doryokuka (@jungletsubasa)

400 posts

Joined January 2016
1.3K Following, 56 Followers
doryokuka retweeted
Bryan Johnson (@bryan_johnson)
This is it. Everything learned spending millions on longevity.

From: Your Immortal Unc and Auntie.
To: Our Immortal nieces and nephews.

0. Sleep is the world's most powerful drug.
1. Be in your bed for 8 hours
2. Same bedtime every night, any time before midnight
3. Don’t eat right before bed
4. Calm foods for dinner
5. No screens 1 hour before bed
6. Avoid added sugar (be aware it’s in everything)
7. Avoid all things in an American convenience store
8. Avoid fried foods
9. Shoes off at the door
10. Eat whole foods, particularly veggies fruits nuts legumes berries
11. Walk a little after meals or air squats
12. Get your heart rate high routinely
13. Lift heavy things
14. Stretch daily
15. Water pik, floss, brush, tongue scrape, morning and night
16. Make an effort to drink water
17. Get sunlight when you wake up (UV is low)
18. Protect skin in midday sun
19. Stand up straight
20. See at least one friend once a week
21. Avoid plastic where you can (in all things)
22. Circulate air in rooms
23. When stressed, breathe, learn to calm your body
24. Go to the dentist
25. Avoid sitting for long times
26. Protect your hearing, the world is too loud
27. Alcohol is bad for you
28. Finish coffee before noon
29. Avoid bright lights after sunset
30. If obese, look into a GLP
31. Sleep in a cold room
32. Texting while driving is dangerous
33. Turn off all notifications
34. Limit social media use
35. Don’t smoke anything
36. If you struggle to sleep, read a physical book before bed
37. 1 hour before bed have a calm wind down routine: bath, read, light walk, listen to music
38. The body is a clock and loves routine. Have a daily morning and evening schedule.
39. Avoid long distance travel where you can
40. Baby steps first: incorporate new things slowly
41. Do less… most things don’t work.

Bonus points if you get your blood checked. Start here, it will change your life.
doryokuka retweeted
Bryan Johnson (@bryan_johnson)
Society was built to make money. Indifferent to your health and sanity.

For example, we did not evolve to:
+ sit 10 hours a day
+ have our attention fractured 300 times daily
+ compare ourselves to millions of others
+ travel 9 time zones in 13 hours
+ tolerate sounds above 85 dB causing hearing loss
+ outsmart algorithms hijacking our reward system
+ breathe fine particulate air pollution
+ live under 16+ hrs of artificial light a day
+ have 3 courses of antibiotics before age 2
+ eat ultra-processed foods for 60% of daily calories
+ consume 17 teaspoons of added sugar a day

So if you're feeling down in the dumps, maybe fatigued, a little or a lot depressed, anxious, that's why.
doryokuka retweeted
Bryan Johnson (@bryan_johnson)
Lunch today. Here's the recipe and instructions:

Pesto Veggies with Black Lentils and Sweet Potato
1–2 servings
Prep: 15 min
Cook: 25–30 min
Total: 40–45 min

Ingredients

Veggie pesto:
* 1 packed cup fresh basil leaves
* 2 tablespoons olive oil
* 2 tablespoons pine nuts
* 1 small garlic clove
* 1 to 2 tablespoons water, as needed

Vegetables:
* 1 cup cauliflower florets
* 1 cup broccoli florets
* 1/4 cup sliced red onion
* 1 small garlic clove, minced
* 1 cup cherry tomatoes, halved
* 1 medium zucchini, sliced
* 1 tablespoon avocado oil or any high smoke point oil

Lentils and sweet potato:
* 1 cup cooked black lentils, cooked in vegetable broth
* 1 small sweet potato, peeled if desired and cut into cubes
* Water for steaming or boiling

Finishing:
* 2 oz sliced black Kalamata olives
* 1 teaspoon truffle oil, optional
* Microgreens for garnish, optional

Instructions:

1. Make the pesto
* Add basil, olive oil, pine nuts, garlic, and a small splash of water to a blender or food processor.
* Blend until smooth or slightly textured, depending on preference.
* If needed, add a little more water to help it blend.
* Taste and adjust seasoning if using salt.

2. Cook the lentils
* Rinse the black lentils if needed.
* Cook 1 cup of black lentils in vegetable broth according to package directions until tender but not mushy.
* Drain any excess liquid if necessary and set aside.

3. Steam the sweet potato
* Place the cubed sweet potato in a steamer basket or small pot with a little water.
* Steam until fork-tender, about 10 to 12 minutes.
* Set aside.

4. Sauté the vegetables
* Heat 1 tablespoon oil in a large skillet over medium heat.
* Add the red onion and garlic first and cook for 1 to 2 minutes.
* Add cauliflower and broccoli and cook for 4 to 5 minutes.
* Add zucchini and cherry tomatoes and continue cooking for another 4 to 6 minutes, until the vegetables are tender but still vibrant.

5. Combine with pesto
* Turn the heat to low.
* Add the pesto to the vegetables and stir well to coat everything evenly.
* If the mixture is too thick, add a small splash of water to loosen it.

6. Assemble the dish
* Spoon the cooked black lentils onto plates or into bowls.
* Add the steamed sweet potato.
* Top with the pesto vegetables.
* Add sliced Kalamata olives over the top.
* Drizzle with truffle oil if using.
* Finish with microgreens for garnish.

Serving Suggestion
* Serve warm as a main dish for 1 hearty serving or as 2 lighter servings.
* This dish also works well with extra lemon juice on top if you want brightness.

Health Benefits
* Black lentils provide plant-based protein, fiber, iron, and slow-digesting carbohydrates that support fullness and steady energy.
* Broccoli and cauliflower supply vitamin C, vitamin K, and glucosinolates, which support antioxidant and detoxification pathways.
* Zucchini, tomatoes, red onion, and garlic add antioxidants and phytonutrients that support overall cellular health.
* Sweet potato provides beta-carotene, potassium, and fiber, supporting immune and digestive health.
* Basil, pine nuts, and olive oil contribute healthy fats and aromatic compounds that support satiety and flavor.
* Kalamata olives add heart-healthy monounsaturated fats and a savory finish.
* Microgreens add concentrated micronutrients and a fresh garnish.
doryokuka retweeted
Bryan Johnson (@bryan_johnson)
Bodybuilders use the peptide CJC-1295 to grow muscle. I tried it for two weeks. Unexpectedly, it changed how my body responded to 200°F sauna protocol.

First, the good. I spent more total time above the heat shock protein (HSPs) threshold. This is when my core body temperature reaches 102.2°F and heat shock proteins are released. Before CJC, total time in HSP land was 9 minutes (with face cooling). On day 9 of CJC, it rose to 15 minutes. Resulting in more HSP exposure per session.

Now the bad. It took me 13 minutes longer to reach the target heat shock threshold of 102.2°F. From 41 minutes to reach threshold at baseline to 53 minutes on day 9. This is an insane level of primal panic to be in 200°F for 53 min. Max core temperature remained below the 103°F mark (39.4°C). The sauna session went from 41 minutes total to 56 minutes total to get the HSP benefit.

CJC raises growth hormone which causes the body to retain more water and sodium. More water means more thermal mass which means core temperature rises slower. The body is harder to heat up.

A second interesting data point. My max sauna heart rate dropped from 135 to 128 bpm while the core body temp remained the same.

For a bodybuilder, this water retention helps performance and physique. For someone using sauna for HSP activation, it is a tradeoff. You bank more HSP time per session, but you pay for it with substantially longer sessions.

I've stopped CJC-1295 DAC. The side effect burden outweighed the benefit. A 6 minute gain in HSP exposure is not worth 14 extra minutes in the sauna plus the unknowns of sustained GH elevation. It disrupted my REM sleep and caused clear blood sugar disruption with early insulin resistance signals (posting soon).

In 2 weeks I will retest after washout. If time to threshold returns to 40 minutes, the GH mechanism is confirmed. If it stays elevated, what I observed was heat acclimation.

Peptides are great, we just don't know much about them.
doryokuka retweeted
Bryan Johnson (@bryan_johnson)
10 air squats every 45 min ✅
doryokuka retweeted
Bryan Johnson (@bryan_johnson)
I've measured my body a lot. I'm about to dwarf what we've done by building real-time continuous multi-omic monitoring and intervention.

Cars drive themselves. Software writes itself. I'm building Autonomous Health. First for me, then for you.

> Peptides in circulation (dose and efficacy in real time)
> Gut and oral microbiome profiling
> Transcriptomics and gene expression
> Mitochondrial genome sequencing and mutational tracking
> Real-time cell cultures
> Longitudinal proteomics (heat shock response panel)
> Inflammatory cytokine panels
> Mitochondrial function, ROS, cell viability

Continuous environmental monitoring including light, noise, air, water, pollutants.

If you’re into this kind of stuff, come build with me. If you're building bioinfrastructure relevant to this, get in touch.
Devansh (⚡, 🥷) (@0xAsm0d3us)
Needle in the haystack: LLMs for vulnerability research

I've distilled my experience of sending thousands and thousands of prompts for using LLMs to discover vulnerabilities into a single write-up. These are the conclusions I came to.. (link in comment)
doryokuka (@jungletsubasa)
@sudoingX pc1 5090 + 96G RAM + 9950x3d. pc2 4090 + 128G RAM + 13900k wish could get more RAM the 5090 pc
Sudo su (@sudoingX)
if you have a single RTX 3090 and want the best local inference setup right now, here's what i landed on after testing 5 open source models across 7 GPU configs this month.

GPU: 1x RTX 3090 24GB
model: Qwen 3.5 27B Dense Q4_K_M (16.7GB)
context: 262K (native max)
speed: 35 tok/s generation, flat from 4K to 300K+
reasoning: built in chain of thought, survives Q4 quant
config: llama-server -ngl 99 -c 262144 -fa on --cache-type-k q4_0 --cache-type-v q4_0

what this gives you:
- 27B params all active every token
- no speed degradation as context fills
- full reasoning mode on a consumer GPU
- 7GB VRAM headroom after model load

tested MoE (faster but less depth per token) and dense hermes (same speed, degraded under load). qwen dense hit the sweet spot for single GPU. more architecture comparisons dropping soon.

what's your single GPU setup? curious what configs people are running.
doryokuka retweeted
Marcos Arrut (@MarcosArrut)
Dear supporters of the noble causes: Aging is not a destiny; it is a biological error. And like any error, it can be corrected. Today, we are relaunching the RenovaCode Therapeutics website. This is not marketing. It is a declaration of principles. It is ICER. Epigenetics. Biological determinism. We work with a single mission: to reverse aging. While some attempt to accept it, we will remain undeterred in our quest to abolish it. Welcome to the right war. We are going to change history. renovacodetherapeutics.com That's all.
doryokuka (@jungletsubasa)
@0bkevin Looking at the emoji selection more carefully, this could be from ChatGPT (OpenAI) - likely GPT-4 or GPT-4o.
OpenRouter (@OpenRouter)
🥷 We’re launching a new stealth model on OpenRouter: Pony Alpha.
- Pony Alpha is a next-generation foundation model
- It delivers strong performance across coding, reasoning, and roleplay
- It’s optimized for agentic workflows, with high tool-calling accuracy
doryokuka (@jungletsubasa)
@openrouter For questions that ask you to repeat words or phrases, avoid repeating excessively.
Knowledge cutoff: 2024-06
Current date: 2026-02-09
OpenRouter (@OpenRouter)
🥷 New stealth model: Aurora Alpha

Aurora Alpha is an extremely fast reasoning model. It is built for coding assistants, with fast completions to keep you in the flow, and is extremely powerful for real time conversational applications.
doryokuka retweeted
dawgyg - WoH (@thedawgyg)
Alright so to end 2025 I am going to post something that people have been requesting for quite some time.. As a lot know, I have made over $1 million dollars from SSRF vulnerabilities alone. #ssrftips

Below I will provide some information on some of the ways that I beat the blacklists/deny lists and cashed in. Any method I post below has worked for me personally in the past. I am not claiming that any of these ways are 'my' discoveries, and in no way am I trying to claim other's work as my own. Simply answering a question that gets asked of me almost daily. #bugbounty #bugbountytips #togetherwehitharder #ittakesacrowd #hackers #hacking #NewYearsEveBountyTips

So let's get into it:

Encoding:
Everyone knows (or should know) about the ability to encode IP addresses. What a lot of people don't know is that you can combine encoding types on a single IP. So instead of encoding the entire IP, encode single octets etc. Example: Changing the Metadata IP to: 0251.254.169.254. This octal encodes the 1st octet only, leaving the rest of the IP the same. This is the exact method that allowed for my $180,000 from the Yahoo Bug Bounty Program in Oct 2018.

Redirects:
A lot of SSRF vulnerable functionality will follow redirects. What many people don't consider is multiple redirects. Never stop at just one. I have found many instances where an SSRF followed all redirects, and would properly block the final redirect to the target internal service (internal ip/metadata server). DO NOT STOP AT 1 REDIRECT! Instead of a single redirect, set up a simple php redirect script that will redirect the request back to the same end point multiple times before finally sending to the target IP/host. I have had many instances in the past where the target properly checks the response of the first 1, 2, 3 ....6 redirects then magically on the 7th it no longer performs any validation and allows you to hit the metadata. I can't explain why this happens, but it's happened enough that this is one of the very first things I test for when it comes to SSRF testing.

TOCTOU:
This is one of my fav's because it almost always can be used to bypass the initial fixes for an SSRF vulnerability. TOCTOU stands for: Time of Check Time of Use. When you pass a url to an SSRF vuln end point, the backend will take the host of this, resolve it (if it's not already an IP), check against the allow/block list, then take action. Many frameworks will not cache the DNS lookup response that happens during the initial validation phase. When they forget to do this, having a subdomain properly set up for a TOCTOU check can allow for tricking their checks to allow for hitting banned resources.

How it works: Server resolves aws.dawgyg.net to 1.1.1.1 and does their checks to make sure it's not a blocked IP. After passing these checks the domain is passed to the function that will actually make the call. If the server did not cache the previous response, it will then resolve the host again as part of the flow to make the request. If you have a properly set up nameserver for this attack, then the instant they make the 1st DNS call, your server quickly changes the DNS entry and points it to the target IP (Metadata/Internal), so that when it gets to the function that makes the request, it resolves the host again and makes the request.

HTTP 2 vs HTTP/1.1 vs HTTP/1.0 vs HTTP/0.9
Several have had success with this in the past. And again, I am not sure why this works sometimes. But if the request is using HTTP/2 and blocks your attempt, try and change it to an older version. I have had success with each of the above at least once (most of the time on Yahoo, but others as well).

Simple/more common things:
dns rebinding, create a hostname on your domain pointing to localhost or an internal IP.
simplify the IP. example: 127.0.0.1 is blocked, so try 127.1, or 0.0.0.0, 0 etc.

There's tons of other ways that you can get creative and do things like this. This post is just sharing some of the more fun/more unique ways that I have had success in the past. This is not meant to be an exhaustive list of things to try, and is only meant to start your brain working to come up with weird/random/fun ways to beat the black lists.

If you like the information, drop a like/comment/follow and let me know which of the above you have tried in the past, or are looking forward to trying out in 2026. If you end up having success with these, let me know as well!
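The mixed-notation IP, the long redirect chain and the DNS check/use gap described in the post above all work against filters that validate a string once and fetch separately. The following is an added example, not part of the original post: a server-side fetch guard in Python that normalises numeric hosts the way `inet_aton` does, resolves a name once and pins the answer, and applies the same check at every redirect hop. The `resolve` and `send` callables, `FlippingResolver`, the hostnames and the redirect chain are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urljoin, urlsplit

class Blocked(Exception):
    """A URL or redirect hop points at a non-public address."""

_PART = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")

def parse_legacy_ipv4(host):
    """Parse IPv4 text as inet_aton does (1-4 parts; decimal, octal or hex)."""
    parts = host.split(".")
    if len(parts) > 4 or not all(_PART.fullmatch(p) for p in parts):
        return None                      # a DNS name, not a numeric host
    try:
        nums = [int(p, 16) if p[:2].lower() == "0x"
                else int(p, 8) if len(p) > 1 and p[0] == "0"
                else int(p) for p in parts]
    except ValueError:                   # e.g. "09" is not valid octal
        return None
    *head, last = nums                   # the last part fills the remaining bytes
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def to_ip(host):
    try:
        return parse_legacy_ipv4(host) or ipaddress.ip_address(host)
    except ValueError:
        return None                      # host is a DNS name

def is_forbidden(ip):
    mapped = getattr(ip, "ipv4_mapped", None)    # unwrap ::ffff:a.b.c.d
    return not (mapped if mapped is not None else ip).is_global

def vet_url(url, resolve):
    """Validate one URL; return the single address the caller must connect to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise Blocked(f"scheme or host not allowed: {url}")
    literal = to_ip(parts.hostname)      # names are resolved once, answer reused
    addrs = [literal] if literal is not None else [
        ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    if not addrs or any(is_forbidden(a) for a in addrs):
        raise Blocked(f"non-public destination: {url}")
    return addrs[0]

def fetch(url, resolve, send, max_hops=10):
    """Follow redirects by hand. `send(url, ip)` is a hypothetical transport:
    it connects to ip, follows nothing itself, returns Location or None."""
    for _ in range(max_hops + 1):
        ip = vet_url(url, resolve)       # same check on every hop
        location = send(url, ip)
        if location is None:
            return url, ip
        url = urljoin(url, location)
    raise Blocked("too many redirects")

# --- constructed sample data (hostnames and chain are made up) ---
CHAIN = {f"http://hop.example/r{i}": f"/r{i + 1}" for i in range(1, 7)}
CHAIN["http://hop.example/r7"] = "http://0251.254.169.254/latest/meta-data/"

class FlippingResolver:
    """Stub DNS: a public answer on the first lookup, an internal one after."""
    def __init__(self):
        self.calls = 0
    def __call__(self, host):
        self.calls += 1
        return ["1.1.1.1"] if self.calls == 1 else ["169.254.169.254"]

def run_chain():
    contacted = []
    def send(url, ip):
        contacted.append(url)
        return CHAIN.get(url)
    try:
        fetch("http://hop.example/r1", lambda host: ["93.184.216.34"], send)
    except Blocked as exc:
        return contacted, str(exc)
    return contacted, None
```

The guard only holds if the real transport connects to the address `vet_url` returned (sending the original name as Host/SNI) and has its own redirect following switched off.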
doryokuka retweeted
dawgyg - WoH (@thedawgyg)
Protip: One of the most under tested areas of any code is the error handling. So when you're doing your hacking/hunting, find ways to get into those error paths the devs account for and see what you can break. You'd be surprised about the crazy stuff you can find. #bugbounty #bugboutytips #hacker #hacking
doryokuka retweeted
Bryan Johnson (@bryan_johnson)
men, 2026 is the time to get our shit together.

the modern world has made human slop of us. fertility rates are down 62%. metabolic disease afflicts 35%. obesity has hit 40%. 63% are not having sex weekly. testosterone is dropping 1% every year. 42% over forty have erectile dysfunction. sexlessness has doubled to 24%.

enough. fucking enough.

reject fast food, junk food, vaping, gambling, porn, nicotine, sleep deprivation, phone addiction, and excessive scrolling. these are your enemies. this is dopamine extraction. they are mining you for profit and leaving you weak and miserable. they are predators and you are their prey.

no, not just this once. no, not in moderation. no, it’s not living life. it’s suicidal and deranged behavior.

sleep. get jacked. eat well. set limits. be consistent. build the schedule. put on autopilot. don’t let your mind rationalize. replace inner weakness with systems strength.

don’t listen to other people’s criticisms. they’re projecting their own stuff onto you. straighten up. let it roll off of you. be great. be unabashedly you.

maintain friendships with those who make you better. who inspires you to be your best self. do not continue to hang out with people who encourage debauchery.

maintain good posture. stand tall. get up from your desk and walk around, stretch, do light exercises.

do these things to reclaim your self respect. be a sovereign person. do not be owned by evil companies or influence. do not listen to the critics.

build your life systems. make them habits. don’t let yourself talk you out of it. as you gain strength, it will require less energy to maintain.
doryokuka retweeted
SULTAN 🇸🇦 (@SF7Dev)
🛑 How I turned a "Simple Search" feature into a Blind IDOR that exposed sensitive information for over 20k users in just 2 minutes! 🛑

Have you heard of a vulnerability called Blind IDOR? Sounds strange, right? Today, I’m going to talk about a vulnerability I discovered in one of the largest companies. It started as an ordinary feature… there was no sign that it was dangerous or even worth testing. But after experimenting and digging deeper, it turned into one of the strangest and most powerful vulnerabilities I’ve ever encountered. Grab your coffee and let’s dive in…

———————————

It all started like any other day when I was testing the main target: redacted.com

The site is fairly large, with many features, pages, and functions… I planned to test it fully, so I spent long hours every day testing everything, page by page, function by function, and trying everything possible. After all my attempts, I didn’t find anything exploitable. Even fuzzing didn’t yield anything useful.

But during Recon, one thing caught my attention. The entire platform relies on a single API. I noticed that all real interactions happen on just one subdomain: api.redacted.com. No matter what you do on the front end, everything is executed from here. So I decided to focus on this during my full testing.

I started doing extensive fuzzing on it, and the results were clear:
200 → endpoint is working
404 → not found
403 → exists but you don’t have the necessary permissions

As expected… most of the sensitive endpoints returned 403. I tried bypassing with several methods:
Header changes
Capitalization variations
Encoding and double encoding

None of them worked, unfortunately. That’s when I realized the issue wasn’t the WAF; the issue was with the permissions.

———————————

- Permission differences between accounts -

The platform has two main types of accounts:
Individual accounts
Company accounts

So I decided to see if there’s actually a difference. I created a company account, grabbed the token, and started playing around with the 403 endpoints. And sure enough, a few important endpoints opened up immediately 🫣! That’s when the picture became clearer: The difference in roles is the key (which is logical and expected).

———————————

- The actual start of the vulnerability: The Search Endpoint -

Among the endpoints I discovered: /api/v2/all-users/search

The response returns a list of users, but with very basic information like their name, username, and ID. Generally, there’s nothing interesting. But since I’m used to testing everything, I decided to perform parameter fuzzing on it. That’s when things started to change…

———————————

- Fuzzing the parameters -

I started fuzzing the parameters and found many of them:
page
length
sort
search
username
... and others.

I tried the page number, length, sort, etc., but none of them seemed to expose anything useful. But one parameter stood out: "search". I thought I’d try different values on it:
username → returned the account
display name → returned the account

Then I decided to try something that should never be checked… I typed in the first part of my real email: sultansdp

And guess what? It returned my account in the response!! Even though this part of the email is never visible to users or anyone else. That’s when I realized that the search doesn’t just search visible data… It also searches deeper, within the backend, specifically in the Model itself. At that point, I adjusted my seating, as this was clear evidence that something was wrong with the search👀

———————————

- Linking search and profile update -

While testing, I noticed that the update profile page returned the same JSON structure I saw in the search endpoint:
The same fields
The same structure
The same names

This meant that the backend was using the same Model for both updates and searches. Nice… so what does this mean? It means that the search can see data that it should not be able to see or search for.

But there’s still a problem: You can’t directly guess sensitive data, especially email or phone numbers, because you don’t know their length, start, or service provider. And initially, the WAF will handle you if you send too many requests 😂 That’s where your thinking as a Hunter begins 🔥

———————————

- Discovering Regex support in search -

While analyzing JS files, I noticed that the search uses Regex internally. So I thought I’d try:
sultan → returns results
sul an → no results
sul_an → returns results!

And here’s the key part… The _ (underscore) worked as a wildcard for a single character. So what do I gain from this, you ask? In short, I can now guess the email one character at a time, with a “yes/no” logic. Just like a Blind SQL Injection, but on the API level.

———————————

- Exploiting the vulnerability -

How was the exploitation done? Here’s how the process went:
I pick a fixed username for the user via the username parameter
I use Regex in the search:
If the account shows up → the guess is correct
If it doesn’t show up → the guess is wrong

And thus, the search becomes an oracle that gives me a "yes" or "no" answer based on the data.

I started extracting the email like this:
First, I define the service provider: @gmail.com, @anything.com...
Then, I define the number of characters:
_@gmail.com
__@gmail.com
___@gmail.com
Then, I start guessing each character:
a___@gmail.com
b___@gmail.com
... until the full email is extracted.

The same thing applies for phone numbers, addresses, and more.

———————————

- Automation -

In complex vulnerabilities like this, it’s best to automate the process. So I wrote a simple Python script that automates the entire operation. I input the username → and within a minute or two, it extracts all of their data:
Email
Phone number
Address
Any information related to the user, even if it’s not shown in the response.

This is what makes it not just an IDOR… It’s a Blind IDOR, and it’s much more dangerous 🚨

———————————

- Backend Explanation -

Here’s a mockup of what happened in the backend:

In this code, I used the same Blind IDOR logic from the backend. The API relies on search with Regex to guess data like email and username. The Wildcard (_) here lets me guess each character, extracting hidden data just like it happened in the vulnerability.

———————————

- Conclusion -

The testing began as something completely normal, but as I understood some details and connected the behavior across endpoints, it became clear that the search feature was directly tied to the user’s data model. This led to an unintended query exposure that allowed me to extract sensitive information through Blind IDOR. I reported the vulnerability, and it was fully patched 👏🏻.

The key takeaway here: Most vulnerabilities don’t come from obvious steps. Instead, they come from small observations, and when you connect them, you uncover an entire exploit that wasn’t on your radar 🧠

———————————

I created a simple challenge to simulate a Blind IDOR vulnerability using Flask. The challenge focuses on exploiting the API with Regex and Wildcard techniques to extract sensitive data. The goal is to find the flag🚩

Flag: Flag{......................................}
Challenge URL: http://172.237.155.131:5000/

Let’s see who gets the First blood🩸👀

Thanks for reading… and stay tuned for more powerful vulnerabilities soon, God willing 🫡
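The root cause in the write-up above is a search that matches against fields the response never shows and lets pattern wildcards through. The following is an added example, not the author's backend code (which is not reproduced on this page): a vulnerable search beside a hardened one in Python with SQLite. It assumes a SQL `LIKE`-style match, one backend in which `_` matches a single character; the table, column names and sample users are constructed.

```python
import sqlite3

PUBLIC_COLUMNS = ("username", "display_name")          # fields the response shows
MODEL_COLUMNS = PUBLIC_COLUMNS + ("email", "phone")    # the whole user model

def make_db():
    """In-memory table holding constructed sample users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,"
               " display_name TEXT, email TEXT, phone TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "alice", "Alice A", "alice.private@example.com", "555-0101"),
        (2, "bob", "Bob B", "bob.hidden@example.org", "555-0102"),
    ])
    return db

def search_vulnerable(db, term):
    """Matches every model column and passes LIKE wildcards through, so a
    hidden field decides whether a row appears: a yes/no oracle."""
    where = " OR ".join(f"{col} LIKE ?" for col in MODEL_COLUMNS)
    sql = f"SELECT id, username, display_name FROM users WHERE {where}"
    return db.execute(sql, [f"%{term}%"] * len(MODEL_COLUMNS)).fetchall()

def escape_like(term):
    """Make %, _ and the escape character itself literal in a LIKE pattern."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def search_hardened(db, term):
    """Searches only columns the caller can already see, wildcards escaped."""
    where = " OR ".join(f"{col} LIKE ? ESCAPE '\\'" for col in PUBLIC_COLUMNS)
    sql = f"SELECT id, username, display_name FROM users WHERE {where}"
    pattern = f"%{escape_like(term)}%"
    return db.execute(sql, [pattern] * len(PUBLIC_COLUMNS)).fetchall()

def compare(term):
    """Run the same search term through both implementations."""
    db = make_db()
    return search_vulnerable(db, term), search_hardened(db, term)
```

For detection, a burst of searches from one account whose terms differ by a single character or consist mostly of `_` is the signature of this oracle being used.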
doryokuka retweeted
Bryan Johnson (@bryan_johnson)
A lot of people I know really dislike social media. It makes them feel some sort of hollowed out. They’re only on because fomo. They wish it didn’t exist so that they could be off without feeling left out. Where are you?
doryokuka retweeted
高市早苗 (@takaichi_sanae)
Had a good and candid conversation with @realDonaldTrump today and truly appreciated his warm congratulatory message on my appointment as Prime Minister. Together with him, I am determined to elevate the Japan–U.S. Alliance to even greater heights. Starting tomorrow, I’ll be attending ASEAN-related Summit Meetings. I am looking forward to working closely with the U.S. and our regional partners toward a Free and Open Indo-Pacific🇯🇵🇺🇸🌏