Jonathan Wilkins jwilkins

jwilkins / nginx-non-transparent-ssl-proxy.md
Created March 31, 2017 19:24 — forked from dannvix/nginx-non-transparent-ssl-proxy.md
Guide to set up nginx as non-transparent SSL proxy, which substitutes strings in the server responses

Use nginx as Non-Transparent SSL Proxy

Introduction

Many mobile apps have back-end API servers. They usually rely on the API replies to determine whether certain information is supposed to be shown. If the API responses could be manipulated on the fly, we may easily fool an unmodified app into exposing some private data.

This manual guides you through setting up nginx as a non-transparent SSL proxy that substitutes strings in the server responses (i.e. a man-in-the-middle attack against ourselves). To both the server side (their API servers) and the client side (your device), the whole process is almost transparent.

jwilkins / useful_commands.md
Created October 7, 2015 22:01
Useful commands

============

MAPS

Debug KeyStore

keytool -list -v -keystore ~/.android/debug.keystore -alias androiddebugkey -storepass android -keypass android

ADB

NOTE: sounds decent for desktops/laptops, but servers gain no benefit (and are presumed to be out of scope) - jwilkins
> - floating ADC inputs, as Peter suggested;
> - five independent RC oscillators.
I've got another idea that requires no extra hardware. I think it has a
solid theoretical basis which I've explored below in sufficient detail
to raise suspicions that I miss my old line of work:
tl;dr: Record the dt time between button clicks, adding dt to the

Journalism can be a high-risk activity, and some stories are a lot riskier than others. In part one we covered the digital security precautions that every journalist should take. If one of your colleagues uses weak passwords or clicks on a phishing link, more sophisticated efforts are wasted. But assuming that everyone you are working with is already up to speed on basic computer security practice, there's a lot more you can do to provide security for a specific, sensitive story.

This work begins with thinking through what it is you have to protect, and from whom. This is called threat modeling and is the first step in any security analysis. The goal is to construct a picture -- in some ways no more than an educated guess -- of what you're up against. There are many ways to do this, but this post is structured around four basic questions.

  • What do you want to keep private?
  • Who wants to know?
  • What can they do to fi
#!/usr/bin/env bash
# Loads and mounts an ISO over SMB via the
# SuperMicro IPMI web interface
#
# usage: supermicro-mount-iso.sh <ipmi-host> <smb-host> <path>
# e.g.: supermicro-mount-iso.sh 10.0.0.1 10.0.0.2 '\foo\bar\windows.iso'
set -x
jwilkins / reval.rb
Created January 18, 2014 07:11 — forked from postmodern/reval.rb
#!/usr/bin/env ruby
#
# Name: reval.rb
# License: MIT
# Author: postmodern (postmodern.mod3 at gmail.com)
# Description:
#
# Re-evaluates a specified Ruby file whenever the file changes.
# Reval was inspired by Giles Bowkett's kickass talk on Archaeopteryx at
# RubyFringe 2008, where Giles used some mad Ruby to re-evaluate his
773 ɪ
750 ə
547 n
489 t
480 ː
393 d
334 s
327 a
304 l
296 e
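module Kernel
  # Keep a handle on the original require so it can still be called
  alias :old_req :require

  # Log every require call, then delegate to the original
  def require(*args)
    puts "Require called with: #{args}"
    old_req(*args)
  end
end
require 'pp'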