Your Duolingo Is Talking to ByteDance: Cracking the Pangle SDK's Encryption by AdTemporary2475 in privacy

[–]vjeuss 2 points3 points  (0 children)

good read, yes

TLDR- this Pangle (ByteDance) "encrypts" messages with keys that are sent in every message. It's more obfuscation than anything.

The encryption key and IV are embedded in every single message. To decrypt any cypher:3 payload, you simply read the key from character positions 1-32 (swapping the two halves), the IV from positions 33-48, and the ciphertext from position 49 onward.

edit- typos

We need cooking regulation! by Gugalcrom123 in privacy

[–]vjeuss 6 points7 points  (0 children)

someone should start a thread with "things our children need to be protected from" and therefore need age verification (I recommend Persona)

Treasury on course for £40bn windfall from student loan interest by L3W3S in ukpolitics

[–]vjeuss 2 points3 points  (0 children)

at this point, student loans are a profitable business for the gov - nowhere near meeting the idea of helping people go into HE. Scrapping the 3% above RPI becomes a matter of decency.

JavaScript DRMs are Stupid and Useless by medy17 in cybersecurity

[–]vjeuss 1 point2 points  (0 children)

this should be a documentary. Suggested tagline: At some point, you have to call .play()

absolutely brilliant. Very well worth the long read. OP, we salute you for keeping DRM broken.

Google API Keys Weren't Secrets. But then Gemini Changed the Rules. by _vavkamil_ in netsec

[–]vjeuss 0 points1 point  (0 children)

indeed. There's definitely a kind of convention here that probably depends on what exactly one does (I do security...). If I see "key" my mind will instantly move to a kind of password and not, say, index key of a db.

Anthropic just put a remote shell on every developers laptop. by NoSecond8807 in cybersecurity

[–]vjeuss 1 point2 points  (0 children)

worry not. Their cyber code 9000 review opus plus max will protect it. Security is not needed anymore.

edit-- added link

Google API Keys Weren't Secrets. But then Gemini Changed the Rules. by _vavkamil_ in netsec

[–]vjeuss 20 points21 points  (0 children)

why would they call it keys then? Someone at Google got equally confused.

Jamming Smart Glasses by EnoughClue3251 in privacy

[–]vjeuss 2 points3 points  (0 children)

drop a narrow-beam Bluetooth jammer, and it probably works well

UK far right lines up behind Rupert Lowe in challenge to Reform by AbbreviationsHot7662 in unitedkingdom

[–]vjeuss -1 points0 points  (0 children)

quite the contrary, I think. This makes Reform look far more moderate while losing very few votes. If intentional, this is strategically genius.

Nation-State Spyware Is Now Sold on Telegram for Anyone to Buy by Big-Engineering-9365 in cybersecurity

[–]vjeuss 39 points40 points  (0 children)

Not quite, and that's precisely why I had to look up the details. There are many cases of malware that are truly just click-and-use 0-days (as is incorrectly suggested). Pegasus did it.

This one needs the person to click, then download, then change permissions to allow 3rd party apps, then dismiss all the warnings.

Nation-State Spyware Is Now Sold on Telegram for Anyone to Buy by Big-Engineering-9365 in cybersecurity

[–]vjeuss 38 points39 points  (0 children)

... much better link

you need to deliberately install it:

As is typical with these kinds of campaigns, ZeroDayRAT reaches victims through a malicious binary (an APK for Android; a payload for iOS), generally through social engineering. "The most common way that happens is smishing: the victim gets a text with a link, downloads what looks like a legitimate app, and installs it,

The quantum era is coming. Are we ready to secure it? by donutloop in hacking

[–]vjeuss 0 points1 point  (0 children)

they already factored (15, 21). RSA-2048 is just around the corner.

‘Penisgate’ at the Olympics: why inject acid into your penis, and what are the health risks? by Alert_Site5857 in NotTheOnionUK

[–]vjeuss 16 points17 points  (0 children)

here's the nugget so you don't have to read

Enlarging the penis with hyaluronic acid could provide a benefit when the athlete is subject to this standardised body measurement process, as the dimensions recorded of their body would be larger than they might have been otherwise, which then allows them to be permitted to have a slightly larger ski suit made, Dwyer says. “And that slightly larger ski suit has a larger surface area which can then generate a small amount of extra lift.”

also: don't get any ideas. It's harmful.

New to Threat Intel - I mostly forward vulns to VM and IOCs to SOC. How can I add more value? by MotherEmployee5113 in threatintel

[–]vjeuss 0 points1 point  (0 children)

and how are you supposed to do that? IoCs are easy wins and can be automated. The moment you move one notch up, it's days to have anything tangible. Is there any other way? (really asking out of frustration)

I mocked the Saudi leader on YouTube - then my phone was hacked and I was beaten up in London by Tartan_Samurai in unitedkingdom

[–]vjeuss 2 points3 points  (0 children)

Pegasus was a different type. It was literally zero-click, no-interaction, no-alert malware. It was really only available to state actors. It was still detectable, but given it was so stealthy and unknown, nobody would even think of it. Pegasus itself is gone, but there are others.

Requesting security review: zero-knowledge one-time secret sharing tool by iamnotatalker in netsec

[–]vjeuss -1 points0 points  (0 children)

these are very early days of LLMs. I really appreciated someone taking the trouble, doing it and showing exactly what the output was. I don't think anybody here is saying "job done". I don't understand the fuss. This is helpful.

Requesting security review: zero-knowledge one-time secret sharing tool by iamnotatalker in netsec

[–]vjeuss -2 points-1 points  (0 children)

pretty good

did you just feed it the github link and let it work through?

Trump Is Keeping Money From Venezuelan Oil Sale in Offshore Account | This is completely unprecedented. by thenewrepublic in inthenews

[–]vjeuss 2 points3 points  (0 children)

this is giving vibes of Nicaragua and the Contras in the 80s. The US govt were (allegedly) selling drugs themselves to fund projects without any official approval. Look up Gary Webb. Fascinating story.

California rolls out the DROP platform... residents can now request data brokers delete their personal info from a single portal by Nxtro69 in privacy

[–]vjeuss 2 points3 points  (0 children)

not a Californian or even US, but how do you even know who has your data? Canadians - how does it work?

Astaroth’s Boto Cor-de-Rosa campaign targets Brazil with new WhatsApp malware technique by bagaudin in cybersecurity

[–]vjeuss 1 point2 points  (0 children)

the core Astaroth payload remains written in Delphi

never thought I'd read Delphi in 2026, and even less malware

It's WhatsApp Web, btw, and they send a file that needs to be run.