Facebook Knows What You Eat: Discover The Entire Data Facebook Collects About You, Step By Step.
by Avi Lumelsky
8M ago
I bet most Facebook users are not aware of what they really know about them. What if I told you that YOU can visualize it in just 5 minutes? A story of how I have explored https://facebook.com/dyi programmatically. I’m gonna show you how to do it yourself, and we will explore my (censored) Facebook data together. A (pretty censored) version of the data I’m about to show you. Open-Source code at the end of the post. Some spooky commercials I ran into the other day, related to something that I was, most certainly, 100%, speaking about in person around my phone (not new to anyone, but b…
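Exploring the export programmatically starts with loading it correctly. The block below is an added example, not the code from the post: it loads a constructed sample in the shape of a "Download Your Information" JSON export (the top-level keys and record layout are assumptions for illustration), undoes the byte-per-escape encoding those exports are known to apply to non-ASCII text, and counts the records under every key path so you can see at a glance which categories hold data about you.

```python
import json

# Constructed sample in the shape of a "Download Your Information" JSON export.
# The top-level keys and record layout are assumptions for illustration; the
# non-ASCII escaping mirrors a known quirk of those exports: each UTF-8 byte of
# a character is written as its own \u00XX escape, so "Café" is stored as
# "Caf\u00c3\u00a9" and json.loads() yields the mojibake "CafÃ©".
SAMPLE_EXPORT_TEXT = r'''{
  "ads_information": {
    "advertisers_who_uploaded_a_contact_list_with_your_information": [
      {"name": "Caf\u00c3\u00a9 Example"},
      {"name": "Tr\u00c3\u00bcffel Deli"}
    ]
  },
  "your_off_facebook_activity": [
    {"name": "example-shop.test",
     "events": [{"type": "PURCHASE", "timestamp": 1672531200},
                {"type": "PAGE_VIEW", "timestamp": 1672531260}]}
  ]
}'''


def fix_text(value):
    """Undo the byte-per-escape encoding; strings that are already correct are left as they are."""
    try:
        return value.encode("latin-1").decode("utf-8")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return value


def fix_tree(node):
    """Apply fix_text to every string anywhere in the parsed export."""
    if isinstance(node, dict):
        return {key: fix_tree(value) for key, value in node.items()}
    if isinstance(node, list):
        return [fix_tree(item) for item in node]
    if isinstance(node, str):
        return fix_text(node)
    return node


def load_export(text):
    """Parse one export file and repair its strings."""
    return fix_tree(json.loads(text))


def summarize(node, path="", counts=None):
    """Count list records under every key path, e.g. 'your_off_facebook_activity/events'."""
    counts = {} if counts is None else counts
    if isinstance(node, dict):
        for key, value in node.items():
            summarize(value, f"{path}/{key}" if path else key, counts)
    elif isinstance(node, list):
        counts[path] = counts.get(path, 0) + len(node)
        for item in node:
            summarize(item, path, counts)
    return counts


def advertiser_names(export):
    """Advertisers that uploaded a contact list containing you (assumed key names)."""
    section = export.get("ads_information", {})
    rows = section.get("advertisers_who_uploaded_a_contact_list_with_your_information", [])
    return [row["name"] for row in rows]


if __name__ == "__main__":
    export = load_export(SAMPLE_EXPORT_TEXT)
    for path, count in sorted(summarize(export).items()):
        print(f"{count:6d}  {path}")
    print(advertiser_names(export))
```

Point `load_export` at each `*.json` file of a real export and merge the `summarize` results to get the per-category record counts the post visualizes; without `fix_text`, every accented advertiser or place name in the result is garbled.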
Secure FastAPI with eBPF
by Avi Lumelsky
8M ago
Leverage eBPF to secure internet-facing APIs: FastAPI, BlackSheep, Flask, Django, aiohttp, tornado, and more. In the previous post, I used secimport to secure PyTorch code. I showed how PyTorch models from insecure sources can be evaluated safely on any Linux machine. Table Of Contents: A word about API security — How to trace Python and syscalls together? Introduction to Secimport — Trace your application: secimport trace / trace_pid — Building an eBPF profile (sandbox policy): secimport build — Running your code with eBPF supervision: secimport run — Create a new sandbox from…
Securing PyTorch Models with eBPF
by Avi Lumelsky
9M ago
This article was not generated by GPT. In this blog, I will present secimport — a toolkit for creating and running sandboxed applications in Python that utilizes eBPF (bpftrace) to secure Python runtimes. I will start with why it is needed (feel free to skip that part), and then demonstrate how to run PyTorch models securely. In part 1 of the series, I introduced OS and Application tracing and sandboxing for Python. I wrote about a minimal working solution (MVP) with dtrace, that secures Python runtimes all the way to the syscall level. For an in…
Sandboxing python modules in your code
by Avi Lumelsky
1y ago
Running code from an untrusted source is still an unsolved issue, especially in dynamic languages like Python and JavaScript. I will begin with 2 unanswered questions: If you import requests for HTTP, why should requests be able to open a terminal and switch to sudo? If you import logging, why should it be able to network (or LDAP like in Log4Shell) if you only need to write files to a specific directory? This is the story of how I wrote a sandbox for Python imports: creating a production-ready solution and testing it for different use cases. Some AI art by min-DALLE for “secimport…
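The question the three secimport posts above ask (why may an HTTP client spawn a shell, why may a logger talk to the network) is a per-module policy on what each import is allowed to do. The block below is an added example, not code from secimport: it enforces such a policy in pure Python with `sys.addaudithook`, keyed on which module is on the call stack when a guarded operation is attempted. The two "untrusted" modules, their names and the policy are constructed for illustration. The note after the block says why this is weaker than the syscall-level approach the posts take.

```python
import os
import socket
import subprocess
import sys
import types

# Per-module policy: module name -> audit-event prefixes that module may trigger.
# Anything else is blocked for that module; modules absent from the policy are
# unrestricted, so the interpreter itself keeps working. (Constructed example policy.)
POLICY = {
    "untrusted_http": {"socket."},    # an HTTP client needs sockets, nothing else
    "untrusted_logger": {"open"},     # a logger needs files, never the network
}

# Audit events that are checked against the policy; everything else passes.
GUARDED = ("open", "socket.", "subprocess.Popen", "os.system", "os.exec")


def _modules_on_stack():
    """Names of every module that has a frame on the current call stack."""
    names = set()
    frame = sys._getframe(1)
    while frame is not None:
        names.add(frame.f_globals.get("__name__"))
        frame = frame.f_back
    return names


def _sandbox_hook(event, args):
    if not event.startswith(GUARDED):
        return
    for module in _modules_on_stack():
        allowed = POLICY.get(module)
        if allowed is None:
            continue
        if not any(event.startswith(prefix) for prefix in allowed):
            # Raising inside the hook aborts the operation before it happens.
            raise PermissionError(f"sandbox: {module} may not trigger {event}")


# Audit hooks cannot be removed once installed; this one lives as long as the process.
sys.addaudithook(_sandbox_hook)


def load_untrusted(name, source):
    """Compile constructed 'third-party' source into a real module object."""
    module = types.ModuleType(name)
    exec(compile(source, f"<{name}>", "exec"), module.__dict__)
    sys.modules[name] = module
    return module


# Constructed stand-ins for third-party packages. They import only modules this
# file already imported, so no import-time file reads are attributed to them.
untrusted_http = load_untrusted("untrusted_http", """
import socket, subprocess
def open_socket():
    s = socket.socket()
    s.close()
    return "socket ok"
def spawn_shell():
    return subprocess.run(["echo", "pwned"], capture_output=True).stdout
""")

untrusted_logger = load_untrusted("untrusted_logger", """
import os, socket
def write_file():
    with open(os.devnull, "w") as f:
        f.write("log line")
    return "file ok"
def phone_home():
    s = socket.socket()
    s.close()
    return "network ok"
""")


def attempt(fn):
    """Run fn and report whether the sandbox let it through: ('ok', result) or ('blocked', reason)."""
    try:
        return ("ok", fn())
    except PermissionError as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    for fn in (untrusted_http.open_socket, untrusted_http.spawn_shell,
               untrusted_logger.write_file, untrusted_logger.phone_home):
        print(f"{fn.__module__}.{fn.__name__}: {attempt(fn)}")
```

Caveat: audit hooks only see operations that pass through CPython's own APIs. A C extension, a `ctypes` call, or anything that issues a syscall directly never raises an audit event, and nothing stops untrusted code from shipping such a thing. That gap is exactly why the posts move enforcement down to dtrace and eBPF, where the kernel sees every syscall regardless of how Python reached it.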
How I Discovered Thousands of Open Databases on AWS
by Avi Lumelsky
2y ago
My journey on finding and reporting databases with sensitive data about Fortune-500 companies, Hospitals, Crypto platforms, Startups during due diligence, and more.
Table Of Contents: Overview; Background; My Hypothesis; Scanning; BI & Automation: From thousands to hundreds; Examples of data I found; Conclusion
Overview: It is easy to find misconfigured assets on cloud services, by scanning the CIDR blocks (IP ranges) of managed services, since they are known and published by them.
An email from one of the companies I reported.
In just 1 day, I found thousands of Elastic…
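The hypothesis in the post is mechanical: the cloud provider publishes its prefixes, so the candidate address space for a given service is a known, finite list. The block below is an added example, not the author's tooling. It works on a constructed excerpt in the layout of https://ip-ranges.amazonaws.com/ip-ranges.json (the three prefixes are documentation ranges, not real AWS allocations), expands the prefixes of one service into host addresses, and classifies the root response of an Elasticsearch node (the tagline and `cluster_name` fields are what a real unauthenticated node returns on `GET /`). The live `probe`/`scan` functions are included so the procedure is complete; run them only against assets you are authorized to test.

```python
import concurrent.futures
import http.client
import ipaddress
import json

# Constructed excerpt in the layout of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The real file lists thousands of prefixes; these three are made up (RFC 5737 ranges).
IP_RANGES_JSON = json.dumps({
    "syncToken": "0",
    "createDate": "2023-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/28", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.16/28", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
    ],
})

# Constructed root response of an Elasticsearch node with nothing in front of it (real field shape).
SAMPLE_ES_BODY = json.dumps({
    "name": "node-1", "cluster_name": "prod-logs",
    "version": {"number": "7.10.2"}, "tagline": "You Know, for Search",
})


def candidate_hosts(ip_ranges, service, regions=None):
    """Every host address inside the published prefixes of one service, optionally limited to regions."""
    for entry in ip_ranges["prefixes"]:
        if entry["service"] != service:
            continue
        if regions and entry["region"] not in regions:
            continue
        for host in ipaddress.ip_network(entry["ip_prefix"]).hosts():
            yield str(host)


def classify_elasticsearch(status, body):
    """Interpret an unauthenticated GET / on port 9200."""
    if status == 401:
        return "auth-required"
    if status != 200:
        return "not-elasticsearch"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-elasticsearch"
    if doc.get("tagline") == "You Know, for Search" and "cluster_name" in doc:
        version = doc.get("version", {}).get("number", "?")
        return f"open: cluster={doc['cluster_name']} version={version}"
    return "not-elasticsearch"


def probe(host, port=9200, timeout=2.0):
    """Fetch / from one host and classify it. Only for assets you are authorized to test."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return classify_elasticsearch(resp.status, resp.read().decode("utf-8", "replace"))
    except (OSError, http.client.HTTPException):
        return "closed-or-filtered"
    finally:
        conn.close()


def scan(ip_ranges, service, regions=None, workers=64):
    """Probe every candidate concurrently; return only hosts that answered as Elasticsearch."""
    hosts = list(candidate_hosts(ip_ranges, service, regions))
    findings = {}
    with concurrent.futures.ThreadPoolExecutor(max_workers=workers) as pool:
        for host, verdict in zip(hosts, pool.map(probe, hosts)):
            if verdict.startswith("open") or verdict == "auth-required":
                findings[host] = verdict
    return findings


if __name__ == "__main__":
    ranges = json.loads(IP_RANGES_JSON)
    print(len(list(candidate_hosts(ranges, "EC2"))), "EC2 candidates in the sample")
    print(classify_elasticsearch(200, SAMPLE_ES_BODY))
    # Live step, deliberately not run by default: scan(ranges, "EC2", {"us-east-1"})
```

With the real file, `candidate_hosts(ranges, "EC2")` yields tens of millions of addresses, which is why the post's "BI & Automation" step matters: the scan is cheap, triage of the hits is not. An `auth-required` verdict is a correctly configured node and should not be reported.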
Identify Website Users By Client Port Scanning — Using WebAssembly And Go
by Avi Lumelsky
2y ago
Browsers — A Localhost Gateway: Client Port Scanning Using WebAssembly And Go. Websites tend to scan the open ports of their users, from the browser, to identify new/returning users better. Can ‘localhost’ be abused by the browser? Can it be done through WebAssembly? The code is available at https://github.com/avilum/portsscan, feel free to contribute. In this article, I will demonstrate how browsers can be abused to attack localhost services — to penetrate organizations or to run remote code from the browser. It isn’t a secret that each of us go…
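The defensive side of the post's point: a service that listens on loopback is reachable by any web page the user visits, so it has to check who is asking. The block below is an added example, not part of the post or the portsscan repository. `should_serve` looks at the request headers a browser attaches (`Sec-Fetch-Site`, `Origin`, the Host header, and Chrome's Private Network Access preflight) and refuses cross-site browser traffic; the handler and the sample headers around it are constructed for illustration.

```python
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Names under which a loopback-only service legitimately answers. Any other Host
# means the browser resolved an attacker's name to 127.0.0.1 (DNS rebinding), which
# makes the page same-origin with the service from the browser's point of view.
LOCAL_HOSTNAMES = {"localhost", "127.0.0.1", "::1"}


def _hostname(authority):
    """'[::1]:8080' -> '::1', '127.0.0.1:8080' -> '127.0.0.1', 'attacker.example' -> 'attacker.example'."""
    return (urllib.parse.urlsplit("//" + authority).hostname or "").lower()


def should_serve(method, headers):
    """Decide whether a request to a localhost service may be answered. Returns (allow, reason)."""
    h = {name.lower(): value for name, value in headers.items()}

    host = _hostname(h.get("host", ""))
    if host not in LOCAL_HOSTNAMES:
        return False, f"Host {host!r} is not a local name (DNS rebinding?)"

    # Browsers add Sec-Fetch-Site to every request they make, including <img> loads
    # and no-cors fetches that carry no Origin header at all.
    site = h.get("sec-fetch-site")
    if site in ("cross-site", "same-site"):
        return False, f"browser request from another site (Sec-Fetch-Site={site})"

    origin = h.get("origin")
    if origin and (urllib.parse.urlsplit(origin).hostname or "").lower() not in LOCAL_HOSTNAMES:
        return False, f"cross-origin browser request from {origin}"

    # Chrome's Private Network Access preflight asks for permission explicitly; refuse it.
    if method == "OPTIONS" and h.get("access-control-request-private-network", "").lower() == "true":
        return False, "private-network preflight refused"

    return True, "no cross-origin browser markers"


class GuardedHandler(BaseHTTPRequestHandler):
    """Minimal handler that applies the check to every request it receives."""

    def _answer(self):
        allow, reason = should_serve(self.command, dict(self.headers.items()))
        body = (reason + "\n").encode()
        self.send_response(200 if allow else 403)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_OPTIONS = _answer


def serve(port=8080):
    """Bind to loopback only; listening on 0.0.0.0 would defeat the purpose."""
    HTTPServer(("127.0.0.1", port), GuardedHandler).serve_forever()


if __name__ == "__main__":
    # Constructed requests: a page on attacker.example, a plain curl, and a same-origin page.
    for method, headers in [
        ("GET", {"Host": "127.0.0.1:8080", "Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site"}),
        ("GET", {"Host": "127.0.0.1:8080", "User-Agent": "curl/8.0"}),
        ("GET", {"Host": "localhost:8080", "Origin": "http://localhost:8080", "Sec-Fetch-Site": "same-origin"}),
    ]:
        print(method, headers.get("Origin", "-"), "->", should_serve(method, headers))
    serve()
```

This stops a page from reading or driving the service, but not from learning that the port is open: the scan in the post only needs the connection to succeed or fail, and a 403 succeeds just as well as a 200. The only complete fixes are not listening at all while the service is idle, or a browser that blocks public-to-private requests outright, which is what Private Network Access is meant to deliver.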
Infery — Run Deep Learning Inference with Only 3 Lines of Python Code
by Avi Lumelsky
2y ago
Imagine having the power of all frameworks at your fingertips with one friendly yet powerful API. Our mission is to help AI developers easily build, optimize, and deploy deep learning models. As part of this mission, we developed Infery, a Python runtime engine that transforms running inference on optimized models into a light and easy process. It involves just three lines of code and supports the major frameworks and hardware types. Imagine having the power of all frameworks at your fingertips with one friendly ye…
POC For Google Phishing In 10 Minutes: ɢoogletranslate.com
by Avi Lumelsky
2y ago
Google.news is not google.news: POC For Google Phishing with SSL. Back in 2016, I ran into a post about someone buying ɢoogle.com. It was used for phishing purposes (notice the first G). Homographic characters look like ASCII letters, but their encoding is different, in a way that is usually not noticeable to the human eye. Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by or instant messaging, it often directs us…
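What makes ɢoogle.com work is that the first letter is U+0262, LATIN LETTER SMALL CAPITAL G, so DNS sees an entirely different name in punycode while the address bar shows something a human reads as "google". The block below is an added example, not the post's proof of concept: it converts between the Unicode and `xn--` forms with the standard library's `idna` codec, lists the non-ASCII characters in a label, flags mixed scripts, and checks a candidate against a target through a small confusables map. That map is a constructed subset of the Unicode confusables table (UTS #39), enough for these examples; a real checker loads the full table.

```python
import unicodedata

# A tiny subset of the Unicode confusables table (UTS #39), constructed for this example.
CONFUSABLES = {
    "\u0262": "g",   # LATIN LETTER SMALL CAPITAL G, the character behind ɢoogle.com
    "\u0430": "a",   # CYRILLIC SMALL LETTER A
    "\u0435": "e",   # CYRILLIC SMALL LETTER IE
    "\u043e": "o",   # CYRILLIC SMALL LETTER O
    "\u0440": "p",   # CYRILLIC SMALL LETTER ER
    "\u0441": "c",   # CYRILLIC SMALL LETTER ES
    "\u0443": "y",   # CYRILLIC SMALL LETTER U
    "\u0445": "x",   # CYRILLIC SMALL LETTER HA
    "\u0455": "s",   # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",   # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}


def script_of(ch):
    """Crude script bucket: the first word of the Unicode character name (LATIN, CYRILLIC, ...)."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def analyze(domain):
    """Accept a domain in Unicode or punycode form and report what it really contains."""
    labels = []
    for raw in domain.strip().lower().split("."):
        if raw.startswith("xn--"):
            raw = raw.encode("ascii").decode("idna")   # punycode label -> Unicode
        labels.append(raw)
    unicode_form = ".".join(labels)
    ascii_form = unicode_form.encode("idna").decode("ascii")   # the name DNS actually resolves
    scripts = {script_of(c) for c in unicode_form if c.isalpha()}
    return {
        "unicode": unicode_form,
        "ascii": ascii_form,
        "is_idn": any(label.startswith("xn--") for label in ascii_form.split(".")),
        "non_ascii": [(c, unicodedata.name(c, "?")) for c in unicode_form if ord(c) > 127],
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
    }


def skeleton(text):
    """Replace every known confusable with the ASCII letter it imitates."""
    return "".join(CONFUSABLES.get(c, c) for c in text)


def is_lookalike(domain, target):
    """True when domain reads like target to a human but is a different name."""
    info = analyze(domain)
    return info["unicode"] != target and skeleton(info["unicode"]) == target


if __name__ == "__main__":
    # Constructed candidates: small-capital G, two Cyrillic o's, and the genuine name.
    for candidate in ("\u0262oogle.com", "g\u043e\u043egle.com", "google.com"):
        info = analyze(candidate)
        print(f"{info['unicode']} -> {info['ascii']} | idn={info['is_idn']} "
              f"mixed_script={info['mixed_script']} "
              f"lookalike_of_google={is_lookalike(candidate, 'google.com')} "
              f"chars={info['non_ascii']}")
```

Note the difference between the two lookalikes: the Cyrillic variant trips the mixed-script check, which is roughly what browsers use to decide whether to display the punycode form instead of the Unicode one, but ɢoogle.com is pure Latin and passes it. Only a confusables comparison catches it, so a brand-monitoring check should compare skeletons against your domains rather than rely on script mixing alone.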
