Tim Strazzere

HackingTeam back for your Androids - now extra insecure! rednaga.io/2016/11/14/hac… @RedNagaSec

Race conditions run everything around me

@konrad_it @d0tslash @jcase @MThingguy @quarkslab I'd be shocked if any nation state who wanted to unpack it couldn't - it's all pretty basic under the hood if they have folks focus on it.

@konrad_it @d0tslash @jcase @MThingguy @quarkslab There are public things that can be easily used to unpack it. Though they aren't labeled with DJI or secneo keywords so folks seemingly never find them. Or they require complete turnkey solutions I guess? Giving out easy solutions only creates more work though.

Wow, really intrigued by what's going on here. Seems like the DJI Fly running on RC-N1, but with some modifications to add POI/mark targets in the mapview, did the orcs break SecNeo @d0tslash ? Looks like it, no?

Killer deal @raleys

And here are the slides from the talk: docs.google.com/presentation/d… Thanks for the nice words @argvee

Nothing much like digging into mtls on nginx and AWS to make sure you remember what pain feels like

Here’s a blog post covering all the technical details behind a strcpy bug I found in the Tony Hawk video game series that can be used to hack several gaming consoles and even get RCE on the over the network icode4.coffee/?p=954

As opinions trend up, output trends down?

Another banger from retr0id "Jailbreaking RabbitOS (The Hard Way)". It's got everything: secureboot bypasses, an Android bootkit, a tethered USB jailbreak over WebSerial, GPL violations, and highly questionable logging practices. A very fun read !! da.vidbuchanan.co.uk/blog/r1-jailbr…

This is how I approve PRs

Мне тут надо было WireGuard из России пробросить, и я на скорую руку родил такую штуку: github.com/ClusterM/wg-ob… Целую вечность не работал с сокетами на уровне системных вызовов.

Better late than never! The slides of our talk "Attacking Samsung Galaxy A* Boot Chain" at @offensive_con can be found here: github.com/quarkslab/conf… The video is also available: youtube.com/watch?v=WJ7wkJ…

Excited to talk at @reconmtl about a tool I've been working on to generate frida scripts to visualize coverage for the Android Java layer; hope you can make it! cfp.recon.cx/recon2024/talk…

While everyone is trying to break Bluetooth's cryptographic protocols, Jonas found a pairing bypass in the proprietary "Fast Connect" protocol in AirPods 🎧 More details in his blog post: blogs.gnome.org/jdressler/2024…

The fast JavaScript runtime Bun is much faster than Node.js 22 at decoding Base64 inputs. By much faster, I mean *several times* faster. But they both rely on the same underlying library (simdutf) for the actual decoding. So what gives? The problem is that Node.js needs to interact with v8, the underlying JavaScript engine (from Google)... and doing so is not trivial. Before we can start decoding the string, we need to grab the string... so, in this instance, we call String::Value... In turns, this allocates an array inside Node.js and asks v8 to copy the content to it... In an ideal world, we would avoid the trouble entirely and just ask v8 to give us direct access to how it stores the string... and we try to do that if we can... but let me come back to it... How bad can this be, right? Just a copy. Well. Let us do some profiling... So you see, the base64 decoding itself is about about 1/5 of the running time, but the copy takes half of it. What is up with this CopyChars function? Well, it is mostly just a wrapper around the standard high level C++ function std::copy_n as far as I can tell. (see v8/src/utils/memcopy.h) But we are copying for an 8-bit input to a 16-bit output... why is that? Base64 is pure ASCII... and v8 can store ASCII using 8-bit per character. We get there before both IsExternalOneByte() and IsOneByte() are false (see node/src/node_buffer.cc)... We have fast paths for these cases. If IsExternalOneByte() is true, we just get the bytes and everything is great. Unfortunately, it does not always work. So we have a v8 string that is really pure ASCII, but, seemingly, we can't tell that it is the case from Node.js, and so we have to convert it to UTF-16 needlessly, using a function that is maybe not very well optimized... and then we do the base64 decoding of an ASCII string from the UTF-16 input. It is not great. To be fair, this is just one string, created as 'Buffer.alloc(size, "latin1").toString("base64")', basically the base64 encoded version of the string "latin1latin1latin1...". In actual applications, we might have better luck. Yet. Yet. I am telling this complicated story for a reason. The story illustrates why our software is slower than it should be. We have layers of abstractions to fight against. Sometimes you win, sometimes you lose. These layers are there for a reason, but they are not free. To make matters worse... these abstraction layers often thicken over time... and the friction goes up. To be clear, I do not claim that the Node.js code is optimal. In fact, I know it can be better. But it is not trivial to make it go fast. I sometimes hear people say... "well, it is C++ and C++ is hard". No. The C++ part is easy relatively speaking. The difficulty is at a higher level. It is not a matter of syntax. It is a matter of architecture.

the people have spoken! enjoy, play nice: github.com/roddux/germy

"open source is free, if your time has no value" 😅 #qpss24

@seanhn Semgrep and eslint cranked up filter out lots of bad PRs

Developer friends: are there any code scanning tools for bugs that you actually love? As in, not a tool you use because you have to, but one that you actually like using and you feel brings real value day to day.