Fysac
fysac.bsky.social
I’m a security engineer interested in vulnerability research, cryptography, and software engineering, among other things. I sometimes post about my research here: https://fysac.github.io
Reposted by Fysac
A reminder that if I block you, it’s definitely because I’m afraid of your superior intellect, arguments, and attractiveness. It has nothing to do with your being an annoying, toxic dimwit.
November 14, 2025 at 9:05 PM
Reposted by Fysac
Happy Memory Safety Day to all who observe. 🔐
November 8, 2025 at 4:09 PM
Exploit demo for CVE-2024-51317, a use-after-free in the NetSurf web browser enabling arbitrary code execution when JavaScript is enabled. Target is NetSurf 3.11 on Ubuntu 22.04.

Patched in upstream source code, still making its way to distro packages. To mitigate, disable JS (off by default).
November 3, 2025 at 8:08 PM
Cable management is the bane of my existence
October 13, 2025 at 10:29 PM
Reposted by Fysac
I am doing a survey of supply chain attacks, and it's annoying how 95% of the analysis is on payloads vs. compromise vectors.

Yes, you are a very smart reverser and that's a very clever payload. Yes, rolling out phishing-resistant auth is a slog. No, this is not how we make progress.

</rant>
October 1, 2025 at 3:29 PM
Reposted by Fysac
May 1, 2025 at 10:10 PM
New in Go 1.24: os.Root, to prevent path traversal by constraining filesystem ops to a root directory. Seems pretty cool.

pkg.go.dev/os@master#Root
February 14, 2025 at 1:12 AM
reddit allowing threads less than a year old to be archived is legitimately infuriating.
December 20, 2024 at 8:44 PM
Reposted by Fysac
VPN vendors have huge budgets to advertise on your favorite podcasts.

We don't have marketing for the IETF, browser and OS security teams, CAs (Let's Encrypt), CDNs, researchers, open source authors, website builders, digital rights activists...

We made the web secure and didn't tell anyone.
Man-in-the-middle attacks on Public WiFi networks haven't been a realistic threat in a decade. Almost all websites use encryption by default, and anything of value uses HSTS to prevent attackers from downgrading / disabling encryption. It's a non issue.
They are useful to prevent man in the middle attacks where someone uses a pineapple to spoof a public wifi signal.
December 20, 2024 at 3:46 AM