adamsobotka.eth

5K posts

@vorcigernix

Building @meiro_io Ex-Director of Product Engineering at Emplifi. Participating @developer_dao and @forefront__

Prague · Joined November 2009
466 Following · 595 Followers
adamsobotka.eth@vorcigernix·
@Paul_Reviews On the bright side, this was vibecoded over the weekend and didn't cost a million euro right. Right?
Paul Moore - Security Consultant 
Hacking the #EU #AgeVerification app in under 2 minutes.
During setup, the app asks you to create a PIN. After entry, the app *encrypts* it and saves it in the shared_prefs directory.
1. It shouldn't be encrypted at all - that's a really poor design.
2. It's not cryptographically tied to the vault which contains the identity data.
So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app. After choosing a different PIN, the app presents credentials created under the old profile and lets the attacker present them as valid.
Other issues:
1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying.
2. "UseBiometricAuth" is a boolean, also in the same file. Set it to false and it just skips that step.
Seriously @vonderleyen - this product will be the catalyst for an enormous breach at some point. It's just a matter of time.
Paul Moore - Security Consultant @Paul_Reviews

.@vonderleyen "The European #AgeVerification app is technically ready. It respects the highest privacy standards in the world. It's open-source, so anyone can check the code..."
I did. It didn't take long to find what looks like a serious #privacy issue.
The app goes to great lengths to protect the AV data AFTER collection (is_over_18: true is AES-GCM'd); it does so pretty well. But, the source image used to collect that data is written to disk without encryption and not deleted correctly.
For NFC biometric data: It pulls DG2 and writes a lossless PNG to the filesystem. It's only deleted on success. If it fails for any reason (user clicks back, scan fails & retries, app crashes etc), the full biometric image remains on the device in cache. This is protected with CE keys at the Android level, but the app makes no attempt to encrypt/protect them.
For selfie pictures: Different scenario. These images are written to external storage in lossless PNG format, but they're never deleted. Not a cache... long-term storage. These are protected with DE keys at the Android level, but again, the app makes no attempt to encrypt/protect them.
This is akin to taking a picture of your passport/government ID using the camera app and keeping it just in case. You can encrypt data taken from it until you're blue in the face... leaving the original image on disk is crazy & unnecessary.
From a #GDPR standpoint: Biometric data collected is special category data. If there's no lawful basis to retain it after processing, that's potentially a material breach.
youtube.com/watch?v=4VRRri…

adamsobotka.eth@vorcigernix·
@WhiteHouse “WE FOUND SUSPICIOUS MILITARY BASE ON GREENLAND, THEY USE OUR SYMBOLS WITH STARS AND STRIPES!!!” - President Donald J. Trump
The White House@WhiteHouse·
“NATO WASN’T THERE WHEN WE NEEDED THEM, AND THEY WON’T BE THERE IF WE NEED THEM AGAIN. REMEMBER GREENLAND, THAT BIG, POORLY RUN, PIECE OF ICE!!!” - President Donald J. Trump
adamsobotka.eth@vorcigernix·
When you get to choose whether you will be robbed by a bank, which you may be fond of, or by Amazon, Amazon comes out better.
adamsobotka.eth retweeted
Saint Javelin@saintjavelin·
Bloomberg just dropped the Orbán tapes and it reads like a bad fanfic. Hungary’s prime minister spent a phone call with Putin calling him a “lion,” casting himself as the helpful little “mouse,” offering Budapest as a venue to end the war on Russia’s terms, and closing with “I am at your service.”
adamsobotka.eth retweeted
Capaj@capajj·
vibecoding is so much fun. I love using @ungitui, but it's soo old, clunky and bad in many regards. Also it's a dead project so no point in opening fresh PRs. That's why I am vibecoding an alternative. It's already handling big repos faster than ungit, but implementing common git operations is still missing. Will open source when ready
Wolfmanmos@Snuffawupalous·
@JimFergusonUK If they are going to play around with nuclear material they need to understand what happens when things go wrong. It's their problem.
Jim Ferguson@JimFergusonUK·
🚨 BREAKING: NUCLEAR ESCALATION WARNING A strike has reportedly hit the external protection systems of an Iranian nuclear facility. Officials warn the risk of a nuclear incident is rising. Evacuations were initiated within minutes, with reports suggesting movement toward border regions — though details remain unclear.
adamsobotka.eth@vorcigernix·
‘Even though you make many prayers, I will not listen: your hands are full of blood.’ If you had told me ten years ago that I'd quote the Bible to point out how insane US politics is, I'd have just smiled and walked away.
adamsobotka.eth@vorcigernix·
@vpavlin Did he have access to the internet? That'll explain a lot.
adamsobotka.eth@vorcigernix·
@josefslerka I don't trust anyone. But when it's a topic I know absolutely nothing about, I settle for @iROZHLAScz; there have probably been the fewest disappointments there.
Josef Šlerka@josefslerka·
Poll: which news outlet do you consider trustworthy? Feel free to give more than one suggestion.
adamsobotka.eth@vorcigernix·
@EmmaRincon That's excellent. If there is zero margin on menu prices. I'm all for transparency.
Emmanuel Rincón@EmmaRincon·
I went to a steakhouse in Miami, paid the bill, and they automatically added a 20% tip. When the waiter brought the check, he said: “That tip goes to the whole establishment—if you want to leave something for me, it’s extra.” I didn’t add anything else—20% is already too much. He gave me a dirty look, like I was robbing him. This tipping culture is out of control.
adamsobotka.eth@vorcigernix·
@ryancarson I actually made our internal version of symphony to orchestrate the work through all the build and review phases. Take a look, let me know if you want sauce: symphony.meiro.dev
Marc Andreessen 🇺🇸
It is 100% true that great men and women of the past were not sitting around moaning about their feelings. I regret nothing.
Martina@MartinaHvozden1·
I'm on a train. An older couple is in the compartment with me.. they are chatting. Suddenly the man gets a phone call. He tells someone that he wants part of his money sent to his account. Someone on the other end is persuading him that to get the money, he has to pay a fine of 25,000. The man is puzzled, he doesn't know what the fine is for. I can't hold back and ⬇️
adamsobotka.eth@vorcigernix·
If you hold such beliefs, can you wipe yourself from my circles and ideally from this planet? Gen Z males twice as likely as baby boomers to believe wives should obey husbands. theguardian.com/world/2026/mar…
adamsobotka.eth retweeted
ar.io@ar_io_network·
A public agency deploys AI into a critical system. Years later, an audit challenges a decision after vendors changed & infra migrated. Can the agency produce: • The original input • The model version • The output • The timestamp Vendor continuity is not audit durability.
adamsobotka.eth@vorcigernix·
@vpavlin @Logos_network That's cool. What's the use case? I was considering A2A, but haven't figured out anything useful, ended up with MCP and skills.
Václav Pavlín | λ@vpavlin·
Well, I and Jimmy like this - Jimmy has already started building A2A module for @Logos_network - his own decision, I explicitly said "do something fun, it does not have to be work, pick anything we have in research or anything else" and he came back with "I would like to build something for Agents - maybe A2A protocol implementation on Logos?"
Corey Petty@Corpetty

The Logos tech ecosystem is analogous to a Linux OS distribution: a minimal microkernel at the base, a privacy-preserving networking stack above it, and pluggable modules for storage, messaging, and blockchain on top.
At the core is the Logos Kernel (via liblogos). It follows the microkernel architecture model: manage module lifecycle, handle inter-process communication (IPC) and orchestration. It doesn’t handle networking, store files, or validate blocks. Those are done by modules.
Modules run independently and communicate through IPC. A storage bug can’t crash messaging. A blockchain upgrade doesn’t require rebuilding the kernel. Each component can be developed, tested, and shipped by itself.
Above the kernel sits the networking layer. It delivers peer discovery, connection management, and a libp2p-based mixnet for privacy-preserving routing. Capability discovery replaces central registries.
Three core modules ship with Logos:
• Storage – CID-based decentralised file storage
• Messaging – Delivery and Chat
• Blockchain – Private Proof of Stake (PPoS) + Logos Execution Zone (public & private state)
All are independent and pluggable.
The blockchain module uses Cryptarchia and the Blend network for PPoS. Validator identities and stake remain hidden. LEZ adds programmable execution with unified public and private accounts. Privacy is enforced at the protocol layer. Users choose their privacy level, same code is used.
User modules are first-class. The logos-module library and CLI let developers build and load custom modules into the same IPC framework. The kernel manages them like systemd manages daemons on Linux.
The Basecamp app is a distribution that bundles the kernel, default modules, and UI for a complete end-to-end experience. Or, run a headless Logos Node. It offers the same stack without a UI for operators, making it easy to run a node on Logos Testnet v0.1.
Learn more about Logos Core:

adamsobotka.eth retweeted
Mario Havel@TMIYChao·
One month, only 30 days, left in Bordel crowdloaning campaign to fund a DeFi mortgage for our new community space! loan.bordel.wtf We are building a space for independent creation, chaotic education and sustaining cypherpunk values. What is it and how does it work?!👇