ExperimentalGuy

So I've had this idea for an API for a while but the problem I keep coming back to is authentication. I'm using rocket to actually code it. I looked through the rocket docs and it looks like the closest thing to API key authentication it has are cookies.

I then went and looked at some other APIs to see if I can copy their layouts and it looks like a lot of them use an API key and then a secret API key for authentication. Did some more googling and stackoverflow said that it's more secure to use a pair like that.

So that leaves me with the actual question: how do you actually implement this feature? Do you just generate API keys and throw them a database to be looked up later? Should they be written/read to a file to be used later(probably not a good option I'd guess).

Just for reference I'm using rocket, sqlx and postgres.

I've been coming back to the same project a few times. It's essentially just a program that interacts with an API. Only problem is whenever I get back to it, I realize how annoying it is to debug through all the "too many requests" responses I get back from the API because it has a max of 200 requests per second.

On solution would be to filter out those responses but that just feels like the wrong move, so I'm guessing the better solution would be to put some sort of rate limiter on my program. My two questions are: does that seem like a good solution and if it is, do I embed the rate limiter in my program, i.e. using the ratelimit crate or would a better solution be to run my program in a container and connect it to a reverse proxy(I think) container and control rate limiting from there?

I've been trying to learn the fuzzing library LibAFL for a while now, but I never seem to be able to fully grasp the essential parts. I've read tutorials, followed along tutorials, read the whole LibAFL book (that's still under construction), and have read a few of the examples in the repo. You could say I'm still in tutorial hell, honestly.

I'm trying to write a simple fuzzer for a malware code sample (MooBot) and I've been trying to figure out two things: how to find the input that has the maximum run time for a function, and how to not run malware directly on my computer. One of them should be more important than the other, but given my lack of expertise in LibAFL right now, I'm focused on the former. For my example, I noticed that there's a custom trim function in MooBot that helps sanitize input:

void trim(char *str)
{
        int i, begin = 0, end = strlen(str) - 1;

    while (isspace(str[begin]))
        begin++;

    while ((end >= begin) && isspace(str[end]))
        end--;

    for (i = begin; i <= end; i++)
        str[i - begin] = str[i];

    str[i - begin] = '\0';
}

This is what I test in my harness. I know I could probably logic my way into finding the input that has the max run time, but I'm using this as an exercise for LibAFL and using the rust FFI. The problem is how to deal with feedbacks and observers. I currently have this with no observers:

let mut feedback = CrashFeedback::new();
let mut objective = CrashFeedback::new();

Which simply reports an input if it crashes the program. It works for inital fuzzing, but now that I'm trying to find an input that maximizes run time this won't work. I tried to figure if there was a maximization feedback that would work with the time observer, but the only feedback that maximizes anything is the MaxMapFeedback which doesn't seem compatible with the time observer.

What I'm envisioning is something like this:

let mut observer = TimeObserver::new();
let mut feedback = MaximizeFeedback::new(&observer);

I think the solution has something to do with MapFeedbacks, but I'm not exactly sure how they work.

This is going to sound fishy.

Recently getting into cybersecurity things and have been pretty interested in looking at malware and maybe making some myself to get the hang of it. Do you guys know any good repositories with malware to learn from? For example, if I wanted to make a credential stealing program, there's a lot of different programs that may have credentials that are valuable. Or, maybe writing a keylogger? I took a look at a rust crate that can record keystrokes but has kind of a weird (or at least not as easy) type system because of different OS implementations, but how do different types of malware consolidate those differences?

I guess the broader question I'm getting at specifically is looking at how already made programs get around different technical obstacles like detailed above.

Thanks

I went to my local library today and noticed there's a lot of networking, cybersecurity, tcp/ip books from the early 2000s. Now, I want more modern versions of these types of handbooks. Does anyone know any good modern handbooks that deal with networking or network security standards?

Thanks :)

I wanted to get others' takes but it seems like the only real way to get a non-spying car is to get an older car without any sort of telemetrics. I saw a video about different car companies' security policies, well specifically the new Mental Outlaw video, and it just blew me away how even our cars aren't safe. Anyone got tips for how to anonymize their car?

I've seen a lot of different enterprise and personal use distros for servers, but what do you guys use?

I'm planning on using Debian but was wondering if there are any other good free options to consider.

I've been looking around to find a good, privacy respecting way to sync my messages between phones. I decided I'm going to use SyncThing so I don't have to mess around with a server. The only problem with this is that I haven't been able to find any apps that work on modern Android that routinely backup and import messages from a file/folder into the messages database. Does anyone know any app that might do this?

I recently purchased a domain for myself as a why-the-fuck-not purchase and I need some ideas for what to put on there. Some ideas so far include: Small Blog Personal S/FTP server to sync back to Minecraft server

Does anyone have other ideas? Thanks :)

Smooth breath

I beset from your bated breath

Unless the stress that's given to me clear

Resides unfound and unclear

The key to my restitution lies in recognition

Opaque and sticky, defiance. Then remission

Upset and overreliant on bad positions

The lever's balance is set on a dud pivot

Problems unseen stay while shit thickens

While the root is left untapped

The branch kindles

When the words barely whisper

And the songs known forgotten

When the seldom well wished

And a stone throw's the bottom

When the once well trodden

Is soiled down and sodden

Accept the well wishes of ones who once wished

And song without a singer like food without dish

And sing those well wishes to your brother on a lake

Stoning throws, hitting water, showing off for the sake

I'm trying to find a good fuzzing tool for testing my web applications and was wondering what people would recommend. I'm trying to find one that is open source, free, and doesn't use proprietary stuff. It seems like Google's OSSFuzz is the closest option to what I'm looking for, but it uses Google cloud :/