2·
6 days agoMAC addresses are only visible on a LAN
- 43 Posts
- 231 Comments
Joined 3 years ago
Cake day: June 12th, 2023
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
This is neat. I’ve intercepted trafic from a few apps in the past, and whenever cert pinning was enabled it was a massive pain to deal with
541·20 days agoBlocking or allowing domains should not mess up SSL. Is there anything else filtering or intercepting the trafic ?
4·1 month agoI believe Signal has already fixed it, while meta said they won’t fix this in WhatsApp.
This side channel can be used to infer more than a rough timezone, specifically, an attacker could continuously monitor :
- the number of devices linked to the target’s account, along with fingerprints that allow differentiation between operating systems and browsers
- the locked or unlocked state of the target’s phone
- whether the phone is connected via Wi-Fi or a mobile network
- whether the WhatsApp application or browser tab is running in the foreground or background.
In addition, an attacker could deliberately drain the target’s phone battery and consume their mobile data allowance
I’ve tested this on myself and can confirm all of this can be done reliably
This is not high effort. Starting from an open source WhatsApp client library, reproducing the attacks described in the research paper is trivial. There are even a few public github repos implementing PoCs of this.
Whether the reward should be considered high or low is ultimately subjective. What is objectively verifiable, however, is that an attacker can continuously (and silently) monitor several aspects of a target’s environment, including:
- the number of devices linked to the target’s account, along with fingerprints that allow differentiation between operating systems and browsers
- the locked or unlocked state of the target’s phone
- whether the phone is connected via Wi-Fi or a mobile network
- whether the WhatsApp application or browser tab is running in the foreground or background.
In addition, an attacker could deliberately drain the target’s phone battery and consume their mobile data allowance.
This would have been a (if not the only) good point to make in the article considering the title. But I guess this would have taken space away from ads
The headline is vert clickbaity : it does not affect VPN users (the law forbids age-gated websites from promoting VPNs as a circumvention), and the whole article is just an ad for VPNs
12·3 months agoHere is a link to the adjust.h GitHub in case you don’t feel like watching a video
Here is a link to the adjust.h GitHub in case you don’t feel like watching a video
Is this some kind of
virt-managerbut with a TUI ?
I’m using the latest firefox on the latest android (just tried it on chrome from the same phone and it loads fine)
It looks really interesting but the link is giving me an SSL error :/
https://github.com/atuinsh/atuin is a great tool to manage and search your shell history. I especially enjoy it being able to search commands based on the working directory I was in when I ran them.
It also has more features (which I don’t use) to manage dotfiles and sync shell history across hosts/devices.
18·5 months agoI once had a similar issue, caused by the keyboard layout in the os installer (when I defined the password) being different from the keyboard layout used for unlocking the drive. I quickly leaned to type my password in qwerty on my azerty keyboard and all is fine now.
Another similar thing I’m thinking about is trying with caps lock, as you may have had it on when defining the password
deleted by creator
Hâve you made a persistent volume for
/etc/nginx(or any of its subdirectories) ?IIRC, the templates are interpolated/copied on container start if the resulting configs do not exist already. Having a persistent volume would cause the issue you’re experiencing
I had one such case recently, turned out it was due to a faulty SATA (data) cable. Once you find which drive is clicking, try plugging it with a new cable before declaring it dead.
dmesgoutput may contain some useful error messages. If you find errors related to I/O, block devices, SCSI or SATA, you should include them in your post
19·6 months agoSomeone registering the domain would be able to receive any email sent to any address under this domain, including password resets.
Looks interesting, but after reading through the readme, I still clueless about the gameplay. Why does it need a container ? Is this some kind of security CTF with a story ?