Every day we use a programming pattern that makes software needlessly expensive to build and maintain. It causes countless bugs and security vulnerabilities. It needs constant refactoring. It’s difficult to test, it’s tedious to document, and its flexibility makes every implementation a unique snowflake that leads to unending code duplication.
It’s the function.
More specifically, it’s the interface we expose which is commonly a collection of functions.
On the surface, WASM looks immature, niche, and barely usable. You can’t even send text strings between a WASM guest and host, only numbers. Below that surface is a community on fire. Teams are sprinting at breakneck speeds to create runtimes, host environments, cloud solutions, system bindings…
I’m super excited to release Hackium, shift-refactor, and shift-interpreter — three tools that I’ve been using to analyze, automate, and manipulate web sites for the past year. These projects have been a long time in the making; they incorporate techniques I started playing with 20+ years ago. Granted, those techniques were little more than a hacky HTTP proxy and dozens of regular expressions, but the spirit was there.
Hackium is a command line tool, a browser, and a framework. That’s the elevator pitch, anyway. Technically, Hackium is a nodejs library that extends puppeteer to control a bundled version of Chromium…
I wouldn’t say I have a problem. I have an inclination. I like to take things apart and change how they work. As a kid I’d stay on the computer all night poking at bits in memory trying to change a program’s behavior. Most programs would just break. Sometimes you’d hit the right bit and be rewarded with infinite cash in a computer game.
Fast forward a few decades and this inclination led to a career in software development and web security. Websites are perfect for the curious. You can view source code, inspect every request, and tweak an app…
This is my experience getting started with deepfakes using DeepFaceLab. This article chronicles the general steps I went through to create a deepfake video to demonstrate how advanced the technology has gotten and how simple it is to use. This is not a step-by-step tutorial but it will point you to where you need to go.
I am beyond fascinated with deepfakes. From the videos of celebrity mashups like Jim Carrey’s face transferred onto Alison Brie’s body…
…to the implications fake video and audio will have on the world in general…
The serverless trend is the latest evolution of network application architecture. You no longer need to think about the hardware, the OS, or even the running application. Deploy nothing more than the lines of code you need to run wrapped in a node.js function.
Deploying serverless functions to Google’s Cloud Platform (GCP) is not difficult but it requires using and understanding the gcloud command line tool. The gcloud tool enables you to administer your Google Cloud setup via the command line.
…gcloud command line tool by downloading the Google Cloud SDK. Make sure the executables are located in your…
For the last few weeks I have live streamed several reverse engineering and deobfuscation sessions. In these sessions I’ve been using an up-til-now unpublished library.
Today I am publishing a preview version of shift-refactor that you can install via npm:
$ npm install shift-refactor
On July 12th Harry Garrood posted a personal blog entry outlining deliberate sabotage aimed at the PureScript installer. Two separate dependencies, both owned by a user who goes by @shinnn, targeted the npm package purescript-installer with malicious code using techniques that I've seen in exploits by other attackers. Shinnn claims his account was compromised and that these packages were published without his knowledge.
Any stereotypical hacker scene shown in a movie or on TV will, 100% of the time, show someone sitting in front of a terminal typing out cryptic commands on…
I work at Shape Security, the company founded by the guy who coined “credential stuffing.” This post clarifies a misconception about credential stuffing as it relates to 2FA. You should still enable 2FA whenever possible — it is an effective method for reducing account takeovers — it just doesn’t stop credential stuffing attacks.
There’s a great post on the Google Security blog entitled “How effective is basic account hygiene at preventing hijacking.” The post provides insight into two-factor authentication and its effectiveness at Google scale. …