Approve merge requests with your eyes closed
      With the rise of vibe coding, you can (and should) open a merge request without reading it. What’s missing is being able to approve it without reading it either — or even opening your eyes.
    
    read more ⟶
    
  Monitor Your Company's Stock Price on Grafana
      Over the weekend, I built a way to monitor your company’s stock price on Grafana. That way, you can roll back your release if the market thinks your code sucks.
    
    read more ⟶
    
  Breaking electron-store's encryption
      A well-known attack on unauthenticated CBC mode allows attackers to modify encrypted config files without knowing the secret key.
    
    read more ⟶
    
  Ten seconds to ponder if a thread is worth it
      A userstyle that makes you wait ten seconds before entering a Hacker News thread.
    
    read more ⟶
    
  The Chrome T-Rex game, except the dinosaur is you
      This weekend, I modified the Chrome T-Rex game to bring it into the physical world with a projector, webcam, and computer vision magic.
    
    read more ⟶
    
  My brother’s hamster
      My brother got a Siberian dwarf hamster in March, right before we started quarantining. He and the hamster live a few states away, and although I’ve never met her in person, tonight I got a chance to see her over Zoom.
    
    read more ⟶
    
  Where Did Software Go Wrong?
      Software is broken, but it’s not because of NPM, startups, AI, or venture capitalists. A deep dive into how we think about and produce code, and how our software systems reflect the manic state of the modern world.
    
    read more ⟶
    
  Finding secrets by decompiling Python bytecode in public repositories
      Cache rules everything around me. pyc files can contain secrets and should not be checked in to source control. Use the standard Python .gitignore.
    
    read more ⟶
    
  Open and Shut
      I’ve been working on a little toy project called Open and Shut, which enables you to type in Morse code by opening and shutting your laptop lid.
    
    read more ⟶
    
  Building a BitTorrent client from the ground up in Go
      What is the complete path between visiting thepiratebay and sublimating an mp3 file from thin air? In this post, we’ll implement enough of the BitTorrent protocol to download Debian. Look at the Source code or skip to the last bit.
    
    read more ⟶
    
  You're still not anonymous on Looped
      Looped fixed the bug from part 1. That’s all they fixed.
    
    read more ⟶
    
  You're not anonymous on Looped
      Looped knows who you are, and so does anyone who cares to look. Avoid using it unless you understand the risks to your privacy. Read the conclusions.
    
    read more ⟶
    
  Detecting incognito mode in Chrome 76 with a timing attack
      FileSystem API writes are measurably faster and less noisy in incognito mode, allowing websites to detect incognito visitors by benchmarking their write speed. Results
    
    read more ⟶
    
  Reversing JS Malware From marveloptics.com
      The injected script steals checkout form data and sends it to a Chinese-owned domain. But the attackers are really bad at programming.
    
    read more ⟶
    
  An Analysis of Cloudflare's Email Address Obfuscation
      It’s a hex encoded string where the first byte (the key), is XORed against each subsequent byte to decrypt the email address. This is not a vulnerability.
    
    read more ⟶
    
  Hacking Harvard (and nearly every other college)
      Chaining two CSRF attacks and brute forcing the user’s birth date (upper bound = 730 requests) allowed complete account takeover.
    
    read more ⟶
    
  Snow Day Calculator XSS
      PHP’s type coercion and unescaped use of the page’s snowdays parameter allows injecting arbitrary HTML and JavaScript via a reflected XSS attack.
    
    read more ⟶
    
  Stored XSS in Schoology
      Schoology blog posts accept a plain HTML document via a tinymce editor, which may be injected with arbitrary elements, including iframes and event handlers.
    
    read more ⟶
    
  Uncovering a Bug in Cloudflare's Minification Service
      A bug in Cloudflare’s Auto Minify service parsed // and /* ... */ within ES6 `template literals` as comments, causing it to truncate lines or entire blocks of code, leading to unpredictable behavior or, in rare cases, a code injection vulnerability.
    
    read more ⟶
    
  Bypassing Cert Pinning in the Steam Mobile App
      Use apktool and jadx to identify and remove cert pinning code so we can MITM the app to watch its network requests.
    
    read more ⟶