bits 0x54 - Week 35~?, 2024 (WIP)

Good Reads

ASLRn’t: How memory alignment broke library ASLR
https://zolutal.github.io/aslrnt/

Understanding the Postgres Hackers Mailing List Language by Greg Sabino Mullane
Despite the Postgres context, this is a nice reference for non-English-speaking devs. https://www.crunchydata.com/blog/understanding-the-postgres-hackers-mailing-list

Pick Your Distributed Poison - via Hazel Weakly https://hazelweakly.me/blog/pick-your-distributed-poison/

It’s hard to write code for computers, but it’s even harder to write code for humans - Erik Bernhardsson
https://erikbern.com/2024/09/27/its-hard-to-write-code-for-humans.html

The perils of transition to 64-bit time_t - Michał Górny
https://blogs.gentoo.org/mgorny/2024/09/28/the-perils-of-transition-to-64-bit-time_t/

Learns

Fun

DEF CON 30 - Sam Bent - Tor - Darknet Opsec By a Veteran Darknet Vendor
https://www.youtube.com/watch?v=01oeaBb85Xc

MISC

Linus Torvalds on the rust-for-linux drama
https://www.youtube.com/watch?v=OM_8UOPFpqE

Cover: “The Serpentine Offering” by Dimmu Borgir - Adrienne Cowan
https://www.youtube.com/watch?v=TCwDlmiudp0

A peek inside pinentry - jmhobbs https://velvetcache.org/2023/03/26/a-peek-inside-pinentry/

cve-my-fucking-self

I woke up at 3 am realizing that I’d been talking with someone over the phone, and I was about to read out an SMS PIN number to them. It was China Mobile (a Chinese mobile phone provider).

I get promotion calls from China Mobile from time to time; they normally try to sell me into signing up for a more expensive data packet. And I always politely reply “oh too bad, I don’t live in China now so this won’t work for me.”

This time though, I was completely unconscious as they woke me up at 3 am; my primitive nerve reflex failed to understand such a sophisticated context and simply (I guess so, because I remember nothing) replied like “ok, yes, sure, why not…” and continued to follow their instructions. When I suddenly really “woke up” I was totally lost because I was reading out a PIN number from a confirmation SMS, and I was terrified.

Then I tried to figure out whether it was a scam. I checked the caller and SMS and luckily it was just China Mobile instead of a credit card scam. But obviously I didn’t want to sign up for this thing. But I was reluctant to say “nah, never mind, I changed my mind now”, because I know they are just another hard-working person and I didn’t want to make them feel tricked (though I was totally involuntary in the first place). Luckily the procedure requires a second confirmation SMS and I simply pretended that I didn’t receive it (which I did), and they thought it was a technical issue. I explained that I’m abroad and the said promotion won’t work for me (obviously I didn’t say this when I unconsciously got the call) and I finally ended the call without behaving like a jerk.

Here is the profound question in my personal security: I know cyber security, I use cryptography, I identify phishing and scams, I have deep knowledge in computer systems… And fuck me, I’m just reading out a fucking security PIN to someone on the phone without even knowing it??? Had I not gained consciousness quickly enough, I would have simply given my money to scammers.

How can I prevent my mental state being taken advantage of? When I’m half asleep? When I’m drunk? When I’m sick?

Besides passwords, I need a sanity checker on critical systems (no idea how to implement it for SMS confirmations though). Like, besides a password, I should be forced to answer some questions like a math or logic quiz…

BTW: WTF, their sales teams are working on Sunday???? For fuck’s sake, you capitalists.
