http://max.computer/ Recent content on Max.Computer Hugo -- gohugo.io en-US Copyright © 2012-2017 Max Veytsman Fri, 12 Dec 2014 00:00:00 +0000 http://max.computer/projects/gemcanary/ Mon, 01 Jan 0001 00:00:00 +0000 http://max.computer/projects/gemcanary/ After the Ruby security apocalypse, we had to figure out if any of our projects at State Machinery were vulnerable and patch them. We realized that manually checking Gemfiles for vulnerable versions was tedious and prone to error, so we built Gemcanary to monitor your Gemfiles and email you if any vulnerabilities came out. Gemcanary was designed as a free service to drive traffic to our consultancy, but after a few years we realized that focusing on commercializing the product was the right move and wound down the consultancy to focus on our current canary-themed venture, Appcanary. http://max.computer/about/ Mon, 01 Jan 0001 00:00:00 +0000 http://max.computer/about/ Name: Max Veytsman Age: days Employment: Appcanary Schooling (Computer Science): University of Toronto Schooling (Capitalism): Y Combinator Unschooling: Recurse Center Twitter: yes Github: yes Keybase: yes Linkedin: if you insist http://max.computer/blog/last-days-of-the-pirate-bay/ Fri, 12 Dec 2014 00:00:00 +0000 http://max.computer/blog/last-days-of-the-pirate-bay/ I’ll be showing my BitTorrent video collage at Long Winter tonight. $ cat last-days.nfo __ __ ____ ____ / / ____ ______/ /_ / __ \____ ___ _______ ____ / __/ / / / __ `/ ___/ __/ / / / / __ `/ / / / ___/ / __ \/ /_ / /___/ /_/ (__ ) /_ / /_/ / /_/ / /_/ (__ ) / /_/ / __/ /_____/\__,_/____/\__/ /_____/\__,_/\__, /____/ \____/_/ /____/ ________ ____ _ __ ____ /_ __/ /_ ___ / __ \(_)________ _/ /____ / __ )____ ___ __ / / / __ \/ _ \ / /_/ / / ___/ __ `/ __/ _ \ / __ / __ `/ / / / / / / / / / __/ / ____/ / / / /_/ / /_/ __/ / /_/ / /_/ / /_/ / /_/ /_/ /_/\___/ /_/ /_/_/ \__,_/\__/\___/ /_____/\__,_/\__, / /____/ Last Days of The Pirate Bay On December 9th, Swedish police raided a datacenter in Stockholm and seized the servers that run The Pirate Bay, shutting down the world's most notorious and popular piracy site. http://max.computer/blog/solving-the-expression-problem-in-clojure/ Sat, 18 Oct 2014 00:00:00 +0000 http://max.computer/blog/solving-the-expression-problem-in-clojure/ Last night, I was having a drink with a friend and he asked me what I liked about Clojure. Immutable data structures are coming in vogue outside Clojure, and they don’t need to be sold very hard. I don’t know a lot about virtual machine optimization, but I’ve always been swayed by the argument that with the amount of dollars and intellectual effort spent on JVM optimization in the past decades, it’s pretty fast. http://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/ Mon, 28 Jul 2014 00:00:00 +0000 http://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/ Update: 07/31/2014 Sonatype has reacted to this post and will soon be turning on SSL access for all users. Their blog post announcing this is here. I’m very happy that they are making this change, and the Java ecosystem is going to be more secure for it! That being said, if you’re reading this and are thinking of charging $10 to gauge the true demand for security features in your product, don’t. http://max.computer/blog/delimited-continuations-in-ruby-part-2-generators-and-coroutines/ Mon, 21 Jul 2014 00:00:00 +0000 http://max.computer/blog/delimited-continuations-in-ruby-part-2-generators-and-coroutines/ Last time, I showed some basic things you can do with delimited continuations. If you’re still confused about them (as I am!) another good tutorial is here. Let’s dive right in and build some more complicated control structures! Generators Let’s start by building what Python calls “Generators.” Ruby has Enumerators, which are pretty similar, but I’ll call it a generator in order to differentiate my implementation from the Ruby core. http://max.computer/blog/delimited-continuations-in-ruby-part-1/ Sat, 12 Jul 2014 00:00:00 +0000 http://max.computer/blog/delimited-continuations-in-ruby-part-1/ For the past few days at Hacker School, I’ve been exploring continuations. Continuations are hard to describe. Basically, a continuation represents the execution state of a program at a point. Capturing the continuation and invoking it later allows you to come back to that point in the programs execution. Continuations can be used to implement complicated control flow constructs. If that was complicated, here’s a sandwich metaphor from Luke Palmer: http://max.computer/blog/doorbot-overflow/ Thu, 03 Jul 2014 00:00:00 +0000 http://max.computer/blog/doorbot-overflow/ Today was presentation day at Hacker School. I have a 10 minute talk about “building a better doorbot” which was secretly a talk about exploiting stack buffer overflows. People seemed to enjoy it. The slides are available here, and the source code is here. http://max.computer/blog/hacker-school-the-first-three-weeks/ Sun, 29 Jun 2014 00:00:00 +0000 http://max.computer/blog/hacker-school-the-first-three-weeks/ For three weeks now, I’ve been at Hacker School. Hacker School is hard to describe, they call themselves a “writer’s retreat for programmers.” Personally I prefer “programmer summer camp,” mostly because I have no idea what writer’s retreats are like. Basically it’s a collection of people working in a self-directed way to improve their skills as programmers. They accept people of all skill levels, as long as you have programmed before. http://max.computer/blog/how-to-locate-any-tinder-user/ Tue, 25 Feb 2014 00:00:00 +0000 http://max.computer/blog/how-to-locate-any-tinder-user/ You can also find this post on my consultancy’s blog here Last fall, while performing some bespoke security research for one of our clients, I found a way to locate any Tinder user using trilateration. Here’s what the proof of concept looks like: I did a guest post over at the Include Security blog about how I was able to track the location of any Tinder user. http://max.computer/blog/thoughts-on-bsidesto/ Sat, 30 Nov 2013 00:00:00 +0000 http://max.computer/blog/thoughts-on-bsidesto/ Last month, I helped organize a security conference in Toronto called BsidesTO. I’ve attended and volunteered at my fair share of conferences, but this is the first time I’ve had an integral role in throwing and event of this scale. One day, two floors, 14 speakers, and over 150 attendees. It was a blast. An exhausting blast. Bsides. is a brand for security conferences around the world. What is BSides? http://max.computer/blog/hacking-letterpress/ Fri, 09 Nov 2012 00:00:00 +0000 http://max.computer/blog/hacking-letterpress/ You can also find this post on my consultancy’s blog here Letterpress is an iOS game that came out a few weeks ago and immediately became popular enough to take down Apple’s GameCenter. It’s a cross between Scrabble and Go. The game is played on a board made out of 25 letters and players take turns building words in order to capture the letters they use. I was hopelessly addicted to Letterpress until I figured out how to win consistently. http://max.computer/blog/breaking-in-and-out-of-vagrant/ Wed, 31 Oct 2012 00:00:00 +0000 http://max.computer/blog/breaking-in-and-out-of-vagrant/ **You can also find this post on my consultancy’s blog here ** Vagrant is a great tool that allows you to easily spawn and configure lightweight VMs to use as development environments. Vagrant provides base installs of several flavours of Linux, and takes care of setting up networking and shared folders for you. Vagrant is really useful for managing your development environment, and I highly recommend it. If you’re doing a lot of development, you might need to be running all kinds of application and database servers on your machine, and it’s probably a much better idea to run them in a VM rather than on your host machine. http://max.computer/blog/my-solutions-to-the-stripe-ctf-web-app-edition/ Thu, 30 Aug 2012 00:00:00 +0000 http://max.computer/blog/my-solutions-to-the-stripe-ctf-web-app-edition/ You can also find this post on my consultancy’s blog here Stripe recently ran a CTF focused on web application hacking. It ended yesterday, and I decided to write up my solutions. If you have any questions or find a bug in my solutions, you can reach me at max [at] state.io. First of all, I had an great time solving these challenges. Big thanks to the Stripe team for creating such a fun game. http://max.computer/projects/appcanary/ Mon, 01 Jan 0001 00:00:00 +0000 http://max.computer/projects/appcanary/ In 2015, we transitioned our consultancy into a product company and I switched my title from the ambiguous “partner” to the equally ambiguous but more startupy “founder.” Appcanary tracks vulnerabilities in open source software, and notifies you if one of your dependencies needs to be upgraded. We were part of Y Combinator in the summer of 2015, and I’ve been writing code and talking to users ever since. http://max.computer/projects/dilettante/ Mon, 01 Jan 0001 00:00:00 +0000 http://max.computer/projects/dilettante/ The main public repository for Java-ecosystem packages is Maven Central. I discovered that when you installed Java packages using a tool like maven or ant, they were served unencrypted over HTTP, without any sort of cryptographic verification of their contents. Anyone who has control over a wifi router could trick Java developers into downloading compromised Jars and run arbitrary code on their systems. I tried asking the company that runs Maven Central nicely to change this, but they didn’t budge. http://max.computer/projects/piratebay/ Mon, 01 Jan 0001 00:00:00 +0000 http://max.computer/projects/piratebay/ http://max.computer/projects/stateio/ Mon, 01 Jan 0001 00:00:00 +0000 http://max.computer/projects/stateio/ For two and a half years, I ran a boutique consultancy. We provided a mix of security and development services, meaning that on any given day I could be developing and MVP, hacking into someone’s network, or debugging legacy software. http://max.computer/projects/tinder/ Mon, 01 Jan 0001 00:00:00 +0000 http://max.computer/projects/tinder/ I discovered that Tinder would return distances between users with extremely high precision. This is a problem because it allows you to deduce the exact location of a Tinder user by measuring their distance to three known points (this is called trilateration). I made a demo application to geolocate Tinder users in order to demonstrate to Tinder how serious of an issue this was. They fixed the problem, and afterwards I disclosed it publicly.