Skip to content

Instantly share code, notes, and snippets.


Pattern Juggled ie ðørkßöt pjstorm

View GitHub Profile
martinseener /
Last active Jul 26, 2018 - A simple nagios-compatible check for the FREAK vulnerability (CVE 2015-0204)
#!/usr/bin/env bash
# (c) 2015 Martin Seener
# Simple script which checks SSL/TLS services for the FREAK vulnerability (CVE 2015-0204)
# It will output if the checked host is vulnerable and returns the right exit code
# so it can also be used as a nagios check!
PROGNAME=$(basename $0)
Wack0 / gist:17c56b77a90073be81d3
Last active Jul 23, 2021
It's not just superfish that's the problem.
View gist:17c56b77a90073be81d3
Superfish uses an SDK from Komodia to do SSL MITM. That's probably known by now.
Superfish isn't the only product to use that sdk. there's others too.
Each product that uses the Komodia SDK to MITM, has its OWN CA cert and private
key pair. Seems a lot of people think they all use the superfish cert. That is
NOT the case.
First thing I checked was komodia's own parental control software,
Keep My Family Secure. (mentioned on komodia's own website).
View i2p inproxy howto v0.1
# this is a howto for an i2p inproxy from the best of my recollection
# you will need: nginx, squid3, polipo, i2p and a good vps provider that doesn't suck ass
# this setup uses nginx as load balancer + logger, squid for transparent proxy and polipo for interfacing with i2p socks proxy
# client => nginx -> squid -> polipo -> i2p socks -> i2p => eepsite
sarciszewski /
Last active Aug 29, 2015
Privacy Seppuku (Note: IANAL)

Let's say that you are an American whom produce software that respects user's privacy. And one day, the FBI comes knocking armed with a National Security Letter (NSL) and demands your signing key so they can distribute malware to your users, pretending to be you. There is no legal defense you can mount, they covered their bases.

What do you do? Lavabit fought, and was ultimately destroyed. If more companies pushed back, maybe the government would stop using it as an easy way to force compliance and silence. Or maybe they would just carry a bigger stick.

Here's another idea. Comply, then get "hacked" and have the keys they're demanding get leaked online and/or published via full disclosure.

Here, being "hacked" means either:

a) leaking the key to someone, discretely, over e.g. Tor with PGP and having them do it
b) leaking a backdoor to someone and having them actually hack in (over Tor) and steal the key
# create sha512 sum username
username=$(echo -n "$token"| sha512sum | cut -d ' ' -f 1)
agl / gist:876829
Created Mar 18, 2011
Proxy server for testing revocation
View gist:876829
package main
import (