Posts by gynvael@infosec.exchange
(DIR) Post #AQsi7xwzxc6J7zSykS by gynvael@infosec.exchange
2022-12-17T12:05:17Z
0 likes, 0 repeats
This year I'm back on the program committee for CONFidence conference (had to skip last year due to personal stuff).Anyway, CONFidence is one of the best known Polish #security / #hacking conferences. So, if anyone has any cool talk ideas, here's a link to the CFP:https://cfp.confidence-conference.org/confidence-cfp-2023/CONFidence is an offline conference, which will take place on 5-6 June '23 in Krakow/Poland.If anyone's also interested in attending, here's a link to some more info / early bird tickets:https://confidence-conference.org/
(DIR) Post #AcXGGvu5YXcKzvnU4e by gynvael@infosec.exchange
2023-12-06T14:22:53Z
0 likes, 0 repeats
Dear Mastodon community experts: We want to create a mastodon account for our zine about programming/hacking/etc (https://pagedout.institute), but we're really not sure which server to choose (it's a bit more complicated as this would be a project account that would write about the project, new issues, call for articles, but also printed special editions you can buy).Any hints are really really welcomed!
(DIR) Post #AcwXEBhsuIizP2vCQC by gynvael@infosec.exchange
2023-12-18T13:13:21Z
0 likes, 1 repeats
[PL] Wypuściliśmy dzisiaj wywiad z 𝗣𝗼𝗹𝗮𝗻𝗱 𝗖𝗮𝗻 𝗜𝗻𝘁𝗼 𝗦𝗽𝗮𝗰𝗲, tj. (p4 + Dragon Sector + przyjaciele) o HACK-A-SAT 4:https://youtube.com/watch?v=9Gl8ZZDbM7MMiłego oglądania!
(DIR) Post #Ad2RgxNykwtsEWFSz2 by gynvael@infosec.exchange
2023-12-21T14:04:06Z
1 likes, 0 repeats
Was bored, someone handed me malware, made a partial AST-transformer based deobfusctor.https://github.com/gynvael/random-stuff/tree/master/blankobf-partial-deobfuscator(I absolutely love how #Python has all the tools needed to do this kind of stuff in the standard library)
(DIR) Post #ApX5C4gJMZwbRFokXA by gynvael@infosec.exchange
2024-12-28T09:37:34Z
0 likes, 1 repeats
Want to support security researchers from Dragon Sector in covering legal costs piling up after they went public with logic bombs in train firmware?IBAN for donations is available here:https://www.ccc.de/en/updates/2024/das-ist-vollig-entgleistTalks for contexthttps://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trainshttps://streaming.media.ccc.de/38c3/relive/336#38c3 #dragonsector
(DIR) Post #AqcNRufkg0xeaDOr0S by gynvael@infosec.exchange
2025-01-30T19:30:01Z
0 likes, 1 repeats
"[...] representatives of this group of hackers, commonly referred to as "ethical hackers", though theft and home invasion have nothing to do with ethics—but well, I understand, ethical hackers, because that's what they call themselves [...]" (a certain Polish MP)"Hacker", as we in the bizz know well, carries different meanings for different people, and this can cause hilarious misunderstandings. Yesterday, the Polish TV network TVN aired the second part of an ongoing documentary about issues in NEWAG trains that were analyzed by Dragon Sector. Near the end, the documentary featured a recording from the November 2024 meeting of the Parliamentary Infrastructure Committee, which was meant to discuss the matter. During the meeting, one of the Members of Parliament took issue with the Dragon Sector team being referred to as "hackers"—the quote above is from him (translated from Polish).This, of course, is nothing new—just another example of someone knowing the colloquial meaning of the word but not its specialized one. This disconnect has existed for at least the past 40 years.This raises an interesting question—should we use the word "hacker" in formal settings (court, parliamentary committees, etc.), or would we be better understood if we opted for "cybersecurity specialist" or a similar term, as we often do on LinkedIn and other professional platforms?Or perhaps we should continue using the word "hacker," as it serves as a great litmus test for whether the person we're discussing these topics with is truly familiar with the computer security industry and its terminology. It’s an unexpected but useful canary—or perhaps a reminder—that not everyone speaks "computer."Returning to the original quote, and on a rather amusing note—or perhaps to balance things out—multiple departments of the Polish government are actively seeking to hire individuals with the "Certified Ethical Hacker" certification. In some cases, you can even get grants to earn it! Additionally, one can find information on government websites about how Dragon Sector was invited to the National Security Bureau to receive a commemorative letter of congratulations and symbolic gifts after winning the 2014 CTF season.So, do we continue advocating for our specialized meaning of the word "hacker" in official settings? Or should we revert to something more neutral instead?Just food for thought :)
(DIR) Post #Avitu3ZoJM4SlM4BA8 by gynvael@infosec.exchange
2025-07-02T11:58:03Z
5 likes, 2 repeats
Imagine the following situation: your company receives a ZIP file with an invoice, and you're the person responsible for checking if all the details are correct, before sending it off to the payment department. You open the archive, and there's a single PDF inside. You view it, and all the details match—your company's details, seller's company's details, items and total amount are what's expected, and even the bank account number is the same as on previous invoices from this company. As everything looks good, you forward the ZIP with the invoice to the payment team, and move onto reviewing other incoming invoices.A few days later you receive the same invoice again, but you already have it in the system. Just in case you reach out to the payment department whether it's been paid, and they confirm it has—great, no action required.Another month passes by, and you get a "payment due" reminder. What's this? You remember it being paid already, so what gives. You ask the payment team, they again confirm the invoice was settled. You phone the seller about this, but they say they received nothing. So you head down the hall to the payment department, you open the invoice on your laptop, and start going through the details with them. But what's this? The destination account number and amount in the wire transfer and the invoice don't match! The payment team manager's face gets a bit red—seems like it was their mistake? But no! They show you the invoice, and the amount and account number match the actual payment... but it doesn't match what you see on your screen! How can this be?Both of you re-download the ZIP archive from the email you've forwarded and open the PDF inside. And there it is—you see two different invoices. What in the world is happening?Immediately you report it up the chain, and your boss's boss gets a pair of IT forensics consultants on the job. They investigate, and later you learn that your company has been scammed with a pair of different invoices hidden inside a schizophrenic ZIP file. This means that you—on your work laptop running a certain software stack—saw and approved the correct invoice. But the payment team—running a different software stack—saw the fake invoice inside the ZIP, which they thought was what you had approved. Even later on you find out that the seller's company has been partially compromised and a lot of their customers got fake invoices. But that's water under the bridge at that point, and the money your company transferred is long gone.Technical details → https://hackarcana.com/article/yet-another-zip-trick
(DIR) Post #B069IkdVtMImsEJC9Q by gynvael@infosec.exchange
2025-11-08T13:16:13Z
1 likes, 0 repeats
@stfn Actually it's a compilation time constant deduplication (for the purpose of making the "code" object, which has a constants table used by the bytecode later on). So, only one object for 257 is created, and used in both places (similar to tmp=257; a=tmp; b=tmp).
(DIR) Post #B0B3FsLn7tltzm43pQ by gynvael@infosec.exchange
2025-11-12T17:35:18Z
0 likes, 0 repeats
Here's some blursed Python code for you:a, b, c = {"alice", "has", "a cat"}print(a, b, c)
(DIR) Post #B2BTHFvcIj9WLTHIVE by gynvael@infosec.exchange
2026-01-11T18:45:09Z
0 likes, 0 repeats
@foone So... ACCESS.bus?
(DIR) Post #B2EtloCUcfzTbnHT7o by gynvael@infosec.exchange
2026-01-11T13:22:40Z
1 likes, 0 repeats
A useful chart on what type to use for flags in C/C++ depending on your D&D alignment: