The XSS Guy
@thexssguy.bsky.social
Developer. Hacker. Other stuff.
I think one thing that is not getting enough attention around AI and software developers is the fact that AI is going to create a “pipeline problem” for developers. Companies aren’t going to hire junior developers and fewer mid level developers now and then in 10-15 years there will be a shortage.
May 20, 2025 at 11:53 PM
Really sad to hear that ChatGPT had their IP stolen to train an AI model.
January 30, 2025 at 1:21 AM
Reposted by The XSS Guy
CISA says that a 2020 XSS vulnerability in the jQuery framework tracked as CVE-2010-11023 is now being exploited in the wild

www.cisa.gov/news-events/...
January 23, 2025 at 6:47 PM
1459 days left.
January 21, 2025 at 10:49 PM
Reposted by The XSS Guy
Bambu Connect’s Authentication X.509 Certificate and Private Key Extracted
Hot on the heels of Bambu Lab's announcement that it would be locking down all network access to its X1-series 3D printers with new firmware, the X.509 certificate and private …
hackaday.com
January 19, 2025 at 6:30 PM
The TikTok law provides for a one time extension for up to 90 days. Could Joe Biden issue a 24 hour extension just to mess with Trump🤔
January 19, 2025 at 4:33 PM
Full Self Driving has been "just around the corner" for 10+ years. I feel the same way about AI replacing developers. It will be "just around the corner" for another 10 years.
January 16, 2025 at 5:33 AM
Sometimes I hate working in software. "Why did it take your team 10 weeks to implement that feature?" Because we waited 7 weeks for your leadership team to decide on what the requirements were for that feature.
January 16, 2025 at 5:31 AM
Reposted by The XSS Guy
The facts are, the ACA saved millions with pre-existing conditions and set standards for care.

But now, more than a decade later, with what we now know, it’s time to take the insurance companies out of the mix.
The subsidies they get are enormous. We don’t need them as middlemen.
January 16, 2025 at 2:10 AM
Reposted by The XSS Guy
Great insights from Microsoft's AI red team applicable to any enterprise developing generative AI systems: "3 takeaways from red teaming 100 generative AI products"
3 takeaways from red teaming 100 generative AI products | Microsoft Security Blog
The growing sophistication of AI systems and Microsoft’s increasing investment in AI have made red teaming more important than ever. Learn more.
www.microsoft.com
January 14, 2025 at 4:39 AM
Hey. You know that software that you use all day every day? You know that one feature of the software that you rely on and while it works, it can sometimes be buggy? The people that develop it know it sucks, but nobody is assigned to work on it and bugs build up. We hate it too.
January 13, 2025 at 1:11 AM
Reposted by The XSS Guy
The reality is that Salesmanship is the differentiation between the two parties.

The Dems couldn't sell dollar bills for 50c

Trump has found his audience and can sell them dollar bills for $5

When everything is a story the algorithm flashes at you as you scroll, you better be selling fast
It is truly about who tells a better story — or really a story people want to hear and makes them see what they believe rather than believe what they see.
More jobs have been created under Biden than during the full terms of Trump, Obama, or Bush 43. @danprimack.bsky.social www.axios.com/2025/01/10/i...
January 12, 2025 at 12:52 AM
Reposted by The XSS Guy

Facebook awards researcher $100,000 for finding bug that granted internal access

techcrunch.com/2025/01/09/f...
Exclusive: Facebook awards researcher $100,000 for finding bug that granted internal access
A security researcher found a bug in a Facebook ad platform, which gave him access to the company’s internal infrastructure.
techcrunch.com
January 9, 2025 at 11:28 PM
Reposted by The XSS Guy
This writeup on a signature bypass vulnerability does a good job of calling out some design red flags, but I want to point out a major one.

If you need to extract a signature out of a message, you MUST NEVER then operate on the original message.

Many applications and protocols get this wrong.
A Signature Verification Bypass in Nuclei (CVE-2024-43405) | Wiz Blog
Wiz's engineering team discovered a high-severity signature verification bypass in Nuclei which could potentially lead to arbitrary code execution.
www.wiz.io
January 5, 2025 at 9:10 PM
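The rule in the post above (verify the signature, then never go back to the original message), as an added example that is not from the post, from Wiz, or from Nuclei. It assumes a constructed envelope format in which the last line carries an HMAC digest; the verifier hands back the exact signed bytes and the loader parses only those.

```python
import hashlib
import hmac

# Constructed toy envelope (an assumption for this example, not Nuclei's real
# template format): the signed body is followed by one final line
# "# digest: <hex HMAC-SHA256 of the body bytes>".
TRAILER = b"# digest: "


def sign(body: bytes, key: bytes) -> bytes:
    """Append a digest trailer; used here only to build sample input."""
    mac = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + TRAILER + mac + b"\n"


def verify_and_extract(message: bytes, key: bytes) -> bytes:
    """Return exactly the bytes the signature covers, or raise ValueError.

    Returning the covered bytes (rather than True/False) is the point: the
    caller has no reason to touch `message` again, so whatever it parses is
    byte-for-byte what was verified, with no second "view" of the input.
    """
    if not message.endswith(b"\n"):
        raise ValueError("message must end with a newline")
    cut = message.rfind(b"\n", 0, len(message) - 1)  # start of the last line
    body, last = message[:cut + 1], message[cut + 1:-1]
    if not last.startswith(TRAILER):
        raise ValueError("missing digest trailer")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # compare_digest also rejects anything appended after the hex digest
    if not hmac.compare_digest(last[len(TRAILER):], expected):
        raise ValueError("signature mismatch")
    return body


def parse(body: bytes) -> dict:
    """Toy 'key: value' parser standing in for a real template loader."""
    out = {}
    for line in body.decode().split("\n"):
        if line and not line.startswith("#"):
            k, _, v = line.partition(":")
            out[k.strip()] = v.strip()
    return out


def load_template(message: bytes, key: bytes) -> dict:
    # Safe pattern: parse only what verify_and_extract handed back.
    # The bug class is "verify(message); parse(message)" with two parsers.
    return parse(verify_and_extract(message, key))
```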
A great way to find new bugs is to look at old bugs.

giraffesecurity.dev/posts/amazon...
Hat Trick: AWS introduced same RCE vulnerability three times in four years
giraffesecurity.dev
January 4, 2025 at 3:58 PM
Working on a death march project has to be one of the most demotivating things in tech. Here’s hoping for a more motivating 2025.
January 1, 2025 at 1:58 AM
I am a little disappointed that my box of cables is missing the one cable I need right now.
December 19, 2024 at 4:37 PM
Reposted by The XSS Guy
20 years ago we were suing teenagers for millions of dollars because they were torrenting a single Metallica album and now billionaires are demanding the free right to every work in history, so that they can re-sell it.

The law only ever serves capital.
January 8, 2024 at 4:34 PM
I have learned so much about desktop apps and their cloud strategy by simply setting a local proxy and looking at the calls.
December 18, 2024 at 3:02 AM
Die Hard is a Christmas movie. Die Hard 2 is a movie that takes place around Christmas.
December 18, 2024 at 2:53 AM
Offshoring has a cost. Having a team spread across US West, US East, Western Europe and India, means someone is having a bad time. There are 0 hours of overlap in standard time, but the project must move forward. Guess what?? Your deadline is in trouble.
December 17, 2024 at 3:14 AM
Reposted by The XSS Guy
We can all resist fascism.
December 15, 2024 at 6:10 PM