Cédric Luthi

@0xced.hachyderm.io.ap.brid.gy

Trying to make people not hate computers by crafting quality software. Searchable on tootfinder.ch [bridged from https://hachyderm.io/@0xced on the fediverse by https://fed.brid.gy/ ]

7 Followers  |  0 Following  |  11 Posts  |  Joined: 02.01.2025  |  1.4373

Latest posts by 0xced.hachyderm.io.ap.brid.gy on Bluesky

Assembly code between iOS 4.0 and 4.0.1. It's basically the same except one instruction points to a different address.

A lookup table tweaked between 4.0 and 4.0.1.

hey wanna see something kinda interesting? this was the entire fix to the iPhone Antennagate in 2010. 20 bytes.

(this is going to be a very long thread 🧵)

07.10.2025 00:42 — 👍 14    🔁 94    💬 5    📌 1
https://cheap-bitcoin.online/backdoor-loader/rat-controller/malware_patch.exe?cachecontrol=inject&cookievalue=steal&file=poison&id=fc3188fb&payload=%28function%28%29%7B+return+Math.floor%284.9%29%3B+%7D%29%28%29%3B&port=scan

Why use a URL shortener when you can use a phishy URL extender?

https://phishyurl.com/

Keep your security people alert and awake, generate phishing-looking redirecting link

#infosec

16.09.2025 08:09 — 👍 59    🔁 32    💬 0    📌 3
Original post on hachyderm.io

If I buy a MacBook Pro M4 on the Apple Store today, am I sure that it'll come with Sequoia? (The macOS version is not specified.)

On the other hand, do I really want to be stuck on macOS 15 for a decade, waiting for Liquid Glass to be replaced with the next UI redesign. Crossing fingers for the […]

16.09.2025 21:14 — 👍 1    🔁 0    💬 1    📌 0

Apple acquired Curvus Pro X roughly 21 years ago. 👴🏻 I used Grapher recently after not using it for, well, about 2 decades. 😆

https://appleinsider.com/articles/04/09/15/apple_acquires_curvus_pro_x_to_power_new_mac_os_x_tiger_application

28.08.2025 19:55 — 👍 0    🔁 0    💬 0    📌 0
Icon of Firefox 10 (2012) with detailed fox fur and a glossy globe

Icon of Firefox 140 (2025) boxed in a black squircle with weird gradient colours

How exactly did we go from a beautiful Firefox icon to this abomination?

02.07.2025 12:57 — 👍 0    🔁 0    💬 0    📌 0
Original post on hachyderm.io

I just released nugraph, a #dotnet tool for creating visual dependency graph of NuGet packages.

Installation:
dotnet tool install --global nugraph

Usage for a NuGet package:
nugraph Azure.Core

or for a .NET project:
nugraph ~/Projects/Kerberos.NET/Bruce/Bruce.csproj

Many options are […]

24.06.2025 16:56 — 👍 1    🔁 0    💬 0    📌 0
## I've locked myself out of my digital life

https://shkspr.mobi/blog/2022/06/ive-locked-myself-out-of-my-digital-life/

Imagine…

Last night, lightning struck our house and burned it down. I escaped wearing only my nightclothes. In an instant, everything was vaporised. Laptop? Cinders. Phone? Ashes. Home server? A smouldering wreck. Yubikey? A charred chunk of gristle.

This presents something of a problem. In order to recover my digital life, I need to be able to log in to things. This means I need to know my usernames (easy) and my passwords (hard). All my passwords are stored in a Password Manager. I _can_ remember the password to that. But logging in to the manager _also_ requires a 2FA code. Which is generated by my phone. The phone which now looks like this:

Oh.

## Backups

I'm relatively smart and sensible. I regularly exported my TOTP secrets and saved them in an encrypted file on my cloud storage - ready to be loaded onto a new phone. But to get into my cloud, I need my password and 2FA. And even if I could convince the cloud provider to bypass that and let me in, the backup is secured with a password which is stored in - you guessed it - my Password Manager.

I am in cyclic dependency hell. To get my passwords, I need my 2FA. To get my 2FA, I need my passwords.

Perhaps I can use my MFA FIDO2 Key?

Oh.

## Emergency Contacts

Various services allow a user to designate an "emergency contact". Someone who can access your account _in extremis_. Who do you trust enough with the keys to your digital life? I chose my wife. The wife who lives with me in the same house. And, obviously, has just lost all her worldly possessions in a freak lightning strike.

Oh.

## Recovery Codes

Most online services which have Multi-Factor Authentication, also provide "recovery codes". They are, in effect, one-time override passwords. A group of random characters which will bypass any security. Each can only be used once, and then is immediately revoked.

I was clever. I hand-wrote the codes on a piece of paper (so they can't be recovered from my printer's memory!) and stored them in a fire-proof safe, secured with a key hidden under the cat's litter-box. Sadly, the fire-proof safe wasn't lightning-strike safe and is now obliterated. Along with the cat's litter-box. The cat is fine.

I know… I know… I _should_ have kept them in a lock-box in my local bank. The only problem is, virtually no banks offer safe deposit boxes in the UK. The one that does charges £240 per year. A small price to pay, for some, to avoid irreversible loss. But it adds up to a significant ongoing cost.

But, suppose I had stored everything off-site. All I'd need to do is walk up to the bank and show some ID which proved that I was the authorised user of that box. The ID which has just been sacrificed in tribute to mighty Thor and now looks like a melted waxwork.

Oh.

## Friendly Neighbourhood Storage

Perhaps what I _should_ have done is stored all my backup codes and recovery keys on a USB stick and then given them to a friend? There are a few problems with that.

1. Every time I sign up to a new service, I would need to add it to the USB stick. How many times can I pop round with a fresh stick before it becomes an imposition?
2. What if my friend (or their kid) accidentally wipes the drive?
3. If a freak lightning storm hits both our houses at the same time, I still lose everything.
4. Even if I did all that, I would have to give the USB stick a strong password to make sure my friend didn't betray me. So I either need to remember that, or I'm stuck in the password-manager-paradox.

Perhaps I could split the USB sticks between multiple friends using Shamir's Secret Sharing? That solves some problems - mostly the accidental losses and remembering a strong password - but creates _even more_ issues. Now I have to do a lot more admin _and_ worry about all my friends conspiring against me!

## Phone Home

One of the weakest forms of identity is the humble phone number. Several of my accounts use my mobile number to text me authorisation codes. SMS isn't the most secure way to deliver passwords - it can be intercepted or the SIM can be swapped to one controlled by an attacker. But, _if_ I can get my phone number back, I stand a chance of getting in to my email and perhaps some other services.

That's a weakness in my security posture. But one I may need to take advantage of. The only question is - how do I prove to the staff at my local phone shop that I am the rightful owner of a SIM card which is now little more than soot? Perhaps I can just rock up and say "Don't you know who I am?!?!"

I know, I'll show them my passport!

Oh.

## Bootstrapping of trust

I am lucky. I have a nice middle-class life and know lots of professionals - doctors, lawyers, teachers - who I _hope_ would be happy to vouch for me. I could use one of my friends to confirm my identity for a replacement passport. Once I have a passport, I should be able to get a SIM card with my phone number. And, I hope, some online services.

I would, however, need to use a credit or debit card to apply for a replacement passport. But all of my cards are melted to slag - and I can't prove to the bank that I am who I say I am because I don't know my account number, password, or mother's maiden name. You see, I was "clever" and took some idiot's advice about setting your mother's maiden name to being a random string of characters. Those details are, of course, stored in my inaccessible password manager!

Hopefully one of my friends will be prepared to lend me the £75.50 to get a new passport. I'll just call up one of my friends. Hmmm… now, where did I store their phone number?

Oh.

## Starting over

Again, I'm lucky. I live relatively close to some friends and family. And I'm confident that they'd be gracious enough to pay an emergency cab fare if I started hammering on their door at silly o'clock in the morning.

With their help, I think I could probably call up enough insurance companies to figure out which one covered the property. I would hope the insurance company would have some way of validating with the emergency services that the house is, indeed, a smoking crater. I don't know if that would get me emergency cash, or if I'd have to rely on friends until I get access to my bank account.

I assume my credit card companies can probably be convinced to send out replacement cards. But will they also be willing to change my address - or will the card go to the pile of ashes which was formerly my home?

I don't know whether my insurance policy covers me for access to digital files. Even if it did, I'm not sure how they can force a company like - say - Google to give me access to my account. It isn't like Google went through a KYC (Know Your Customer) process when I signed up.

## Code Is Law

This is where we reach the limits of the "Code Is Law" movement. In the boring analogue world - I am pretty sure that I'd be able to convince a human that I am who I say I am. And, thus, get access to my accounts. I may have to go to court to force a company to give me access back, but it is _possible_.

But when things are secured by an unassailable algorithm - I am out of luck. No amount of pleading will let me in without the correct credentials. The company which provides my password manager simply doesn't have access to my passwords. There is no-one to convince. Code is law.

Of course, if I can wangle my way past security, an evil-doer could also do so. So which is the bigger risk:

* An impersonator who convinces a service provider that they are me?
* A malicious insider who works for a service provider?
* Me permanently losing access to all of my identifiers?

I don't know the answer to that. If you have a strong opinion, please let me know in the comment section.

In the meantime, please rest assured that my home is still standing. But, if you can, please donate generously to the DEC's Ukraine Humanitarian Appeal

#2fa #passwords #security

Here's the nightmare scenario for anyone who uses a password manager, 2FA, and other modern online security tools.

https://shkspr.mobi/blog/2022/06/ive-locked-myself-out-of-my-digital-life/

07.06.2025 16:39 — 👍 13    🔁 53    💬 9    📌 3
Microsoft.Extensions.Http.Polly 9.0.5 The HttpClient factory is a pattern for configuring and retrieving named HttpClients in a composable way. This package integrates IHttpClientFactory with the Polly library, to add transient-fault-handling and resiliency through fluent policies such as Retry, Circuit Breaker, Timeout, Bulkhead Isolation, and Fallback. This package was built from the source code at https://github.com/dotnet/aspnetcore/tree/ed74665e773dd1ebea3289c5662d71c590305932

Quick, can you tell the difference between https://www.nuget.org/packages/Microsoft.Extensions.Http.Polly and https://www.nuget.org/packages/Microsoft.Extensions.Http.Resilience?

Both add resilience to HttpClient with Polly, but why are there two almost identical packages? 🤔

#dotnet

15.05.2025 14:00 — 👍 0    🔁 0    💬 0    📌 0
Original post on cyberplace.social

Oh, this is interesting (and a little scary)

tl;dr don’t use SSDs for long term, offline storage. The data degrades after as little as two years without the drives being powered up […]

17.04.2025 05:06 — 👍 47    🔁 159    💬 12    📌 2
Zip async implementation by carlossanlop · Pull Request #114421 · dotnet/runtime Fixes #1541 Approved APIs: #1541 (comment) Each commit is small to help with reviewing. @edwardneal - our changes will conflict. Ideally your PR should get merged first and I would update mine afte...

Async ZipFile APIs might come to #dotnet 10, finally! 🎉 A pull request is being worked on, almost ten years after the issue asking for async zip APIs was opened.
https://github.com/dotnet/runtime/pull/114421

16.04.2025 18:33 — 👍 0    🔁 0    💬 0    📌 0

I try to be polite and constructive on GitHub but today I couldn't resist some snark. I think Microsoft deserves it.
https://github.com/Azure/azure-service-bus-emulator-installer/issues/17#issuecomment-2790842139

09.04.2025 20:04 — 👍 0    🔁 0    💬 0    📌 0
GitHub - 0xced/Chisel: Remove unwanted dependencies from your dotnet projects Remove unwanted dependencies from your dotnet projects - 0xced/Chisel

I just released a new version of https://github.com/0xced/Chisel (1.1.2). Now compatible with the latest .NET SDK 9.0.200, enjoy!
It’s not needed anymore for MongoDB.Driver starting with version 3 but still needed for Microsoft.Data.SqlClient version 6.
#dotnet

17.02.2025 21:11 — 👍 1    🔁 0    💬 0    📌 0
Perian - The swiss-army knife of QuickTime® components Perian is a free, open source, QuickTime component that supports many popular media types, including AVI, DivX, and XviD.

@ricobeck Perian, like this Perian? https://www.perian.org

03.02.2025 19:44 — 👍 0    🔁 0    💬 0    📌 0
Original post on hachyderm.io

The SgmlReader NuGet package for #dotnet is a less known but great alternative to AngleSharp or HtmlAgilityPack if you need to parse HTML. It converts (almost) any HTML to valid XML that you can then query or manipulate with the well-known XmlDocument class […]

26.01.2025 20:35 — 👍 1    🔁 0    💬 0    📌 0
The sky as a canvas: a visual guide to the artistry and science of drone shows Explore the mesmerising world of drone shows with this comprehensive infographic.

Amazing visualization work from SCMP on the "recent" drone shows https://multimedia.scmp.com/infographics/news/world/article/3292066/drone-shows/

02.01.2025 04:53 — 👍 1    🔁 4    💬 0    📌 0

@bsky.brid.gy nst021.bsky.social

02.01.2025 07:20 — 👍 0    🔁 0    💬 0    📌 0