This is great, although Google decided there was malware on my iPhone. False positive? After following all the steps it asked, now when logging in to any Google service, Google throws an error, making it impossible to log in to any Google service on the phone. I haven’t done a factory reset as I don’t want to lose the Google auth tokens. Catch-22.
Peter Attia has an interview with Robert Sapolsky that was recently “rebroadcasted” - “The impact of stress on our physical and emotional health” [1]
Highly recommended listening.
As a neuroendocrinology researcher, much of Robert Sapolsky’s life work revolves around the questions you’re pondering. He has spent years studying wild baboons in Kenya: “.. specifically, Sapolsky studies the cortisol levels between the alpha male and female and the subordinates to determine stress level.” [2]
Can anyone recommend something similar for Java / Smali? Specific use case is reverse engineering an Android application with partially obfuscated code.
Current approach is following “xrefs” in JADX and hooking methods with dynamic instrumentation with Frida (displaying backtraces etc.). There’s got to be a quicker way while chipping away at renaming classes and methods and mapping out sources/sinks.
Tavis Ormandy released some patches to get WordPerfect for UNIX (terminal based) to run on Linux [1]
Alternatively, WordPerfect 6.2 for DOS running in Wine on Linux (or DOSbox) [2]
This word processor was pretty serious back in the day. I have distant memories of sitting in class and learning it at school in the early 90s. It’s interesting how we retain such inconsequential memories that can resurface with very specific triggers (such as seeing the screenshots of ASCII text of an ancient word processor).
I’m literally planning to do this in a few days to get some solid focus time in. The thought of the disadvantage of not having an AI model for support has already crossed my mind (no internet access in the woods).
It’s noted that this editor supports offline use - does this mean that the AI features also run offline? Or a limited version?
Have you considered a limited LLM that could run locally?
> planning a more mellow retreat
The objective here is to forcibly go where internet is impossible (no phone reception, I don’t have Starlink), with the objective of focused productive output with limited distractions.
The idea came to mind after reading about John Carmack doing this for a week, diving into AI using nothing but classic text books and papers as reference material to work off.
EDIT: here is the HN thread on Carmack’s week-long retreat:
> Have you considered a limited LLM that could run locally?
I think there are two main issues here. LLMs are large (the name even hints at it ;) ) and the smaller ones (still multiple GB) are really, really bad.
Edit: and they use a ton of memory, either RAM if CPU or VRAM if GPU.
Compared to GPT-4, most of them are not super great, yeah. I've tested out most of the ones released in the last weeks and nothing has been getting the same quality of results, even the medium-sized (30GB and up) models that require >24GB of VRAM to run on GPU. I have yet to acquire hardware to run the absolute biggest of models, but I haven't seen any reports that they are much better either for general workloads.
This book provided me a real appreciation for the innovative concepts the original UNIX developers came up with so many years ago. Their impact cannot be overstated.
Highly recommended read for anyone who happens to spend their time plotting away in a terminal.
TL;DR: purchase a device that pairs with your phone, follow a hunch that it's doing a lot more than what it advertises it does.
A week ago I purchased a Bluetooth device that takes some measurements. You require an Android or iOS application. The first thing the iOS app did was request permission for your location. Immediately fired up mitmproxy [1] running in transparent `--mode wireguard` and installed its certificate in the iOS trust store. It was sending a whole bunch of data to China and HK. Since I don't have a jailbroken iPhone, it's off to Android.
For BLE scanning, Android does require permissions for location, but this application is using a Chinese branded tracking SDK and sending encrypted blobs (within already encrypted TLS). So it's time to start reversing and instrumenting the runtime.
Well - not so easy, they used a commercial packer that encrypts their compiled bytecode and decrypts and, I think, executes it within a C++ library that might be an actual interpreter. I managed to pull the Dalvik bytecode out of memory using Frida [2] after the packer had decrypted the base application, converted it to Java bytecode with dex2jar [3], then into decompiled Java with jadx [4].
Since the developer relied on the packer to hide/obfuscate their software, it's quite easy to follow the deobfuscated code. The libraries that do the location tracking, on the other hand, are obfuscated, so now I'm at the stage of identifying where to hook before the encrypted blobs are sent to servers in China.
Here it would be nice to have a call flow graph generated based on the static decompiled Java code - can anyone recommend anything?
I've sunk about 8 hours into this so far. The message here is that to understand what some applications on your phone do, you need to really invest time and effort. The developers increase the cost to the consumer of knowing what their application is doing by obfuscation, encryption and packing. It's asymmetric. Also note: the Play Store and App Store state the app does not send data, which is demonstrably false.
I can also see that the tracking SDK has what looks like functionality to dynamically invoke code - which would break the terms and conditions of the app stores.
At some point I will reimplement its primary BLE functionality and release it as open source to the public and perhaps write a blog post.
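As an added example (not code from the commenter or from jadx), here is the kind of rough static call-flow graph the post above asks for: it indexes method declarations in decompiled Java, records which methods each body calls, and searches from methods that read a location API to methods that reach a network-write call. The Java sources, the source/sink API name lists and the file layout are constructed for the demo; resolution is by bare method name, so it is an xref helper, not a sound analysis.

```python
import re
from collections import deque
SAMPLE_SOURCES = {  # constructed jadx-style decompiled Java, not the app from the post
    "com/example/track/Collector.java": """
public class Collector {
    public void gather(android.location.LocationManager lm) {
        android.location.Location loc = lm.getLastKnownLocation("gps");
        Uploader.post(loc.getLatitude() + "," + loc.getLongitude());
    }
}""",
    "com/example/track/Uploader.java": """
public class Uploader {
    public static void post(String body) {
        java.net.HttpURLConnection c = null;
        c.getOutputStream().write(body.getBytes());
    }
}""",
}
METHOD_DECL = re.compile(r"(?:public|private|protected|static|final|\s)+[\w.<>\[\]]+\s+(\w+)\s*\([^)]*\)\s*\{")
CALL = re.compile(r"\b(\w+)\s*\(")
KEYWORDS = {"if", "for", "while", "switch", "catch", "synchronized"}
SOURCE_APIS = {"getLastKnownLocation", "requestLocationUpdates"}  # location reads (assumed list)
SINK_APIS = {"write", "send", "connect", "openConnection"}  # network egress (assumed list)
def build_call_graph(sources):
    # 'Class.method' -> bare names called in its body; a body is taken to run until
    # the next declaration in the same file (approximate, but enough to follow xrefs).
    graph = {}
    for path, text in sources.items():
        cls = path.rsplit("/", 1)[-1].split(".")[0]
        decls = [m for m in METHOD_DECL.finditer(text) if m.group(1) not in KEYWORDS]
        for i, m in enumerate(decls):
            end = decls[i + 1].start() if i + 1 < len(decls) else len(text)
            graph[f"{cls}.{m.group(1)}"] = set(CALL.findall(text[m.end():end])) - KEYWORDS
    return graph
def find_paths(graph, sources=SOURCE_APIS, sinks=SINK_APIS):
    # BFS from every method that reads a source API to one that calls a sink API.
    by_name = {}
    for key in graph: by_name.setdefault(key.split(".", 1)[1], []).append(key)
    paths = []
    for start in [k for k, calls in graph.items() if calls & sources]:
        queue, seen = deque([[start]]), {start}
        while queue:
            path = queue.popleft()
            calls = graph[path[-1]]
            if calls & sinks:  # reached egress: record the path and stop expanding it
                paths.append(path + [sorted(calls & sinks)[0]])
                continue
            for nxt in (t for name in calls for t in by_name.get(name, [])):
                if nxt not in seen:
                    seen.add(nxt); queue.append(path + [nxt])
    return paths
```

Pointing `SAMPLE_SOURCES` at the real jadx output directory (path -> file text) and extending the two API sets to the obfuscated SDK's wrappers is how you would use it to pick hook points.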
This topic is intriguing. Could you please provide more information about the device and application? I'd appreciate the opportunity to examine them more thoroughly.
Wow amazing write up, start a consultancy and start charging to audit the privacy of apps, imagine getting paid to do this on every App Store update of Tik Tok and the like for agencies or companies auditing their apps, etc.
You are really talented, now get paid for it or open source some automated tools for getting the trail to see behind the curtain for these apps that force you to enable permissions to use them.
We need more privacy conscious talented tech folks like yourself to do the work without shortcuts. I think you should start a company doing this work with like minded folks and sell the service!
Literally using this right now on a pentest looking for privesc in some Linux boxes - the great thing about this tool is it's a shell script that's portable and does a significant amount of enumeration - big time saver. Feels as if it's better than most other privesc scripts/tools out there for Linux.
My next go-to tool after Linpeas is pspy which "allows you to see commands run by other users, cron jobs, etc. as they execute" [1]
The reason it's banned in OSCP is because the OSCP is in no way representative of a real-world engagement.
The OSCP places a premium on hand-jamming commands and doing everything manually, banning automation, because it's trying to test if you understand the fundamentals.
Out in the real world, automation is encouraged. The goal is efficiency - getting the job done within the timeframe allowed by the client. Doing everything manually is horribly inefficient when you are on the clock.
It does annoy me that people take the wrong message from the OSCP, you should be automating away as much as possible so you can spend more time making novel discoveries and giving value to your customers.
I see what you are saying but engagements are not a matter of speed only either, you have restrictions and opsec requirements that prohibit you from automating certain things. If you have a decent EDR for example, even if you can evade the NGAV component, at least one of the commands LinPEAS runs will trigger an alert if the process execution alone is logged.
Really? Doesn't coverage for vulnerability management and pentesting always have a specific goal like "get domain admin"? Honestly asking, I do offensive security but have never been a pentester.
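Added illustration of the detection side of that point (not code from any commenter, nor from LinPEAS or any EDR product): a small detector over constructed process-execution log lines that flags a burst of distinct enumeration commands from one user and parent process, which is the signature an enumeration script leaves even when each command is harmless on its own. The log field names, command patterns, window and threshold are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed process-exec log (not real telemetry), one exec per line:
# "<ISO timestamp> uid=<n> ppid=<n> pid=<n> cmd=<command line>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 uid=1000 ppid=4242 pid=4301 cmd=cat /etc/passwd
2024-05-01T10:00:02 uid=1000 ppid=4242 pid=4302 cmd=sudo -l
2024-05-01T10:00:02 uid=1000 ppid=4242 pid=4303 cmd=find / -perm -4000 -type f
2024-05-01T10:00:03 uid=1000 ppid=4242 pid=4304 cmd=cat /etc/crontab
2024-05-01T10:00:05 uid=1000 ppid=4242 pid=4306 cmd=ls -la /var/run/docker.sock
2024-05-01T10:03:00 uid=1001 ppid=5100 pid=5101 cmd=cat /etc/passwd
2024-05-01T10:09:00 uid=1001 ppid=5100 pid=5102 cmd=sudo -l
"""
ENUM_PATTERNS = {  # categories an enumeration sweep touches in quick succession (assumed)
    "passwd_read": re.compile(r"\bcat\b.*/etc/passwd\b"),
    "sudo_rights": re.compile(r"\bsudo\s+-l\b"),
    "suid_search": re.compile(r"\bfind\b.*-perm\s+-?[0-7]*4[0-7]{3}"),
    "cron_read": re.compile(r"/etc/cron"),
    "docker_sock": re.compile(r"docker\.sock"),
}
LINE = re.compile(r"^(\S+) uid=(\d+) ppid=(\d+) pid=\d+ cmd=(.*)$")

def classify(cmd):
    return {name for name, pat in ENUM_PATTERNS.items() if pat.search(cmd)}

def detect_enum_bursts(log, window_s=60, min_categories=4):
    """Alert when one (uid, ppid) hits >= min_categories distinct enumeration
    categories within window_s seconds. Returns [(uid, ppid, window_start, cats)]."""
    recent = defaultdict(list)  # (uid, ppid) -> [(ts, category)] still inside the window
    alerts, fired = [], set()
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the detector
        ts = datetime.fromisoformat(m.group(1))
        key = (m.group(2), m.group(3))
        for cat in classify(m.group(4)):
            recent[key].append((ts, cat))
        recent[key] = [(t, c) for t, c in recent[key] if (ts - t).total_seconds() <= window_s]
        cats = {c for _, c in recent[key]}
        if len(cats) >= min_categories and key not in fired:  # one alert per parent
            fired.add(key)
            alerts.append((key[0], key[1], recent[key][0][0].isoformat(), sorted(cats)))
    return alerts
```

The second user in the sample runs two of the same commands six minutes apart and is not flagged, which is the distinction between an admin poking around and a script sweeping the host.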
More mature clients these days want pretty broad coverage as well as "get DA" (or other "goal") out of their engagements, in my experience.
It's been kind of interesting seeing things change over the years - from strictly goal oriented, to the era of the Nessus Monkey (vuln scans sold as pen tests), and then back to goal oriented but now with additional coverage requirements.
Enumerating with it isn't banned, only auto-exploiting is.
This reminds me, I had hopelessly locked myself out of sudo access on a production box. This tool helped me get root again and fix a glaring docker socket privesc left there by some script that auto-configured docker among other stuff. I would have never looked at socket permissions I didn't configure, especially not after initial deployment of the server.
It's on a staging environment - but if it was a production machine it would not be an issue. I have until the end of the week to finish and need to work as fast and effectively as possible. Anything that assists in this goal is welcome.
As someone mentioned in another reply it's not banned in the OSCP. Automating enumeration is actually encouraged - after all, enumeration is collecting information. It's up to you as the tester to interpret the results. On the other hand, tools like OpenVAS, Nessus etc. are not permitted as they go further than basic enumeration.