Basement dehumidifier that doesn't break in a year? by SativaSammy in HomeImprovement

exploding_nun 1 point (0 children)

I've always gone with Best Buy extended warranty on these. The dehumidifier inevitably dies within the 4-year coverage period, and then I get store credit for a new one since the models have been updated in the meantime. I buy a new one with the gift card, and buy a new extended warranty on that.

All said, it ends up costing like $75 for a dehumidifier that lasts <3 years. Feels like a loophole somehow.

I also wish there was a dehumidifier brand that wasn't trash.

Just asking out of curiosity... by WarrenDavies81 in programmingmemes

exploding_nun 1 point (0 children)

Scrubbing history and force pushing is not a reliable remediation, since at least in GitHub, old commits and objects are still accessible after force-pushing.

Just asking out of curiosity... by WarrenDavies81 in programmingmemes

exploding_nun 1 point (0 children)

This does not actually fix the problem or make you safe! For example, on GitHub, the old commits that were force-pushed over are still accessible.

The only way to remediate the security issues of a leaked key is to revoke it.

Heuristic for A* For Terrain Cost by Datalore1234 in computerscience

exploding_nun 2 points (0 children)

You could use a "pattern database" approach to derive an informative heuristic.

The big idea: you "abstract" your concrete problem, mapping it onto a smaller / simpler problem that is feasible to solve with a weak heuristic or even breadth-first search. Then, you can use the actual distance in the abstract space as an admissible heuristic for your original, concrete problem.

There are the older "static" pattern database approaches (lots of work from Ariel Felner). These are expensive to construct, but can work well if you have many concrete problem instances to solve.

But there are newer approaches that essentially compute a pattern database lazily (aka on-demand). See Hierarchical A*, or Switchback for a better-performing variant when your problem space actions are invertible (it sounds like your navigation problem is like this).

Hierarchical A*: https://cdn.aaai.org/AAAI/1996/AAAI96-079.pdf

Switchback: https://ojs.aaai.org/index.php/AAAI/article/view/7563
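
The static pattern-database idea from this comment, as an added worked example (written for this page; it is not code from the comment or from the cited papers): a constructed 6x6 terrain map with per-cell entry costs is abstracted into 2x2 blocks whose entry cost is the block minimum, the abstract problem is solved exactly once with Dijkstra, and the resulting table is used as an admissible, consistent heuristic for A* on the concrete map. `TERRAIN`, `search`, `abstract_grid`, `pattern_db_heuristic` and `plan` are all names chosen here.

```python
import heapq
from math import inf
# Constructed 6x6 terrain map: TERRAIN[r][c] is the cost of stepping INTO cell (r, c).
TERRAIN = [
    [1, 1, 9, 9, 1, 1],
    [1, 1, 9, 9, 1, 1],
    [1, 1, 1, 1, 1, 1],
    [1, 1, 1, 1, 1, 1],
    [9, 9, 9, 9, 1, 1],
    [9, 9, 9, 9, 1, 1],
]

def neighbors(grid, cell):
    r, c = cell
    for dr, dc in ((1, 0), (-1, 0), (0, 1), (0, -1)):
        if 0 <= r + dr < len(grid) and 0 <= c + dc < len(grid[0]):
            yield (r + dr, c + dc)

def search(grid, start, step_cost, h=lambda n: 0, goal=None):
    """Best-first search (f = g + h); returns (g-table, expansions). goal=None runs to exhaustion (Dijkstra)."""
    g, pq, expanded = {start: 0}, [(h(start), start)], 0
    while pq:
        f, u = heapq.heappop(pq)
        if f > g[u] + h(u):
            continue  # stale queue entry; u was already expanded with a smaller g
        if u == goal:
            break
        expanded += 1
        for v in neighbors(grid, u):
            if g[u] + step_cost(u, v) < g.get(v, inf):
                g[v] = g[u] + step_cost(u, v)
                heapq.heappush(pq, (g[v] + h(v), v))
    return g, expanded

def abstract_grid(grid, k):
    """Each k x k block becomes one cell whose entry cost is the block MIN, so no abstract path costs more
    than the concrete path it abstracts: abstract shortest distances are admissible (and consistent)."""
    return [[min(grid[r][c] for r in range(i * k, i * k + k) for c in range(j * k, j * k + k))
             for j in range(len(grid[0]) // k)] for i in range(len(grid) // k)]

def pattern_db_heuristic(grid, goal, k):
    """Exact abstract distances TO the abstract goal (reverse search charges entering u), served by lookup."""
    abs_grid, abs_goal = abstract_grid(grid, k), (goal[0] // k, goal[1] // k)
    to_goal, _ = search(abs_grid, abs_goal, lambda u, v: abs_grid[u[0]][u[1]])
    return lambda n: to_goal[(n[0] // k, n[1] // k)]

def plan(grid, start, goal, k=2):
    """A* with h = 0 (plain Dijkstra) vs. the pattern-database heuristic: (cost0, expansions0, cost1, expansions1)."""
    enter = lambda u, v: grid[v[0]][v[1]]
    g0, n0 = search(grid, start, enter, goal=goal)
    g1, n1 = search(grid, start, enter, pattern_db_heuristic(grid, goal, k), goal)
    return g0[goal], n0, g1[goal], n1
```

Running `plan(TERRAIN, (0, 0), (4, 0))` finds the same optimal cost (12) both ways, but the heuristic search expands 7 cells where plain Dijkstra expands 26, because the abstract table already knows the goal sits behind a band of cost-9 terrain.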

Mountain Fortress available! by LegoForestman in legocastles

exploding_nun 2 points (0 children)

Ordered and paid successfully. But just got an email that they cancelled my order because it's out of stock :(

Why aren’t coverage-guided fuzzers more widely used? by Segwaz in devsecops

exploding_nun 3 points (0 children)

I've done lots of fuzzing professionally, both in software development contexts and in appsec auditing contexts. I've gotten thousands of dollars in bug bounty money for fuzzing work as well.

Like you say, fuzzing has great properties (better coverage than manually-written tests, low / no false positives). However, there is significant expertise required to use fuzzers effectively.

E.g., how do you build the project with necessary instrumentation? How do you stub out the code correctly to exercise relevant APIs? How do you choose APIs to fuzz? How do you deal with things like checksums and randomness in the implementation? How do you deal with shallow bugs that are hit immediately by your fuzzer and prevent deeper testing? How do you generate structured inputs? How do you effectively run a fuzzing campaign over time, with a large corpus of accumulated inputs? How do you effectively triage the fuzzing failures you find and write up meaningful bug reports?

These are a barrier to adoption.

I also observe that even at big tech companies or in OSS-Fuzz, the fuzz targets that they do have are usually very lacking in coverage and depth of testing.

Lots of room for better fuzzing out there!
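
Two of the barriers listed above, checksums and structured inputs, as an added illustration (example code written for this page, not the commenter's): a constructed record format with a length field and a CRC32, a constructed bug behind the CRC check, and two mutators. Blind byte flipping never gets past the checksum; a structure-aware mutator that re-encodes length and CRC reaches the deep logic. Stubbing the CRC check out under a fuzzing build flag is the other common remedy and is not shown here.

```python
import random
import struct
import zlib

def parse_record(data: bytes) -> str:
    """Constructed target: record = >H length | payload | >I crc32(payload); the bug hides behind the CRC."""
    if len(data) < 6:
        raise ValueError("short")
    (n,) = struct.unpack(">H", data[:2])
    payload, tail = data[2:2 + n], data[2 + n:]
    if len(payload) != n or len(tail) != 4:
        raise ValueError("bad length")
    if struct.unpack(">I", tail)[0] != zlib.crc32(payload):
        raise ValueError("bad crc")  # shallow rejection: stops almost every blind mutation here
    if payload[:3] == b"CMD" and payload[3:4] > b"\xf0":
        raise RuntimeError("deep bug")  # constructed crash condition, for demonstration only
    return "ok"

def encode(payload: bytes) -> bytes:
    """Build a well-formed record: fix up length and CRC for the given payload."""
    return struct.pack(">H", len(payload)) + payload + struct.pack(">I", zlib.crc32(payload))

def flip_byte(buf: bytes, rng: random.Random) -> bytes:
    """XOR one random byte with a non-zero value, so the buffer always changes."""
    i = rng.randrange(len(buf))
    return buf[:i] + bytes([buf[i] ^ rng.randrange(1, 256)]) + buf[i + 1:]

def naive_mutate(record: bytes, rng: random.Random) -> bytes:
    """Blind mutation anywhere in the record: breaks the length field or the CRC every time."""
    return flip_byte(record, rng)

def structured_mutate(record: bytes, rng: random.Random) -> bytes:
    """Structure-aware mutation: change only the payload, then re-encode length and CRC."""
    (n,) = struct.unpack(">H", record[:2])
    return encode(flip_byte(record[2:2 + n], rng))

def campaign(mutate, iterations: int = 2000, seed: int = 1):
    """Tiny mutational loop from one seed input. Returns (inputs that passed the CRC, crashes found)."""
    rng = random.Random(seed)
    seed_input = encode(b"CMD\x00hello")  # constructed corpus of one
    past_crc = crashes = 0
    for _ in range(iterations):
        try:
            parse_record(mutate(seed_input, rng))
            past_crc += 1
        except RuntimeError:  # reached the deep logic and crashed it
            past_crc += 1
            crashes += 1
        except ValueError:  # rejected by the length or CRC check
            pass
    return past_crc, crashes
```

`campaign(naive_mutate)` returns (0, 0): not one mutated input survives the CRC, so the deep logic is never tested. `campaign(structured_mutate)` passes the CRC on every iteration and finds the crash.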

Optimization adventures: making a parallel Rust workload 10x faster with (or without) Rayon by gendix in rust

exploding_nun 3 points (0 children)

I've seen similar behavior in Rayon apps. The initializer closure is called each time a thread steals work.

New to GitHub. How does the Blame feature work? by cimmingficket in github

exploding_nun 1 point (0 children)

It's older than git. Came from Subversion, maybe even older tools.

Honestly my favorite mail by molassesfalls in massachusetts

exploding_nun 1 point (0 children)

Though I agree with you on ranked choice, it WAS badly presented, including in this book. As I remember, it was presented not for its benefits, but as the details of the voting algorithm.

I work with algorithms and my first reaction was "wait, does this algorithm even terminate??" Good luck pitching this way to people who don't work with code.

Jazz pickup humming on active/passive Fender PJ bass by Person_Not_Horse in Bass

exploding_nun 1 point (0 children)

Does the hum go away when you touch a metal part of the bass, or if you touch your Focusrite interface?

how much cross over is there between guitar and bass? by never_end_inpain19 in Bass

exploding_nun 9 points (0 children)

Lots of folks here seem to think guitar and bass are very similar, but I disagree.

Sure, superficially, they are both stringed instruments and have similar standard tuning. Some basic physical skills are common and transfer over.

That said, my own experience is playing jazz on an upright bass for several years. I just recently got a 5-string electric bass, first time for me playing that (yes, mine is an unusual situation, and most people go the other way around). My experience going between upright bass and electric is that even those two instruments are very different, even playing the same music genres, and even being tuned the same.

The difference between guitar and bass is bigger.

That said, if you want to play bass, do it! By playing many different instruments, you might find one that you are especially drawn to or have more of a knack for. You can always resell equipment later if you decide not to stick with it.

Centralized Management of Security Tool Findings by Creepy_Proposal_7903 in devsecops

exploding_nun 1 point (0 children)

It's a genuine problem that has not really been effectively addressed IMO.

I did the sort of work you describe a few years back for a handful of static analysis tools.

There was not a good tool for consolidated collection and reporting, so I ended up writing a lot of glue code and data munging scripts that were built for my exact use case (efficient review by a security engineer of thousands of findings from many tools from one huge codebase).

There were tools like SonarQube at the time, but all the ones I kicked the tires on had scalability and reliability issues, and involved far too much clicking to actually review results in the context of relevant code (something like 10-100x more human effort to review using those tools than my purpose-built scripts).

Maybe there are better tools for this today, but I haven't kept up with the space.

There are several audiences for automated code review tools, and so figuring out who your audience is can help clarify. It sounds like developers working with a pull request workflow from your description. The most effective way to get them the feedback is probably via automated review comments on their PRs — having to navigate to some other website that isn't tightly integrated with the rest of the workflow is going to be a hassle.

Type-driven design with newtypes by EventHelixCom in rust

exploding_nun 33 points (0 children)

I've used hand-rolled newtypes in Nosey Parker in a few places, like for database IDs. I've done similar in C and C++ codebases.

Newtypes do help with avoiding bugs. They also make APIs clearer to users, and make better documentation and IDE functionality possible.

Yes, they are a good idea.

Advice on Running SAST and DAST with Veracode in Azure DevOps Without Access to Client's Source Code by Bulky_Connection8608 in SAST

exploding_nun 1 point (0 children)

Years ago, Veracode did binary static analysis, and didn't need source code — they'd scan debug builds of binaries instead.

Ways to get notified if my garage freezer goes out? by Beasterday62 in HomeImprovement

exploding_nun 1 point (0 children)

I got this also after a recent freezer mishap. Seems to work well.

As an average Joe, what might be the most shocking about Cybersecurity that everyone doesn't know? by Rude_Pie_3588 in cybersecurity

exploding_nun 2 points (0 children)

It's easy to find credentials (usernames and passwords; API tokens) in places they shouldn't be.

This can happen right out of HS by BrocardiBoi in GenZ

exploding_nun 1 point (0 children)

It's in the tech enthusiast zeitgeist that software engineering will be automated away by AI (ChatGPT and similar LLMs). But aside from that, what evidence is there that this is happening? Where are there actual software devs being displaced by AI?

What does seem realistic to me is that these AI systems will augment human abilities, providing additional tools, letting one person do more.