yan
@bcrypt
Followers
77K
Following
27K
Media
2K
Statuses
20K
security engineering @brave / helped build Let's Encrypt, Privacy Badger, and HTTPS Everywhere @eff / physics alum @mit / rabbit enthusiast
Joined November 2012
could not for the life of me figure out how to buy a bus ticket in Milan. it was literally easier to get a shell 😆
93
679
7K
in january 2023, i had a simple ultrasound done at SimonMed. they sent me 4 bills totaling $5137 for it. after a year of emails and phone calls, they finally admitted today that i only owed $140.53 and are mailing me a refund check!. here's how i did it 🧵
171
4K
35K
my friend sophie got fired from her job at Facebook and turned down a $64,000 severance package in order to leak this, so u better read it.
191
9K
17K
PSA i can spoof any email and it will pass all DKIM/SPF/etc. checks. here's an email i sent to myself pretending to be a famous MIT-affiliated podcaster - thanks gmail for auto-inserting the profile pic :) . MIT may fix this someday but in the meantime
205
768
12K
so crazy that if u just touch a computer in the right ways u can make like 100 billion dollars.
96
1K
7K
reminder that the bcrypt hash function ignores input above a certain length! so if you do bcrypt(username || password) for some reason, a sufficiently long username will make it accept any password. to fix this you can sha256 the input first.
Okta allowing login bypass for any usernames with 52+ characters is insane. Official Security Advisory:
65
1K
6K
confirmed that Facebook lets me exclude black, asian, and hispanic people from seeing my ads. why can't i exclude white people?
148
5K
6K
ROFL at andrew huberman saying that if you have a 20% chance of pregnancy in any given month, the chance of being pregnant after 6 months is 120%
286
278
6K
tl;dr if u have insurance check that the amount ur billed lines up with what insurance says u owe before paying. if u overpaid u can try a demand letter to get a refund. ask the provider for a superbill. also "Never Pay the First Bill" has some tips for negotiating a bill down.
22
209
5K
i…. just received a children’s book about a rabbit who travels back in time to medieval europe and gets everyone hyped about blockchain
171
1K
4K
amazingly i work on a security team where nobody wants to go drinking, so instead we went out for an elaborate tea service after work lol
96
235
3K
6/ i called Anthem again to do a 3-way call with SimonMed to explain that i didn't owe them money, they owed me money. again nothing happened for months. in the meantime i started reading Never Pay the First Bill by Marshall Allen which suggested suing them in small claims court.
1
59
3K
7/ the first step to suing in small claims in CA is to send a demand letter, so i used to do this for free. i both mailed and emailed it to simonmed. they replied promptly via email saying they'd look into it.
3
73
3K
8/ after a few back-and-forths with SimonMed, they said their internal investigation concluded that i wasn't owed anything. however they offered to send me a superbill explaining the charges. i said sure. to my surprise, the PDF they sent me showed they owed me 484.92 ROFL.
2
44
3K
unpopular opinion of the day: i wish infosec (and tech industry in general) put less emphasis on teaching people to be public speakers and more emphasis on teaching them to be good technical writers.
60
423
2K
2/ the first bill they sent was for $484.92, which i paid promptly. a few months later they sent a bill for $3378.69! i contacted my insurance and they sent me an updated EOB saying i only owed an additional $140.53.
1
38
3K
9/ their own PDF contained the last bit of proof i needed to get the refund! i simply replied saying so and they immediately escalated it. a few days later they asked me where to send the check :).
3
34
3K
the person who used gamestop as a bank in 2014 was way ahead of their time
13
429
2K
3/ i emailed simonmed and attached the EOB. they said they would look into it. shortly after i got a new bill for $140.53 in the mail which i paid. then i noticed the 484.92 amount wasn't counted in my insurance deductible so i contacted my insurance asking why.
2
30
2K
4/ a representative from Anthem replied saying that their previous reply was wrong; i only owed $140.53 total. so simonmed owed me a refund for the first bill ($484.92). i called simonmed about this and their rep just said they would look into it and send me a check if needed.
1
32
2K
i've written links in markdown 100+ times and i still have to look up whether the brackets or the parentheses come first. every single time.
79
336
2K
5/ months passed with no refund. i asked Anthem what to do and they suggested Anthem, SimonMed, and I do a 3-way call. Anthem set up this call and again the SimonMed rep said they would look into it. months later, instead of a refund, SimonMed sent me another bill for $1133.18.
3
27
2K
a group of furries in costume is being accosted by casino staff for foiling the facial recognition system. #PeakDefcon.
30
547
2K
just gave my first guest lecture at stanford after dropping out in 2012 lol
32
50
2K
want to exercise at home but too lazy to figure out a routine?. i have solved ur problem by building a web app that randomly generates workouts w/ random pictures scraped from Google Images and random tracks from SoundCloud:
73
468
2K
last night someone explained meditation to me as cache invalidation for your mind.
38
977
2K
it's great making a product for linux users because they have such a low baseline expectation for things working out-of-the-box and will go to great lengths to help you debug.
21
288
2K
pg&e also:.* caused the deadliest fires in CA history bc they chose to spend money on lobbying & paying investors rather than maintaining their infrastructure.* declared bankruptcy to avoid liability for fire victims.* spent millions on lobbying politicians after that.
Just as a reminder. If you're in California, and your power goes out due to a rolling blackout, PG&E had the money to upgrade their infrastructure to ensure this doesn't happen and they gave it to their shareholders and executives.
15
1K
2K
i remember the days when people still programmed in low-level languages such as untranspiled javascript.
28
628
2K
fyi homebrew had the backdoored version of xz utils; updating now will downgrade it
17
441
2K
u mean to tell me i didn’t need to type “sudo” for the last 12 years??.
A bug lurking for 12 years gives attackers root on every major Linux distro by @dangoodin001.
19
203
2K
got the best, AKA worst, hackerone report ever. someone reported that an attacker website can figure out a person's IP address by *gaining local access to the person's machine*, installing a NodeJS webserver, and using the IP npm package to get the IP.
64
198
2K
my friends:. me: what if Game of Thrones is actually the prequel to the Redwall series because everyone dies at the end and small woodland animals become the dominant species.
41
206
2K
hypothesis: most people's feelings about most things are just cached responses.
53
505
2K
just made a "decentralized" "alternative" to twitter; everyone should go "join" it. to make an account: fork to tweet: git commit --allow-empty.to follow someone: git remote add <alias> <their fork url>.to retweet: git cherry-pick <their "tweet">.
38
358
2K
my biggest takeaway from this article is that FB could be doing a lot more to prevent politically-motivated bot activity, but they choose not to because they don't see any immediate revenue or PR benefit from doing so.
23
417
1K
i hate the confrontational tone of 'git blame'. from now on i will rename it to 'git thanks'.
107
241
1K
i discovered this because i received a VERY convincing phishing email sent from "me". it turns out the attacker compromised another acct and was using it to send email as arbitrary users. that acct has been reported and suspended.
8
19
2K
it’d be cool to live in a society where you get to go to college for 1 year every several years in order to learn a new field.
38
210
1K
if you made #30Under30, don’t give your personal info to Forbes. I found a bug that lets any 30under30 member (like me) see other members’ DoBs, addresses, phones, etc. Forbes ignored my emails asking them to fix.
35
423
1K
just got the heartbreaking news that peter eckersley is in the hospital and may not make it. there will be a vigil for him at 7pm in duboce park. if you want to share a story about him, please let me know.
62
154
1K
if you exclude english and spanish, the most commonly spoken language in each US state is pretty surprising.
37
573
1K
omfg my dentist today made a beat out of the dental cleaning tool sounds WHILE CLEANING MY TEETH and then she declared that her stage name would be Splash Mouth.
33
83
1K
OMG someone actually discovered malware (on the official Monero website) because the attackers changed the download binary but didn't change the hashes posted on the website this is a big day for hash checkers everywhere.
26
356
1K
A lot of people ask "why should I work in software development as opposed to math/physics/finance/etc.?" One reason is that this field is surprisingly full of "inadequate equilibria" (a steady-state in which low-hanging fruits are still available for non-experts to solve).
Myth 1: "Ruby has existed for like 20 years. If it were a good idea someone would have done it already.".Reality: Not that many people actually work on Ruby profilers! Those people have different priorities and interests than me!.
16
344
1K
if your site embeds tweets, add <meta name="twitter:dnt" content="on"> so that Twitter doesn't track your visitors
10
687
1K
cannot praise tim cook and the team at apple highly enough for making my rabbit’s ear go over the clock on the latest update
9
42
1K
no idea how many other legacy SMTP setups have the same issue but it's easy to detect in this case; just inspect the email headers and check if the "authenticated as" user is the same as the address in the "from" field.
12
37
1K
there is a github thread with 42 messages in my inbox this morning where everyone is named Brian
40
330
1K
gitcoin: the author of the commit sha1 with the longest prefix of 0's in your repository is now the project maintainer.
12
419
1K
hi i just want to encourage you to tell someone that they matter, even if you think they know it already. it might sound dumb but someone did this for me and it saved my night.
24
224
1K
peter, among other things, was my first boss at EFF and gave me a chance in cybersecurity when nobody else did. he was the mastermind behind HTTPS Everywhere and Let’s Encrypt. few people have had such a positive impact on the Internet in so little time.
4
99
1K
dystopian novel idea: a near-future world in which the visible spectrum is subject to FCC regulation in order to control visual noise. artists have to apply for licenses to use certain colors.
59
184
1K
my social media feeds are like 10% shitting on cryptocurrencies, 10% memes, 40% politics, 30% infosec, 5% people's personal updates, and 5% posts from my local rabbit shelter. the rabbit shelter posts are the best tbh.
11
89
1K
The military is threatening to put @xychelsea in solitary for the next 3 decades because she attempted suicide.
106
2K
956
everyone knows you're not a real software engineer unless you've collected sand to put into a furnace and purify into ingots for silicon wafers, duh.
32
154
1K
fun way to monitor someone's IP address:.1. create a paid slack workspace.2. get them to join your slack.3. now you can see their IP address and device type in Slack's access logs as long as they're logged in and have the Slack webpage/app open.
31
421
1K
great news!! it’s now possible to be 10x more goth than before because MIT has created a black that is 10x blacker then the previously-blackest black.
45
231
1K
fun fact: i applied to throw a tea party (securiTEA) at defcon this year for folks who don’t like drinking. the hotel, which has a no-outside-beverages policy, wanted to charge us for hot water at $100/gallon.
Hey friends - I won't be drinking in Vegas this year. I'd appreciate support in this matter and not trying to force me to because I'd still like to hang out with you and I won't if that nonsense goes on. Generally good advice to not do that since you don't know someone's reasons.
44
139
972
this was the first galaxy brain meme i ever saw and im still not over it tbh
18
191
982
this is an old optical illusion where there are 12 black dots in the pic but most ppl can't see all of them at once. since u aren't able to focus on all the dots simultaneously, ur brain makes stuff up to fill in the gaps. this is a good metaphor for life. perception != reality
33
352
972
RIP @dakami. u were not only a brilliant hacker and artist but also a great friend. i’ll never forget how u paid for my trip to Toorcon so i could speak there, or all the times u were on ur laptop in the middle of a party debugging the giant LED cubes u built. thx for all the joy.
14
78
993
hello my cat here would like to participate in the social engineering contest
22
136
948