• 0 Posts
  • 28 Comments
Joined 2 years ago
cake
Cake day: June 18th, 2023

help-circle

  • I started as part time without any experience durring my college. I was studying gamedev software engineering, but we had one voluntary class about Ethical Hacking.

    I just asked my professor if he can reffer me to someone in the field, followed OWASP Web App Testing guide to the letter when testing the interview homework website, and landed the job without much prior experience (I did attend a few CTF competitions, though).

    Just following the checklist in OWASP testing guide made my results comparable to, or even better to some of my colleagues, and I’ve slowly learned the rest (especially internal domain pentesting) from our internal documentation or shadowing seniors during pentests, and simply being interrested in the field, having initiative and looking up new tools and exploits eventually got me to a Red Team Lead role (not a very good RT, though, but it did improve eventually).

    The pay was pretty good compared to what’s usuall here in Czech, too. I could comfortably pay rent and get by even with part-time, during college.


  • My issue with canvas fingerprinting and, well, any other fingerprinting is that it makes the situation even worse. It plays right into the hands of data brokers, and is something I’ve been heavily fighting against, and simply don’t visit any website that doesn’t work in my browser that’s trying hard not to be fingerprintable.

    Just now there is an article on the front page of programming.net about how are data brokers boasting to have extreme amounts of data on almost every user of the internet. If the defense against bot will be based on fingerprinting, it will heavily discourage use of anti-fingerprinting methods, which in turn makes them way less effective - if you’re one of the few people who isn’t fingerprintable, then it doesn’t matter that you have no fingeprint, because it makes it a fingerprint in itself.

    So, please no. Eat away on my CPU however you want, but don’t help the data brokers.





  • I use Pixel with GrapheneOS as my phone, and I just have a separate profile that only has WhatsApp installed and nothing else. Since the profiles are completely separated, it doesn’t have access to anything else I do on the phone and it’s not running in the background (the profiles are basically sandboxed fresh slates, and switching it can be set-up to behave in a same way as basically turning off the phone as far as the profile is concerned).

    When the bridge asks me to log in again or refresh a session, I simply switch to the second profile for a minute and re-log in. I’ve heard iIt might be possible to set up an emulator and leave it running on the server, but that felt like too much effort.


  • I see a few people who don’t want to switch due to the hassle it would take with changing email addresses, presumably because they use one of the @proton.me email domains. Get your own email domain! It’s super cheap (if you choose one of the new TLDs, it can be as low as few dollars a year), the setup isn’t really hard - you just change a few DNS values, and that’s basically it - you can use whatever email you want that ends with your domain. It might take a while to slowly replace all your @proton.me emails with your domain one, but if you’re not in a hurry and change any old mail you see during your day-to-day activities, you’ll eventually be done with it, and you can set up mail forwarding to your domain for mail that arrives to your old @proton.me address.

    And if you ever need to move to a different provider, you just change the DNS records again to a new provider, and your email will start coming to the new one immediately.









  • Yeah, that’s my experience as well. In addition to being lazy with updating, so if some kind of supply chain attack happens, I usually sorts itself out before I get to updating :D

    But I did limit my browser extensions, after I a cause with Nano Defender taught me a lesson - it was a mildly popular anit-anti-adblock killer that worked where other adblocks were detected, but the developer sold the extension to a company that turned it into a info-stealer malware and pushed an update through chrome store, which got accepted and propagated, and some of my social network sessions got compromised. So, I just stick to more popular projects where something like this shouldn’t happen, and don’t use random extensions.