security engineering @brave / helped build Let's Encrypt, Privacy Badger, and HTTPS Everywhere @eff / physics alum @mit / rabbit enthusiast

Pinned Tweet
could not for the life of me figure out how to buy a bus ticket in Milan. it was literally easier to get a shell 😆
omg
in january 2023, i had a simple ultrasound done at SimonMed. they sent me 4 bills totaling $5137 for it. after a year of emails and phone calls, they finally admitted today that i only owed $140.53 and are mailing me a refund check! here's how i did it 🧵
i don’t even know where to begin
PSA i can spoof any mit.edu email and it will pass all DKIM/SPF/etc. checks. here's an email i sent to myself pretending to be a famous MIT-affiliated podcaster - thanks gmail for auto-inserting the profile pic :) MIT may fix this someday but in the meantime beware that it's trivial for any mit.edu account to send mail as any other mit.edu account!
8 rabbits, aka 1 rabbyte
so crazy that if u just touch a computer in the right ways u can make like 100 billion dollars
reminder that the bcrypt hash function ignores input above a certain length! so if you do bcrypt(username || password) for some reason, a sufficiently long username will make it accept any password. to fix this you can sha256 the input first.
Okta allowing login bypass for any usernames with 52+ characters is insane. Official Security Advisory: trust.okta.com/security-advi…
confirmed that Facebook lets me exclude black, asian, and hispanic people from seeing my ads. why can't i exclude white people?
ROFL at andrew huberman saying that if you have a 20% chance of pregnancy in any given month, the chance of being pregnant after 6 months is 120% piped.video/watch?v=O1YRwWmu…
this is a udp joke so i don't care if u get it
tl;dr if u have insurance check that the amount ur billed lines up with what insurance says u owe before paying. if u overpaid u can try a demand letter to get a refund. ask the provider for a superbill. also "Never Pay the First Bill" has some tips for negotiating a bill down.
i…. just received a children’s book about a rabbit who travels back in time to medieval europe and gets everyone hyped about blockchain
in case youtube takes it down
the person who used gamestop as a bank in 2014 was way ahead of their time
amazingly i work on a security team where nobody wants to go drinking, so instead we went out for an elaborate tea service after work lol
6/ i called Anthem again to do a 3-way call with SimonMed to explain that i didn't owe them money, they owed me money. again nothing happened for months. in the meantime i started reading Never Pay the First Bill by Marshall Allen which suggested suing them in small claims court
7/ the first step to suing in small claims in CA is to send a demand letter, so i used selfhelp.courts.ca.gov/form/… to do this for free. i both mailed and emailed it to simonmed. they replied promptly via email saying they'd look into it
8/ after a few back-and-forths with SimonMed, they said their internal investigation concluded that i wasn't owed anything. however they offered to send me a superbill explaining the charges. i said sure. to my surprise, the PDF they sent me showed they owed me 484.92 ROFL
unpopular opinion of the day: i wish infosec (and tech industry in general) put less emphasis on teaching people to be public speakers and more emphasis on teaching them to be good technical writers
2/ the first bill they sent was for $484.92, which i paid promptly. a few months later they sent a bill for $3378.69! i contacted my insurance and they sent me an updated EOB saying i only owed an additional $140.53.
my left pinky is ripped af 💪
9/ their own PDF contained the last bit of proof i needed to get the refund! i simply replied saying so and they immediately escalated it. a few days later they asked me where to send the check :)
this car is ok
i hereby declare today to be BGP Awareness Day
3/ i emailed simonmed and attached the EOB. they said they would look into it. shortly after i got a new bill for $140.53 in the mail which i paid. then i noticed the 484.92 amount wasn't counted in my insurance deductible so i contacted my insurance asking why
4/ a representative from Anthem replied saying that their previous reply was wrong; i only owed $140.53 total. so simonmed owed me a refund for the first bill ($484.92). i called simonmed about this and their rep just said they would look into it and send me a check if needed.
i've written links in markdown 100+ times and i still have to look up whether the brackets or the parentheses come first. every single time.
5/ months passed with no refund. i asked Anthem what to do and they suggested Anthem, SimonMed, and I do a 3-way call. Anthem set up this call and again the SimonMed rep said they would look into it. months later, instead of a refund, SimonMed sent me another bill for $1133.18
a group of furries in costume is being accosted by casino staff for foiling the facial recognition system. #PeakDefcon
just gave my first guest lecture at stanford after dropping out in 2012 lol
i fixed the macbook keyboard
want to exercise at home but too lazy to figure out a routine? i have solved ur problem by building a web app that randomly generates workouts w/ random pictures scraped from Google Images and random tracks from SoundCloud: random.training/
last night someone explained meditation to me as cache invalidation for your mind
check out my sweet burner laptop
it's great making a product for linux users because they have such a low baseline expectation for things working out-of-the-box and will go to great lengths to help you debug
when i joined @brave in 2015, we estimated that the Brave 1.0 release was about 6 months away. today we finally did it!!! so proud of the team (which is now about 14x larger) :D
me every night
pg&e also:
* caused the deadliest fires in CA history bc they chose to spend money on lobbying & paying investors rather than maintaining their infrastructure
* declared bankruptcy to avoid liability for fire victims
* spent millions on lobbying politicians after that
Just as a reminder... If you're in California, and your power goes out due to a rolling blackout, PG&E had the money to upgrade their infrastructure to ensure this doesn't happen and they gave it to their shareholders and executives.
i remember the days when people still programmed in low-level languages such as untranspiled javascript
<👁/>
fyi homebrew had the backdoored version of xz utils; updating now will downgrade it duo.com/decipher/red-hat-war…
i don’t know who needs to see this but here u go
u mean to tell me i didn’t need to type “sudo” for the last 12 years??
A bug lurking for 12 years gives attackers root on every major Linux distro arstechnica.com/information-… by @dangoodin001
relationship goals
am i in a nightmare rn
got the best, AKA worst, hackerone report ever. someone reported that an attacker website can figure out a person's IP address by *gaining local access to the person's machine*, installing a NodeJS webserver, and using the IP npm package to get the IP.
my friends: me: what if Game of Thrones is actually the prequel to the Redwall series because everyone dies at the end and small woodland animals become the dominant species
hypothesis: most people's feelings about most things are just cached responses
just made a "decentralized" "alternative" to twitter; everyone should go "join" it
to make an account: fork github.com/diracdeltas/tweet…
to tweet: git commit --allow-empty
to follow someone: git remote add <alias> <their fork url>
to retweet: git cherry-pick <their "tweet">
my biggest takeaway from this article is that FB could be doing a lot more to prevent politically-motivated bot activity, but they choose not to because they don't see any immediate revenue or PR benefit from doing so.
i hate the confrontational tone of 'git blame'. from now on i will rename it to 'git thanks'.
i discovered this because i received a VERY convincing phishing email sent from "me". it turns out the attacker compromised another mit.edu acct and was using it to send email as arbitrary users. that acct has been reported and suspended.
it’d be cool to live in a society where you get to go to college for 1 year every several years in order to learn a new field
if you made #30Under30, don’t give your personal info to Forbes. I found a bug that lets any 30under30 member (like me) see other members’ DoBs, addresses, phones, etc. Forbes ignored my emails asking them to fix.
just got the heartbreaking news that peter eckersley is in the hospital and may not make it. there will be a vigil for him at 7pm in duboce park. if you want to share a story about him, please let me know.
global DNS ddos is the grownup version of a snow day. ☃️
who made this
if you exclude english and spanish, the most commonly spoken language in each US state is pretty surprising. businessinsider.com/what-is-…
things the javascript event loop runs in: a thread
buried in this announcement is the absolutely crazy revelation that until 2 weeks ago, anyone could have published an update to any npm package. github.blog/2021-11-15-githu… (HT @feross)
omfg my dentist today made a beat out of the dental cleaning tool sounds WHILE CLEANING MY TEETH and then she declared that her stage name would be Splash Mouth
ask yourself does this iptables rule spark joy
we don’t usually like colors, but today is an exception. happy #SFPride from azuki and me!! ❤️🧡💛💚💙💜🖤
wear a mask
A lot of people ask "why should I work in software development as opposed to math/physics/finance/etc.?" One reason is that this field is surprisingly full of "inadequate equilibria" (a steady-state in which low-hanging fruits are still available for non-experts to solve).
Replying to @b0rk
Myth 1: "Ruby has existed for like 20 years. If it were a good idea someone would have done it already." Reality: Not that many people actually work on Ruby profilers! Those people have different priorities and interests than me!
cannot praise tim cook and the team at apple highly enough for making my rabbit’s ear go over the clock on the latest update
FYI Sophie did NOT leak this memo to Buzzfeed. she posted it internally at FB, and then @BuzzFeed published this article without her permission. I'm disappointed in @BuzzFeed for not respecting their source's wishes on when and how to publish their information.
in today’s edition of “DMs that could have been phrased better”
no idea how many other legacy SMTP setups have the same issue but it's easy to detect in this case; just inspect the email headers and check if the "authenticated as" user is the same as the address in the "from" field.
dating preferences: UTC, 24-hour time, week starts on Monday
my neck my back my IRC and my Slack
phew glad my rabbit didn’t login as root
there is a github thread with 42 messages in my inbox this morning where everyone is named Brian
gitcoin: the author of the commit sha1 with the longest prefix of 0's in your repository is now the project maintainer
hi i just want to encourage you to tell someone that they matter, even if you think they know it already. it might sound dumb but someone did this for me and it saved my night.
crypto/privacy bingo card, tag urself
these were all done using makeup (no photoshop) by artist Mimi Choi
peter, among other things, was my first boss at EFF and gave me a chance in cybersecurity when nobody else did. he was the mastermind behind HTTPS Everywhere and Let’s Encrypt. few people have had such a positive impact on the Internet in so little time
i right-click where i want
dystopian novel idea: a near-future world in which the visible spectrum is subject to FCC regulation in order to control visual noise. artists have to apply for licenses to use certain colors.
the new search engine we've been working on at @brave is now in public beta! search.brave.com
* we don't track clicks or queries
* we don't profile you
* for localized results, we only use IP and don't store it
* we show you what % of results are served from our own index
my social media feeds are like 10% shitting on cryptocurrencies, 10% memes, 40% politics, 30% infosec, 5% people's personal updates, and 5% posts from my local rabbit shelter. the rabbit shelter posts are the best tbh.
absolutely stunned at the brutal honesty of this cover letter
The military is threatening to put @xychelsea in solitary for the next 3 decades because she attempted suicide. aclu.org/news/chelsea-mannin…
everyone knows you're not a real software engineer unless you've collected sand to put into a furnace and purify into ingots for silicon wafers, duh
fun way to monitor someone's IP address:
1. create a paid slack workspace
2. get them to join your slack
3. now you can see their IP address and device type in Slack's access logs as long as they're logged in and have the Slack webpage/app open
good starting point for debugging your thought patterns: en.wikipedia.org/wiki/List_o…
fun fact: i applied to throw a tea party (securiTEA) at defcon this year for folks who don’t like drinking. the hotel, which has a no-outside-beverages policy, wanted to charge us for hot water at $100/gallon
Hey friends - I won't be drinking in Vegas this year. I'd appreciate support in this matter and not trying to force me to because I'd still like to hang out with you and I won't if that nonsense goes on. Generally good advice to not do that since you don't know someone's reasons
new year’s eve in 1970 must have been an epoch party
this was the first galaxy brain meme i ever saw and im still not over it tbh
this is an old optical illusion where there are 12 black dots in the pic but most ppl can't see all of them at once. since u aren't able to focus on all the dots simultaneously, ur brain makes stuff up to fill in the gaps. this is a good metaphor for life. perception != reality
RIP @dakami. u were not only a brilliant hacker and artist but also a great friend. i’ll never forget how u paid for my trip to Toorcon so i could speak there, or all the times u were on ur laptop in the middle of a party debugging the giant LED cubes u built. thx for all the joy
not impressed
hello my cat here would like to participate in the social engineering contest