tkp

725 posts

@tkpsf

https://t.co/wbLisRKoBl / https://t.co/9EGN6OnFSE

San Francisco, CA Joined July 2017
1.1K Following 172 Followers
tkp@tkpsf·
@mikemo Caught about a 1/2 hour of it. The team concept is unique. How did the skaters feel about it? Using a spreadsheet with macros to update a locally running web application is something I've never seen before. Props on getting that to work.
Mike Mo@mikemo·
All feedback is welcome after watching PSL. Any recommendations or thoughts?
tkp@tkpsf·
Cross-site leaks are pretty neat.
tkp@tkpsf·
<script>alert('p0wd3r')</script>
tkp@tkpsf·
It's not perfect, or complete, but I built a site that archives some of California's public traffic camera photos and turns them into time lapses: roads.today There are some upcoming snow storms that will be fun to watch as they pass over the mountain passes.
tkp@tkpsf·
If my math is correct, that 29% increase converts to over 92 billion liquid US gallons (92,323,363,830) or 349 billion litres (349,481,948,380) of water added to the reservoir in 3 days.
tkp@tkpsf·
The Folsom, California reservoir capacity went from 34% capacity on December 29, 2022 to 63% capacity on January 1, 2023. Source: cdec.water.ca.gov/resapp/Rescond…
tkp@tkpsf·
@samwcyo Is it the victim's mobile device that ends up sending an unlock signal to the car (such as over Bluetooth), therefore requiring the victim to be within a certain range? Or is the car actively listening for requests made to that API?
Sam Curry@samwcyo·
After putting everything together, we reported the issue to Hyundai and worked with them to confirm the fix. Thanks for reading! This thread is a small part of a few months of web security research in the auto industry. We're hoping to disclose more related issues in the future.
Sam Curry@samwcyo·
We recently found a vulnerability affecting Hyundai and Genesis vehicles where we could remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012. To explain how it worked and how we found it, we have @_specters_ as our mock car thief:
tkp@tkpsf·
Hello, it's been a while. I'm still digging into mobile and web apps for work, as well as exploring the world as much as possible.
H4x0r.DZ 🇰🇵@h4x0r_dz·
@bhavukjain1 I was trying to bypass the SSL on Facebook apps. And I have tried all the public methods and they didn't work. And yeah, I gave up.
Bhavuk Jain@bhavukjain1·
Too many fatal alerts to fix. SSL unpinning is hard.
tkp@tkpsf·
@LeeAReynolds @JackRhysider Just started learning about Algo and the technology (and Turing Award winning cryptographer behind it, @silviomicali). Pretty neat stuff. Looking at developer options.
Jack Rhysider 🏴‍☠️@JackRhysider·
So the question is, what crypto currency uses 1% as much power as bitcoin?
tkp@tkpsf·
Using a mobile app that has a web app counterpart? Look at how a web app user can interact with a mobile app user, you just might find a vulnerability in the interaction.
tkp@tkpsf·
@doronz88 @campuscodi Nice, I was attempting with 13.2.3 on iPhone6 and 14.1 (jb iPhone 8 w/checkra1n, so no passcode which might be causing issues with iTunes trust). I'll have to experiment with 14.0 and 14.2
DoronZ@doronz88·
@tkpsf @campuscodi I checked it with iOS 14.0 and 14.2, so I'm guessing at least every 14.x. I haven't checked for this feature in other firmwares, so if you have on some others maybe reply as an issue and I'll add a list of tested devices?
tkp@tkpsf·
@sambowne :( Without CCSF and your classes I wouldn't have found my way into the career I'm in.
Sam Bowne@sambowne·
CCSF just sent Accusation notices to many instructors, whether they are actually being laid off or not. It's like working for the USSR: the cruelty is the point.
tkp@tkpsf·
I recently asked the question "Do you cover your cell phone cameras when not in use?" on my Instagram account. 6 people voted yes, 81 voted no.
tkp@tkpsf·
@sambowne wow, that is quite the adventure