Skip to content
By using Twitter’s services you agree to our Cookies Use. We and our partners operate globally and use cookies, including for analytics, personalisation, and ads.
  • Home Home Home, current page.
  • Moments Moments Moments, current page.

Saved searches

  • Remove
  • In this conversation
    Verified accountProtected Tweets @
Suggested users
  • Verified accountProtected Tweets @
  • Verified accountProtected Tweets @
  • Language: English
    • Bahasa Indonesia
    • Bahasa Melayu
    • Català
    • Čeština
    • Dansk
    • Deutsch
    • English UK
    • Español
    • Filipino
    • Français
    • Hrvatski
    • Italiano
    • Magyar
    • Nederlands
    • Norsk
    • Polski
    • Português
    • Română
    • Slovenčina
    • Suomi
    • Svenska
    • Tiếng Việt
    • Türkçe
    • Ελληνικά
    • Български език
    • Русский
    • Српски
    • Українська мова
    • עִבְרִית
    • العربية
    • فارسی
    • मराठी
    • हिन्दी
    • বাংলা
    • ગુજરાતી
    • தமிழ்
    • ಕನ್ನಡ
    • ภาษาไทย
    • 한국어
    • 日本語
    • 简体中文
    • 繁體中文
  • Have an account? Log in
    Have an account?
    · Forgot password?

    New to Twitter?
    Sign up
andreasdotorg's profile
andreasdotorg
andreasdotorg
andreasdotorg
@andreasdotorg

Tweets

andreasdotorg

@andreasdotorg

I'm a hacker, pretty much in the old school sense of the word. But I do know IT security too.

Joined April 2008

Tweets

  • © 2018 Twitter
  • About
  • Help Center
  • Terms
  • Privacy policy
  • Cookies
  • Ads info
Dismiss
Previous
Next

Go to a person's profile

Saved searches

  • Remove
  • In this conversation
    Verified accountProtected Tweets @
Suggested users
  • Verified accountProtected Tweets @
  • Verified accountProtected Tweets @

Promote this Tweet

Block

  • Tweet with a location

    You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more

    Your lists

    Create a new list


    Under 100 characters, optional

    Privacy

    Copy link to Tweet

    Embed this Tweet

    Embed this Video

    Add this Tweet to your website by copying the code below. Learn more

    Add this video to your website by copying the code below. Learn more

    Hmm, there was a problem reaching the server.

    By embedding Twitter content in your website or app, you are agreeing to the Twitter Developer Agreement and Developer Policy.

    Preview

    Why you're seeing this ad

    Log in to Twitter

    · Forgot password?
    Don't have an account? Sign up »

    Sign up for Twitter

    Not on Twitter? Sign up, tune into the things you care about, and get updates as they happen.

    Sign up
    Have an account? Log in »

    Two-way (sending and receiving) short codes:

    Country Code For customers of
    United States 40404 (any)
    Canada 21212 (any)
    United Kingdom 86444 Vodafone, Orange, 3, O2
    Brazil 40404 Nextel, TIM
    Haiti 40404 Digicel, Voila
    Ireland 51210 Vodafone, O2
    India 53000 Bharti Airtel, Videocon, Reliance
    Indonesia 89887 AXIS, 3, Telkomsel, Indosat, XL Axiata
    Italy 4880804 Wind
    3424486444 Vodafone
    » See SMS short codes for other countries

    Confirmation

     

    Welcome home!

    This timeline is where you’ll spend most of your time, getting instant updates about what matters to you.

    Tweets not working for you?

    Hover over the profile pic and click the Following button to unfollow any account.

    Say a lot with a little

    When you see a Tweet you love, tap the heart — it lets the person who wrote it know you shared the love.

    Spread the word

    The fastest way to share someone else’s Tweet with your followers is with a Retweet. Tap the icon to send it instantly.

    Join the conversation

    Add your thoughts about any Tweet with a Reply. Find a topic you’re passionate about, and jump right in.

    Learn the latest

    Get instant insight into what people are talking about now.

    Get more of what you love

    Follow more accounts to get instant updates about topics you care about.

    Find what's happening

    See the latest conversations about any topic instantly.

    Never miss a Moment

    Catch up instantly on the best stories happening as they unfold.

    andreasdotorg‏ @andreasdotorg 24 Feb 2017

    Here's one for the #langsec crowd. CloudFlare used a parser generator named Ragel, they didn't parse manually. Bug was in generated code.

    1:23 AM - 24 Feb 2017
    • 115 Retweets
    • 172 Likes
    • WebCorrectly Leonid Evdokimov Andrew Yourtchenko rentzsch Aaron Lennard Andrey Labunets Pedro Marrucho dnet buherator
    13 replies 115 retweets 172 likes
      1. New conversation
      2. pesco@chaos.social‏ @paskow 24 Feb 2017
        Replying to @andreasdotorg

        .@andreasdotorg Ragel's use of "==" is arguably bad, but the bug is in Cloudflare's use of its weird action language (missing "fhold").

        1 reply 0 retweets 1 like
      3. andreasdotorg‏ @andreasdotorg 24 Feb 2017
        Replying to @paskow

        This isn't about who's fault this is. It's about defense in depth.

        1 reply 0 retweets 0 likes
      4. pesco@chaos.social‏ @paskow 24 Feb 2017
        Replying to @andreasdotorg

        wasn't assigning blame, but pointing out that a central issue is using Ragel's extra features to do fancy things.

        2 replies 0 retweets 1 like
      5. andreasdotorg‏ @andreasdotorg 24 Feb 2017
        Replying to @paskow

        This actually is an issue on top of another issue. No question.

        0 replies 0 retweets 0 likes
      6. End of conversation
      1. New conversation
      2. Zaki Manian‏ @zmanian 24 Feb 2017
        Replying to @andreasdotorg

        @daveaitel The bug was apparently in misuse of the code generatorshttps://www.reddit.com/r/programming/comments/5vtv16/comment/de5ctmc?st=IZJY5ERL&sh=596ea38f …

        1 reply 2 retweets 3 likes
      3. andreasdotorg‏ @andreasdotorg 24 Feb 2017
        Replying to @zmanian @daveaitel

        The code generator allowed misuse to be exploitable.

        0 replies 0 retweets 3 likes
      4. End of conversation
      1. New conversation
      2. Tommi Enenkel‏ @tomenmeta 24 Feb 2017
        Replying to @andreasdotorg

        they moved to a newly written parser "cf-html" and the bug was introduced due to switching the parser https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/ …

        1 reply 1 retweet 2 likes
      3. andreasdotorg‏ @andreasdotorg 24 Feb 2017
        Replying to @tomenmeta

        Read it again. The bug was always there. Introducing the new parser just meant it actually disclosed interesting data.

        0 replies 0 retweets 5 likes
      4. End of conversation
      1. New conversation
      2. Bert Hubert  🇪🇺‏ @PowerDNS_Bert 24 Feb 2017
        Replying to @andreasdotorg @thegrugq

        Not that clearcut with ragel. You put your C code, which can be unsafe, in Ragel blocks.https://github.com/PowerDNS/pdns/blob/master/pdns/dnslabeltext.rl …

        1 reply 1 retweet 3 likes
      3. andreasdotorg‏ @andreasdotorg 24 Feb 2017
        Replying to @PowerDNS_Bert @thegrugq

        In this specific case, no C code was involved, all just happened using Ragel primitives.

        1 reply 0 retweets 0 likes
      4. Bert Hubert  🇪🇺‏ @PowerDNS_Bert 24 Feb 2017
        Replying to @andreasdotorg @thegrugq

        I see, thanks. However, Ragel still an odd mix of goto's and pointers. It is not a "safe language" it appears.

        1 reply 0 retweets 2 likes
      5. andreasdotorg‏ @andreasdotorg 24 Feb 2017
        Replying to @PowerDNS_Bert

        Not at all, no.

        1 reply 0 retweets 2 likes
      6. Bert Hubert  🇪🇺‏ @PowerDNS_Bert 24 Feb 2017
        Replying to @andreasdotorg

        which is a shame, I was sort of hoping it was :-)

        1 reply 0 retweets 0 likes
      7. CopperheadOS‏ @CopperheadOS 24 Feb 2017
        Replying to @PowerDNS_Bert @andreasdotorg

        It's basically regex but with the ability to hook into the state machine. It's really weird and quite neat...

        1 reply 0 retweets 3 likes
      8. CopperheadOS‏ @CopperheadOS 24 Feb 2017
        Replying to @CopperheadOS @PowerDNS_Bert @andreasdotorg

        You don't have to use the C backend though, it knows how to generate other stuff. So it can be memory safe.

        1 reply 0 retweets 0 likes
      9. CopperheadOS‏ @CopperheadOS 24 Feb 2017
        Replying to @CopperheadOS @PowerDNS_Bert @andreasdotorg

        Still, it's really weird, and it's hard to come up with a good suggestion on when it's actually a good idea.

        0 replies 0 retweets 0 likes
      10. End of conversation
      1. New conversation
      2. Charlie Miller‏ @0xcharlie 24 Feb 2017
        Replying to @andreasdotorg

        @daveaitel my understanding is the bug was something they wrote and was dutifully translated.

        1 reply 0 retweets 1 like
      3. andreasdotorg‏ @andreasdotorg 24 Feb 2017
        Replying to @0xcharlie @daveaitel

        It was something like "skip this token" in Ragelese. Documented you shouldn't do that, but why no bounds checks?

        0 replies 0 retweets 3 likes
      4. End of conversation
      1. New conversation
      2. sergey bratus‏ @sergeybratus 24 Feb 2017
        Replying to @andreasdotorg

        Would make a lovely case study for the workshop. Of course, it's not proven correct until it's proven correct :) @maradydd

        1 reply 0 retweets 3 likes
      3. andreasdotorg‏ @andreasdotorg 24 Feb 2017
        Replying to @sergeybratus

        Speaking of proven correct: my latest crush in terms of tools is F*. Highly recommended.

        1 reply 0 retweets 2 likes
      4. don‏ @captain_scorpio 24 Feb 2017
        Replying to @andreasdotorg @sergeybratus

        I'm currently experimenting with nom. Although I can't say I understand what goes on behind the scenes.

        0 replies 0 retweets 2 likes
      5. End of conversation

    Loading seems to be taking a while.

    Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.

      Promoted Tweet

      false

      • © 2018 Twitter
      • About
      • Help Center
      • Terms
      • Privacy policy
      • Cookies
      • Ads info