I recently compared various tools for identifying regular expressions which are vulnerable to Regular Expression Denial of Service (ReDoS), as I wanted to build a small workflow which would flag vulnerable expressions for me.| Joshua.Hu Joshua Rogers’ Scribbles
One of the benefits of working for a large, albeit stuck-in-the-past technology company which has a whole range of strange services running to fit different decades’ ideals – like Opera – is the ability to observe strange behavior and investigate it. You can find interesting things to investigate in every corner, whether that be due to concerns with security, or simply trying to work out “why is this happening?” At Opera, another strange case caught my eye, and the story is one of m...
Another popular configuration I’ve found in nginx configurations is as follows:
a problem
Rational Explanations: californiapetstore.com
Reporting to an AI Bug Bounty
In a previous post, I outlined how I found an extremely annoying bug in Slack’s website, causing it to automatically redirect me to an invalid page every single time I visited the Slack website with NoScript enabled. Looking to get this issue fixed, my post outlined how support could not be more unhelpful, informing me the broken website was, in fact, working completely fine and as intended, and it wouldn’t be “fixed” because there’s nothing to be fixed! Eventually, my only way to g...
Part three can be found here.
POV: You’re a tourist flying into Melbourne airport at 3AM, after a combined 36-hour travel time from Europe. First things first, you’re instructed to fill out a paper declaration form which cannot be filled out online; the flight attendants didn’t have any pen to lend you, so you’ll just have to fill it out in the airport! When you land, you head to the arrivals hall, and find a line of about 40 people waiting for a pen from the single bench with two pens, attached with a cord (what ...
In a previous post, I outlined how Google’s Feedburner refuses to serve 304 Not Modified for cached Atom feeds. I also outlined how RSS feeds were serving stale results, resulting in delays of new posts of up to a few days. After sending that post to Feedburner’s support contact in the hopes that they would fix the delayed RSS feed results and respect attempts at caching, they instead… completely got rid of the RSS feed, and started serving stale results in the Atom feed. Nice!
I’m a big fan of minimizing the work required to perform a task correctly (without reducing quality), whether it be technical or otherwise. In today’s case, I’m talking about retrieving RSS/Atom feeds from Google’s Feedburner, and caching is seemingly not supported.
Over the past month or so, I’ve been investigating the BCM43602 chip, and its ability to: 1. work on FreeBSD using wifibox, 2. suspend with ACPI’s S3/suspend-to-RAM.
By default, FreeBSD uses the standard ntpd(8) daemon that is built with the FreeBSD world. This daemon only supports symmetric keys for encryption which must be configured per client/server duo, and thus cannot at-scale guarantee authenticity of the data received from the Network Time Protocol (NTP) server. Recent developments like RFC 8915/Network Time Security (NTS) have allowed for the automatic establishment of those keys over TLS. With a focus on both authenticity (so an attacker on-the-...
Unlike systemd-based Linux distributions, FreeBSD does not come with a switch to automatically turn on DNS-over-TLS (DoT) for the system resolver, and requires a bit of work to use an encrypted channel for domain resolution. In this post, we’ll look at how to set up DoT for FreeBSD using unbound(8), enable some hardening, and block all non-encrypted DNS traffic over port 53.