Six years of saved links

..and a wordcloud!

Thu, 03 May 2018

Intro

Over six years of studying, and working in technology Ive acquired over 600+ links. Losing these links to me would feel like the burning down of the Library of Alexandria. I use alot of them as references for programming and information security based work.

While scraping all these links I saw the word beginner become less frequent as we got closer to the present day, so I even found a fun way to add a visualization to this post.


Browser based Library of Alexandria

I cant stress the importance of reading enough, it will advance you more than you can imagine.

While writing a brief script to scrape all these links, which I will link shortly, I realized there are actually trends in these links. We can actually use some python libraries and heuristics to identify these trends amongst the links.

  1. Script I used to harvest my saved links from reddit, frequency data, and simultaneously create a word cloud
  2. The organized and sorted links.

You can find the raw unsorted copy of all of the links here https://pastebin.com/raw/9K5sNfgK

Itll have a good deal of extraneous links that I found interesting, but Ive omitted them from this in order to keep it on topic of security.

Security is more than just knowledge of mechanism or inner-workings of code, its also a mindset. So I have some materials relating to social engineering, and overall thought process mixed in some places.


getlinks && makewordcloud
from __future__ import absolute_import, unicode_literals
import praw
import json 
from wordcloud import WordCloud, STOPWORDS 
import matplotlib.pyplot as plt 

class LinkSave(object):

	def __init__(self, mode=None):
		self.mode=mode

	def load_config(self, data):
		self.config = json.load(open(data))
		return self.config

	def auth_reddit(self):
		try:	
			self.reddit = praw.Reddit(
				client_id = self.config['reddit']['id'],
				client_secret = self.config['reddit']['secret'],
				user_agent = self.config['reddit']['user_agent'],
				username = self.config['reddit']['username'],
				password = self.config['reddit']['password']
			)
			self.me = self.reddit.user.me()
			return self.reddit
		except Exception as exc:
			print('{0} - Unable to auth to reddit, check your creds'.format(exc))	
			exit(0)

	def get_links(self):
		target = open("saved_links.txt", "w")
		self.words = ''
		for link in self.me.saved(limit=None):
			try:
				target.write('{0} -- {1}'.format(link.title, link.url))
				self.words = self.words + ' ' + link.title	
			except Exception as exc: 
				print('{0} - This exception handles saved comments '.format(exc))
		target.close()
		return self.words
		
	def make_cloud(self):
		stopwords = set(STOPWORDS) 
		stopwords.add("using")
		stopwords.add("programming")
		stopwords.add("post")
		stopwords.add("source")
		wordcloud = WordCloud(background_color="white", width=800, height=400, stopwords=stopwords).generate(self.words)
		plt.imshow(wordcloud, interpolation='bilinear')
		plt.axis("off")

		#render a second slightly different wordcloud
		wordcloud = WordCloud(background_color="white", stopwords=stopwords, max_font_size=40).generate(self.words)
		plt.figure()
		plt.imshow(wordcloud, interpolation="bilinear")
		plt.axis("off")
		plt.show()


if __name__ == '__main__':
	driver = LinkSave()
	driver.load_config('user_config.json')
	driver.auth_reddit()
	driver.get_links()
	driver.make_cloud()

''' user_config.json
{
 "reddit": {
   "id": "",
   "secret": "", 
   "user_agent": "",
   "username": "",
   "password": ""
	}
}
'''

Its a pretty succint script, I try to operate under the thought that if its clean enough its fairly self explanatory. Its a little personalized but you could easily edit it to do the same for you.

4 Step Linear flow: Read in config -> Auth to reddit -> Scrape links into string and save to file -> generate word cloud

So what does this give us?

Word Cloud

Personally I find that pretty neat, its a visualization of all Ive tried to hone in on over the years.The one that stands out most to me is Reverse Engineering, Ive been working on learning for a while. Its definitely one of the more challenging things Ive tried to wrap my mind around.

So Ive decided to throw it at the top of this list. Without delay, here is my best attempt at a sorted list.


Reverse Engineering && Malware
Title URL
An Introduction to the CAN Bus: How to Programmatically Control a Car https://news.voyage.auto/an-introduction-to-the-can-bus-how-to-programmatically-control-a-car-f1b18be4f377
DhavalKapil/libdheap: A shared (dynamic) library that can be transparently injected into different processes to detect memory corruption in glibc heap https://github.com/DhavalKapil/libdheap
Reverse Engineering My Home Security System: Decompiling Firmware Updates https://markclayton.github.io/reverse-engineering-my-home-security-system-decompiling-firmware-updates.html
Project Zero: Over The Air - Vol. 2, Pt. 3: Exploiting The Wi-Fi Stack on Apple Devices https://googleprojectzero.blogspot.com/2017/10/over-air-vol-2-pt-3-exploiting-wi-fi.html
smashthestack.pdf https://avicoder.me/papers/pdf/smashthestack.pdf
Where-theres-a-JTAG-theres-a-way Where-theres-a-JTAG-theres-a-way https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Where-theres-a-JTAG-theres-a-way.pdf Where-theres-a-JTAG-theres-a-way.pdf
New emotet hijacks windows api evades sandbox analysis http://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/
Skeleton in the closet. MS Office vulnerability you didn’t know about https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about
ROPEmporium: Pivot 32-bit CTF Walkthrough With Radare2 http://radiofreerobotron.net/blog/2017/11/23/ropemporium-pivot-ctf-walkthrough/
ropchain @kvakil
Escape Docker Container Using waitid() CVE-2017-5123
ROPEmporium: Pivot 64-bit CTF Walkthrough With Radare2 - Zero State Machine http://radiofreerobotron.net/blog/2017/12/04/ropemporium-pivot-ctf-walkthrough2/
/lobotomy: Android Reverse Engineering https://github.com/rotlogix/lobotomy
java-decompiler/jd-gui: A standalone Java Decompiler GUI https://github.com/java-decompiler/jd-gui
Defusing a Binary Bomb with Binary Ninja https://kukfa.co/2016/06/05/defusing-a-binary-bomb-with-binary-ninja/
Notepad+++ - Break it, Fix it, Write It Down - Putting stuff together so you dont have to google as hard as I did https://remotephone.github.io/lab/homelab/budget/testing/2016/12/20/practical-docker.html
SetgidDirectoryPrivilegeEscalation/CreateSetgidBinary.c http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/CreateSetgidBinary.c
buffer overflow explained https://www.uperesia.com/buffer-overflow-explained
Vulnerable Security - Reverse Engineering a book cover https://vulnsec.com/2017/reverse-engineering-a-book-cover/
CVE-2017-5521: Bypassing Authentication on NETGEAR Routers https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2017-5521
C++ DLL Injector Version 2 - BOTH 32-bit and 64-bit - Clean Code! - Multiple Functionalities! https://www.youtube.com/watch?v=W6HpX85ICh8
An in-depth explanation of how a 10 year old bug in Guitar Hero was reverse-engineered and fixed without using the source code https://www.youtube.com/watch?v=A9U5wK_boYM
Breaking the x86 Instruction Set https://www.youtube.com/watch?v=KrksBdWcZgQ
The Wonderful World of MIPS http://www.ringzerolabs.com/2018/03/the-wonderful-world-of-mips.html
A good two-part lecture on the basics of x86 architecture and system calls in *Nix systems [ for beginners ] https://www.youtube.com/watch?v=xHu7qI1gDPA
Linux ASLR and GNU Libc: Address space layout computing and defence, and “stack canary” protection bypass [ PDF and Github Sources ] https://github.com/blackzert/aslur/raw/master/offensivecon-talk.pdf
Reverse Engineering a MMORPG Bot to Find Vulnerabilities https://www.youtube.com/watch?v=irhcfHBkfe0
Reverse Engineering A Mysterious UDP Stream in My Hotel · Gokberk Yaltirakli https://gkbrk.com/2016/05/hotel-music/
Keyshuffling Attack for Persistent Early Code Execution in the Nintendo 3DS Secure Bootchain https://github.com/Plailect/keyshuffling
Reverse Engineering Malware 101 https://securedorg.github.io/RE101/
This channel explains a good deal of C/C++ for malware creation for Windows and lots of low-level fundamentals https://www.youtube.com/channel/UCDk155eaoariJF2Dn2j5WKA
Cracking Sublime Text 3 http://blog.fernandodominguez.me/cracking-sublime-text-3
Coding A Keylogger - Understand How Actual Keyloggers Work https://github.com/MinhasKamal/StupidKeyLogger
Docker 0-Day Stopped Cold by SELinux http://rhelblog.redhat.com/2017/01/13/docker-0-day-stopped-cold-by-selinux/
How Can Drones Be Hacked? The Vulnerable drone and attack tools Compilation http://medium.com/@swalters/how-can-drones-be-hacked-the-updated-list-of-vulnerable-drones-attack-tools-dd2e006d6809#.o9nyxc3yz
a single byte write opened a root execution exploit on ChromeOS https://daniel.haxx.se/blog/2016/10/14/a-single-byte-write-opened-a-root-execution-exploit/
Internet Explorer has a URL problem http://blog.innerht.ml/internet-explorer-has-a-url-problem/
How to crack a totally blurred captcha? (any lead?) https://www.reddit.com/r/hacking/comments/4v5trz/howtocrackatotallyblurredcaptchaanylead/
MS16-039 – “Windows 10” 64 bits Integer Overflow exploitation by using GDI objects https://blog.coresecurity.com/2016/06/28/ms16-039-windows-10-64-bits-integer-overflow-exploitation-by-using-gdi-objects/
Hey guys, Ive gone and put together a github repo containing in-depth tutorials designed to teach binary exploitation from the ground up. Tell me what you think! https://github.com/bert88sta/how2exploit_binary
Just released the Practical Malware Analysis Starter Kit, a collection of pretty much every binary mentioned in the book. [ x-post /r/reverseengineering ] https://bluesoul.me/practical-malware-analysis-starter-kit/
X86 Shellcode Obfuscation - Part 2 - The obfuscception! (source in Python included) https://breakdev.org/x86-shellcode-obfuscation-part-2/
Practical Reverse Engineering of a Router Part 2: Scouting the Firmware http://jcjc-dev.com/2016/04/29/reversing-huawei-router-2-scouting-firmware/
Building a Home Lab to Become a Malware Hunter - A Beginner’s Guide https://www.alienvault.com/blogs/security-essentials/building-a-home-lab-to-become-a-malware-hunter-a-beginners-guide
Lisa.py - An exploit Developers swiss army knife (With ROP gadget support ) https://github.com/ant4g0nist/lisa.py
Android Reverse Engineering using apktool https://www.youtube.com/watch?v=K35AkvE8ulY
Ghost in the Droid: Reverse Engineering Android Apps https://pen-testing.sans.org/blog/2016/12/05/ghost-in-the-droid-reverse-engineering-android-apps
Mining Android Secrets (Decoding Android App Resources) https://pen-testing.sans.org/blog/2016/12/10/mining-android-secrets-decoding-android-app-resources
Reverse engineering a router part 1 - Hunting for hardware debug ports http://jcjc-dev.com/2016/04/08/reversing-huawei-router-1-find-uart/
New self-protecting USB trojan able to avoid detection http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/
attactics [ dot ] org: Bypassing Antivirus With Ten Lines of Code or (Yet Again) Why Antivirus is Largely Useless http://www.attactics.org/2016/03/bypassing-antivirus-with-10-lines-of.html
AceDeceiver: First iOS Trojan Exploiting Apple DRM Design Flaws to Infect Any iOS Device (x-post /r/programming) http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/
Assembly Optimizations I: (Un)Packing Structures https://haneefmubarak.com/2016/02/25/assembly-optimizations-i-un-packing-structures/
Breaking homegrown crypto https://kivikakk.ee/cryptography/2016/02/20/breaking-homegrown-crypto.html
Exploiting a Kernel Paged Pool Buffer Overflow in Avast Virtualization Driver https://www.nettitude.co.uk/exploiting-a-kernel-paged-pool-buffer-overflow-in-avast-virtualization-driver/
glibc getaddrinfo() stack-based buffer overflow https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
DLL Injection with an old MMO client http://kukfa.co/2015/12/dll-injection-with-an-old-mmo-client/
Reverse Engineering the Yik Yak Android App http://randywestergren.com/reverse-engineering-the-yik-yak-android-app/
Hacking the PS4, part 1 - Introduction to PS4s security, and userland ROP https://cturt.github.io/ps4.html
[ VIDEO ] Software Hacking - Simple Patching (IDA Pro, C) https://www.youtube.com/watch?v=Awg4_6d5Nb8
Where do I start with reverse engineering malware? I recommend “RE for Beginners” , I like the method used to teach reverse engineering. Then you can start doing some challenges .
MacOS X 10.11.1 File System Buffer Overflow https://cxsecurity.com/issue/WLB-2015100149
Statically Linking a Windows Kernel Driver as an ELF http://gaasedelen.blogspot.com/2015/10/statically-linking-windows-kernel.html
A closer look at an operating botnet http://conorpp.com/blog/a-close-look-at-an-operating-botnet/
How to Reverse Engineer Android Applications http://darkmatters.norsecorp.com/2015/07/15/how-to-reverse-engineer-android-applications/?utmcontent=buffer1915a&utmmedium=social&utmsource=twitter.com&utmcampaign=buffer
hackme: Deconstructing an ELF File http://manoharvanga.com/hackme/
Lots of Reversing Tutorials for Newbs https://www.cyberguerrilla.org/blog/what-the-blackhats-dont-want-you-to-know-series/
Meet ‘Tox’: Ransomeware for the Rest of Us https://blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us
Code injection – a simple PHP virus carried in a JPEG image http://php.webtutor.pl/en/2011/05/13/php-code-injection-a-simple-virus-written-in-php-and-carried-in-a-jpeg-image/
Source for malware, backdoors etc for whitehat testing. https://www.reddit.com/r/AskNetsec/comments/18vymh/sourceformalwarebackdoorsetcforwhitehat/
Building an SSH Botnet C&C Using Python and Fabric http://raidersec.blogspot.com/2013/07/building-ssh-botnet-c-using-python-and.html
Malware as a service [ pdf ] http://blog.checkpoint.com/wp-content/uploads/2016/08/InsideNuclearsCore_UnravelingMalwarewareasaService.pdf

Bug Bounties
Title URL
How i Hacked into a PayPals Server - Unrestricted File Upload to Remote Code Execution http://blog.pentestbegins.com/2017/07/21/hacking-into-paypal-server-remote-code-execution-2017/
Yahoo Bug Bounty: Exploiting OAuth Misconfiguration To Takeover Flickr Accounts – MISHRE https://mishresec.wordpress.com/2017/10/12/yahoo-bug-bounty-exploiting-oauth-misconfiguration-to-takeover-flickr-accounts/
Slack SAML authentication bypass http://blog.intothesymmetry.com/2017/10/slack-saml-authentication-bypass.html
How I hacked Google’s bug tracking system itself for $15,600 in bounties https://medium.freecodecamp.org/messing-with-the-google-buganizer-system-for-15-600-in-bounties-58f86cc9f9a5
Escalating XSS in PhantomJS Image Rendering to SSRF/Local-File Read https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/
Facebook Bug Bounties https://www.facebook.com/notes/phwd/facebook-bug-bounties/707217202701640/
Image removal vulnerability in Facebook polling feature https://blog.darabi.me/2017/11/image-removal-vulnerability-in-facebook.html
All your Paypal OAuth tokens belong to me - localhost for the win http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html
Authentication bypass on Airbnb via OAuth tokens theft https://www.arneswinnen.net/2017/06/authentication-bypass-on-airbnb-via-oauth-tokens-theft/
Bug bounty left over (and rant) Part III (Google and Twitter) http://blog.intothesymmetry.com/2018/02/bug-bounty-left-over-and-rant-part-iii.html
How I have hacked Facebook again (..and would have stolen a valid access token) http://blog.intothesymmetry.com/2014/04/oauth-2-how-i-have-hacked-facebook.html OAuth 2
Taking over Facebook accounts using Free Basics partner portal https://www.josipfranjkovic.com/blog/facebook-partners-portal-account-takeover
How I hacked Tinder accounts using Facebook’s Account Kit and earned $6,250 in bounties https://medium.freecodecamp.org/hacking-tinder-accounts-using-facebook-accountkit-d5cc813340d1
Stored XSS, and SSRF in Google using the Dataset Publishing Language https://s1gnalcha0s.github.io/dspl/2018/03/07/Stored-XSS-and-SSRF-Google.html
Authentication bypass on Uber’s Single Sign-On via subdomain takeover – Arne Swinnens Security Blog https://www.arneswinnen.net/2017/06/authentication-bypass-on-ubers-sso-via-subdomain-takeover/
AirBnb Bug Bounty: Turning Self-XSS into Good-XSS #2 http://www.geekboy.ninja/blog/airbnb-bug-bounty-turning-self-xss-into-good-xss-2/
Piercing the Veil: Server Side Request Forgery to NIPRNet access https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a
My Public Evernote: 0day writeup: XXE in uber.com https://httpsonly.blogspot.co.ke/2017/01/0day-writeup-xxe-in-ubercom.html?m=1
Advice From A Researcher: Hunting XXE For Fun and Profit https://blog.bugcrowd.com/advice-from-a-researcher-xxe/
Hunting For Bugs With AFL 101 - A PRIMER http://research.aurainfosec.io/hunting-for-bugs-101/
Content Injection Vulnerability in WordPress 4.7 and 4.7.1 https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
Slack SAML authentication bypass http://blog.intothesymmetry.com/2017/10/slack-saml-authentication-bypass.html
Microsoft didn’t sandbox Windows Defender, so I did https://blog.trailofbits.com/2017/08/02/microsoft-didnt-sandbox-windows-defender-so-i-did/
[ WARNING ] Intel Skylake/Kaby Lake processors: broken hyper-threading https://lists.debian.org/debian-devel/2017/06/msg00308.html
[ Bug Bounty ] GitHub Enterprise SQL Injection http://blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection.html
Node.js code injection (RCE) on demo.paypal.com https://artsploit.blogspot.se/2016/08/pprce2.html
Poisoning the Well – Compromising GoDaddy Customer Support With Blind XSS https://thehackerblog.com/poisoning-the-well-compromising-godaddy-customer-support-with-blind-xss/
How I Hacked Facebook, and Found Someones Backdoor Script http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver/
Google increases bug bounty reward for Chromebook to $100,000 https://www.hackread.com/google-increases-bugs-bounty-reward-chromebook/
Hack The Pentagon: DoD Launches First-Ever Federal Bug Bounty Program http://www.darkreading.com/threat-intelligence/hack-the-pentagon-dod-launches-first-ever-federal-bug-bounty-program/d/d-id/1324542?mc=NLDREDTDRweekly20160303&cid=NLDREDTDRweekly_20160303&elqTrackId=83ac6139d95e4093b9a2186e03f662cb&elq=fd5fc2039aab426283a3737b96c99471&elqaid=68121&elqat=1&elqCampaignId=19869
Details of eBays JavaScript bug that they refuse to fix. http://thedailywtf.com/articles/bidding-on-security
PayPal Remote Code Execution Vulnerability using Java Deserialization http://artsploit.blogspot.com/2016/01/paypal-rce.html
Even the LastPass Will be Stolen Deal with It! http://www.martinvigo.com/even-the-lastpass-will-be-stolen-deal-with-it/

Penetration Testing (Exploit POCs, vulnerabilities)
Title URL
Introduction to Manual Backdooring http://www.abatchy.com/2017/05/introduction-to-manual-backdooring_24.html
CVE-2017-3881 Cisco Catalyst RCE Proof-Of-Concept https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/
Node.fz: fuzzing the server-side event-driven architecture https://blog.acolyer.org/2017/06/09/node-fz-fuzzing-the-server-side-event-driven-architecture/
Rooting a Printer: From Security Bulletin to Remote Code Execution https://www.tenable.com/blog/rooting-a-printer-from-security-bulletin-to-remote-code-execution
Escaping a restricted shell – humblesec https://humblesec.wordpress.com/2016/12/08/escaping-a-restricted-shell/
The Weak Bug - Exploiting a Heap Overflow in VMware http://acez.re/the-weak-bug-exploiting-a-heap-overflow-in-vmware/
Penetration Testing Flash Apps (aka “How to Cheat at Blackjack”) – PrivSec https://privsec.blog/penetration-testing-flash-apps-aka-how-to-cheat-at-blackjack/
PenTest Tools for your Security Arsenal http://www.kitploit.com/
Linux privilege escalation using weak NFS permissions https://haiderm.com/linux-privilege-escalation-using-weak-nfs-permissions/
Using Python To Get A Shell Without A Shell https://depthsecurity.com/blog/using-python-to-get-a-shell-without-a-shell
86_64 TCP bind shellcode with basic authentication on Linux systems https://pentesterslife.blog/2017/11/01/x86_64-tcp-bind-shellcode-with-basic-authentication-on-linux-systems/
Building and Attacking an Active Directory lab with PowerShell https://1337red.wordpress.com/building-and-attacking-an-active-directory-lab-with-powershell/
interference-security/icmpsh: Simple reverse ICMP shell https://github.com/interference-security/icmpsh
Meltdown and Spectre https://spectreattack.com/
Bypassing Anti-viruses with transfer Backdoor Payloads by DNS traffic https://www.peerlyst.com/posts/bypassing-anti-viruses-with-transfer-backdoor-payloads-by-dns-traffic-damon-mohammadbagher
[ PentesterLab ] Our exercises https://pentesterlab.com/exercises/
Mount a Raspberry Pi File System Image https://pen-testing.sans.org/blog/2016/12/07/mount-a-raspberry-pi-file-system-image
IOActive Labs Research: In Flight Hacking System http://blog.ioactive.com/2016/12/in-flight-hacking-system.html
Shortcuts: another neat phishing trick https://d.uijn.nl/2016/12/28/shortcuts-another-neat-phishing-trick/
Basics of Making a Rootkit: From syscall to hook! https://d0hnuts.com/2016/12/21/basics-of-making-a-rootkit-from-syscall-to-hook/
Cracking 12 Character Above Passwords http://www.netmux.com/blog/cracking-12-character-above-passwords
ImageTragick/PoCs: Proof of Concepts for CVE-2016–3714 https://github.com/ImageTragick/PoCs
ImageTragick Remote Code Execution http://4lemon.ru/2017-01-17facebookimagetragickremotecode_execution.htmlFacebooks
A pure python, post-exploitation, data mining tool and remote administration tool for macOS https://github.com/manwhoami/Bella
Using the Registry to Discover Unix Systems and Jump Boxes https://www.fireeye.com/blog/threat-research/2017/03/usingtheregistryt.html
The most complete open-source tool for Twitter intelligence analysis (With Sources) https://github.com/vaguileradiaz/tinfoleak
Five Pentesting Tools and Techniques (That Every Sysadmin Should Know) https://medium.com/@jeremy.trinka/five-pentesting-tools-and-techniques-that-sysadmins-should-know-about-4ceca1488bff
Various Docker Images for Pentesting https://github.com/ZephrFish/DockerAttack
SharpShooter - a weaponised payload generation framework with anti-sandbox analysis, staged and stageless payload execution and support for evading ingress monitoring [ See comment for Sources ] https://www.mdsec.co.uk/2018/03/payload-generation-using-sharpshooter/
Any Interest in a Web Application PenTesting Methodology Cheat Sheet? https://www.reddit.com/r/AskNetsec/comments/7zz80i/anyinterestinawebapplicationpentesting/
An ICMP reverse shell to bypass TCP firewall rules https://github.com/interference-security/icmpsh
On a pentesting gig, you pivot from credential harvesting to an authenticated command injection to a privilege escalation for root. http://1.media.collegehumor.cvcdn.com/84/37/5f290f6d1def6c35fc73777a817f2672.gif
A Review of PentesterLab https://littlemaninmyhead.wordpress.com/2017/10/29/a-review-of-pentesterlab/
OSCP Survival Guide Cheatsheet https://github.com/frizb/OSCP-Survival-Guide/blob/master/README.md
Screwdriving BLE devices https://www.pentestpartners.com/security-blog/screwdriving-locating-and-exploiting-smart-adult-toys/
Operation Luigi: How I hacked my friend without her noticing https://defaultnamehere.tumblr.com/post/163734466355/operation-luigi-how-i-hacked-my-friend-without
5 severe Vulnerabilities found in IoT smart alarm system that could allow remote execution http://dojo.bullguard.com/blog/burglar-hacker-when-a-physical-security-is-compromised-by-iot-vulnerabilities/
rtfm.py A python cheat sheet program à la red team field manual
Stealing passwords from McDonalds users https://finnwea.com/blog/stealing-passwords-from-mcdonalds-users
p0wnedShell - PowerShell Runspace Post Exploitation Toolkit https://github.com/Cn33liz/p0wnedShell
Wide Impact: Highly Effective Gmail Phishing Technique Being Exploited https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/
Truffle Hog: A tool that Searches Entire Commit History in Git Repositories for High Entropy Strings to Find Secrets Accidentally Committed to Version Control https://github.com/dxa4481/truffleHog
A thorough Guide to Pentesting Tutorials & WalkThroughs https://www.youtube.com/channel/UC9Qa_gXarSmObPX3ooIQZrg
$3 USB Rubber Ducky https://www.youtube.com/watch?v=yJWwKO3Z0
Best 5 Websites to Master Hacking With Kali Linux : For Beginners http://www.kalitutorials.net/2016/10/best-5-website-to-master-hacking-with.html
Hacking the Hard Way at the DerbyCon CTF https://labs.signalsciences.com/hacking-the-hard-way-at-the-derbycon-ctf-d35b4dd4c97d
Metasploit Cheat Sheet - a handy quick reference guide with the most useful commands http://www.tunnelsup.com/metasploit-cheat-sheet/
nmap cheatsheet + examples https://highon.coffee/docs/nmap/
“Fileless” UAC Bypass Using eventvwr.exe and Registry Hijacking https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
22 Hacking Sites, CTFs and Wargames To Legally Practice Hacking https://hackerlists.com/hacking-sites/
Pentest Series: The State of Security - What Project Zeros font bug can teach us about engineering workflow, the nature of exploits, and legacy issues http://sten0.ghost.io/2016/07/06/the-state-of-security/
Building a Brute-Force Zip File Cracking Tool (this is my first truly original cracking script and I just wanted to show it off, ‘cause I’m proud of it. I would love any constructive criticism on the code). https://www.youtube.com/watch?v=jqpjF5o1SGs
VMware Escapology - Researchers from ZDI release Metasploit modules for VMware Escapes https://www.zerodayinitiative.com/blog/2017/10/04/vmware-escapology-how-to-houdini-the-hypervisor
Random Vulnerable VM Generator! https://github.com/cliffe/SecGen
A Secure Shell (SSH) scanner / bruteforcer controlled via the Internet Relay Chat (IRC) protocol. https://github.com/acidvegas/spaggiari
oss-sec: server and client side remote code execution through a buffer overflow in all git versions before 2.7.1 (unpublished ᴄᴠᴇ-2016-2324 and ᴄᴠᴇ‑2016‑2315) http://seclists.org/oss-sec/2016/q1/645
Getting Domain Admin with Kerberos Unconstrained Delegation http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html
Pwning CCTV cameras https://www.pentestpartners.com/blog/pwning-cctv-cameras/
DLL Hijacking Just Won’t Die http://textslashplain.com/2015/12/18/dll-hijacking-just-wont-die/
How to embed an executable into Outlook, disguised as a .docx https://medium.com/@networksecurity/oleoutlook-bypass-almost-every-corporate-security-control-with-a-point-n-click-gui-37f4cbc107d0#.luji1r9xf
I created a beginner’s tutorial for performing DoS and DDoS attacks for y’all https://toastersecurity.blogspot.com/2015/12/dos-101-ping-of-death.html
Useful PHP Exploitation Methods in Metasploit https://youtu.be/iD9Qm5KtsWk
Breaking 512-bit RSA encryption with Amazon EC2 is so easy novices can do it. http://arstechnica.com/security/2015/10/breaking-512-bit-rsa-with-amazon-ec2-is-a-cinch-so-why-all-the-weak-keys/
Attacking Ruby on Rails Applications http://phrack.org/papers/attackingrubyon_rails.html
Kali Linux 2.0 Android phone hack. https://www.youtube.com/attributionlink?a=PB984nZ6uqw&u=%2Fwatch%3Fv%3DmWcKE1xujM%26feature%3Dshare
Kali linux 2.0. ~ Wireless Network Hacking ~ https://www.youtube.com/watch?feature=player_embedded&v=-fu5Wtx7K-o
Hack Like the Bad Guys – Using Tor for Firewall Evasion and Anonymous Remote Access http://foxglovesecurity.com/2015/11/02/hack-like-the-bad-guys-using-tor-for-firewall-evasion-and-anonymous-remote-access/
How I hacked my IP camera, and found this backdoor account http://jumpespjump.blogspot.com/2015/09/how-i-hacked-my-ip-camera-and-found.html
Here is a quick video series I made on Metasploit (for Beginners) https://www.reddit.com/r/hacking/comments/3nypx0/hereisaquickvideoseriesimadeon_metasploit/
Pupy: a RAT with an embeded Python interpreter. can load python packages from memory and transparently access remote python objects. The payload is a reflective DLL and leaves no trace on disk https://github.com/n1nj4sec/pupy
Exploiting MS15-100 Vulnerability (CVE-2015-2509) http://resources.infosecinstitute.com/exploiting-ms15-100-cve-2015-2509/
Twittor, a Python backdoor that uses Twitter as a C&C server https://github.com/PaulSec/twittor
The Latest on Stagefright: CVE-2015-1538 Exploit is Now Available for Testing Purposes https://blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/
0x00.txt - the write-up/guide from the FinFisher hack https://www.reddit.com/r/HowToHack/comments/3j2as7/0x00txtthewriteupguidefromthefinfisherhack/
Things you should do after you install Kali Linux/how to fix things https://www.reddit.com/r/HowToHack/comments/3d7e1c/thingsyoushoulddoafteryouinstall_kali/
DLL Injection Resources - more in comments http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html
Help with SLMailv5.5 Buffer Overflow https://www.reddit.com/r/AskNetsec/comments/3c4i2y/helpwithslmailv55bufferoverflow/
Security CheatSheets a wealth of knowledge for a pen-tester https://github.com/Snifer/security-cheatsheets
(My) Introduction to Doxing. Various Sites and (Basic-Advanced) Information Gathering Techniques. https://www.reddit.com/r/HowToHack/comments/34ges4/myintroductiontodoxingvarioussitesand/
Pwning a thin client in less than two minutes http://blog.malerisch.net/2015/04/pwning-hp-thin-client.html
net-creds.py: the most thorough network/pcap credential harvester https://github.com/DanMcInerney/net-creds
Hacking Oklahoma State University’s Student ID http://snelling.io/hacking-oklahoma-state-university-student-id
PowerShell: Better phishing for all! http://d.uijn.nl/?p=116
[ Screenshots ] LANs.py: catch usernames, passwords, and messages on a network + inject arbitrary HTML into visited pages https://www.reddit.com/r/hacking/comments/1q70ic/screenshotslanspycatchusernamespasswords_and/
How to Approach Hacking https://www.reddit.com/r/HowToHack/comments/1mf46x/howtoapproach_hacking/
What do we think about compiling all our social engineering into some easy-to-read guides? https://www.reddit.com/r/SocialEngineering/comments/18yrff/whatdowethinkaboutcompilingalloursocial/
Tactics to Hack an Enterprise Network http://blog.strategiccyber.com/2013/01/14/tactics-to-hack-an-enterprise-network/

Web Application Security
Title URL
Your interpreter isn’t safe anymore — The PHP module rootkit https://blog.paradoxis.nl/your-interpreter-isnt-safe-anymore-the-php-module-rootkit-c7ca6a1a9af5
On a high level, how does OAuth 2 work? - Stack Overflow https://stackoverflow.com/questions/4727226/on-a-high-level-how-does-oauth-2-work/32534239#32534239
Inject All the Things - Shut Up and Hack http://blog.deniable.org/blog/2017/07/16/inject-all-the-things/
XSS Contexts and some Chrome XSS Auditor tricks - web 0x03 - YouTube https://www.youtube.com/watch?v=8GwVBpTgR2c
Basic of SQL for SQL Injection part 3 http://securityidiots.com/Web-Pentest/SQL-Injection/Part-3-Basic-of-SQL-for-SQLi.html
Java Deserialization Security FAQ https://www.christian-schneider.net/JavaDeserializationSecurityFAQ.html
SAMLRaider/SAMLRaider: SAML2 Burp Extension https://github.com/SAMLRaider/SAMLRaider
The Grey Corner: CommonCollections deserialization attack payloads from ysoserial failing on JRE 8u72 http://www.thegreycorner.com/2016/05/commoncollections-deserialization.html
Mobile penetration testing on Android using Drozer – Security Café https://securitycafe.ro/2015/07/08/mobile-penetration-testing-using-drozer/#more-945
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine https://www.slideshare.net/joaomatosf_/an-overview-of-deserialization-vulnerabilities-in-the-java-virtual-machine-jvm-h2hc-2017
Bypassing SAML 2.0 SSO with XML Signature Attacks http://research.aurainfosec.io/bypassing-saml20-SSO/
OAuth 2 attacks - Introducing The Devil Wears Prada and Lassie Come Home http://blog.intothesymmetry.com/2013/05/oauth-2-attacks-introducing-devil-wears.html
Hunting in the Dark - Blind XXE https://blog.zsec.uk/blind-xxe-learning/
Cracking the Lens: Targeting HTTPs Hidden Attack-Surface http://blog.portswigger.net/2017/07/cracking-lens-targeting-https-hidden.html
S3 bucket enumerator https://github.com/bbb31/slurp bbb31/slurp
Extract subdomains with GAN GETALTNAME
Gaining Domain Admin from Outside Active Directory https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html
Dear developers, beware of DNS Rebinding https://www.twistlock.com/2018/02/28/dear-developers-beware-dns-rebinding/
In-Depth Subdomain Enumeration https://github.com/caffix/amass caffix/amass
Triggering a DNS lookup using Java Deserialization https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/
mpirnat/lets-be-bad-guys: A deliberately-vulnerable website and exercises for teaching about the OWASP Top 10 https://github.com/mpirnat/lets-be-bad-guys
RIPS - The State of Wordpress Security https://blog.ripstech.com/2016/the-state-of-wordpress-security/
Infection Monkey - GuardiCore https://www.guardicore.com/infectionmonkey/
Getting MOAR Value out of PHP Local File Include Vulnerabilities https://pen-testing.sans.org/blog/2016/12/07/getting-moar-value-out-of-php-local-file-include-vulnerabilities
Location based XSS attacks http://www.thespanner.co.uk/2008/12/01/location-based-xss-attacks/
What is DOM Based XSS (Cross-site Scripting)? https://www.netsparker.com/blog/web-security/dom-based-cross-site-scripting-vulnerability/
Mining Meteor https://pen-testing.sans.org/blog/2016/12/06/mining-meteor
Tampermonkey https://tampermonkey.net/
nidem/MeteorMiner https://github.com/nidem/MeteorMiner
PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
dns - GitHub pages custom domain infinite redirect loop http://stackoverflow.com/questions/11382544/github-pages-custom-domain-infinite-redirect-loop
XML External Entity (XXE) Processing https://www.owasp.org/index.php/XMLExternalEntity(XXE)Processing
SSRF bible. Cheatsheet https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit#heading=h.xm4muaotv626
GitHub’s post-CSP journey - GitHub Engineering https://githubengineering.com/githubs-post-csp-journey/
fWaf – Machine learning driven Web Application Firewall Fsecurify
Major version release 1.0.0 of amass, the subdomain enumeration tool written in Go. Shown to be more effective than Sublist3r. https://github.com/caffix/amass/releases
Extract subdomains with GAN python tool that extract subdomains from HTTPS certificates.
introduction xml external entity attack and exploitation https://www.youtube.com/attributionlink?a=aGkEjpF2Jrs&u=%2Fwatch%3Fv%3DLkz98SY-m8%26feature%3Dshare
Lab for Java Deserialization Vulnerabilities https://github.com/joaomatosf/JavaDeserH2HC
Exposing Server IPs Behind CloudFlare http://www.chokepoint.net/2017/10/exposing-server-ips-behind-cloudflare.html
RESTful DOOM: HTTP/JSON API for classic Doom http://1amstudios.com/2017/08/01/restful-doom/
Injection Vulnerabilities - or: How I got a free Burger https://www.youtube.com/watch?v=WWJTsKaJT_g
AWS Security Primer https://cloudonaut.io/aws-security-primer/
The entire WebGL Insights book is now free: 23 chapters on advanced topics from 42 authors and 25 reviewers! http://webglinsights.com/
Exploiting PHPMailer https://hackr.pl/2016/12/27/exploiting-phpmailer-cve-2016-10033/
Bypassing PHP Null Byte Injection protections - Challenge https://www.securusglobal.com/community/2016/08/15/bypassing-php-null-byte-injection-protections/
Bypassing PHP Null Byte Injection protections - Part II (Challenge Write-up) https://www.securusglobal.com/community/2016/08/19/abusing-php-wrappers/
XSS Cheat Sheet SecLists/Fuzzing has some good text file examples of XSS along with a lot more, like password lists.
owasp is great too
another good xss list
the big list of naughty strings is another fun one.
Use good libraries to prevent it whenever you get a chance, because implementing secure sanitization yourself is always going to be a large project on its own, outside the scope of whatever app you’re making.
for real examples, visit /r/xss and check https://www.openbugbounty.org/ (also a good place to disclose them)
SQL cheat sheet https://zeroturnaround.com/rebellabs/sql-cheat-sheet/
Using Multi-byte Characters to Nullify SQL injection sanitizing http://howto.hackallthethings.com/2016/06/using-multi-byte-characters-to-nullify.html
Probing to Find XSS http://brutelogic.com.br/blog/probing-to-find-xss/
The Genesis of an XSS Worm – Part I http://brutelogic.com.br/blog/genesis-xss-worm-part-i/
Looking for XSS in PHP Source Code http://brutelogic.com.br/blog/looking-xss-php-source/
How The Hacker that Hacked The Catalan Police Union Did It? He Posted A Video Of The Process https://tune.pk/video/6528544/hack
Pastejacking: Using JavaScript to override your clipboard contents and trick you into running malicious commands https://github.com/dxa4481/Pastejacking
XSS on GoDaddy, Match, CalvinKlein, ToysRus, Southwest, Senate.Gov, RuneScape, CNET, DeviantArt and more http://antincode.com/post/144664272101/xss-on-godaddy-match-calvinklein-toysrus
How I broke a mobile banking application to gain unrestricted access to several Billion Dollars worth of Deposits. https://boris.in/blog/2016/the-bank-job/
Blind XSS Code http://brutelogic.com.br/blog/blind-xss-code/
I’m not a human: Breaking the Google reCAPTCHA https://www.blackhat.com/docs/asia-16/materials/asia-16-Sivakorn-Im-Not-a-Human-Breaking-the-Google-reCAPTCHA-wp.pdf
Domino’s: Pizza and Payments http://www.ifc0nfig.com/dominos-pizza-and-payments/
Issue 773 - google-security-research - TrendMicro: A remote Node.js debugger stub is listening in default install https://bugs.chromium.org/p/project-zero/issues/detail?id=773
SQL Injection Cheat Sheet by Netsparker https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/
XSS without HTML: Client-Side Template Injection with AngularJS http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption http://www.nds.rub.de/media/nds/veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf
CSS based Attack: Abusing unicode-range of @font-face http://mksben.l0.cm/2015/10/css-based-attack-abusing-unicode-range.html
Security for building modern web apps http://dadario.com.br/security-for-building-modern-web-apps/

Computer Science && Algorithms
Title URL
algorithm - Python- Sieve of Eratosthenes https://stackoverflow.com/questions/6687296/python-sieve-of-eratosthenes-compact-python
Improve Your Python: Python Classes and Object Oriented Programming https://jeffknupp.com/blog/2014/06/18/improve-your-python-python-classes-and-object-oriented-programming/
Quick Guide To Polymorphism In Java https://www.sitepoint.com/quick-guide-to-polymorphism-in-java/
Google Infrastructure Security Design Overview Google Cloud Platform https://cloud.google.com/security/security-design/#secureservicedeployment
Avoid Else, Return Early http://blog.timoxley.com/post/47041269194/avoid-else-return-early
Genius explanation of Meltdown/Spectre malware https://www.reddit.com/r/sysadmin/comments/7ot0ke/geniusexplanationofmeltdownspectremalware/
Pi-Tac 1.0 - A Raspberry Pi Zero W in a Tic-Tac box, with an Adafruit PiOLED display, and a Powerboost 1000C for push-button power, and safe shutdown on low battery. https://imgur.com/a/UTMGZ
500 Data Structures and Algorithms practice problems and their solutions https://www.reddit.com/r/learnprogramming/comments/76g2lo/500datastructuresandalgorithms_practice/
I created a beginners guide to SSH Keys video tutorial https://www.youtube.com/watch?v=hHs98hLtZJo
I want to practice Python but I have no idea what to make. https://www.reddit.com/r/learnprogramming/comments/6u218q/iwanttopracticepythonbutihavenoideawhat/
Bootloader and Low-Level Programming Tutorial: How To Develop Your Own Boot Loader https://www.apriorit.com/dev-blog/66-develop-boot-loader
Things you didn’t know a bunch of Pis can do: Playing a single video on multiple, freely arranged screens (more in a comment) https://gfycat.com/TheseHighlevelFlyingfox
My journey to getting hired with no CS degree and no professional programming experience https://www.reddit.com/r/learnprogramming/comments/6ps3lg/myjourneytogettinghiredwithnocsdegree_and/
Free Microsoft e-book giveaway with thousands of books. Grab ‘em. https://www.reddit.com/r/learnprogramming/comments/6nrsy2/freemicrosoftebookgiveawaywiththousandsof/
Maze generation code, inspired by working through Mazes for Programmers https://github.com/defndaines/meiro
I built a self-driving car! https://www.reddit.com/r/cars/comments/6dhzvn/ibuiltaselfdrivingcar/
Six programming paradigms that will change how you think about coding http://www.ybrikman.com/writing/2014/04/09/six-programming-paradigms-that-will/
Java/C++ bots playing StarCraft live at Twitch. Commentary each Sunday 11:00 AM PT. > BWMirror API is a Java wrapper for C++ BWAPI. It wraps all the classes, constants and enums inside Java objects, while providing the exact same interface as the original C++ BWAPI. This is achieved by heavily utilising JNI. http://www.sscaitournament.com/index.php?action=tutorial
500 Data structures and algorithms interview questions and their solutions https://techiedelight.quora.com/500-Data-structures-programming-interview-questions
Practical Color Theory for People Who Code https://tallys.github.io/color-theory/
How I Ruined Office Productivity With a Face-Replacing Slack Bot http://blog.zikes.me/post/how-i-ruined-office-productivity-with-a-slack-bot/
A beginners trick I learned way too late in the game of learning to code: repetition repetition repetition https://www.reddit.com/r/learnprogramming/comments/5pyx5t/abeginnerstrickilearnedwaytoolatein_the/
Google Infrastructure Security Design Overview https://cloud.google.com/security/security-design/
We’re programming a virtual machine - from scratch! https://www.reddit.com/r/learnprogramming/comments/59zjcc/wereprogrammingavirtualmachinefromscratch/
Google Interview University - multi-month study plan for going from web developer (self-taught, no CS degree) to Google software engineer https://github.com/jwasham/google-interview-university
Researchers Demonstrated How NSA Broke Trillions of Encrypted Connections http://thehackernews.com/2016/10/nsa-crack-encryption.html
Found an interactive game to learn programing https://www.reddit.com/r/learnprogramming/comments/51lz7z/foundaninteractivegametolearnprograming/
How I made over $50,000 in 5 days with a drone (a step-by-step plan). https://www.reddit.com/r/Entrepreneur/comments/4wzh45/howimadeover50000in5dayswithadrone_a/
Over 183,000 datasets on Data.gov - if you’re looking for data for a personal project, here you go http://catalog.data.gov/dataset
Become a GDB power user! http://undo.io/resources/presentations/accu-2016-become-gdb-power-user/
Detecting cats in images with OpenCV. http://www.pyimagesearch.com/2016/06/20/detecting-cats-in-images-with-opencv/
Your favorite scripts you have stolen or made https://www.reddit.com/r/sysadmin/comments/4oxxgv/yourfavoritescriptsyouhavestolenor_made/
My new Raspberry Pi espresso controller: touchscreen GUI + PID control + Siri http://hallee.github.io/espresso-arm/
Pi-Hole doing its job! http://i.imgur.com/vo92mbx.png
For all of you who are starting programming, here is a site that lets you visualise some data structures and algorithms involving them. I wish I had this in college. https://www.reddit.com/r/learnprogramming/comments/4oi604/forallofyouwhoarestartingprogramminghere/
A simple stack overflow question becomes an interesting lesson in tech history (ZIP) http://stackoverflow.com/questions/20762094/how-are-zlib-gzip-and-zip-related-what-are-is-common-and-how-are-they-differen
Taking over 17000 hosts by typosquatting package managers like PyPi or npmjs.com http://incolumitas.com/2016/06/08/typosquatting-package-managers/
A game about hacking an imaginary device using a real assembly instruction set. It gives you a debugger and a memory dump and you have to figure out how to exploit it. Xpost from r/programming https://microcorruption.com
Facebook begins tracking non-users around the internet http://www.theverge.com/2016/5/27/11795248/facebook-ad-network-non-users-cookies-plug-ins
Google just open sourced something called ‘Parsey McParseface,and it could change AI forever http://thenextweb.com/dd/2016/05/12/google-just-open-sourced-something-called-parsey-mcparseface-change-ai-forever/
Googling is a skill. How to use Google.
Open Source remake of Red Alert / C&C / Dune with working multiplayer & a really active community! http://www.openra.net/
Two Google developers have drafted an API for direct USB access via web pages https://wicg.github.io/webusb/
Building your own GSM station has become the simplest task in the world http://www.evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-fun-and-profit/#.VwiZPRSPDjo.reddit
C/C++ Program Memory - Easily the most helpful book I’ve ever read. https://www.reddit.com/r/learnprogramming/comments/4d1etw/ccprogrammemoryeasilythemosthelpful_book/
Why is calculus important for programming, specifically algorithms? https://www.reddit.com/r/learnprogramming/comments/4cog17/whyiscalculusimportantfor_programming/
Markov Chains explained visually http://setosa.io/ev/markov-chains/
The gloves are off: FBI argues it can force Apple to turn over iPhone source code http://www.extremetech.com/mobile/224709-the-gloves-are-off-fbi-argues-it-can-force-apple-to-turn-over-iphone-source-code
Surprise! NSA data will soon routinely be used for domestic policing that has nothing to do with terrorism https://www.washingtonpost.com/news/the-watch/wp/2016/03/10/surprise-nsa-data-will-soon-routinely-be-used-for-domestic-policing-that-has-nothing-to-do-with-terrorism
About SQL Server on Linux http://turnoff.us/geek/sql-server-on-linux/
activate-power-mode https://atom.io/packages/activate-power-mode
PSA: Learn Discrete Math https://www.reddit.com/r/learnprogramming/comments/465wkd/psalearndiscrete_math/
ELI5: Why do even numbers feel safer and more pleasing than odd numbers? https://www.reddit.com/r/explainlikeimfive/comments/45zunb/eli5whydoevennumbersfeelsaferandmore/
“An important thing to become better at programming is to read good code”. I agree but where do I find code for my language and skill level and how do I know it’s good? https://www.reddit.com/r/learnprogramming/comments/45yv6a/animportantthingtobecomebetterat/
What’s the coolest mathematical fact you know of? https://www.reddit.com/r/AskReddit/comments/45m1zl/whatsthecoolestmathematicalfactyouknow_of/
Parsing 10TB of Metadata, 26M Domain Names and 1.4M SSL Certs for $10 on AWS http://blog.waleson.com/2016/01/parsing-10tb-of-metadata-26m-domains.html
A critique of “How to C in 2016” https://github.com/Keith-S-Thompson/how-to-c-response
How to C (as of 2016) https://matt.sh/howto-c
If you are learning Python and want to build system monitoring or data driven web apps, then here is something to get you started https://www.reddit.com/r/sysadmin/comments/3udqgm/ifyouarelearningpythonandwanttobuild/
15 Sorting Algorithms in 6 Minutes-Visualization https://www.youtube.com/watch?feature=youtu.be&v=kPRA0W1kECg&app=desktop
How Cello, a library offering high-level functionality to C, implements (portable) garbage collection http://libcello.org/learn/garbage-collection
CPython internals: A ten-hour codewalk through the Python interpreter source code http://pgbovine.net/cpython-internals.htm
Learn to make a game in C++! https://www.reddit.com/r/learnprogramming/comments/3mtvlk/learntomakeagameinc/
The Greatest Regex Trick Ever http://www.rexegg.com/regex-best-trick.html
I created web app for monitoring temperature and humidity, and wanted share it with you. https://github.com/hawkerpl/damnhotpie
The Art of Command Line https://github.com/jlevy/the-art-of-command-line
Hi, first post ever! I’ve started a blog on fun graphic guides to algorithms. Thoughts? http://algosaur.us/
NASA’s ten coding commandments https://jaxenter.com/power-ten-nasas-coding-commandments-114124.html
Computer Systems Security MIT OpenCourseWare
Here’s a list of 153 free online programming/CS courses (MOOCs) with feedback(i.e. exams/homeworks/assignments) that you can start this month (July 2015) https://www.reddit.com/r/learnprogramming/comments/3bw634/heresalistof153freeonline_programmingcs/
The Open-Source Computer Science Degree https://www.reddit.com/r/learnprogramming/comments/3btnh6/theopensourcecomputersciencedegree/
BetterExplained - A fun website that explains programming concepts and tools in a very easy and intuitive way https://www.reddit.com/r/learnprogramming/comments/3b0rli/betterexplainedafunwebsitethat_explains/
The Technical Interview Cheat Sheet https://gist.github.com/TSiege/cbb0507082bb18ff7e4b
Goddamn pointers man… It just doesn’t click https://www.reddit.com/r/learnprogramming/comments/3hycnu/goddamnpointersmanitjustdoesntclick/
Algorithms and Data Structures cheat sheets? https://www.reddit.com/r/learnprogramming/comments/3gpvyx/algorithmsanddatastructurescheat_sheets/
The best Git Workflows explanation so far https://www.atlassian.com/git/tutorials/comparing-workflows
Learning programming beyond the basics https://www.reddit.com/r/learnprogramming/comments/3er4xo/learningprogrammingbeyondthebasics/
The AI Games - Create a bot for Tetris and join the competition! http://theaigames.com/competitions/ai-block-battle
The Art of Command Line https://github.com/jlevy/the-art-of-command-line
PSA for people who often do troubleshooting. PSR is relatively unknown, and it’s awesome. http://windows.microsoft.com/en-us/windows7/how-do-i-use-problem-steps-recorder
Unicode is Kind of Insane http://www.benfrederickson.com/unicode-insanity/
Top 10 data mining algorithms in plain English http://rayli.net/blog/data/top-10-data-mining-algorithms-in-plain-english/
Hi r/programming, 4 months ago I released a tiny text-extraction algorithm. After spending the better part of the last 4 months testing/thinking about extraction algo’s for a paper (never again), I think I’ve landed the big one. Well, it’s small actually. 10 lines of code. http://rodricios.github.io/posts/solvingthedataextractionproblem.html
How are reddit bots created? https://www.reddit.com/r/learnprogramming/comments/362ark/howareredditbotscreated/
40 Key Computer Science Concepts Explained In Layman’s Terms (x-post from r/interestingasfuck) https://www.reddit.com/r/learnprogramming/comments/33i1k2/40keycomputerscienceconceptsexplainedin/
Learn Git Interactively https://www.reddit.com/r/learnprogramming/comments/2xfieg/learngitinteractively/
Here’s Waldo: Computing the optimal search strategy for finding Waldo [ OC ] http://www.randalolson.com/2015/02/03/heres-waldo-computing-the-optimal-search-strategy-for-finding-waldo/
[ Resource ] Wireshark video course. Most useful packet capture tool every coder should know (100 free coupons) https://www.reddit.com/r/learnprogramming/comments/2ueowa/resourcewiresharkvideocoursemost_useful/
Hey everyone! I’m writing a complete beginner’s guide on how to use Git / Source Control. Thought some of you might find this helpful. https://www.reddit.com/r/learnprogramming/comments/2ubnew/heyeveryoneimwritingacompletebeginners/
Main is usually a function. So then when is it not? https://jroweboy.github.io/c/asm/2015/01/26/when-is-main-not-a-function.html
I taught myself how to program from scratch. Here are my recommendations for newbies starting out. https://www.reddit.com/r/learnprogramming/comments/2sm65w/itaughtmyselfhowtoprogramfromscratchhere/
Learning iOS development by building a Yik Yak Clone https://www.reddit.com/r/learnprogramming/comments/2sufw2/learningiosdevelopmentbybuildingayik_yak/
A github repo that’s actually a game to help you learn git https://github.com/hgarc014/git-game
14 clever and useful 3D-printable camera accessories http://makezine.com/2014/05/09/14-clever-and-useful-3d-printable-camera-accessories/
Tutorial on creating a platformer in Python https://www.reddit.com/r/learnprogramming/comments/20ejkg/tutorialoncreatingaplatformerinpython/
Raspberry Pi Class Now Free on Skillshare https://www.reddit.com/r/raspberrypi/comments/1yfwnm/raspberrypiclassnowfreeon_skillshare/
How I learned to develop Android apps in less than a year https://www.reddit.com/r/learnprogramming/comments/1s347g/howilearnedtodevelopandroidappsinless/
What are some exercises a beginner should do to get better at coding. https://www.reddit.com/r/learnprogramming/comments/1ixjvt/whataresomeexercisesabeginnershoulddoto/
Introduction to C++, a series of 46 videos created by Redditor sarevok9 [ x-post /r/UniversityofReddit ] http://ureddit.com/blog/2013/02/25/featured-class-introduction-to-c/
About 4 months ago I posted a fast/simple youtube to mp3 converter. I’ve kept my promise of no ads and continue to fund it from my own pocket. Can you jump start it by pasting 1 youtube url? http://www.url-to-mp3.com/
How to make a cakeday site using the Reddit api and JavaScript - x-post r/programming http://stinaq.me/2013/02/21/how-to-make-a-cakeday-site-using-the-reddit-api-and-javascript/
What other abominations can anyone find written in bash? 3D FPS here… https://github.com/EvilTosha/labirinth/blob/master/lab2.sh
[ Java ] Tips and tricks for Java development with Eclipse https://www.reddit.com/r/learnprogramming/comments/18pa1m/javatipsandtricksforjavadevelopment_with/
Detecting a Loop in Singly Linked List - Tortoise & Hare http://codingfreak.blogspot.com/2012/09/detecting-loop-in-singly-linked-list_22.html
9 of the Best Free C Books http://www.linuxlinks.com/article/20130202034416464/9oftheBestFreeC-Part1.html
Instacode - Instagram for Code! (yes this is as useful as you think it is) http://instacode.linology.info
Found a list of legally FREE e-Books pertaining to programming, comp. sci, and engineering over at /r/freebies https://www.reddit.com/r/learnprogramming/comments/17diit/foundalistoflegallyfreeebookspertainingto/
Java Beginners Course, Making a 3D Game, Minecraft 2D Tutorials, Tower Defence Tutorials! https://www.reddit.com/r/learnprogramming/comments/14srg6/javabeginnerscoursemakinga3dgame_minecraft/
You wan’t to learn how to code a game? Here’s a short template for you. Turn this into tetris as a learning experience. Post a screen shot of your success. https://www.reddit.com/r/learnprogramming/comments/10iya0/youwanttolearnhowtocodeagameheresa/
Learning to program from zero to employable: tips and tricks, or recommended resources? https://www.reddit.com/r/learnprogramming/comments/yay4p/learningtoprogramfromzerotoemployable_tips/
How many of you, if any at all, would be interested in a stream of me going through and programming a 2D game? https://www.reddit.com/r/learnprogramming/comments/ptdie/howmanyofyouifanyatallwouldbeinterested/

CTF
Title URL
Defcon-ctf-2017-divided-writeup https://www.securifera.com/blog/2017/06/18/defcon-ctf-2017-divided-writeup/
Warhable - CTF - PEN-TESTING - CODING - RESEARCH - LEARNING https://warhable.wordpress.com/
Solving a Danish Defense Intelligence Puzzle - Irken Kitties https://safiire.github.io/blog/2017/08/19/solving-danish-defense-intelligence-puzzle/
Zero Day Initiative — Deconstructing a Winning Webkit Pwn2Own Entry https://www.zerodayinitiative.com/blog/2017/8/24/deconstructing-a-winning-webkit-pwn2own-entry
Solving the SANS 2016 Holiday Hack Challenge https://techanarchy.net/2017/01/solving-the-sans-2016-holiday-hack-challenge/
ForAllSecure released their open CTF-style training platform, HackCenter, at Enigma 2017 https://www.reddit.com/r/netsec/comments/5r8rz8/forallsecurereleasedtheiropenctfstyle/
HackCenter https://hackcenter.com/sign-in
Learn buffer overflows, assembly, and read step-by-step walkthroughs on CTF events/challenges https://www.reddit.com/r/netsecstudents/comments/6f6zm3/learnbufferoverflowsassemblyand_read/
Pwntools v3.0 Released https://www.reddit.com/r/netsec/comments/4z3noh/pwntoolsv30released/
CTF challenges and a guide for beginners https://github.com/kablaa/CTF-Workshop
Holiday Hack Challenge 2015 Complete Writeup https://medium.com/@jrozner/holiday-hack-challenge-2015-complete-writeup-1c8300cc847a#.pv007155s

Web Development
Title URL
learnlayout.com is a nice resouce for beginners in CSS https://www.reddit.com/r/learnprogramming/comments/88pg39/learnlayoutcomisaniceresouceforbeginners_in/
Simple single element spinning loader using CSS https://codepen.io/AllThingsSmitty/pen/BRbgyp
I’ve created a tutorial for creating a module Angular 5 Dashboard from scratch https://www.reddit.com/r/learnprogramming/comments/7n5zdv/ivecreatedatutorialforcreatinga_module/
jq - like sed for JSON data https://stedolan.github.io/jq/
A Collection & Specification for Exemplary Frontend and Backend Codebases https://github.com/gothinkster/realworld
Things you probably didn’t know you could do with Chrome’s Developer Console https://medium.freecodecamp.com/10-tips-to-maximize-your-javascript-debugging-experience-b69a75859329#.8mba7zmqr
Node.js Playbook - A guide to getting started fast https://github.com/HiFaraz/node-playbook
How to build a responsive parallax scrolling site using only CSS & HTML. https://css-tricks.com/tour-performant-responsive-css-site/
Implementing Search Into Your React & Redux App w/ Algolia http://blog.getstream.io/cabin-react-redux-example-app-algolia/
Funky CSS3 Toggle Buttons http://codepen.io/ashleynolan/pen/wBppKz
Vanilla JS is a fast, lightweight, cross-platform framework for building incredible, powerful JavaScript applications. http://vanilla-js.com/
I’ve written a 200 page e-book on how to build an Instagram like social network from scratch with Ruby on Rails. It’s yours for free (no sign up required). https://www.dropbox.com/s/9vq430e9s3q7pu8/Let%27s%20Build%20Instagram%20with%20Ruby%20on%20Rails%20-%20Free%20Edition.pdf?dl=0
How to Not Suck at JavaScript http://www.slideshare.net/tmont/how-to-not-suck-at-javascript
Share your silly JavaScripts that you created for fun! https://www.reddit.com/r/learnprogramming/comments/2sl4ce/shareyoursillyjavascriptsthatyoucreated_for/

Defensive Security && Sys Admin
Title URL
Securing Windows Workstations: Developing a Secure Baseline » Active Directory Security https://adsecurity.org/?p=3299
Detecting Lateral Movements in Windows Infrastructure http://cert.europa.eu/static/WhitePapers/CERT-EUSWP17-002LateralMovements.pdf
IT and Information Security Cheat Sheets https://zeltser.com/cheat-sheets/
Docker for Automating Honeypots or Malware Sandboxes https://dadario.com.br/docker-for-automating-honeypots-or-malware-sandboxes/
A honeypot proxy for mongodb. When run, this will proxy and log all traffic to a dummy mongodb server. https://github.com/Plazmaz/MongoDB-HoneyProxy
White Hats http://blog.pentestnepal.tech/
Security Resources: Beginner to Advanced. https://hrushikeshk.github.io/blog/2018/01/15/security-resources/
Leaked Slides Outline What Are Probably Some of the Most State-Of-The-Art Artifical-Intelligence Powered Social Engineering Methods of the Present Day (partial x-post /r/gaming) https://imgur.com/a/l4yQ5
Windows Admins: Let’s all take a second to thank or think about Nir Sofer for all the help over the years. What a great portfolio of simple, to the point tools. http://www.nirsoft.net/aboutnirsoftfreeware.html
GitHub - avatsaev/touchbar_nyancat: Stupid nyancat animation on your +$2k MacBook Pro’s Touchbar https://github.com/avatsaev/touchbar_nyancat
Your Social Media Fingerprint https://robinlinus.github.io/socialmedia-leak/
Malware, malicious charging stations, and rogue cell towers - Oh My! NIST releases the Mobile Threat Catalogue for public comment on Github. https://pages.nist.gov/mobile-threat-catalogue/
Website enumeration insanity: how our personal data is leaked (xpost r/sysadmin) https://www.troyhunt.com/website-enumeration-insanity-how-our-personal-data-is-leaked/
PowerShell Security: PowerShell Attack Tools, Mitigation, and Detection https://adsecurity.org/?p=2921
Awesome Infosec Resources https://github.com/onlurking/awesome-infosec
I made a website that explains basic network theory https://www.reddit.com/r/sysadmin/comments/46r5ws/imadeawebsitethatexplainsbasic_network/
Excel tricks to impress your boss http://i.imgur.com/s8neQNJ.jpg
Defending Against Mimikatz https://jimshaver.net/2016/02/14/defending-against-mimikatz/
Wireshark Workflow - Analyzing Malicious Traffic (Sasser Worm) http://hackmethod.com/malicious-network-traffic-wireshark/
CryptoWall 4.0 Released - We’ve already seen it with one of our clients http://www.bleepingcomputer.com/news/security/cryptowall-4-0-released-with-new-features-such-as-encrypted-file-names/
Portrait of a Sysadmin https://www.facebook.com/baattinofficial/videos/1190780811044387/
Tron v6.7.0 (2015-09-23) // Disable Windows 10 telemetry; Remove Lenovo spyware; large improvements to OEM de-bloat section https://www.reddit.com/r/sysadmin/comments/3m71gt/tronv67020150923disablewindows10telemetry/
Script that tracks the devices in your network and displays statistics/charts about what is running at which times. (I’m definitely the one spending the most time on my computer in my flat) https://github.com/phiresky/nmap-log-parse
Great list of sysadmin resources/tools https://github.com/kahun/awesome-sysadmin
I’ve been sent a clearly malicious bit.ly link by a hacked skype account. What’s the best way to safely analyze where the malice is? https://www.reddit.com/r/AskNetsec/comments/3fkmiz/ivebeensentaclearlymaliciousbitlylinkby_a/
Awesome tip i learned form a graybeard, the .\ https://www.reddit.com/r/sysadmin/comments/3dmmcl/awesometipilearnedformagraybeard_the/
Free certification practice test engine with thousands of questions for CCNA, CISSP, CEH, Net+, Sec+, PMP, etc. https://www.skillset.com/certifications?a=m
PSA for people who often do troubleshooting. PSR is relatively unknown, and it’s awesome. http://windows.microsoft.com/en-us/windows7/how-do-i-use-problem-steps-recorder
HOW TO: Remove yourself from MOST background check sites and people search engines. Thanks to LawyerCT & Pibbman! https://www.reddit.com/r/technology/comments/31u84n/howtoremoveyourselffrommostbackground_check/
Tron v6.1.0 (2015-03-29) // Add Kaspersky VRT, remove Vipre (speed increase), logging cleanup, preserve LogMeIn sessions https://www.reddit.com/r/sysadmin/comments/30x1xu/tronv61020150329addkasperskyvrtremove_vipre/
Sad Server: All SysAdmin’s will Love this Twitter Handle [ Truly Hilarious ] https://twitter.com/sadserver
I made a free tool for rapidly scanning Cisco routers. [ Download link in post ] (xpost from /r/netsec) https://www.reddit.com/r/sysadmin/comments/2suyid/imadeafreetoolforrapidlyscanningcisco/
So apparently you need a CAL to obtain an IP address from a Windows DHCP Server.. http://blogs.technet.com/b/volume-licensing/archive/2014/03/10/licensing-how-to-when-do-i-need-a-client-access-license-cal.aspx
I was unhappy with the other subnet calculators out there so I built one myself. I hope you agree it’s better than the rest. http://www.tunnelsup.com/subnet-calculator
The Best Hidden Features of VLC: downloads YouTube videos, records desktop, converts video files and more http://lifehacker.com/the-best-hidden-features-of-vlc-1654434241
windows 10 to have a package manager http://www.howtogeek.com/200334/windows-10-includes-a-linux-style-package-manager-named-oneget/
Found this brilliant guide on StackExchange - how to Hack into a computer through its MAC and IP address (x-post from /r/sysadmin) http://security.stackexchange.com/questions/56181/hack-into-a-computer-through-mac-and-ip-address
Worked on a completely locked down machine. Time passed quick https://www.reddit.com/r/excel/comments/2jtd2f/workedonacompletelylockeddownmachine_time/
How I made the office IT guy hate me http://imgur.com/QCBtATV
Just Sysadmin Things… for which I’ve been reprimanded https://www.reddit.com/r/sysadmin/comments/2gt7x5/justsysadminthingsforwhichivebeen/
In honor the 4th of July, I present Tron, who “fights for the User” (automated disinfect/cleanup package) https://www.reddit.com/r/sysadmin/comments/29u4c3/inhonorthe4thofjulyipresenttron_who/
Happy Hour Virus - How to leave work early (XPost from /r/ProgrammerHumor) http://happyhourvirus.com/
How do you get new desktop machines ready as soon as possible? https://www.reddit.com/r/sysadmin/comments/1tj5ob/howdoyougetnewdesktopmachinesreadyas_soon/
Active Directory Administrators Toolkit https://www.reddit.com/r/sysadmin/comments/1t3a2a/activedirectoryadministrators_toolkit/
Why PowerShell? http://ramblingcookiemonster.wordpress.com/2013/12/07/why-powershell/
So my daughter’s friends thought they would prank her… https://www.reddit.com/r/sysadmin/comments/1ontpn/somydaughtersfriendsthoughttheywould_prank/
Best security practices for a VMware Workstation sandbox https://www.reddit.com/r/AskNetsec/comments/17r95x/bestsecuritypracticesforavmwareworkstation/

Tech News
Title URL
Amazon claims another victim: Cisco kills its $1 billion cloud http://www.businessinsider.in/amazon-claims-another-victim-cisco-kills-its-1-billion-cloud/articleshow/55989213.cms
This Pakistani student has developed a full-blown IDE for Assembly language https://www.techjuice.pk/pakistani-student-ide-for-assembly-language/
Internet protocols are changing - Future of TCP, DNS, TLS and HTTP https://blog.apnic.net/2017/12/12/internet-protocols-changing/
Inside the world of Silicon Valley’s ‘coasters’ — the millionaire engineers who get paid gobs of money and barely work http://www.businessinsider.com/rest-and-vest-millionaire-engineers-who-barely-work-silicon-valley-2017-7
U.S. Senators introduce IoT bill affecting gov. procurement; good-faith research liability protections. https://www.warner.senate.gov/public/index.cfm/pressreleases?id=06A5E941-FBC3-4A63-B9B4-523E18DADB36
How is NSA breaking so much crypto? https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/
Comcast’s CEO Wants the End of Unlimited Data http://www.fool.com/investing/general/2015/12/23/comcasts-ceo-wants-the-end-of-unlimited-data.aspx

Saved Comments

TIL that Doom was so popular in 1995 that it was installed on more PCs than Windows 95. Bill Gates briefly considered buying ID software, but settled for getting a team at Microsoft to port the game to Win95. The team was led by Gabe Newell. > inverse square root
There is no obvious reason why this should work, and how Carmack or any of the previous users of this stunningly elegant hack came across the magic value 0x5f3759df appears to have been lost to history. Beyond3D tried to trace it back through the ages, but after going through Carmack, an x86 assembly hacker called Terje Matheson, NVIDIA and eventually Gary Tarolli who used it in his days at 3dfx, the trail went cold.
It’s a real pity, because finding that constant would have required someone to think in a completely different direction to everyone else, and be convinced enough that such a constant even existed to spend time narrowing it down.
Source: https://blog.dave.io/2011/10/0x5f3759df-true-magic-number/
From a web dev perspective, familiarize yourself with the OWASP rules to prevent it if you want to stay safe. XSS is one of the easiest things to find in the wild. Usually I can find it pretty quickly in a vulnerable site by just looking at the chrome network connections and seeing when requests are made with URL params, and see if changing those gets inserted into bad spots in the page - and that’s just reflected XSS, low hanging fruit. Some people just put URL parameters right into javascript, and something like ', 'z':alert('xss'), 'y': ' can work. Also, it’s not just quotes. alert(/XSS/) will execute too. Just make sure you track the flow of user input, and never assume obfuscation or an extremely complex javascript file is enough to prevent people from realizing where input goes and how it might be processed. If you check for URL params that are prepended with debug_ and do something special with them, it’s going to be possible for attackers to find that and send their own input. And never assume that it being processed server side is enough to prevent people from finding a vulnerability.
Also, make sure you test with firefox. I’ve found that firefox has a lot of potential XSS that chrome fixes on its own. Chrome might prevent HTML tag injections like