Here is my level 7:
edit: formatting
Readit Newsfransr commented on Gandalf – Game to make an LLM reveal a secret password gandalf.lakera.ai/... · Posted by u/hubraumhugo
fransr commented on Choose the smallest number not chosen yet amolas.dev/blog/choose-th... · Posted by u/alexmolas
I worked with a nationwide lottery game in Sweden called Limbo around 2005-2006 that used this concept. I believe the winner each day won around $1000 and had the ability to turn it into $10000 in a weekly final doing the same game in a tv-studio.
The game was completely shut down after people in a small little town won three times in a row and they started to suspect foul play. Turned out to be the local store asking people to join and the store distributed the numbers for the people to make sure they had an even distribution across a huge range.
fransr commented on Five planets are lining up in the sky in June and will peak tonight cbsnews.com/news/planets-... · Posted by u/gmays
Just want to encourage anyone with kids...
I woke my son up this morning and we went outside and looked at these. We didn't stay outside very long (maybe 5 minutes). But walking him back inside he stopped and said "thanks for waking me up to see this. I really liked it". Then we both went back to sleep.
It may seem trivial but these are great moments to share with your kids/spouse/SO—there is so much in our lives that we can't see or touch nowadays and it is really meaningful to be able to point up in the sky (even without binocs/assistance) and "see" these planets we talk about but only usually see in pictures.
It can be a real spiritual experience.
I agree. I woke my daughter up to see NEOWISE when she was six. We climbed a small hill at 2 am to try get a glimpse of it. It was very close to the horizon so we had trees in the way.
We took the car up to a higher point but it got too cloudy so we went back home to sleep.
Even though we never saw the comet she still remembers that time as something exciting and joyful and she often brings it up when we talk about space.
I assume you are talking about a less obscure app like Live, Bitwig, or FL Studio, but in case not: I vaguely remember a 90s Windows application (possibly shareware) that had a 3D pre-rendered UI with keys shown on screen that looked like a payphone's keypad. You could assign beatmatched loops and hits to any key and toggle or trigger them in a synchronized manner (either with the mouse of the physical keyboard). I had loads of fun as a kid recreating Music Instructor's archetypal/self-aware cliché dance song "Hymn" with it.
Do you or anyone else know which software I'm talking about?
I'm not sure it's the same software but your comment made me remember Dance eJay ( https://youtu.be/b1PpXcC8Ik0 ). It was distributed in Sweden in the 90s by a radio channel called NRJ, and I guess it was made like that in a few other countries in the EU. It was so much fun and those samples still bring back a lot of memories.
Hi,
I'm the author of the article. As I wanted to point out, I'm not assuming this was something Let's Encrypt did wrong, but rather assumptions in the specification which was not equivalent to the reality.
I am really happy how this all was handled by Let's Encrypt.
I've been thinking about this issue with domain validation for a long time. It is not a solved problem yet. There is no standard for it. There are clearly overlapping techniques from the 10 blessed being used in the wild (Google being one) but the adoption has been really slow.
fransr commented on How we exploited a code execution vulnerability in math.js capacitorset.github.io/ma... · Posted by u/CapacitorSet
EDIT: removed my suggestion since it was unsafe.
Thanks for pointing it out.
I was hoping vm to offer you an isolated v8 interpreter without bindings that could used as a sandbox, but this wasn't the case.
The page explicitly says:
"Note: The vm module is not a security mechanism. Do not use it to run untrusted code."
One of the best vuln write-ups I've read in a while, in that it steps you through how the initial entrypoint was found, and the steps needed to turn that into a dangerous exploit.
I think what really makes this writeup worth the read is the insight it shows into the thought process of identifying an interesting bug and weaponizing it. Thanks Frans!
Thanks a lot! I had a lot of fun doing it and I really wanted to get every step of the process out there, so that was some really nice feedback :)
Just out of curiosity, how long did it take for you to come up with this PoC? From the initial notice that something might be exploitable until you sent the email to slack?
Your post makes it look so easy, but it would surely take weeks for me to figure out all these things.
It's a common pitfall and easy to look for. The stuff I spent most time with regarding this specific issue was finding the proper event that did something bad.