD# SVZ-KP36NA OUTDOOR MOD# SUZ-KA36NA2 It’s a slightly older model as we had height restrictions to work around.…
Chronicle has a lot of great resources. I’ve been out of Java for a few years but when I had to write high perf code, the libraries and blog insights were invaluable. A lot of the advice is good in general - keeping…
Pretty much this. We see CF hosted/protected content all the time. CF does nothing for days or weeks. By then the campaign is gone and on a new account etc. Tycoon and Kratos are two phish kits that heavily use CF. CF…
Given how little they do now to stop malicious content hosted behind/by Cloudflare, the bare minimum if anything.
> "GitHub only gets better if people who give a shit stick around to make it better" At a basic level I appreciate this sentiment. However, the common dysfunction I see in large corporation is its not the lack of people…
Yes. In the past I helped sort out tooling like this for competitive analysts. There are a few ways this is done: 1) Check the businesses’ MX record. Often this points to a third party provider like Microsoft or Google.…
Yes. I remember listening to it on the radio. The DJ used the handle Hard Hat Mack. It was pretty awesome to hear SID music over the radio. I found this archive that has some of the shows recorded, and set playlists…
Tools like Playwright and Puppeteer are abstractions on top of CDP. The other use case is when these frameworks don’t expose or don’t use a CDP command you need (often they hide some parameters for cross browser…
I’ve had a similar thing happen to me recently. 500$ tariff on $130 of stuff. The tariff should have been like $20. UPS has been completely non responsive and still won’t show me the customs forms. Total scam.
I work a product that involves a security crawler (phish, malware detection, etc). It’s just a new arms race. Crawlers will adapt. Cloudflare is already heavily abused by threat actors to host, and gate their malicious…
Oh fun. I can’t wait. Now phishing sites will be protected with Turnstile and this garbage.
Interesting. Looks really neat! How do you deal with anti bot stuff like Fingerprintjs, Cloudflare turnstile, etc? Maybe you’re new enough to not get flagged but I find this (and CDP) a challenge at times with these…
Google search results are full of garbage pages populated with LLM generated content (the pages exist solely to serve ads and capture search results). Search spam is not new, but the use of LLMs simplifies the ability…
Neat optimization! Would it have been feasible to spend a bit of cpu/memory and tag headers as internal upon the request construction? That way filtering on output is trivial.
They could police their content. Or if they don’t want to, they could meaningfully partner with the security industry - create a “security bots” program, respond to takedown requests in days not months, etc.
You can. Sort of. The good bots list is basically driven by a fixed user agent. And customers can set their preference to not allow “good bots”. Not so good for security work. It’s similar to their abuse reporting. They…
I’m really mixed on this. Anti bot stuff is increasingly a pain point for security research. Working in this space, I have to work against these systems. Threat actors use Cloudflare and other services to gate their…
Cool library. This sounds like SWAR (simd within a register). I’ve seen these techniques give a nice speed up especially when SIMD isn’t available or a pain (eg in Java pre-Panama). One random sample:…
I was looking at [1] recently to understand omicron variant positivity length and they cite a few other papers. The article [1] is publicly available. I haven’t checked if all of the others are. * Routsias JG , Mavrouli…
The Inkplate 10 is great. I haven’t gotten a lot done other than toy stuff, but so far it’s been a mostly good experience. Another nice entry point is micropython. Some of the getting started stuff has gaps but overall…
In a past job I’ve seen crappy crawlers from badly designed security applications do stuff like this. An an example one customer was using Trend CAS to scan all URLs in their inbound email. This causes big bursts of…
Having worked in anti-abuse for nearly 20 years this is spot on. Even if it were possible, publishing “the algorithm” isn’t going to solve anything. It’s not like it can be published in secret or avoid being instantly…
Definitely. Twitter seems to have not been doing a lot of standard best practices for a company of their size. My intent was pointing out that engineers with high level access to their dev machines is pretty common in…
In reading Mudges' complaint, it really paints the Twitter leadership (esp. Agrawal) as simply not caring about security enough to do anything about it. Instead you had an org with massive amounts of technical and…
Vanilla Java is a great resource. The work that Chronicle does got me into low latency Java as well (not doing java now though). Some other great resources I used: * http://psy-lob-saw.blogspot.com/ - Not updated since…
For reference, here’s what we have: 36KBTU AIRHANDLER/HEATPUMP HI-STATIC M SERIES DUCTED SYSTEM INDOOR MOD# SVZ-KP36NA OUTDOOR MOD# SUZ-KA36NA2 It’s a slightly older model as we had height restrictions to work around.…