Dropping privileges in nodejs

A couple of months ago I wrote a web challenge for the 9447 CTF called ramble. Spoiler alert, the challenge was written in nodejs, but allowed the user to execute arbitrary shell code. Clearly I didn’t want players to be able to destroy the challenge for others, so I wanted my process to have ~no privileges. This proved to be more of a challenge than expected.

Learning to trust: a gpg primer

I’ve had brief encounters with gpg in the past, but never enough to warrant grokking the different types of things you can do with it. However, Stripe uses gpg enough internally that I figured it was time to actually learn how this thing worked.

OAuth from Scratch

I was surprised to learn this week that I wasn’t the only person in the world who was scared by OAuth. Given its popularity (Login with Facebook! Login with Google!) it seemed like it must be fairly well understood, but asking around I could find few people who said they felt comfortable with it, and no one able to describe it to me succinctly, especially without using the terms “resource owner” or “client”.

Matasano Crypto Challenges: Set 1

I’ve played around with the Matasano Crypto Challenges several times in the last few years. I finally decided to just sit down and go through them all - partly to prove to myself that I could actually understand crypto problems, if only I tried. It also seemed like a great opportunity to brush up on my Ruby, as a long-time Python advocate.