• 2 Posts
  • 63 Comments
Joined 1 year ago
Cake day: June 18th, 2023


  • Mikina@programming.dev to Programming@programming.dev · Making malware · 6 upvotes, 1 downvote · edited · 1 month ago

    I can’t recommend Maldev Academy enough. It has been an amazing resource to get into malware development. Keep in mind, however, that malware development is a pretty difficult topic. You will have to eventually use WinAPI and syscalls, so learning about that even outside of malware development will help you a lot.

    For example, try looking into how to execute a shellcode in memory - allocate memory as RWX, copy some data and then execute it. Try executing it in a different process, or in a different thread of another process. That’s the core of malware development you’ll probably eventually have to do anyway. Manually calling syscalls is also a skill that you’ll need, if you want to get into EDR avoidance.

    Also, look into IoCs and what kind of different stuff can be used to detect the malware. Syscall hooks, signatures, AMSI, and syslog are all things that are being watched and analyzed to detect malware, and knowing what exactly your program is logging and where is one of the most important and difficult skills you can get.

    There probably are a lot of resources for these two skills, and they are an important foundation for malware development, so I’d suggest researching that. You’ll probably not get much from looking at other malware, because it tends to be really low-level and obfuscated, exactly to avoid the IoCs I’ve mentioned above. Implementing the malware behavior after that is the easier part.

    Another good resource to look into are C2s and communication; for example, Mythic C2 has some interesting stuff.

    And I really recommend joining the Bloodhound Slack. Throughout my cybersecurity career as a Red Teamer, the community has helped me a lot and I’ve learned amazing stuff just by lurking.



  • It’s best to have a local copy of package repos with whitelisted libraries, or so I’ve heard. But containers are fine, too. Especially with VSCode .devcontainers, it’s super easy to set up and distribute with the repo; there’s really no reason not to do that.

    The biggest issue here that a lot of people don’t realize is Bing AI; it’s insanely easy to poison its results, since it summarizes search results. It’s only a matter of time before someone convinces it to start using or adding a typosquatted/malicious library to answers to a common programming question, and it will be fun times ahead.



  • While getting through college, I was always bummed that we had to learn a lot of stuff that seemed super irrelevant to my future career, while also being annoying. Stuff like Prolog, Phyro, Lisp, Assembly, or a bunch of obscure math.

    It was only years later when I finally realized why it was important - the school wasn’t for teaching me to be the C#/Java programmer, but it taught me to be A programmer. I can pick up and start successfully writing anything I need, in any language, relatively quickly and without issues, no matter whether it’s functional, objective, or whatever style of language, because I’ve very probably already had to deal with, learn, understand and pass exams in a language that is similar to it, since college made me learn a language from almost every style or flavor of languages there are.

    I was surprised when I first saw colleagues struggle with picking up languages other than the ones they work in, and that was when I finally realized why and how sneakily the college made me a universal programmer without me noticing it. And that’s something that’s harder to get when self-taught, because you don’t get exams and it’s easier to miss the point and just skip courses on Lisp, Prolog or lambda calculus, because it seems irrelevant, but the different point of view and approach used when writing in those languages is what will teach you the most.


  • 76% of all respondents are using or are planning to use AI tools in their development process this year, an increase from last year (70%). Many more developers are currently using AI tools this year, too (62% vs. 44%).

    What the fuck. That’s horrifying. I also thought that every sensible workplace bans the use of AI.

    A friend was telling me about a discussion between CTOs at a conference, where they were talking about whether it’s even worth it to hire junior developers anymore, since there’s a high risk of them just being “AI-raised”, without much (or any) experience of coding without AI. And, this survey result… I can see where they are coming from. The future of programming looks pretty bleak - our job will not be replaced. It will just get worse, with good developers being more of a rarity.

    And the amount of people who use vim or neovim as their IDE is surprisingly high. Is it skewed by sysadmins?


  • There’s a piece of code in our hobby game project that I’ve written after attending classes in college about how to write clean and SOLID code. It’s the most overengineered piece of shit I’ve ever written. I’m not saying it’s the fault of the lectures, of course it’s on me being a little bit overzealous, but it does check all the boxes - it’s a simple “show selectable list of stuff”, follows MVC, it’s extensible without rewriting to additional data types and formats, has an extensible view that can show any part of data you need, is generic, and in general it could be used anywhere we need, for any kind of data.

    There’s only one place where we need and use such list in our game.

    I needed to rewrite a part of it, since the UI changed drastically, to not need this kind of list, while also adding events into the process. I haven’t seen the code for almost 4 years, and it’s atrocious. Super hard to understand what’s going on, since it’s too generic, interfaces and classes all over the place, and while it probably would be possible to rewrite the views for the new features we need, it’s just so complex that I don’t have the mental capacity to again figure out how it was supposed to work and properly wire it up again.

    I’m not saying it’s the fault of the classes, or SOLID. It’s entirely my fault, because the classes inspired and hyped me with ideas about what clean code should look like, so that I didn’t stop and think whether it’s really needed here, and went over the top and overengineered the solution. That’s what I’d say is the danger of such Clean Code books and classes - it’s easy to feel clever for making something that passes SOLID to the letter, but extensibility usually comes at the cost of complexity, and it’s super important to stop and think: do I really need it?


  • One night when returning from a party at work, I decided to stay a while longer in the tram to escort my co-workers to the tram central hub (which was like half an hour of tram ride), instead of getting out at my home, which was only 5 minutes from our workplace.

    When I got into the tram back home, there was an older guy with a cardboard robot costume, who was talking to someone about his work in the theater. Because I find people like that interesting, I decided to move closer and sit next to them, so I could listen to their pretty interesting conversation. I tripped and basically literally fell into their conversation, and the other guy left, so we started talking. It turned out he works as a prop guy on movies and for theater, and we hit it off pretty well. He also lived literally 3 minutes from my place, and we decided to go have a few more beers at his home, which was basically a storage lot full of random stuff without much furniture - just random props, one bed, and a lot of beer.

    I messaged my GF that I’d be late, since I was drinking with this pretty cool old guy, and sent her a picture of the place. Her response was “Wait, isn’t that <name>?”. Turns out, he was a prop guy on a movie they were filming a lot of years ago at their old family house when she was young, and not only was he the most fun guy to be around there, always sneaking out to drink with them, but he also briefly dated her (late) mother, so he’s basically her step-dad. Since he’s pretty old-school, no social networks, internet and barely a phone, we did exchange contacts and since then have seen him a few times, and it was always a treat, like getting us to the backstage of a theater production. But the way we met is so, so random and the odds of something like that happening are mind-blowing. I usually don’t follow random people home, but here we hit it off so well that we wanted to keep talking and it didn’t even feel weird.



  • My favourite take on DI is this set of articles from like 12 years ago, written by a guy who wrote the first DI framework for Unity, on which the currently popular ones, such as Zenject, are based.

    The first two articles are pretty basic, explaining his reasoning and why it’s such a cool concept and way forward.

    Then, there’s this update:

    Followed by more articles about why he thinks it was a mistake, and he no longer recommends or uses DI in Unity in favor of manual dependency injection. And I kind of agree - his main reasoning is that it’s really easy for unnecessary dependencies to sneak into your code base, since it’s really easy to just write another [Inject] without a second thought and be done with it.

    However, with manual dependency injection through constructor parameters, you will take a step back when you’re adding the 11th parameter to the constructor, and will take a moment to think whether there’s really no other better way. Of course, this should not be a relevant issue with experienced programmers, but it’s not as inherently obvious that you’re doing something potentially wrong when you just add another [Inject], compared to adding another constructor parameter.


  • I’m starting to think that “good code” is simply a myth. They’ve drilled a lot of “best practices” into me during my master’s, yet no matter how much you try, you will eventually end up with something overengineered, or a new feature or a bug that’s really difficult to squeeze into whatever you’ve chosen.

    But, ok, that doesn’t prove anything, maybe I’m just a bad programmer.

    What made me sceptical however isn’t that I never managed to do it right in any of my projects, but the last two years of experience working on porting games, some of them well-known and larger games, to consoles.

    I’ve already seen several codebases, each one with a different take on how to make the core game architecture, and each one inevitably had some horrible issues that turned up during bugfixing. Making changes was hard; it was either overengineered and almost impenetrable, or we had to resort to ugly hacks since there simply wasn’t a way to do it properly without rewriting a huge chunk.

    Right now, my whole programming knowledge about game architecture is a list of “this doesn’t work in the long run”, and if I were to start a new project, I’d be really at a loss about what the fuck I should choose. It’s a hopeless battle; every approach I’ve seen or tried still ran into problems.

    And I think this may be the author’s problem - it’s really easy to see that something doesn’t work. “I’d have done it differently” or “There has to be a better way” is something that you notice very quickly. But I’m certain that whatever he would propose, it’d just lead to a different set of problems. And I suspect that’s what may be happening with his leads not letting him stick his nose into stuff. They have probably seen that before, as it rarely helps.


  • I’d recommend going for the app dev. I always knew I would be working in gamedev, but chose my bachelor’s degree in general software engineering, and only went for a master’s in gamedev.

    I’ve been out of school for around 5 years now, and I’m really glad I chose SWE instead of anything more specialized - because it has given me the broadest possible outlook on IT, from documentation best practices, through UML, to various obscure languages from Smalltalk through Lisp, assembly and Prolog to C, Java and C#, while also having some optional classes focused on cybersecurity or AI.

    Most of what I’ve learned, I don’t really remember or use daily - but the information has somewhat stuck with me, and I can quickly recall the general concept every time I encounter a similar problem, which makes research a lot faster. If I need to write something in a language that’s not my main focus, I can be certain that no matter how unknown, I’ve already worked in something with similar concepts. And that makes it so much easier to quickly understand syntax and start writing code.

    I can’t imagine how difficult it would be for me to grasp how the hell something like Prolog is supposed to work, but having to sit through classes on it that I barely remember has left me with a vague recollection of what its purpose is, so if I encounter anything similar, I can just pick it up almost immediately. And this goes for most styles of languages or problems - I’ve already dealt with something similar.

    Not to mention that while UML diagrams and general documentation practices may sound pretty boring (and they are), I’ve already encountered situations where the diagram was integral to understanding what the docs are going for - and I was able to get it instead of having to figure it out by myself, because I’ve already worked with them at school.

    Also, having options is nice - after school, I went to work in cybersec, even though I had only like one optional class on the topic, and I can see how much it has helped me to have a broad overview in comparison to colleagues who didn’t have it. I can write scripts in whatever we encounter, I have a deeper understanding of how other developers write code, what could be wrong, and have a better educated guess at how exactly the stack we’re black-box testing works. And looking up the more specialized cybersec knowledge is way easier than researching a stack of technologies I’ve never seen or worked with in my life. And that’s where the broader degree has helped me the most.

    Also, you can probably enroll in optional classes that are outside of your field of study, which I really recommend - I was doing that a lot during my studies, and they were the most memorable and useful lectures I’ve had.




  • I make second factor public, effectively reverting to 1FA.

    I work as a Red Teamer, and I heavily disagree with this approach. MFA has been the bane of so many engagements. We usually end up with a lot of credentials from the target company that we can’t really use for anything (unless you already are in the network, where some Windows services don’t require it), because each one is under MFA.

    There are so many different ways to solve the problem of not losing access to your account. Make offline back-ups of recovery keys, back up your Aegis vault to different places.

    Also, you may have a pretty good level of security awareness, highly reducing the risk of any kind of breach happening to you. But that’s something you can only affect to a degree. Supply chain attacks happen, zero days happen. An extension you are using in your browser may get compromised, and someone pushes an info-stealer instead (which has already happened, e.g. with Nano Defender). MFA is what will help you in cases like these.


  • Ooh, you are right, I can actually file bug reports or try to fix it myself now that I switched to FOSS from Windows. Tbh that didn’t really occur to me, since I was switching only like a month ago. I’ll look into it, so far I suspect that it’s actually covered by one of those troubleshooting cases mentioned in their FAQ, and I’m not really confident enough to start recompiling libraries with additional flags. Especially since I’m on Nobara and don’t want to break anything, AFAIK that OS is pretty customised from the start and figuring out what I can safely touch isn’t something I have the guts for yet.


  • Mikina@programming.dev to Programmer Humor@programming.dev · === · 18 upvotes · edited · 10 months ago

    It’s also important if you’re checking hashes (at least, it was - if you’re using correct hashing algorithm that isn’t ancient, you will not have this problem).

    Because if you take for example “0e462097431906509019562988736854” (which is md5(“240610708”), but also applicable to most other hashing algorithms that hash to a hex string), if(“0e462097431906509019562988736854” == 0) is true. So any other data that hashes to any variation of “0e[1-9]+” will pass the check, for example:

    md5("240610708") == md5("hashcatqlffzszeRcrt")

    that equals to

    "0e462097431906509019562988736854" == "0e242700999142460696437005736231"

    which thanks to scientific notation and no strict type checking can also mean

    0462097431906509019562988736854 == 0242700999142460696437005736231

    which is

    0 == 0

    I did use md5 as an example because the strings are pretty short, but it’s applicable to a whole lot of other hashes. And the problem is that if you use one of the strings that hash to a magic hash in a vulnerable site, it will pass the password check for any user whose password also hashes to a magic hash. There’s not really a high chance of that happening, but there’s still a lot of hashes that do hash to it.
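The comparison described above, written out as an added example that is not part of the original comment. It assumes the check runs in PHP (the comment doesn’t name a language, but PHP’s loose `==` is what turns two “0e…” strings into 0 == 0); the two inputs and their MD5 hashes are the ones quoted above, and the function names are made up for the illustration:

```php
<?php
// Added example, not from the original comment. Assumes PHP, whose loose `==`
// compares two numeric-looking strings as numbers: "0e462..." and "0e242..."
// are both 0 * 10^n, so `==` reports them equal. The two passwords and their
// MD5 hashes are the ones quoted in the comment above.

// Vulnerable form: loose comparison of the stored hash with a fresh hash.
function checkLoose(string $storedHash, string $candidate): bool
{
    return md5($candidate) == $storedHash;
}

// Hardened form: hash_equals() compares byte for byte in constant time and
// never coerces strings to numbers, so the two "0e" strings simply differ.
// (A strict `===` also stops the type juggling, but still leaks timing.)
function checkStrict(string $storedHash, string $candidate): bool
{
    return hash_equals($storedHash, md5($candidate));
}

// What a login check should use instead of a bare MD5: a salted, slow
// password hash. password_verify() also compares in constant time.
function registerUser(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function loginUser(string $storedRecord, string $candidate): bool
{
    return password_verify($candidate, $storedRecord);
}

// The stored hash from the comment: md5("240610708") is "0e462097431906509019562988736854".
$stored = md5("240610708");

// The other password from the comment, whose MD5 also starts with "0e".
var_dump(checkLoose($stored, "hashcatqlffzszeRcrt"));
var_dump(checkStrict($stored, "hashcatqlffzszeRcrt"));
var_dump(checkStrict($stored, "240610708"));

$record = registerUser("240610708");
var_dump(loginUser($record, "hashcatqlffzszeRcrt"));
var_dump(loginUser($record, "240610708"));
```

Run it with the php command-line interpreter: the loose check accepts the wrong password, while hash_equals() and password_verify() reject it and accept only the real one. hash_equals() is preferred over a bare `===` because, besides refusing to juggle types, it runs in constant time, so the comparison does not leak how many leading bytes matched.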