Ammar Askar

93 posts

Ammar Askar

@__ammar2__

شامل ہوئے Temmuz 2018

106 فالونگ162 فالوورز

@IceSolst @evelovesolive It is, a formal verification is only as good as your specifications, covering every case and making sure all implementations conform. WPA2 was formally verified but was still vulnerable to KRACK galois.com/articles/forma…

English

916

solst/ICE of Astarte@IceSolst·3d

@evelovesolive Interesting, I always imagined this would be extremely difficult and inevitably leave gaps, esp for more complex systems

English

124

Eve Bodnia@evelovesolive·3d

Formal verification is protecting code and hardware from all possible hacks!

Pedro Domingos@pmddomingos

Mythos broke into almost all of the NSA’s classified systems in hours, per its director. It would have been irresponsible to not impose export controls on it. (And on Fable, with its pathetically inadequate guardrails.)

English

5.2K

Ammar Askar@__ammar2__·3 Haz

@colemurray @IntCyberDigest Fixed today so yup, record time indeed.

English

cole murray@colemurray·3 Haz

@IntCyberDigest legend let me guess, it’ll be fixed in record time x.com/_colemurray/st…

cole murray@colemurray

“so you found a critical vulnerability and just publicly disclosed it?” “Yes, Dave” “And the vulnerability was fixed in record time?” “That’s correct Dave” “Sounds like responsible disclosure to me” “Precisely”

English

3.4K

International Cyber Digest@IntCyberDigest·3 Haz

‼️🚨 BREAKING: Another researcher skipped coordinated disclosure entirely and dropped a critical 1-click GitHub token theft in public because he doesn't want to deal with MSRC. In his own words: "I really don't want to deal with MSRC on VSCode bugs." The bug: just clicking a link can hand an attacker a GitHub token that reads AND writes to all your repos, including private ones. It lives in github[.]dev, GitHub's browser-based VSCode editor, which passes the browser an OAuth token that isn't scoped to a single repo. That token can touch everything you can. Researcher Ammar Askar found that VSCode's sandboxed "webviews" leak keyboard events to the main editor. A malicious repo opened via one link can simulate keystrokes, install a local extension that skips VSCode's publisher-trust check, and exfiltrate your token. He published a working proof-of-concept. He says when he reports github[.]dev bugs, GitHub tells him they're out of scope and to go report to MSRC, and a prior VSCode bug he reported was silently fixed with no credit. One commenter summed up the mood: "MSRC has turned into Feedback Hub."

English

338

2.2K

278.1K

Ammar Askar@__ammar2__·3 Haz

@zemnmez Oh yeah, your write up was awesome, learned a bunch from it! The twitter thread was also very entertaining.

English

thomas🌦@zemnmez·3 Haz

kinda dope i got a shoutout in this

vx-underground@vxunderground

Yeah, so pretty much this guy is releasing an exploit in solidarity with Nightmare Eclipse guy. He said he notified GitHub about the exploit 60 minutes before releasing this paper. I don't do web stuff, and I'm not a VSCode nerd, so I'm confused by the underlying technologies. If you're a stinky GitHub and VSCode nerd maybe you'll understand. tl;dr click github dev, github dev opens editor, in github dev editor have javascript, javascript does shortcuts automatically. github treats javascript shortcuts as real human input, or something. use javascript shortcut stuff to automatically install vscode extension. the vscode extension steals your data tl;dr tl;dr user clicks 1 link, 1 click steals all data from your github blog.ammaraskar.com/github-token-s…

English

4.4K

Ammar Askar@__ammar2__·2 Haz

Full Disclosure: 1-Click GitHub Token Stealing via a VSCode Bug blog.ammaraskar.com/github-token-s…

English

113

7.9K

Ammar Askar@__ammar2__·30 Nis

@atlurbanist @AngieAsadourian Tech square around 5th and Spring is a good bet. If you don't count students, maybe 8th and Peachtree St NE.

English

589

Darin Givens@atlurbanist·29 Nis

@AngieAsadourian Can you recommend a particular block or two in Midtown were I could observe a lot of pedestrian activity on sidewalks on weekday mornings? I'd like to visit.

English

1.9K

Darin Givens@atlurbanist·29 Nis

Question: Is there an Atlanta street or block that's particularly vibrant with pedestrian activity on weekday mornings? I heard form someone that Midtown sidewalks can be creepily quiet in the mornings, given the density. Just wondering if any place has a lot of activity.

English

16.2K

Ammar Askar@__ammar2__·17 May

@isidentical Key/value type restrictions? Does it have to work across versions? Quick thought would be to just dump the whole in-memory dictionary and mmap it into place. Looks like mmappickle.readthedocs.io/en/latest/ does something like that for a limited set of values and string keys.

English

batuhan the fal guy@isidentical·16 May

what is the best way to load an immutable python dictionary (~13GB of kv pairs) from a local file. ideally with pre-allocating the memory so we don't loose time on it.

English

650

Ammar Askar@__ammar2__·8 Şub

@R1amu__ @nobelsucks You don't get a vote

English

mouse 🐭🇨🇦@R1amu__·8 Şub

@nobelsucks I vote no

English

Nobel Yoo@nobelsucks·7 Şub

I think we should let twinks vote

English

145

Ammar Askar@__ammar2__·27 Eki

@SpraklingTwit We've hit peak Spotify

English

Diogenes Stan@SpraklingTwit·27 Eki

what the fuck

English

112

Ammar Askar@__ammar2__·26 Eki

Little easter egg in here for the memers: github.blog/2023-10-25-cyb…

English

718

Ammar Askar@__ammar2__·29 Eyl

@R1amu__ Good way to support them but I just use Dropbox

English

mouse 🐭🇨🇦@R1amu__·29 Eyl

Am I about to spend $8/month on Obsidian sync?... Much better value proposition than Twitter Blue 🤔

English

202

Ammar Askar@__ammar2__·25 Ağu

@SpraklingTwit Spend less on movies!

English

Diogenes Stan@SpraklingTwit·24 Ağu

can someone who is good at budgeting help me Food - $50 Cell phone - $100 Transportation - $50 DragonCon costumes - $2,000 Movies - $25 please, my family is starving

English

138

Ammar Askar@__ammar2__·31 May

This isn't the first time Microsoft has botched handling vscode security. More details on my blog here: blog.ammaraskar.com/vscode-rce/

English

412

Ammar Askar@__ammar2__·31 May

Suffice it to say I'm very dissapointed in @msftsecresponse and @code around their handling of this. Two months to triage an RCE and mark it moderate severity and ineligible for bug bounty is crazy to me.

English

497

Ammar Askar@__ammar2__·31 May

I found a remote code execution bug in VSCode that can be triggered from untrusted workspaces. Microsoft fixed it but marked it as moderate severity and ineligible under their bug bounty program.

English

972

Ammar Askar@__ammar2__·30 May

@__phantomderp You may already know this but for what it's worth, PSF fellows aren't necessarily developers of the Python language (that's the Python core dev team). Anyone can nominate someone who has had a big impact in the Python ecosystem to be a PSF fellow.

English

699

Björkus 'No time_t to Die' Dorkus@__phantomderp·30 May

🙃 I didn't know he was a PSF Fellow. I, uh. I use python mostly for scripting so it's not like my life depends on it but this is gonna feel... extra weird. (It's doubly weird because I parasocially know other PSF engineers and they're lovely so WTF!) twitter.com/BajoranEnginee…

mastodon.online/@bajoranengineer@BajoranEngineer

Sending unwavering support to @__phantomderp in the face of only wanting to continue to provide their expertise to their programming community. I condemn the RANCID remarks made publicly about them by a PSF Fellow.

English

10.3K

Björkus 'No time_t to Die' Dorkus@__phantomderp·28 May

Very cute that because I'm a person of color, Armin here thinks I'm just a Diversity Speaker and not anyone of technical merit.

Onnes@0nnes

Techbros stop figuring new ways to showcase their racism: still impossible

English

682

118.8K

Ammar Askar@__ammar2__·26 May

@R1amu__ Bro they really went out and made a separate app is absurd

English