Steve Fan stevefan1999-personal

@hackermondev
hackermondev / research.md
Last active April 17, 2025 21:44
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platforms

hi, i'm daniel. i'm a 15-year-old high school junior. in my free time, i hack billion dollar companies and build cool stuff.

3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds--and you wouldn't even know.

I'm publishing this writeup and research as a warning, especially for journalists, activists, and hackers, about this type of undetectable attack. Hundreds of applications are vulnerable, including some of the most popular apps in the world: Signal, Discord, Twitter/X, and others. Here's how it works:

Cloudflare

By the numbers, Cloudflare is easily the most popular CDN on the market. It beats out competitors such as Sucuri, Amazon CloudFront, Akamai, and Fastly. In 2019, a major Cloudflare outage k

MD5 Collision with CRC32 Preimage

Here's the scenario: We want to craft two different messages with the same MD5 hash, and a specific CRC32 checksum, simultaneously.

In other words, we want an MD5 collision attack and a CRC32 preimage attack.

This might seem like a contrived scenario, but it's exactly the one I faced while producing my PNG hashquine (Yes OK maybe that's also a contrived scenario, cut me some slack).

On its own, a CRC32 preimage attack is trivial. You can craft a 4-byte suffix that gives any message a specific checksum, calculated using a closed-form expression (which I am too lazy to derive, not even with assistance from Z3). It's not an attack per se, since CRC32 was never meant to be cryptographically secure in the first place.

@Patbox
Patbox / cardboard-not-so-great.md
Last active February 25, 2025 16:30
Why you shouldn't use cardboard, banner or any other "hybrid" server

Since you are here, you most likely use Cardboard/Banner/some other weird Bukkit + Fabric project (or someone just linked you to it).

Don't do it, it will cause more harm/instabilities to your server than good. But let's start at the beginning.

A few definitions before we start:

  • Bukkit - Bukkit, Spigot, Paper and any forks of these.
  • Cardboard - a mod by IsaiahPatton that tries to port the Bukkit ecosystem to Fabric.
  • Banner - another mod trying to make plugins work with Fabric, similar to Cardboard.
  • Fabric - a Minecraft modding platform; includes Fabric Loader and Fabric API. Everything written in this gist also applies to Quilt.
  • Mods - mods designed for Fabric and compatible platforms.

@0xabad1dea
0xabad1dea / copilot-risk-assessment.md
Last active September 11, 2023 10:21
Risk Assessment of GitHub Copilot


0xabad1dea, July 2021

this is a rough draft and may be updated with more examples

GitHub was kind enough to grant me swift access to the Copilot test phase despite me @'ing them several hundred times about ICE. I would like to examine it not in terms of productivity, but security. How risky is it to allow an AI to write some or all of your code?

Ultimately, a human being must take responsibility for every line of code that is committed. AI should not be used for "responsibility washing." However, Copilot is a tool, and workers need their tools to be reliable. A carpenter doesn't have to

@g1eny0ung
g1eny0ung / OpenSourceIsNotAboutYou.md
Created November 3, 2020 04:32 — forked from richhickey/OpenSourceIsNotAboutYou.md
Open Source is Not About You


The only people entitled to say how open source 'ought' to work are people who run projects, and the scope of their entitlement extends only to their own projects.

Just because someone open sources something does not imply they owe the world a change in their status, focus and effort, e.g. from inventor to community manager.

As a user of something open source you are not thereby entitled to anything at all. You are not entitled to contribute. You are not entitled to features. You are not entitled to the attention of others. You are not entitled to having value attached to your complaints. You are not entitled to this explanation.

If you have expectations (of others) that aren't being met, those expectations are your own responsibility. You are responsible for your own needs. If you want things, make them.

@probonopd
probonopd / Wayland.md
Last active April 16, 2025 20:29
Think twice about Wayland. It breaks everything!

Think twice before abandoning Xorg. Wayland breaks everything!

Hence, if you are interested in existing applications to "just work" without the need for adjustments, then you may be better off avoiding Wayland.

Wayland solves no issues I have but breaks almost everything I need. Even the most basic, most simple things (like xkill) - in this case with no obvious replacement. And usually it stays broken, because the Wayland folks mostly seem to care about Automotive, Gnome, maybe KDE - and alienating everyone else (e.g., people using just an X11 window manager or something like GNUstep) in the process.


As 2024 is winding down:

@graninas
graninas / What_killed_Haskell_could_kill_Rust.md
Last active February 18, 2025 19:32
What killed Haskell, could kill Rust, too

At the beginning of 2030, I found this essay in my archives. From what I know today, I think it was very insightful at the moment of writing. And I feel it should be published because it can teach us, Rust developers, how to prevent that sad story from happening again.


What killed Haskell, could kill Rust, too

What killed Haskell, could kill Rust, too. Why would I even mention Haskell in this context? Well, Haskell and Rust are deeply related. Not because Rust is Haskell without HKTs. (Some of you know what that means, and the rest of you will wonder for a very long time). Much of the style of Rust is similar in many ways to the style of Haskell. In some sense Rust is a reincarnation of Haskell, with a little bit of C-ish like syntax, a very small amount.

Is Haskell dead?

@markasoftware
markasoftware / enterprise_token.rb
Last active April 17, 2025 08:23
OpenProject Enterprise mode for free
############ REPLACE app/models/enterprise_token.rb in the source code with this file! ################
############ also be sure to RESTART OpenProject after replacing the file. ################
############ it doesn't show that enterprise mode is enabled in the settings, but all ################
############ enterprise mode features, such as KanBan boards, are enabled. ################
#-- copyright
# OpenProject is an open source project management software.
# Copyright (C) 2012-2023 the OpenProject GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
@imba-tjd
imba-tjd / .Cloud.md
Last active April 17, 2025 16:02
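☁️ Some free cloud resources

  • IaaS provides hardware such as a system (which you can choose yourself) or storage space; the software has to be installed manually. PaaS provides a language environment and framework (which you can choose yourself). SaaS only lets you use software that has already been developed (the software itself is what is sold, e.g. tax accounting, spreadsheets and word processing). BaaS is generally similar to a non-relational database, but is not interoperable between providers.
  • Characteristics of cloud services: zero upfront cost & pay-as-you-go & elasticity (similar to renting: you can add more or give it back at any time, but there is no residual value), high availability (hosted in data centers, with water and power isolated between different AZs)

Other people's collections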