Best of Security — July 2024

1
Article
builder.io·2y
Best AI Coding Tools for Developers in 2024
In 2024, AI coding tools are revolutionizing software development by enabling faster, more efficient, and innovative coding processes. Key tools like GitHub Copilot, Amazon CodeWhisperer, and Codeium enhance productivity with advanced code completion, while AI code generators like Claude and ChatGPT create entire functions from natural language descriptions. Design-to-code conversion tools like Visual Copilot streamline the transformation of Figma designs into responsive code. Additionally, tools like Snyk improve code quality and security, and AI-enhanced IDEs like Cursor offer seamless integration of AI capabilities in development environments. The future of coding is increasingly AI-driven, enhancing human creativity and efficiency.
7.4K
270
2
Video
Seytonic·2y
How the FBI Hacked the Trump Shooter's Phone
484
27
3
Article
Community Picks·2y
Security Best Practices for Your Node.js Application
Node.js applications are common targets for attacks, including XSS, DoS, and brute force. This guide outlines common security threats and provides best practices to mitigate them. Techniques include using parameterized queries, sanitizing inputs, employing ORMs, implementing rate limiting, and using multi-factor authentication. The importance of using secure headers, securing dependencies, and monitoring/logging activities is also highlighted, along with practical code examples.
374
5
4
Article
Community Picks·2y
Typesense
Typesense is a privacy-friendly, open-source search engine optimized for high performance and ease-of-use. It employs advanced search algorithms, corrects typos, offers flexible ranking, and supports a variety of search features such as synonym recognition, filtering, and geographic searches. Typesense can handle multiple users' data, sort records dynamically, and provide resilient, production-grade search services with simple setup steps.
330
10
5
Article
Cerbos·2y
Simple Role-Based Access Control in JavaScript
Learn how to integrate Cerbos, an open-source authorization layer, with a JavaScript To-Do List application to implement role-based access control (RBAC). Understand the benefits of using RBAC and Cerbos for better security and scalability. The tutorial covers policy creation, testing, and implementation. Examples demonstrate how different permissions can be assigned to various roles such as admin and user.
312
9
6
Article
freeCodeCamp·2y
How to Get Started With Cybersecurity
Cybersecurity is a vital field that involves protecting individuals and their data on the internet. To start a career in cybersecurity, one must understand basic concepts, research various career paths, choose a specialized field, gain practical knowledge, and network within the community. The post provides a step-by-step guide to becoming a cybersecurity professional, including resources and additional tips to enhance learning and career progression.
306
6
7
Article
Hacker News·2y
Reverse Engineering TicketMaster's Rotating Barcodes (SafeTix)
The post explores TicketMaster's SafeTix rotating barcode system. It critiques the system's shortcomings, such as its reliance on internet connectivity and the potential for usability issues. The author reverse engineers the barcode mechanics, revealing how static bearer tokens and TOTP-based six-digit numbers are used to validate tickets. The motivations behind SafeTix's implementation, including reducing ticket fraud and promoting TicketMaster's app, are analyzed. The conclusion stresses the drawbacks of excluding people from events through tech barriers.
255
7
8
Article
Hacker News·2y
Talos Linux
Talos Linux is a minimal, secure, and immutable operating system designed for Kubernetes. It supports multiple platforms including cloud, bare metal, and virtualization. All system management is performed through a secure API with mutual TLS authentication, eliminating the need for SSH or console access. Talos follows a hardened, immutable infrastructure approach, runs entirely in memory, and consistently delivers the latest stable versions of Kubernetes and Linux.
201
9
9
Article
Substack·2y
Rate Limiting Algorithms Explained with Code
Rate limiting is crucial for preventing your service from being overwhelmed by too many requests from single users or bots, which can degrade the experience for others. This post explains 5 common rate limiting algorithms: Token Bucket, Leaky Bucket, Fixed Window Counter, Sliding Window Log, and Sliding Window Counter. Each algorithm has its own set of pros and cons and is suited for different scenarios. Implementing these algorithms can help maintain a smooth and controlled flow of requests, ensuring stability and performance of your service.
143
1
10
Video
Awesome·2y
The Right Way To Build REST APIs
REST APIs are essential for web development, enabling smooth data exchange between servers and clients. The correct design involves following key principles like statelessness, proper URI structuring, using HTTP verbs appropriately, and ensuring security measures such as HTTPS and token-based authentication. Additionally, effective error handling and versioning are crucial for maintaining API reliability and scalability. Understanding these concepts can lead to building performant and quality REST services.
136
4
11
Article
Trunk.io·2y
🛠️ 10 Linters Every JavaScript Developer Must Know
Discover 10 essential linters for JavaScript developers, including ESLint for linting, Prettier for code formatting, and Biome as an alternative to both. Security-focused tools like OSV-Scanner, Trufflehog, and Trivy help maintain project safety, while image optimizers like Oxipng and svgo, and specialized linters for SQL, YAML, Markdown, and TOML files, ensure overall code quality.
116
10
12
Article
Hacker News·2y
yunginnanet/HellPot: HellPot is a cross-platform portal to endless suffering meant to punish unruly HTTP bots.
HellPot is a cross-platform honeypot designed to trap and punish rogue HTTP bots by sending them endless streams of data. Implemented in Go, it uses a toml configuration file, JSON logging, and offers substantial performance gains. When misconfigured or when bots ignore the standard `robots.txt`, HellPot subjects them to an eternity of useless data generated by a Markov engine. It has easy setup steps and integrates well with web servers like nginx and Apache.
100
6
13
Article
Lobsters·2y
How I Computer in 2024
The post details how the author uses their computer setup in 2024, covering their custom-built desktop, home server, Lenovo laptop, and iPhone. It emphasizes the importance of a solid audio-visual setup for remote work, the use of Tailscale for connectivity, and reliance on tools like Obsidian for note-taking and Todoist for task management. The author explains their preference for NixOS and highlights their productivity applications and development tools.
94
10
14
Article
Community Picks·2y
How to Build a Request Access Approval System using Next.js
Next.js is a robust React framework for building web applications. Creating a Request Access Approval (RAA) System is essential for managing access to sensitive data within organizations. By using Permit.io, Next.js applications can handle complex access requests and manage approvals efficiently. The guide walks through setting up a Next.js project, integrating Permit.io for authorization, and implementing user management and access request components to safeguard critical information.
87
3
15
Article
System Weakness·2y
How Hackers Exploit Vulnerabilities with Nmap and Searchsploit: Step-by-Step Guide!
Learn how to use Nmap for OS detection and vulnerability scanning, and how to employ Searchsploit to find corresponding exploits. This guide walks through the commands and outputs for effectively identifying and exploiting vulnerabilities in target systems, enhancing your penetration testing skills.
84
1
16
Article
Hacker News·2y
TOTP tokens on my wrist with the smartest dumb watch.
The Casio F-91W can be upgraded using a new ARM Cortex M0+ powered logic board from Sensor Watch, which replaces its original quartz movement while maintaining the classic LCD display and other components. This board is programmable and supports custom watchfaces and utilities, including TOTP (Time-based One-time Password) generation for 2FA codes. The process involves replacing the board, configuring 2FA secrets, and writing new watchfaces. The upgraded watch offers features like a world clock, moon phase indicator, sunrise/sunset calculator, temperature sensor readout, and more, with months-long battery life and no Bluetooth connectivity.
83
3
17
Article
Planet Python·2y
[July 2024] Python Monthly Newsletter 💻🐍
This edition of Python Monthly highlights a variety of updates and resources for Python enthusiasts. Key topics include the introduction of free-threaded CPython, modern development practices, and new tools like FastHTML. Additional highlights cover a botched update by Crowdstrike, insights into AI models, and various project ideas for portfolios.
81
1
18
Article
Community Picks·2y
A complete guide to secure password storage
The post provides a detailed guide on secure password storage, emphasizing the importance of hashing, salting, and using a pepper to protect passwords. It covers various hashing algorithms like Argon2id, Scrypt, BCrypt, and PBKDF2, and explains how to implement these techniques in practice, including handling existing applications. Additionally, it discusses the vulnerabilities of password storage, such as brute force attacks and rainbow tables, and offers methods to mitigate them.
75
4
19
Article
Community Picks·2y
What are passkeys and how do they work?
Passkeys provide a highly secure and convenient way to sign into services by using public-key cryptography. Instead of traditional passwords, passkeys use a pair of cryptographic keys: a public key stored in the service and a private key stored on the user's device. This method eliminates common security issues like password reuse and phishing by ensuring each service has a unique set of keys. Additionally, passkeys integrate multifactor authentication by default, often leveraging biometric data for an extra layer of security.
73
2
20
Article
Hacker News·2y
PySkyWiFi: completely free, unbelievably stupid wi-fi on long-haul flights
PySkyWiFi is a tool that exploits a loophole in airline airmiles accounts to access the internet on flights without paying. By using Python and implementing a simplified TCP/IP protocol, the author created a sky proxy on their laptop and a ground daemon on an internet-connected computer. This setup allows full HTTP requests to be sent via the airmiles account, albeit very slowly. The post includes detailed instructions on how the system works, as well as highlights the potential fun and productivity achieved during a long-haul flight.
70
3
21
Article
Stack Overflow Blog·2y
Java, but why? The state of Java in 2024
Java has evolved significantly since its early days, shedding its verbosity and providing robust, secure performance. Lenny highlights Java's modern features, such as production quality releases every six months and its strong security track record. Key technologies like Virtual Threads, Apache Groovy, and Jakarta EE further enhance Java programming, making it a powerful choice for developers.
69
1
22
Article
Trunk.io·2y
👏 Stop 👏 Commiting 👏 Keys 👏 In 👏 Your 👏 Code
Ensure your code doesn't contain accidentally leaked secrets by using tools like TruffleHog and GitLeaks. You can quickly set up essential linters with `trunk init` and Trunk Check to avoid any potential security issues and unexpected costs.
65
11
23
Article
System Weakness·2y
Setup SSH Keys
SSH keys provide a secure method of authenticating to remote servers, replacing traditional passwords. This tutorial covers generating an SSH key pair, copying the public key to a remote server, verifying the keys, and disabling password authentication for enhanced security.
63
4
24
Article
Community Picks·2y
0xeb/TheBigPromptLibrary: A collection of prompts, system prompts and LLM instructions
The Big Prompt Library is a comprehensive resource that includes various system prompts, custom instructions, jailbreak prompts, and protection prompts for different LLM providers including ChatGPT, Microsoft Copilot, and others. This repository aims to educate users on writing effective system prompts, safeguard against prompt injection, and provide tools and insights into reverse engineering GPTs. Contributions and proper use intended for learning and information are encouraged.
62
25
Article
Hacker News·2y
Anyone can Access Deleted and Private Repository Data on GitHub ◆ Truffle Security Co.
Data from deleted and private repositories on GitHub can be accessed indefinitely due to the platform's architectural design. This vulnerability, termed Cross Fork Object Reference (CFOR), allows users to fetch commit data via known or brute-forced SHA-1 commit hashes, even if the repository or fork has been deleted. This issue can expose sensitive information and is inherent to how GitHub manages repository networks.
59
6

See all Security archives