Updated June 28, 2025
Monitor Your Company's Stock Price on Grafana
---------------------------------------------
Jun 28, 2025
Over the weekend, I built a way to monitor your company’s stock price on Grafana. That way, you can roll back your release if the market thinks your code sucks.
Breaking electron-store's encryption
------------------------------------
Aug 21, 2021
A well-known attack on unauthenticated CBC mode allows attackers to modify encrypted config files without knowing the secret key.
Ten seconds to ponder if a thread is worth it
---------------------------------------------
Mar 1, 2021
A userstyle that makes you wait ten seconds before entering a Hacker News thread.
The Chrome T-Rex game, except the dinosaur is you
-------------------------------------------------
Dec 28, 2020
This weekend, I modified the Chrome T-Rex game to bring it into the physical world with a projector, webcam, and computer vision magic.
My brother’s hamster
--------------------
Nov 24, 2020
My brother got a Siberian dwarf hamster in March, right before we started quarantining. He and the hamster live a few states away, and although I’ve never met her in person, tonight I got a chance to see her over Zoom.
Where Did Software Go Wrong?
----------------------------
May 27, 2020
Software is broken, but it’s not because of NPM, startups, AI, or venture capitalists. A deep dive into how we think about and produce code, and how our software systems reflect the manic state of the modern world.
Finding secrets by decompiling Python bytecode in public repositories
---------------------------------------------------------------------
May 12, 2020
Cache rules everything around me. `pyc` files can contain secrets and should not be checked into source control. Use the standard Python .gitignore.
Open and Shut
-------------
Apr 6, 2020
I’ve been working on a little toy project called Open and Shut, which enables you to type in Morse code by opening and shutting your laptop lid.
Building a BitTorrent client from the ground up in Go
-----------------------------------------------------
Jan 4, 2020
What is the complete path between visiting thepiratebay and sublimating an mp3 file from thin air? In this post, we’ll implement enough of the BitTorrent protocol to download Debian. Look at the Source code or skip to the last bit.
You're still not anonymous on Looped
------------------------------------
Nov 25, 2019
Looped fixed the bug from part 1. That’s all they fixed.
You're not anonymous on Looped
------------------------------
Nov 23, 2019
Looped knows who you are, and so does anyone who cares to look. Avoid using it unless you understand the risks to your privacy. Read the conclusions.
Detecting incognito mode in Chrome 76 with a timing attack
----------------------------------------------------------
Aug 4, 2019
FileSystem API writes are measurably faster and less noisy in incognito mode, allowing websites to detect incognito visitors by benchmarking their write speed.
Reversing JS Malware From marveloptics.com
------------------------------------------
Jul 18, 2018
The injected script steals checkout form data and sends it to a Chinese-owned domain. But the attackers are really bad at programming.
An Analysis of Cloudflare's Email Address Obfuscation
-----------------------------------------------------
May 20, 2018
It’s a hex-encoded string where the first byte (the key) is XORed against each subsequent byte to decrypt the email address. This is not a vulnerability.
Hacking Harvard (and nearly every other college)
------------------------------------------------
Apr 16, 2018
Chaining two CSRF attacks and brute-forcing the user’s birth date (upper bound = 730 requests) allowed complete account takeover.
Snow Day Calculator XSS
-----------------------
Apr 12, 2018
PHP’s type coercion and unescaped use of the page’s `snowdays` parameter allow injecting arbitrary HTML and JavaScript via a reflected XSS attack.
Stored XSS in Schoology
-----------------------
Mar 28, 2018
Schoology blog posts accept a plain HTML document via a TinyMCE editor, which may be injected with arbitrary elements, including iframes and event handlers.
Uncovering a Bug in Cloudflare's Minification Service
-----------------------------------------------------
Mar 17, 2018
A bug in Cloudflare’s Auto Minify service parsed `//` and `/* ... */` within ES6 `` `template literals` `` as comments, causing it to truncate lines or entire blocks of code, leading to unpredictable behavior or, in rare cases, a code injection vulnerability.
Bypassing Cert Pinning in the Steam Mobile App
----------------------------------------------
Jan 14, 2018
Use apktool and jadx to identify and remove cert pinning code so we can MITM the app to watch its network requests.