filleokus commented on Unlocking free WiFi on British Airways   saxrag.com/tech/reversing... · Posted by u/vinhnx
amritananda · 2 months ago
This is basically what Xray [1] does. For any connection request matching a particular SNI and not presenting a secret key, it proxies the entire SSL handshake and data to a camouflage website. Otherwise it can be used as a regular proxy disguised as SSL traffic to that website (with the camouflage website being set as the SNI host, so for all purposes legit traffic to that host for an external observer).

It's meant to get around the great firewall in China, so it has to avoid the GFW's active probers that check to make sure the external website is a (legit) host. However, a friend was able to get it to work on American's in-flight firewall if the proxy SNI is set to Google Analytics.

[1] https://github.com/XTLS/Xray-core

filleokus · 2 months ago
Someone was using Xray, proxying to my employer, and it was detected in our attack surface management tool (Censys). I had quite a stressful few minutes before I realised what was going on: "how the hell has our TLS cert leaked to some random VPS hoster in Vietnam!?".

Thankfully for my blood pressure, whoever had set it up had left some kind of management portal accessible on a random high port number and it contained some strings which led me back to the Xray project.

filleokus commented on Strong Eventual Consistency – The Big Idea Behind CRDTs   lewiscampbell.tech/blog/2... · Posted by u/tempodox
the_duke · 3 months ago
The big problem with CRDTs IMO is that they make it incredibly easy to break application semantics.

Just a basic example for a task tracker:

* first update sets task cancelled_at and cancellation_reason

* second update wants the task to be in progress, so sets started_at

If code just uses the timestamps to consider the task state, it would not assume the task is cancelled, unexpected since the later user update set it to in progress.

Easy fix, we just add a state field 'PENDING|INPROGRESS|CANCELLED|...'.

Okay, but now you have a task that is in progress, but also has a cancellation timestamp, which seems inconsistent.

The point is:

With CRDTs you have to consider how partial out-of-order merges affect the state, and make sure your logic is always written in a way so these are handled properly. That is *not easy*!

I'd love it if someone came up with a framework that allows defining application semantics on top of CRDTs, and have the framework ensure types remain consistent.

filleokus · 3 months ago
Yes!

And many CRDT implementations have already solved this for the styled text domain (e.g. bold and cursive can be additive but color not, etc).

But something user definable would be really useful.

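As an added illustration of the merge problem discussed in this thread (example code, not from either commenter): a per-field last-writer-wins map, the naive timestamp-based reader, and a variant that writes the state together with its cancellation fields as one register so they cannot diverge. Field names follow the comment; the timestamps and values are constructed.

```python
# Added example, not code from the thread: a per-field last-writer-wins (LWW)
# map is the kind of CRDT that lets a cancelled task silently become
# "in progress but still cancelled" after an out-of-order merge.
from dataclasses import dataclass, field


@dataclass
class LWWMap:
    """Each key holds (timestamp, value); merge keeps the newer write per key."""
    data: dict = field(default_factory=dict)

    def set(self, key, value, ts):
        # Strictly newer writes win; an equal timestamp keeps the existing value.
        if key not in self.data or ts > self.data[key][0]:
            self.data[key] = (ts, value)

    def merge(self, other):
        for key, (ts, value) in other.data.items():
            self.set(key, value, ts)
        return self

    def get(self, key):
        return self.data[key][1] if key in self.data else None


def status_from_timestamps(m):
    # Naive reader: any cancellation timestamp wins, regardless of ordering.
    if m.get("cancelled_at") is not None:
        return "CANCELLED"
    if m.get("started_at") is not None:
        return "INPROGRESS"
    return "PENDING"


def merged_naive():
    # Replica A cancels at t=1; replica B, unaware of that, starts it at t=2.
    # Per-field merge keeps both writes, so the task reads as CANCELLED even
    # though the later user action was "in progress".
    a, b = LWWMap(), LWWMap()
    a.set("cancelled_at", "2025-01-01T10:00", 1)
    a.set("cancellation_reason", "duplicate", 1)
    b.set("started_at", "2025-01-01T10:05", 2)
    return a.merge(b)


def merged_grouped():
    # Fix: state and its dependent fields are one value under one key, so the
    # later state change replaces the cancellation fields atomically.
    a, b = LWWMap(), LWWMap()
    a.set("task", {"state": "CANCELLED", "cancelled_at": "2025-01-01T10:00",
                   "cancellation_reason": "duplicate"}, 1)
    b.set("task", {"state": "INPROGRESS", "started_at": "2025-01-01T10:05"}, 2)
    return a.merge(b)
```

The grouped register trades field-level concurrency for invariants: two replicas that change different fields of the task at the same time now lose one of the writes instead of producing a contradictory record.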
filleokus commented on How we exploited CodeRabbit: From simple PR to RCE and write access on 1M repos   research.kudelskisecurity... · Posted by u/spiridow
gz09 · 4 months ago
Correct me if I'm wrong, but the problem here is not with GitHub Apps, instead CodeRabbit violated the principle of least privilege: ideally the private key of their app should never end up in the environment of a job for a client but rather a short lived token should be minted from it (for just a single repo (for which the job is running)) so it never gets anywhere near those areas where one of their clients has any influence over what runs.
filleokus · 4 months ago
I agree, this seems like straight up bad design from a security perspective.

But at the same time, as a customer of GitHub, I would prefer it if GitHub made it harder for vendors like CodeRabbit to make mistakes like this.

If you have an app with access to more than 1M repos, it would make sense for GitHub to require a short lived token to access a given repository and only allow the "master" private key to update the app info or whatever.

And/or maybe design mechanisms that only allow minting of these tokens for the repo whenever a certain action is run (i.e. not arbitrarily).

But at the end of the day, yes, it's impossible for GitHub to both allow users to grant full access to whatever app and at the same time ensure stuff like this doesn't happen.

filleokus commented on Nginx introduces native support for ACME protocol   blog.nginx.org/blog/nativ... · Posted by u/phickey
cortesoft · 4 months ago
My work is mostly running internal services that aren’t reachable from the external internet. DNS is the only option.

You can get wildcards with DNS. If you want *.foo.com, you just need to be able to set _acme-challenge.foo.com and you can get the wildcard.

filleokus · 4 months ago
Spivak is saying that the DNS method is superior (i.e. you are agreeing, and I do too).

One reason I can think of for HTTP-01 / TLS-ALPN-01 is on-demand issuance, issuing the certificate when you get the request. Which might seem insane (and kinda is), but can be useful for e.g. crazy web-migration projects. If you have an enormous, deeply levelled domain sprawl that is almost never used but you need it up for some reason, it can be quite handy.

(Another reason, soon, is that HTTP-01 will be able to issue certs for IP addresses: https://letsencrypt.org/2025/07/01/issuing-our-first-ip-addr...)

filleokus commented on Sumo – Simulation of Urban Mobility   eclipse.dev/sumo/... · Posted by u/Stevvo
filleokus · 5 months ago
I ride rental scooters almost 10k minutes per year and would really like to get my hands on my own ride data to plug it into something like this (or simpler) to find the optimal routes for my regular trips.

Google Maps (or others) works well to find a reasonable route, but I can do better on my own. One-way streets where bikes are allowed to go the opposite way are sometimes missing, short desire paths connecting bike ways, crossings where it's safe to do an (illegal) right-on-red etc.

Tried a GDPR data claim from Voi but got nothing back :( But I hope the data is somehow available for urban planners, think it would be a great source of truth to use in tools like this.

filleokus commented on Try the Mosquito Bucket of Death   energyvanguard.com/blog/t... · Posted by u/almuhalil
nsksl · 5 months ago
How is that better than what the article describes? You need gas, electricity (outdoors!) and get constant fan noise.
filleokus · 5 months ago
I guess it depends a lot on your situation, but for OP's method to be effective you need to out-compete other breeding grounds in not only your backyard but also X feet/meters away (whatever distance mosquitoes typically fly to "hunt").

If there's a nice shallow pond on the property line 100 feet from your porch (or water filled tires at the sloppy neighbour's or whatever it might be), I seriously doubt the efficacy of the method in the article.

This thing would lure in any mosquitoes (and unfortunately other things, as per sibling comment) that fly in your backyard, wherever they come from.

For electricity: That also of course depends, but around here it's not uncommon to have an outlet on the outside of some garage or outbuilding or something. The product I linked has a 50 feet cord as well. The fan noise has not been noticeable at all when I've seen it.

filleokus commented on Try the Mosquito Bucket of Death   energyvanguard.com/blog/t... · Posted by u/almuhalil
filleokus · 5 months ago
Many people with mosquito issues around here (Sweden) use something like https://www.clasohlson.com/se/Mosquito-Magnet/p/31-7190 which burns propane to produce CO2 to lure in mosquitoes and then sucks them in with a fan towards a metal grid to zap them with electricity.

Non-poisonous and from what I've heard fairly effective. Not sure if these exist in the US?

filleokus commented on Maru OS – Use your phone as your PC   maruos.com/... · Posted by u/fsflover
WorldPeas · 5 months ago
I think at this point the niche would be well-served if one could have a competent clamp-on landscape keyboard (so close, clicks keyboard) for their phone they could use to RDP into a better machine that could run while the phone is off. Additionally nice would be if the phone had a fully functional usb-c port that could do DP and usb for docking. At that point I'd have serious thoughts about retiring my backpack or nanote next. It frustrates me how close we are, if such a keyboard existed for $80 or so
filleokus · 5 months ago
I've been occasionally using Microsoft's RDP Client [0] on my iPhone with external keyboard + mouse with a usb-c cable into my external monitor (with a Logitech RF dongle connected to the back of it).

It worked okay; the mouse support is somewhat of a hack, but the keyboard works awesome.

The biggest annoyance was actually getting RDP to work satisfactorily on a Linux box with no external monitor plugged into it (Hetzner box).

I thought someone would have created an app to run a browser on the external screen in full resolution, so I could skip RDP and use vscode server via the browser. But the only option seems to be infinitex2p which is not available in the EU :(.

[0]: Which in typical Microsoft idiotic fashion semi recently got renamed to "Windows app"...

[1]: https://x.com/infinitex2p

filleokus commented on Allianz Life says 'majority' of customers' personal data stolen in cyberattack   techcrunch.com/2025/07/26... · Posted by u/thm
SoftTalker · 5 months ago
Unclear who is responsible here, Allianz or their third party "cloud-based CRM provider."

But I think that fundamentally, secure cloud-based SaaS is impossible. This stuff needs to be on-prem and airgapped from the internet. That makes some functionality complicated or impossible, but we're seeing that what we have now is not working.

filleokus · 5 months ago
Allianz have more than 150k employees with offices in 50+ countries. Not all of them need access to the CRM of course, but I think going back to on-prem is just asking for a different kind of trouble.

We don't have any details now, but I wouldn't be surprised if the cloud-based CRM provider didn't have a very technically interesting weakness, but rather that some kind of social engineeringy method was used.

If global companies like this instead had stuff running on-prem all around the world, the likelihood of more technical vulnerabilities seems MORE likely to me.

(Air gapping is of course possible, but in my experience, outside of the most security sensitive areas the downsides are simply not acceptable. Or the "air gapping" is just the old "hard shell" / perimeter based access model...)

filleokus commented on Azure API vulnerability and roles misconfiguration compromise corporate networks   token.security/blog/azure... · Posted by u/ArielSimon
gwynforthewyn · 5 months ago
I’ve worked with Azure for a few years now, AWS and classic data centres for 15 years before that.

It’s pretty clear if you check github that Azure’s services and documentation are written by distributed teams with little coordination. We have a saying in-house that the info is all in their docs, but the sentences and paragraphs for even trivial things are split across ten or fifteen articles.

I see a problem like granting */read in an innocuously named role and am left wondering if it was pragmatism, because figuring out least privilege was tough, or a junior who didn’t know better and was just trying to make progress.

I’m on a phone and can’t search git effectively, but I’d swear there was a comment or note on the golang implementation of msal saying that it used non-idiomatic go with no real support for many of the auth flows in v1 because it was written by an enthusiastic junior dev and released with little review. The modern version looks better, but I felt like I got a window into Azure back when I read that.

Building large services is hard, my hat is off that Microsoft is making it work, but sometimes we get to see that it’s just teams of developers doing it for them and those teams look a lot like the teams we work with every day. There’s no secret sauce, except that MS has the resources to iterate until the thing mostly works most of the time.

filleokus · 5 months ago
> It’s pretty clear if you check github that Azure’s services and documentation are written by distributed teams with little coordination.

I've come to the same conclusion after dealing with (and reporting) jankiness in both the Azure (ARM) API and especially the CLI. [0] is a nice issue I look at every once in a while. I think an installed az cli is now 700 MB+ of Python code and different bundled Python versions...

[0]: https://github.com/Azure/azure-cli/issues/7387

u/filleokus

Karma: 3452 · Cake day: June 6, 2012
About
[ my public key: https://keybase.io/filleokus; my proof: https://keybase.io/filleokus/sigs/X3sy2-d75jviQGx30hY5coCfZDG_epBylXhEwlSSHls ] filleokus_at_gmail.com