thread of funny shit from browsing the 4chan source code. gonna tweet this live as i find stuff

okay admin.php i guess we are just raw dogging SQL in the big '25 how does mysql_global_do work tho

uhh this is ok i guess

In 2020, I solved a gnarly reverse engineering challenge in PlaidCTF. Only 9 teams solved.

It's a huge pile of Typescript. Everything is named after a fish.

The catch? There's no code, only types. How do they perform computation using just the type system?

(Spoiler: Circuits!) Let's break this down into individual lines, at least.

99% of YouTube videos lately are clickbait and stretch out ~1 paragraph of Wikipedia into 30+ minutes of content. Many videos are just questions with simple answers.

So I built : put in the URL and save your time! tldw.tube Code:

This was a fun way to practice my full-stack skills and try out how much Claude speeds up my work. It's greatgithub.com/stong/tldw

The entire disclosure seems to have been leaked online



Here is the report and POC gist.github.com/stong/c8847ef2…

https://twitter.com/gf_256/status/1839371715807498323

Not surprisingly, it's in cups-browsed.

Thankfully, the mitigation seems to be simple: uninstall or firewall off cups. And most servers and containers should not have cups installed

im pirating Ableton Live suite 12

the .NFO has an interesting tidbit:

"does not modify any original binaries".

How does it work? lets find out. live reversing thread lets go downloaded torrent is a split rar. lol

in 2024

In 2008, the Danish government used cutting-edge cryptography to auction 25,000 tons of beets.

The auction was needed to set the price of sugar beets. However, the farmers didn't want to show their hand. Rather than hire expensive consultants, they used MPC to implement this private auction.

But what's MPC, and how does it work? Let's build a MPC implementation from scratch. Here's how: MPC, or multi-party computation, is about how multiple parties can do shared computations on private inputs without revealing those private inputs.

Suppose you and your friend want to compare who's richer, but without revealing your net worths.

MPC allows us to accomplish this, by computing the function (x > y), where x and y are private inputs.

In general, MPC can be used to build all kinds of useful protocols, like threshold cryptography, dark pools, and private auctions (for sugar beets)!

Announcing Smart Contract Fiesta:🎉

An open-source, high-quality dataset of over over 175M lines of Ethereum smart contract source code! It has about ~150k unique contract sources across 30M smart contracts.

huggingface.co/datasets/Zelli…

Read more: 👇🧵 Dataset statistics:

Total contracts: 30,586,657
Contracts with code available: 3,897,319 (>10%!)
Contracts with code + unique bytecode: 149,386

Total LoC: 177,552,050

@chompie1337 CTFs = math competitions
Problem solving ability yes; but ruthlessly heavy on “guess the trick” and “get into the chal author’s brain” and “know chal fashion meta”.

I like to tell people to hack video games. More free form, less on rails, many possible solutions, more creative. @chompie1337 CTFs should not be the ONLY answer for “how to get into security” because it’s on rails. It is good at teaching SPECIFIC tricks and skills. But chals often have ONE intended solution. Whereas security in general is all about finding the alternative and unintended paths.

Common misconception: Idle memory usage is bloat. "I have 32GB of RAM, why is 16GB used when nothing is open?"

No, this is fine. If the memory is installed, the OS should make full use of it. Caching and prefetching are crucial for performance. Do you want everything to be slow? "In use" != "Unavailable memory"
Private bytes (non-shared, non-cached) is unavailable memory.
And that is not even considering swapping/paged vs non-paged.

OMG WTF bro wtf...

A bug in WETH:
Wrapped ETH is a smart contract that has been in over 125 MILLION Ethereum transactions. This year, 11.5% of all transactions used Wrapped ETH.
But is it secure? I formally verified two critical safety properties with a SMT solver, Z3.👇🧵
zellic.io/blog/formal-ve… WETH is an extremely simple smart contract. It clocks in at 62 lines of code. It's a simple utility contract that wraps native ether into a ERC20-compatible token.
That's why it's so popular: it lets devs avoid the hassles of native eth, simplifying code.

My final thoughts on this ordeal. 1/

1. Even if someone has done some reprehensible shit we should remember to not go too far. Everybody is human after all. And, dogpiling onto one person is cruel and can lead to horrible outcomes that everyone will regret. 2. This YT comment really bothered me. I do not want anyone to feel that infosec is filled with horrible mean people who will drag you through the mud. I want to make it clear that this was an absolutely exceptional case that goes far beyond simply being incorrect.

IDA pro tip: For custom calling convention, many people know __usercall (args / retval). But did you know __spoils for preserved and volatile registers?
hex-rays.com/products/ida/s… Before and after setting the proper __spoils. Notice how a1 and v4 are both aliased to r11? The problem is the callsite to `encryptcrap`, which hexrays treats as a fence if the call convention is underspecified (since r11 assumed as clobbered)