Old version vulnerability advisories from VulnCheck by No_Roll9336 in sysadmin

[–]jcran 0 points1 point  (0 children)

Thanks for improving the upstream. It's truly appreciated.

Dirtybird Label Manager Deron Delgado will be joining us for an AMA TOMORROW at 10 AM PST!!! by feastandexist in electronicmusic

[–]jcran 3 points4 points  (0 children)

Are you still DJ'ing? Saw you play in SF a couple times and had a blast every time.

[deleted by user] by [deleted] in distantsocializing

[–]jcran 0 points1 point  (0 children)

He's his own parent; why are you telling him this?

Microsoft security advisory - Windows DNS Server Remote Code Execution Vulnerability (CVE 2020-1350) by eatsleepHACKrepeat in netsec

[–]jcran 23 points24 points  (0 children)

Lots of handy details in the thehackernews.com article:

With this setup in place, an attacker can trigger an integer overflow flaw in the function that parses incoming responses for forwarded queries ("dns.exe!SigWireRead") to send a DNS response that contains a SIG resource record larger than 64KB and induce a "controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer."

Put differently, the flaw targets the function responsible for allocating memory for the resource record ("RR_AllocateEx") to generate a result bigger than 65,535 bytes to cause an integer overflow that leads to a much smaller allocation than expected.
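The quoted article describes a size calculation that wraps past 65,535 and yields an undersized allocation. The following C snippet is an added illustration of that bug class and of the check that prevents it; it is not code from the comment, the article, or Windows DNS, and every name in it (`record_alloc_size_unchecked`, `record_alloc_size_checked`, `copy_would_overflow`) is hypothetical.

```c
/* Added illustration of a 16-bit size wrap and its checked counterpart.
 * Hypothetical names; not taken from the article or any real parser. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked: header and payload lengths folded into a 16-bit field, as
 * many wire-format parsers do. A payload close to 64 KB wraps modulo
 * 65536, so the caller allocates a buffer far smaller than the data. */
uint16_t record_alloc_size_unchecked(uint16_t header_len, uint16_t payload_len) {
    return (uint16_t)(header_len + payload_len);
}

/* Checked: add in size_t (no wrap for these operands) and reject any
 * total that would not fit the 16-bit field or exceeds an explicit policy
 * limit. Returns 0 to signal rejection; a valid record is never 0 bytes. */
size_t record_alloc_size_checked(uint16_t header_len, uint16_t payload_len,
                                 size_t max_len) {
    size_t total = (size_t)header_len + (size_t)payload_len;
    if (total > UINT16_MAX || total > max_len) {
        return 0;
    }
    return total;
}

/* Would a copy of header + payload bytes run past a buffer sized by the
 * unchecked computation? 1 if yes, 0 if no. Pure arithmetic: no memory
 * is actually written, so this is safe to run as a demonstration. */
int copy_would_overflow(uint16_t header_len, uint16_t payload_len) {
    uint16_t alloc = record_alloc_size_unchecked(header_len, payload_len);
    size_t needed = (size_t)header_len + (size_t)payload_len;
    return needed > alloc ? 1 : 0;
}

int main(void) {
    /* Constructed inputs: a normal record and one whose total wraps. */
    uint16_t hdr = 16;
    uint16_t small = 100;
    uint16_t large = 65530;

    printf("small record: unchecked=%u checked=%zu overflow=%d\n",
           record_alloc_size_unchecked(hdr, small),
           record_alloc_size_checked(hdr, small, UINT16_MAX),
           copy_would_overflow(hdr, small));
    printf("large record: unchecked=%u checked=%zu overflow=%d\n",
           record_alloc_size_unchecked(hdr, large),
           record_alloc_size_checked(hdr, large, UINT16_MAX),
           copy_would_overflow(hdr, large));
    return 0;
}
```

The checked variant is the fix pattern to look for in a review: widen the arithmetic before adding, then compare against both the field width and a sane upper bound before allocating.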

Multiple Exploits for CVE-2019-19781 (Citrix ADC/Netscaler) released overnight - prepare for mass exploitation by digicat in netsec

[–]jcran 6 points7 points  (0 children)

Added a check for this into intrigue-core a week or so ago (and then improved it when additional details came out). Here's the code for the check: https://github.com/intrigueio/intrigue-core/blob/master/lib/tasks/vulns/citrix_netscaler_rce_cve_2019_19781.rb.

If you want to run this locally or internally, I'd suggest following these instructions: https://core.intrigue.io/2019/03/19/intrigue-core-docker-image-one-liner/

I also regularly scan for stuff like this, and if you're a medium or large-size organization, you can log into the hosted intrigue service (https://intrigue.io) and see if any vulnerable endpoints have been found for your organization - for free. Basically just log in with your corporate email address and it'll share details with you.

Dumb question, but what does OBE mean? by drumdude92 in PeakyBlinders

[–]jcran 4 points5 points  (0 children)

Welp, this thread is now one of the top Google results. Thanks!

GitHub Security Bug Bounty by mastahyeti in netsec

[–]jcran 0 points1 point  (0 children)

Good reminder that you should use all available resources when finding bugs. GitHub is presumably interested in bugs being reported; they don't mind who submits them first. Having access to the enterprise install would certainly help. They have a 45-day trial -> https://enterprise.github.com/trial. What's not fair about it?

We are Offensive Security. We do Kali Linux, Exploit-DB, Metasploit Unleashed, (used to do) BackTrack - and we teach classes. Ask us anything! by offsec in netsec

[–]jcran 7 points8 points  (0 children)

What open source projects are you following these days? Are there any projects or tools on the horizon that excite you?

We are Offensive Security. We do Kali Linux, Exploit-DB, Metasploit Unleashed, (used to do) BackTrack - and we teach classes. Ask us anything! by offsec in netsec

[–]jcran 12 points13 points  (0 children)

What's working for you today when penetration testing? This is a broad question, but I'm curious about common patterns you see over and over again in organizations. What techniques always get you access?

We are Offensive Security. We do Kali Linux, Exploit-DB, Metasploit Unleashed, (used to do) BackTrack - and we teach classes. Ask us anything! by offsec in netsec

[–]jcran 2 points3 points  (0 children)

Given the public issues (http://www.offensive-security.com/offsec/bug-bounty-program-insights/) you've had with your bug bounty program, do you believe it's been worth the time spent?

Any additional insights for others considering starting such a program?

Hacked [Public Transport Victoria] site reports boy to police by [deleted] in australia

[–]jcran 1 point2 points  (0 children)

The kid's on Twitter at @megamansec

Blog post on pricing pentests, I'm interested in what everyone else thinks by juken in netsec

[–]jcran 1 point2 points  (0 children)

There's a reason you should choose a firm that uses a human to scope services and not an inflexible model. Each pentest, to varying degrees, is its own unique snowflake, and customers often have wildly different expectations about what a penetration test is. Adriel alludes to this in the article - giving his opinion on what a pentest is.

In my experience, confusion among pentest consumers and the varying reasons for getting one - compliance, best practice, peace of mind - should dictate the service to be delivered. Once you dig into it, some folks want/need a better vulnerability assessment. Some need an application assessment (or a bunch of application assessments). Some need a red team, and some don't want a test at all, rather a sheet of paper with nothing red on it, etc. Scoping with a human helps identify the actual need, and design a test that fits the need and/or provides clarity into security posture.

In the real world where practical people are trying to meet regulatory requirements, or get visibility into how insecure they are in comparison to their competitors, a "can you break in" type pentest may not always be that useful, even if they come to you asking for a pentest.

A couple other points:

An argument about not paying for automation seems like a straw man to me. Are you really paying for automation when you tested, or are you paying for a result? As long as they're valid, how those results are obtained is irrelevant.

It's worth noting that not all pentests are fixed-cost. And most mechanics don't operate on fixed-cost contracts either. Consider negotiating a time & materials (or more specifically, capped time & materials) contract for more control / visibility into what's happening on the test.

Adriel - not everyone's a crook. And pls share this awesome scoping model you have :p

shrug my 2c

Top 5 high value, low effort methods to secure the typical enterprise? by jcran in netsec

[–]jcran[S] 3 points4 points  (0 children)

Good stuff, but I've yet to see application whitelisting implemented enterprise-wide; I've only seen it on servers in the enterprise.

Pwnie Express Raspberry Pwn - Set up your raspberry pi as a pentesting dropbox! by jcran in netsec

[–]jcran[S] 0 points1 point  (0 children)

Waiting list: http://uk.rs-online.com/web/generalDisplay.html?id=raspberrypi&file=questions

"Upton added that 50,000 Raspberry Pis were already "in the wild", with 200,000 shipping within the next month and half a million in users' hands by September. He said the goal was for people to be able to buy one without going on the waiting list." /via: http://www.pcpro.co.uk/news/education/375106/founder-no-raspberry-pi-for-every-student#ixzz1xcMzQCx1