This is a short summary of my unfinished projects, how they relate to each other, etc.
Scott Arciszewski sarciszewski
sarciszewski
/ gist:576ec0459466f5f224ec
Created
October 29, 2014 19:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| http://web.archive.org/web/20100102015733/http://who.is/whois/nsa.gov |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html> | |
| <head> | |
| <title>Something something dark side</title> | |
| <meta charset="UTF-8" /> | |
| </head> | |
| <body> | |
| <h1>Title</h1> | |
| <p> | |
| Lorem Ipsum here |
sarciszewski
/ 0_reuse_code.js
Last active
August 29, 2015 14:11
Here are some things you can do with Gists in GistBox.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Use Gists to store code you would like to remember later on | |
| console.log(window); // log the "window" object to the console |
Let's say that you are an American whom produce software that respects user's privacy. And one day, the FBI comes knocking armed with a National Security Letter (NSL) and demands your signing key so they can distribute malware to your users, pretending to be you. There is no legal defense you can mount, they covered their bases.
What do you do? Lavabit fought, and was ultimately destroyed. If more companies pushed back, maybe the government would stop using it as an easy way to force compliance and silence. Or maybe they would just carry a bigger stick.
Here's another idea. Comply, then get "hacked" and have the keys they're demanding get leaked online and/or published via full disclosure.
Here, being "hacked" means either:
a) leaking the key to someone, discretely, over e.g. Tor with PGP and having them do it
b) leaking a backdoor to someone and having them actually hack in (over Tor) and steal the key
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| class switchNotMatched { } | |
| function doInteger($i) { | |
| echo $i; | |
| if ($i < 100) { | |
| echo " is less than 100."; | |
| } | |
| echo "\n"; | |
| } |
You can log in with either the correct password, or the password 'IndictClapper4Perjury' (sans quotes).
Because password_verify() is defined in the namespace Framework, if the call to password_verify() (inside of the context of the "Framework" namespace) is not preceded by a backslash, PHP will by default look in the current namespace then check the global namespace. Silently.
i.e. it will attempt in this order
- \Framework\password_verify()
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| namespace Sarciszewski\Gists; | |
| /** | |
| * This is a proof of concept code! DO NOT USE THIS! | |
| */ | |
| class PasswordLock | |
| { | |
| const KEY = '4ff556f7b1db2dd95906c21a45ef00344abdb38934450263ee7a908facc05070'; |
sarciszewski
/ _original.php
Last active
August 29, 2015 14:17
Raymond Benc (moxi9 - PHPFox) - PHP Sadness
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * Found in static/ajax.php | |
| */ | |
| /* ... */ | |
| $sUserProfileImage = Phpfox::getLib('image.helper')->display(array_merge(array('user' => Phpfox::getService('user')->getUserFields(true)), array( | |
| 'path' => 'core.url_user', | |
| 'file' => Phpfox::getUserBy('user_image'), | |
| 'suffix' => '_50_square', | |
| 'max_width' => 50, | |
| 'max_height' => 50 |
In response to some people claiming that using a CSPRNG is "going way overboard" and/or is "overkill", I've written this test to verify the performance impact of using a CSPRNG versus their insecure mt_rand() based hacks.
I think the results are conclusive (at least on my device): A 50% speed increase. In addition to less-predictable randomness.
If anyone would like to suggest a benchmark script (or conditions that lead to different results with mine), let me know and I will link to them here.