HackerTrans
TopNewTrendsCommentsPastAskShowJobs

Faelian2

no profile record

Submissions

Twake – open-source Google Workspace alternative

twake.app
27 points·by Faelian2·السنة الماضية·19 comments

There's a Surprisingly Easy Way to Remove Microplastics from Drinking Water

sciencealert.com
2 points·by Faelian2·قبل سنتين·0 comments

You don't need NordVPN (if you have SSH)

blog.lasne.pro
2 points·by Faelian2·قبل سنتين·0 comments

comments

Faelian2
·قبل 6 أشهر·discuss
I did wrote a small open-source tool in Rust. And I too did encounter that kind of issue when I did start to build a .deb.

Honestly, it was the kind of bug that is not fun to fix, because it's really about dependency, and not some fun code issue. There is no point in making our life harder with this to gatekeep proprietary software to run on our platform.
Faelian2
·قبل 9 أشهر·discuss
Thanks for putting this site together. Despite all the comments here, I find your point pretty convincing.
Faelian2
·السنة الماضية·discuss
That's a really interesting project.

I have been generating documents for a while using https://github.com/enhuiz/eisvogel. It's nice to use markdown, but I feel really limited, and can't do much customization.

I would love to see some templates for this.
Faelian2
·قبل سنتين·discuss
France is literally making billions by exporting in electricity. https://oec.world/en/profile/bilateral-product/electricity/r...

It's France 9th biggest export.
Faelian2
·قبل سنتين·discuss
An explanation of the attack by the company doing the investigation: https://www.volexity.com/blog/2024/11/22/the-nearest-neighbo...
Faelian2
·قبل سنتين·discuss
At what timestamp in the documentary do they talk about ?
Faelian2
·قبل سنتين·discuss
I love how he is porting every local attack to web applications.

I am also a bit frightening that the number of attack you have to know for the Burp Certification keeps getting longer.
Faelian2
·قبل سنتين·discuss
I don't use GDB a lot. But when I do, I generally use the pwndb extension. It's written for exploit development, but even for debugging a C program. It makes things a lot nicer.

https://pwndbg.re/
Faelian2
·قبل سنتين·discuss
I am writing an hexadecimal editor in rust, with colors.

https://github.com/0xfalafel/hextazy

I am also playing a bit with Gtk4, Relm4, and creating Active Directory labs with vagrant. https://blog.lasne.pro/posts/ad_lab_part1/
Faelian2
·قبل سنتين·discuss
Do you guys know if `!isset()` is a good alternative ? Or if it also has some shortcomings ?
Faelian2
·قبل سنتين·discuss
As a pentester, I would argue that attackers don't think in graphs either.

Apart from Bloodhound, I can't think of any tools where we have graphs.

For web security, I can't think of something where "graph thinking" applies. But we have a pretty huge list of attacks to test https://portswigger.net/web-security/all-topics.

And ultimately, what is inside your pentest report ? Not a graph, a list of things to do:

- SMB signing.

- Don't use the domain admin to manage every machine.

- ...

The main reason this phrase is so popular, is that it panders to the hacker community: "We are the smart guys, all the defenders do is excel sheets."

IMHO, the nugget of truth in this is that defenders can spend considerable amounts of time on things that don't matter. Like doing CIS benchmark by hand on all servers. While missing the low-hanging fruits that would give them a strong security posture.

In a lot of companies, the defenders are just sysadmins that don't have any idea of what they should focus on.
Faelian2
·قبل سنتين·discuss
SEEKING WORK: Pentest / AppSec / Training / Cybersecurity | Remote, France

Cybersecurity expert, with 8 years of experience, I have audited multiple complex systems. From Internet Gateway (Linux embedded), to innovative web apps and complex Active Directory environment of Healthcare providers.

Website: https://lasne.pro Github: https://github.com/Faelian Email: olivier [at] lasne.pro
Faelian2
·قبل سنتين·discuss
I just read "Windows from Marcus Aurelius". Guess I need to spend some time AFK
Faelian2
·قبل سنتين·discuss
Yeah, sorry guys. I did write too fast.

The last sentence should be :

So in that regard, Alpine is less secure by using musl. However, having a small and understandable system is a real advantage when it comes to security.
Faelian2
·قبل سنتين·discuss
Just my two cents about the security aspect.

All Linux binaries are compiled with PIE nowadays. You can run `checksec` on any binaries on Ubuntu, and it will have those properties. (You can install checksec with `pip install pwntools`).

On the other hand, GLIBC has, to my knowledge, the most hardened heap implementation out there. And there are more mitigations for double-free and other heap exploits on GLIBC.

So in that regard, Alpine is less secure by using musl. Having a small, understandable system is a real advantage when it comes to security.
Faelian2
·قبل سنتين·discuss
I am really curious about this.

As a pentester, I run use Linux on my laptop and I spend a lot of time working inside a Kali VM with VirtualBox.

How much performance improvement can we expect with the KVM backend ?
Faelian2
·قبل 3 سنوات·discuss
SEEKING WORK | France, Remote | Pentester, Cybersecurity expert

I am a cybersecurity consultant / pentester / trainer with 7+ years of experience. I have audited successfully internal networks, web applications, and embedded environments. I also do trainings for professionals and students.

Location: EU (France) Linkedin: https://linkedin.com/in/olasne Website: https://lasne.pro

Email: olivier [] lasne.pro
Faelian2
·قبل 3 سنوات·discuss
Honestly, the OWASP top ten is generic enough that most vulnerability fit in it : "injection", "security misconfiguration", "insecure design".

The problem is

1. knowing the gazillion of web vulnerabilities, and technologies

2. being good enough to tests them

3. kick yourself and go through the laborious process of understand and test every key feature of the target.
Faelian2
·قبل 3 سنوات·discuss
I work as pentester (as a freelance nowdays).

Getting out of bed and "real stuff" is supposed to be part of a pentest.

The problem is more the sheer amout of stuff your are supposed to know to be a pentester. Most pentesters come into the field by knowing a bit of XSS, a few thing about PHP, and SQL injections.

Then you start to work, and the clients need you to tests things like:

- compromise a full Windows Network, and take control of the Active Directory Server. Because of a misconfiguration of Active Directory Certificate Services. While dealing with Windows Defender

- test a web application that use websockets, React, nodejs, and GraphQL

- test a WindDev application, with a Java Backend on a AIX server

- check the security of an architecture with multiple services that use a Single Sign on, and Kubernetes

- exploit multiple memory corruption issues ranging form buffer overflow to heap and kernel exploitation

- evaluate the security of an IoT device, with a firmware OTA update and secure boot.

- be familiar with cloud tokens, and compliance with European data protection law.

- Mobile Security, with iOS and Android

- Network : radius, ARP cache poisoning, write a Scapy Layer for a custom protocol, etc

- Cryptography, you might need it

Most of this is actual stuff I had to work on at some point.

Even if you just do web, you should be able to detect and exploit all those vulnerabilities: https://portswigger.net/web-security/all-labs

Nobody knows everything. Being a pentester is a journey.

So in the end, most pentesters fall short on a lot this. Even with an OSCP certification, you don't know most of what you should know. I heard that in some company, people don't even try and just give you the results of a Nessus scan. But even if you are competent, sooner or later, you will run into something that you don't understand. And you have max 2 week to get familiar with it and test it. You can't test something that you don't understand.

The scanner always gives you a few things that are wrong (looking at you TLS ciphers). Even if you suck, or if the system is really secure. You can put a few things into your report. As a junior pentester, my biggest fear was always to hand an empty report. What were people going to think of you, if you work 1 week and don't find anything?