This week people discovered that some applications, like Zoom and the Amazon Music app, expose a local web server without authentication. The server exists so a web page can talk to the app by loading an image (a GIF "pixel") from it, which sidesteps CORS. To make things worse, a few listen on 0.0.0.0, so anyone on the LAN can curl them. Since they are unauthenticated, they are easy to exploit. So this week we have many links about security: encrypting, signing.
Long names are long
Picking good names is hard. Bob Nystrom walks us through some refactoring to turn long names into short ones. He's also the author of a few articles about compilers and interpreters, one of which we link to later in this issue.
The Hardest Thing About Data Encryption
Encrypting data is all about making sure that only the right people can read the data you've encrypted. There are two primary forms of data encryption: symmetric and asymmetric. The hardest thing about encrypting data isn't the encryption itself, it's key management.
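One concrete shape key management takes is envelope encryption, shown here as an added example (not code from the linked article): each record gets its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK), and the KEK is the only key that needs storage, access control and rotation. The cipher is a standard-library stand-in (HMAC-SHA256 in counter mode, encrypt-then-MAC with separately derived keys) so the script runs offline; in production you would use AES-GCM or ChaCha20-Poly1305 from a vetted library. The keys and plaintext are constructed.

```python
"""Envelope encryption: separate the key you manage from the key that touches data.

Added example, not from the linked article. Each record is encrypted under
a fresh data-encryption key (DEK); the DEK is wrapped by a key-encryption
key (KEK), which is the only key that needs storage, access control and
rotation. Rotating the KEK re-wraps the DEK without touching the
ciphertext. The cipher is a standard-library stand-in (HMAC-SHA256 in
counter mode, encrypt-then-MAC with separate derived keys); in production
use AES-GCM or ChaCha20-Poly1305 from a vetted library. Keys and
plaintext below are constructed.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def derive_subkeys(master: bytes) -> Tuple[bytes, bytes]:
    # One key per purpose: never use the same key for encryption and for the MAC.
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """nonce || ciphertext || tag; the tag covers aad, nonce and ciphertext."""
    enc_key, mac_key = derive_subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, struct.pack(">Q", len(aad)) + aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = derive_subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, struct.pack(">Q", len(aad)) + aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify before decrypting anything
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


class KeyStore:
    """Versioned KEKs: the one thing that must be protected, audited and rotated."""

    def __init__(self) -> None:
        self.keks: Dict[int, bytes] = {}
        self.current = 0

    def add_version(self, kek: bytes) -> int:
        self.current += 1
        self.keks[self.current] = kek
        return self.current


def encrypt_record(store: KeyStore, plaintext: bytes) -> dict:
    dek = os.urandom(32)                                   # fresh DEK per record
    return {"kek_version": store.current,
            "wrapped_dek": seal(store.keks[store.current], dek, aad=b"dek"),
            "ciphertext": seal(dek, plaintext)}


def decrypt_record(store: KeyStore, record: dict) -> bytes:
    dek = unseal(store.keks[record["kek_version"]], record["wrapped_dek"], aad=b"dek")
    return unseal(dek, record["ciphertext"])


def rewrap(store: KeyStore, record: dict) -> dict:
    """KEK rotation: unwrap with the old KEK, wrap with the current one; data untouched."""
    dek = unseal(store.keks[record["kek_version"]], record["wrapped_dek"], aad=b"dek")
    return {"kek_version": store.current,
            "wrapped_dek": seal(store.keks[store.current], dek, aad=b"dek"),
            "ciphertext": record["ciphertext"]}


def demo() -> dict:
    store = KeyStore()
    store.add_version(os.urandom(32))
    record = encrypt_record(store, b"card=4111111111111111")   # constructed plaintext
    store.add_version(os.urandom(32))                          # rotate the KEK
    rotated = rewrap(store, record)
    tampered = dict(rotated)
    tampered["ciphertext"] = rotated["ciphertext"][:-1] + bytes([rotated["ciphertext"][-1] ^ 1])
    try:
        decrypt_record(store, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"roundtrip": decrypt_record(store, rotated) == b"card=4111111111111111",
            "ciphertext_unchanged": rotated["ciphertext"] == record["ciphertext"],
            "kek_version": rotated["kek_version"],
            "tamper_detected": tamper_detected}
```

The point of the layout is in `rewrap`: rotating the KEK re-encrypts only the small wrapped DEK, never the data, and the version number on each record tells you which KEK can still be retired once no record references it.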
Apple bleee. Everyone knows What Happens on Your iPhone
If Bluetooth is on on your Apple device, everyone nearby can learn the current status of your device: battery level, device name, Wi-Fi status, buffer availability, OS version, and even your mobile phone number. The code for the demo is 100% open source, so you can learn about Bluetooth and how to decode the data being transferred, too. Pretty cool, I must say.
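To see where that data lives, here is an added example (not the Hexway demo code) that takes a raw BLE advertising payload apart: it splits it into AD structures (the length/type/value layout from the Bluetooth Core Spec), picks out Manufacturer Specific Data (AD type 0xFF), checks the little-endian company identifier for Apple (0x004C), and splits Apple's payload into its type/length/value messages. The message-type names come from public reverse-engineering of Apple's Continuity protocol rather than from the page, so treat them as assumptions; the advertisement bytes are constructed.

```python
"""Decode what an Apple device broadcasts in its BLE advertisements.

Added example; this is not the Hexway demo code. It splits a raw
advertising payload into AD structures (the length/type/value layout of
the Bluetooth Core Spec), picks out Manufacturer Specific Data (AD type
0xFF), checks the little-endian company identifier for Apple (0x004C), and
splits Apple's payload into type/length/value messages. The message-type
names come from public reverse-engineering of Apple's Continuity protocol,
not from the page, so treat them as assumptions; the advertisement bytes
are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

APPLE_COMPANY_ID = 0x004C          # Bluetooth SIG assigned number for Apple, Inc.
AD_FLAGS = 0x01
AD_MANUFACTURER_SPECIFIC = 0xFF

# Assumed names (public reverse-engineering); the data layout differs per type.
CONTINUITY_TYPES = {0x05: "AirDrop", 0x07: "Proximity Pairing", 0x0C: "Handoff", 0x10: "Nearby Info"}

# Constructed advertisement: Flags, then Apple manufacturer data carrying two messages.
SAMPLE_ADV = bytes.fromhex(
    "02 01 1a"                  # len=2, type=Flags, value=0x1a
    "0f ff 4c 00"               # len=15, type=Manufacturer Specific, company 0x004C
    "10 05 01 a0 e5 00 00"      #   message type 0x10, length 5, data
    "0c 03 aa bb cc"            #   message type 0x0c, length 3, data
)
# Constructed non-Apple advertisement (company identifier 0x0006).
SAMPLE_OTHER = bytes.fromhex("02 01 1a 05 ff 06 00 aa bb")


@dataclass(frozen=True)
class ADStructure:
    ad_type: int
    value: bytes


def parse_ad_structures(payload: bytes) -> List[ADStructure]:
    structs, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                        # zero length ends the significant part
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        structs.append(ADStructure(payload[i + 1], bytes(payload[i + 2:i + 1 + length])))
        i += 1 + length
    return structs


def apple_continuity_messages(payload: bytes) -> List[Tuple[str, bytes]]:
    """(message name, raw data) for every Apple Continuity message in the advertisement."""
    messages = []
    for s in parse_ad_structures(payload):
        if s.ad_type != AD_MANUFACTURER_SPECIFIC or len(s.value) < 2:
            continue
        if int.from_bytes(s.value[:2], "little") != APPLE_COMPANY_ID:
            continue
        body, j = s.value[2:], 0
        while j + 2 <= len(body):
            mtype, mlen = body[j], body[j + 1]
            data = body[j + 2:j + 2 + mlen]
            if len(data) != mlen:
                raise ValueError("truncated Continuity message")
            messages.append((CONTINUITY_TYPES.get(mtype, f"unknown-0x{mtype:02x}"), data))
            j += 2 + mlen
    return messages


if __name__ == "__main__":
    for name, data in apple_continuity_messages(SAMPLE_ADV):
        print(f"{name}: {data.hex()}")
```

Everything here is readable by any nearby radio without pairing, which is the whole point of the research: the leak is in broadcast data. Decoding the fields inside each message (Wi-Fi state, OS version and so on) needs the per-type tables from the linked write-up.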
Underscoring the “private” in private key
The Amazon Music app runs a server on your laptop so it can spin up processes, such as opening the app and playing a song, bypassing the macOS safety net in browsers that asks the user for confirmation. The post investigates how to find the process listening on the port, disassemble it, run it under a debugger with breakpoints set right before the decryption calls, and read the encryption key and IV out of memory. I learned a lot from it.
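The first step of that investigation, and the check worth running after this week's local-server news, is the same: find out what is listening on your machine and whether it is reachable from the LAN. The following is an added example (not code from Zoom, Amazon Music or the linked write-ups) that parses the output of `lsof -nP -iTCP -sTCP:LISTEN` and flags every listener bound to a wildcard address; those are the ones a neighbour on the same Wi-Fi can curl. Process names and ports in the sample are constructed placeholders.

```python
"""Find which local services anyone on the LAN can reach.

Added example for the local-web-server items in this issue; it is not code
from Zoom, Amazon Music or the linked write-ups. It parses the output of
`lsof -nP -iTCP -sTCP:LISTEN` and flags every listener bound to a
wildcard address, which is what lets a neighbour on the same Wi-Fi curl a
"localhost only" helper. Process names and ports below are constructed
placeholders.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout lsof -nP -iTCP -sTCP:LISTEN prints.
# lsof shows a wildcard bind as "*"; ss/netstat show it as 0.0.0.0 or [::].
SAMPLE_LSOF = """\
COMMAND    PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
helperd    812 alice    5u  IPv4 0x1f2e3d4c5b6a7980      0t0  TCP 127.0.0.1:19000 (LISTEN)
musicd     913 alice    7u  IPv4 0x2a3b4c5d6e7f8091      0t0  TCP *:18000 (LISTEN)
sshd       101  root    3u  IPv6 0x3b4c5d6e7f809102      0t0  TCP [::1]:22 (LISTEN)
"""

LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+).*\s(?P<host>\S+):(?P<port>\d+)\s+\(LISTEN\)\s*$"
)
WILDCARD_HOSTS = {"*", "0.0.0.0", "::", "[::]"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    host: str
    port: int

    @property
    def lan_reachable(self) -> bool:
        # Anything not pinned to a loopback address also accepts connections
        # arriving on the Wi-Fi/Ethernet interface.
        return self.host in WILDCARD_HOSTS or self.host not in LOOPBACK_HOSTS


def parse_listeners(lsof_output: str) -> List[Listener]:
    found = []
    for line in lsof_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append(Listener(m["cmd"], int(m["pid"]), m["user"], m["host"], int(m["port"])))
    return found


def exposed_listeners(lsof_output: str) -> List[Listener]:
    """Listeners reachable from the LAN, not just from this machine."""
    return [l for l in parse_listeners(lsof_output) if l.lan_reachable]


def current_lsof_output() -> str:
    """Run lsof on this machine (macOS/Linux, lsof on PATH) and return its text."""
    proc = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    for l in exposed_listeners(current_lsof_output()):
        print(f"{l.command} (pid {l.pid}, user {l.user}) listens on {l.host}:{l.port}: reachable from the LAN")
```

The PID column is what you carry into the next step of the write-up (attaching a debugger); the host column is what decides whether the unauthenticated endpoint is a local-only problem or a LAN-wide one.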
How (not) to sign a JSON object
You're trying to differentiate between a legitimate user and an attacker, usually by getting the legitimate user to prove that they know a credential the attacker doesn't. Advice from Latacora, a security firm, on how to do that properly.
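An added example (not from the Latacora post) of why signing a JSON object is trickier than signing a string. Two schemes share an HMAC key: "canonicalize-then-MAC" parses the JSON, re-serializes it with sorted keys and MACs that string, so it survives harmless reformatting but also survives an attacker inserting a duplicate key, because Python's parser keeps the last duplicate while a downstream parser may keep the first. "MAC the wire bytes" verifies the exact bytes before parsing, so any edit at all fails. The key and messages are constructed.

```python
"""Sign the bytes you send, not the object you think you sent.

Added example, not from the Latacora post. Scheme 1 MACs a canonical
re-serialization of the parsed object; scheme 2 MACs the exact bytes on
the wire and parses only after the tag verifies. The key and the messages
are constructed for the demo.
"""
import hashlib
import hmac
import json
from typing import Optional

KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")  # constructed


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


# Scheme 1 (fragile): parse first, then MAC a canonical re-serialization.
def sign_canonical(key: bytes, obj) -> str:
    return mac(key, canonical(obj))


def verify_canonical(key: bytes, wire: bytes, tag: str) -> bool:
    obj = json.loads(wire)            # untrusted bytes hit the parser before any check
    return hmac.compare_digest(sign_canonical(key, obj), tag)


# Scheme 2 (recommended): MAC the exact bytes; parse only after they verify.
def sign_bytes(key: bytes, wire: bytes) -> str:
    return mac(key, wire)


def verify_bytes(key: bytes, wire: bytes, tag: str) -> Optional[dict]:
    if not hmac.compare_digest(sign_bytes(key, wire), tag):
        return None
    return json.loads(wire)


def first_wins_loads(wire: bytes) -> dict:
    """A parser that keeps the first duplicate key, as some JSON libraries do."""
    def hook(pairs):
        out = {}
        for k, v in pairs:
            out.setdefault(k, v)
        return out
    return json.loads(wire, object_pairs_hook=hook)


def demo() -> dict:
    order = {"to": "alice", "amount": 1}
    wire = canonical(order)                       # b'{"amount":1,"to":"alice"}'
    tag_canonical = sign_canonical(KEY, order)
    tag_bytes = sign_bytes(KEY, wire)
    # Attacker prepends a duplicate key; Python's json keeps the last value,
    # so the canonical form (and therefore the MAC) is unchanged.
    tampered = b'{"amount":100,"amount":1,"to":"alice"}'
    return {
        "canonical_accepts_tampered": verify_canonical(KEY, tampered, tag_canonical),
        "downstream_amount": first_wins_loads(tampered)["amount"],
        "bytes_accepts_tampered": verify_bytes(KEY, tampered, tag_bytes) is not None,
        "bytes_accepts_original": verify_bytes(KEY, wire, tag_bytes) == order,
    }
```

The second scheme has a cost: the sender must transmit exactly the bytes it signed, so any proxy that "helpfully" re-serializes JSON breaks verification. That cost is the feature; the brittleness is what stops the parser-differential above.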
Crafting Interpreters: Calls and Functions
This is a work-in-progress book, available to read online. We have linked to it before; this is a new chapter. Even if you don't want to write an interpreter, it's still worth reading to understand more about function calls: the call stack and stack frames.
Algebraic Effects for the Rest of Us
Have you heard about algebraic effects? I hadn't. It turns out that algebraic effects are a cool concept and not as scary as I thought from those whitepaper PDFs.
Code to read
Perhaps the smallest useful terminal multiplexer in the world
A library that lets us move, drag, resize, scale and rotate any element. Supports React/Preact too.
baby name analysis
Have fun analysing data from the dataset 'Baby Names from Social Security Card Applications - National Data'.
Find time-consuming database queries for ActiveRecord-based Rails Apps
A Go library for rendering progress bars in terminal applications.
An SSH Certificate Authority that runs as an AWS Lambda function
Full featured and highly configurable SFTP server software
An easy-to-use BI server built for SQL lovers. Power data analysis in SQL and gain faster business insights
A distributed system intended for streaming data between various heterogeneous source and destination systems. Use cases: Kafka mirroring, capturing MySQL change data events…
That's it for this round, have a great day! If you like this newsletter, please tell the world, or
tweet about this