HackerLangs
TopNewTrendsCommentsPastAskShowJobs

cookiengineer

7,881 karmajoined 10 वर्ष पहले
I'm sort of a Cyber Defense Engineer with a strong Purpleteam background. I just love CTF days and unit testing. My projects have involved co-evolutionary AI concepts to automate the generation and adaption of code and network protocols, as well as fuzzing and exploiting binaries reproducibly. Meanwhile I'm also building my own agentic environment for all sorts of things.

For the last years I've been building a AI-driven startup in the form of the https://tholian.network

The open source projects I've built in the past can be found on:

- https://github.com/cookiengineer (same account on gitlab)

- https://cookie.engineer

Fun fact: All my comments have been written on the toilet. I don't use social media anywhere else.

I only use reddit, HN, and LinkedIn. All other accounts are probably fake, because I don't like the toxicity that social media embraces as you might've guessed already.

PS: If you want to contact me, check my personal website's Contact Me page.

Have a great day, stranger!

Submissions

Malware Insights – Miasma Campaign

cookie.engineer
3 points·by cookiengineer·पिछला माह·0 comments

Microsoft BitLocker – YellowKey zero-day exploit

tomshardware.com
292 points·by cookiengineer·2 माह पहले·158 comments

Show HN: I remade my website in the Sith Lord Theme and I hope it's fun

cookie.engineer
36 points·by cookiengineer·6 माह पहले·16 comments

Show HN: Markdown Editor that you can plug as middleware

github.com
1 points·by cookiengineer·7 माह पहले·0 comments

Show HN: Git-evac – Offline Desktop App, JS free and written in Go with WebASM

github.com
1 points·by cookiengineer·8 माह पहले·0 comments

Show HN: Gooey – Opinionated Go WebASM Framework

github.com
5 points·by cookiengineer·9 माह पहले·0 comments

comments

cookiengineer
·3 घंटे पहले·discuss
Unit tests don't test for branch coverage.

That's the culprit, because LLMs tend to forget and remove a lot of branch logic in these kinds of tasks. If unit tests don't cover these specific if/elseif/else cases, then they'll just disappear.

They'll also disappear if the LLM is allowed to modify the unit tests, because they sure like to cheat their way around into greenlit test suites. The agentic environment must disallow write access to the unit test files for the agent that writes the code.

If you implement that in your tools, you'll see quickly how the models will try to rewrite the unit tests at all cost, no matter what kind of prompting you've done. Tool policies are the only boundary to successfully guarantee this.

Source: Am building my own agentic environment because of that behavior
cookiengineer
·23 घंटे पहले·discuss
Not trying to derail the discussion, but the reason for me to leave the Rust ecosystem in favor of Go was also the implied culture.

Experienced Go devs that stay inside the ecosystem try to write their libraries as "pure go" libraries with zero dependencies other than the upstream core libraries (or golang.org/x if needbe), which results in a very low maintenance ecosystem. This combined with the strong toolchain makes it joyful to work with.

I still don't agree with a lot of design choices of the language, but I realize that I can be more efficient if I am setting aside my opinion.

And that's exactly the thing that somehow never happened in the Rust ecosystem. I always joke that the Rust ecosystem has more OpenGL bindings than developers, because there's just so many low quality bindings or wrappers out there that the ecosystem in result got too noisy to maintain.

I don't want to write more (verbose) code. I want to write less.

I kind of already know that my comment goes to shit in terms of downvotes, but that's what I expect while writing this. How dare I criticized Rust as a language? How dare I, a fulltime noob, do this? Rust is better, always!

...the Rust ecosystem is just so effing toxic. I am glad that I left it. I just got tired of being angry at random online things all the time. Go is my happy place where my annoyances are reduced to Cgo, maps, and the unsafe package <3
cookiengineer
·23 घंटे पहले·discuss
Apple made me realize that I should choose AGPL as a license for my own projects, because I don't agree with the implied contract values of X11/MIT or BSD licenses anymore.

The latter licenses I choose now only for things I absolutely don't care about and won't spend any time on. Things that I care about I license under AGPL. If someone wants it fixed by paying development time, great, then just offer it dual-licensed AGPL/EULA.
cookiengineer
·कल·discuss
> Fuck the New York Times and their lawyers. Their reporting on AI has directly caused so much harassment against me. They play dirty so why would OpenAI play fairly?

What happened?

(Don't know who you are or what company you've built that the NYT was reporting on I assume?)
cookiengineer
·4 दिन पहले·discuss
Not sure why Dolosse are so special?

There's lots of different forms and shapes of wave breakers, like the Tetrapods [1] that you can find over here across pretty much every coast in Europe.

Maybe I'm just not getting it why the Dolosse shape is superior?

[1] https://en.wikipedia.org/wiki/Tetrapod_(structure)
cookiengineer
·5 दिन पहले·discuss
...but most of all, Samy is my hero!
cookiengineer
·7 दिन पहले·discuss
The real question is: why do you follow 800 people that post content like this?

In the crypto bubble I used the opportunity to remove all that noise from my stream. Unsubbed from everyone with Crypto in their job title with no regrets. Doing the same for AI thought leaders helped reduce the noise a bit further.

I like to keep my LinkedIn stream non AI generated, so if I see an AI generated post with all those shitty unicode bold letters, I'm just unfollowing and removing them from my connections.

Now I get the real value out of LinkedIn, which is spammers and advertisers that have a LinkedIn Pro subscription that I cannot unsubscribe from. Yay! /s

Jokes aside, you should reflect on how and for what you are using social media. Every second you spend reading there is likely a second wasted that you can spend building or doing what you enjoy. Social media is an attention grabbing business model, and your lifetime is too precious to waste it on...that.

Every time I was opening social media in the past I am now doing a little bit of sports outside to reset my brain. Much more fun to be in the green than in the digital noise world.
cookiengineer
·9 दिन पहले·discuss
> Michelangelo

Did you know that Michelangelo was the first "label" for inventions and art? He sourced his material from other people and published it for them.

So it's kinda ironic (maybe on purpose?) that you mentioned him.
cookiengineer
·11 दिन पहले·discuss
As a counter argument to your marketing fluff comment:

Name a single instance of right wing parties that did not violate all human rights the second they got in power. Name one, I dare you.

And no, historically such a fairytale world does not exist that you're trying to paint here. All right wing parties feed off aggression, painting humans as enemies, and populistic lies. It's always been this way, always will be this way.

Not a Mullvard customer anymore, and going to never recommend you again for any person that asks me in the future.

Go to history class if you still can't see the truth in my comment. I'm German, and that's our fucked up history, and our messed up ancestry of people "that just followed orders" that I have zero tolerance for. Your fairytale comment reads like the "Hitler just wants peace" protests during WW2.

There is always a democratic and peaceful option, and right wing parties never choose that option. It's unsystematic to how they fundamentally work.
cookiengineer
·12 दिन पहले·discuss
For people that love OpenRA: some friends and me started to play the Continue Mod a lot more recently. It's tons of fun, the mod author basically rebuilt zero hour with actual real weapon stats, vehicles, ships, infantry etc.

It's tons of fun, and runs in wine, too. Typical quirk is that the profile folder has to be setup before running it (same bug as with old generals.exe versions). But can be played easily with wireguard over the internet.

[1] https://www.moddb.com/mods/generalszero-hour-continue
cookiengineer
·13 दिन पहले·discuss
Maybe Volvo has some Swedish brand advertising running on Fox news?
cookiengineer
·14 दिन पहले·discuss
> They got a democratic mandate.

Fun fact that is missing in US history education: Hitler was a legally elected chancellor.

Don't skip history class, kids.
cookiengineer
·14 दिन पहले·discuss
Kind of funny that you're assuming that you are not paying with your data in both cases.

Do I need to remind you how LLMs are being trained? ...or that Anthropic claimed their codebase is 100% vibecoded, making it uncopyrightable by their own logic? ...or that Anthropic took down all Claude Code leaks they could find using DMCA takedown notices? ...or how do you think the caching mechanisms work when there's allegedly no data stored to be able to cache it?

I'm just saying. Anything you build with online models is their training data anyways. Assuming otherwise is pretty stupid at this point.
cookiengineer
·18 दिन पहले·discuss
> yes the ps3 is now considered a retro console.

kids these days... stares at the C64 in the corner
cookiengineer
·18 दिन पहले·discuss
I'm the guy that built the antimiasma discovery and mitigation tool [1] and has seen a lot of the evolved and ever-changing malware samples (17 unique deobfuscated samples with different code branches and adapters/functions/features), so I feel somewhat qualified to respond to this.

The problem of everchanging malware isn't fixable by global policies and global rulesets. Package managers need to change to different workflows in the package publishing process.

1. Reproducible builds have to be mandatory

2. Deployed packages have no execution or network capability at install time

3. If package artifacts differ from source artifacts, block it temporarily

4. In order to defend against credentials harvesting: Package managers need to have mandatory container or sandbox isolation (mandatory bubblewrap, podman, or whatever isolation that segregates filesystems and networking)

5. In order to defend against github being abused as a C2 infrastructure: Package managers need to have locked behavioral rulesets of packages, "allow filesystem" or "allow networking" is useless, and needs to be per-resource. Additionally, it needs to be a mandatory allowlist-only enforcement. If it's allowed by default, it won't help with the transitive dependencies problem

6. Introduced transitive dependencies need to be locked and signed by the package repository authority.

7. In order to defend against eBPF Rootkit: Sorry, you're just f'cked. The only EDR on the market that defends against this attack surface is literally my own product (that I won't advertise here). Every other available tooling is just too outdated in how it has been developed, and too outdated how it's doing behavioral analytics of malware.

---

My personal take on this:

Pretty much every developer thinks this isn't necessary and is probably gonna downvote me for telling the security perspective here. This is not about what's necessary, this is about what's broken.

Our existing DevOps and DevSecOps culture and the involved incident response/supply chain security/GRC/etc workflows are absolutely broken against these reoccurring supply chain attacks, and the tooling that promised to catch this is also absolutely broken and useless against mutating malware that's co-generated by LLMs.

The only ones actually re-identifying the malware implants as miasma malware samples correctly were the socket.dev folks. Every other supply chain tool vendor was just bragging about a new malware campaign because they weren't up to speed and seemingly didn't know about the initial miasma campaigns (and the prototype campaign targeting RedHat's NPM packages with the gyp bindings).

Microsoft was so useless in its incident response workflow that they tried to mitigate the problem by making VSCode extension installs with a required delay time, not even having understood how the malware implants work, and not even having understood what the actual spread vector was.

It's like Microsoft had to press a red button just for the sake of having done anything, instead of openly communicating and advising to ongoing malware attacks, sharing intelligence and samples; and in consequence leaving every customer of Microsoft in the dark, getting compromised in the process, too.

[1] https://github.com/cookiengineer/antimiasma

[2] https://cookie.engineer/weblog/articles/malware-insights-mia...
cookiengineer
·18 दिन पहले·discuss
My opinion is somewhat that the last "real" cyberdeck was the Hackberry Pi, which is essentially the Blackberry I always wanted and that they never produced. Due to it being fully open, there's an insane amount of 3d printing community overlap, where people share their upgrades, designs, modifications and customizations.

Raspberry Pi as a platform has revolutionized access to computers in my opinion, though since the RAM crisis started not so much anymore due to the insane price differences. But the Hackberry is the computing device where I think it has lots of potential for being my actual "Linux on the go" that I wanted but never got ... for the last 15(?) years waiting for it.

[1] https://github.com/ZitaoTech/HackberryPiCM5
cookiengineer
·20 दिन पहले·discuss
On top of that, it's a threat model that doesn't make really sense from an attacker vs defender perspective. Because it's optional, and all kinds of other libraries and tools can just blatantly ignore it anyways.

CORS literally exists only against XSS and CSRF for actively logged in human users. Anything else in CORS is absolutely pointless because every other attack scenario uses scripts or programs that fake HTTP headers anyways. It's just as useless as the Sec-CH (client hint) headers because some Browser made by a company that starts with Micro and ends with Slop decided that the User Agent always needs to be Windows 10 for compatibility reasons.

That is why you see everyone just enabling every CORS option anyways, even though that is literally the worst case that allows XSS and CSRF. And a lot of websites have user edited content at some place, at the very least in images that aren't filtered for embedded scripts (PNGs, anyone?).
cookiengineer
·21 दिन पहले·discuss
Note that the AUR attacks were part of the larger miasma worm campaign, gradually trying to gain more control through various package ecosystems since the RedHat prototype campaign.

Mitigation Tool: https://github.com/cookiengineer/antimiasma

Blog Post with details: https://cookie.engineer/weblog/articles/malware-insights-mia...
cookiengineer
·26 दिन पहले·discuss
Working on exocomp [1] and gooey [2]. The former being an agentic environment for pentesting and reverse engineering and the latter being a UI framework in Go.

Currently working on some networking parts, because I want multiple exocomp instances to be able to cooperate in terms of knowledge sharing and workforce sharing. So I'm experimenting with websockets combined with multicast DNS-SD via UDP sockets. Might be kinda nice if I can make all services discoverable and plug and play. Also using DNS-SD for my llama.cpp wrapper already, which allows local model and inference service discovery quite nicely already.

[1] https://github.com/cookiengineer/exocomp

[2] https://github.com/cookiengineer/gooey
cookiengineer
·27 दिन पहले·discuss
> Someone or something should vuln-scan these packages as they're published, as a number of companies do for NPM now. That would likely have found these pretty quickly.

No. It wouldn't have. That's the whole point of the miasma worm, because it changes too fast in its signatures and helper methods. The encrypted malware implant uses a changing AES-128-GCM key that's used to decrypt the payload, and that key is per-where-it-is-uploaded on GitHub. The code itself is dynamically renamed in its methods, re-used shuffled offsets for encrypted symbols, among other things. It's a mutating malware and the worst enemy from tools that rely on signatures.

Ironically, APT28/29 is somewhat relying on Microsoft being too slow to auto block users and repositories on GitHub that are the C2 infrastructure. Think about that for a second what this implies for your cyber strategy.

By the time you're able to scan signatures or "strings" you're already playing a cat and mouse game with a fully automated botnet, which you will never win. The only other ones I've observed during the last week that seem to be able to track this malware implant's changes were socket.dev. ALL other supply chain tools didn't even know about Miasma and re-invented it as a new campaign. They didn't have the skilled enough people nor toolchain to reverse the malware payload quickly enough to be able to keep up every 24h when they push out a new adapter for another ecosystem.

By fully automated I mean they're already using the credentials they stole less than 48 hours ago from a different package ecosystem, because the email addresses and names etc keep appearing from people who likely didn't even understand the impact of this self-spreading worm.

And having an IOC that checks for, let's say, any package that depends on bun won't help either because the malware will just use external means to re-download it. See the second PyPi campaign, where they just changed the dropper to use compressed WHL files and the setup.pth files that are auto-executed to download the dropper. They changed this after the PyPi maintainers flagged the first wave of malware droppers from the RedHat campaign.

As long as the package managers in those ecosystems aren't fully rewritten from scratch to accomodate for chroots, sandboxes, network and domain logs that are _only allowlistable per entry_ this won't change, and will stay being a feasible malware deployment strategy for supply chain attacks.

Repo for Mitigation Tool (I'm human so I play catch 21 with an LLM powered botnet) [1] ... Tech details in the blog post [2]

Also this is a problem across all package managers. Composer is also affected. Rubygems is also affected. NPM is also affected. PyPi is also affected. Go is also affected.

Nobody is talking about this, and I think this should be more openly discussed how much negligence and external trust we put in package managers in general. This really needs to change.

[1] https://github.com/cookiengineer/antimiasma

[2] https://cookie.engineer/weblog/articles/malware-insights-mia...