Recently I've experienced a really weird issue, after installing the WaveLink software to use my dedicated microphone, once in a while, my audio would get interrupted for a split second. I thought to myself, weird, and left it there, since with wired headphones, it was more of an inconvenience to debug the issue than to just let it slide.

Fast forward some time and I switch back to my trusty AirPods (2nd gen) and, to my surprise, the issue is still there, but it got much much worse.
The symptoms were the following
> Audio disconnects
> Audio reconnects, but after 5-6 seconds

Okay, not too bad still, until I noticed that it was taking me 30 seconds to join calls / connect to a discord server, my AirPods were getting "stuck", trying to acquire the microphone, and even worse, when these audio disconnects happened, it would take a whole 30 seconds again to be able to hear / speak again. Bad. Very bad.

The Investigation

I started pulling the ABC of problem solving and the first step was to, well...

1) Different pair of AirPods
Open, pop them in, connect, use them for a while, issue persists, at this point I'm trying to see if it's any better, it seems like it, but little did I know the placebo effect was real in this one, onto the next step

2) Uninstall Wave Link
Drag the application to the trash bin, restart, try again, nothing, same issue, I went ahead and investigated a bit further and it seems that when you uninstall the application, the audio driver doesn't get removed, also, no official uninstall guide is available to fully remove the application, the solution was to remove it manually and reboot.

sudo rm -rf /Library/Audio/Plug-Ins/HAL/WaveLinkVirtualAudio.driver

Now that the basics are done, where do we stand? Try out for a few days, the issue is still present, also tried with a different pair of headphones.

The breakthrough

I thought to myself, randomly, half asleep one morning, what if... what if there was another audio driver for some reason that was causing the issue... So I went back into the audio plug ins folder, and low and behold, there are more sub folders than the "HAL" one

After opening all of them, and all of them being empty, except for the HAL folder, which had a file named ACE.driver , from an initial investigation, it seems it's used to route audio to different apps such as discord for example, so I did the only logical thing and... I removed the file and restarted my laptop and.... The issue is kinda gone? Kinda.

The aftermath

Everything now works fine, except when I open slack and I get a bit of an audio stutter/reconnect, but this time it's quick, like less than 1 second. The microphone "disconnects" are completely gone (or unnoticeable)

The company I work in has decided that in the spirit of Cyber Awareness month, to organize a cyber security capture the flag (CTF), we've been told: Here's the CyberRange, here are the prizes, hack.

And so we did. But before I get to that part, let me explain what the CyberRange is and how the challenge was structured.

The CyberRange

It's an isolated, intentionally vulnerable application, that allows you to abuse the most common vulnerabilities on it. The vulnerabilities were not disclosed beforehand, though, the macro-categories were, let's take a look at them below:

Security Misconfigurations
Those were for example leftover pieces of code that were not supposed to make it to production

Example:
1. In the HTML, there was a commented-out form with a route to authenticate without a username or password.

This could have been useful for a developer to leave to test the system out when working on it but should have never made it to production in the first place.

Cross-site scripting
Being able to execute arbitrary code via a URL parameter is not exactly intended, these exploits are dangerous as you could get access to a system via a rea, trusted URL & some social engineering.

Example:
1. You can XSS via URL like so http://url/to/site?vulnerable_query_param=<script>alert(1)</script>, if this works, nothing stops you from writing a tiny script that sends the user authentication cookie / JWT token to a Web Service.

Or maybe you want to display a fake modal asking the person for their VPN information? You can do that. Most people can't tell :)

Broken access control
Accessing parts of the site you were not supposed to access, be it routes, forms, etc.

Example:
1. You could create a user by POSTING the right form parameters to a route that didn't have authorization checks.

2. You could access the user management page as a user.

Injections
Gaining access through SQL injection through user data, and, if the service is misconfigured, to the server files as well via LOAD_FILE and INTO OUTFILE.

Example:
1. We bypassed the login form with the following query ' OR 1=1 #

2. We were able to select data from the user table by aliasing inputs in the SQL query, x'; SELECT ssn as full_name FROM users #, this would display the user's social security number in place of the user's full name in the table.

3. We were able to run a full-blown sql_shell from this injection endpoint, giving us access to the whole database. Pics below

Bonus Points

Some of the issues we managed to find did not award us points automatically as they've been unknown to the CyberRange creators themselves. In this case, our GameMaster awarded us bonus points for finding them.

Example:
1. A persistent XSS exploit, such as updating the user's Full Name that was shown in the navbar to not only show the name but also to run a script!

2. The SQL shell described in the Injection part above

Teams vs Individuals, and Prizes

You could participate in the competition as an individual or team with a minimum size of 3.

I accidentally signed up as a team, so I had to invite other team members to join. One did and we also got assigned a random teammate to fill the team to a minimum of 3 members.

Teamwork
One of our team members jumped on the challenge ASAP while the other kept lagging with challenge completion, we asked them to share their instance of the CyberRange.

Scoring
Individuals would get the full amount of points on completion of a challenge and teams would get the points divided by the number of members of the team.

So for example, if one person on the team completes the challenge, it's worth 500 points and if there are 5 team members in the team, the team would only get 100 points. As the second member completes the challenge, a further 100 points get added to the team score, and so on until all members complete the same challenge to reach the 500 points maximum.

Prizes
The prizes were structured as below, with the difference being that the team reward would be equally split by the number of team members

The process

We have set up a process with the team, once a vulnerability had been discovered, we would post it in our slack channel with the steps to reproduce. We tried to keep pace with each other while also exploring new vulnerabilities and sharing them as they were found.

Once an XSS exploit had been found, we would try it in all possible pages, places, and combinations since most of them were URL-based and had the same query parameter name.

Some XSS exploits were more complicated, for example, did you know that:

• You can do a nested DOM XSS like so: <body onload="alert('xss')"/>
• Script tags are not case sensitive <sCrIpT>alert('a')</sCrIpT> works as well and bypasses regex-based XSS filters.

The first few days we had an overview of how the teams were doing and we kept going between the 1st and 4th place. We finally started settling in the top 3 in the last few days of the challenge. It was intense.

The leaderboard
During this whole time, we had access to the leaderboard so we could monitor how other teams were doing, if they found anything interesting (purely based on points) and try to predict how many more points we would need to win.

Well, in the last 24 hours of the CTF, the leaderboard had been disabled so everyone was playing blind! This has sent me into a bit of paranoia when it comes to other teams and their points, given how close we all were to the finish line!

Trading of challenges
A few hours before the competition was about to end, I contacted one of the people that was a participant, in the Individual Category to see if we can exchange solutions/challenges to win.

It was a win/win situation as we were not competing in the same category. We exchanged a few exploits and I picked... The sql_shell exploit... Managed to replicate it locally and submitted the solution to our GameMaster who awarded us bonus points!

Conclusions

It was a very fun challenge that improved my view on the security of applications. Not every day do you get the possibility to hack something without repercussions!

We ended up winning, by a mere 300 points :) - we came first place while the person we traded challenges with, also managed to end up in first place with the same amount of points as we did!

At last, just when I ran out of ideas on how to score more points I managed to realize that ego had been preventing me from seeing further and after managing to set it aside to think logically we got to the finish line with my team :)

I'll end this article with a quote from one of my team-mates:

You should even sanitize your own hands before beginning to code

When I started getting triggered when I opened my mailbox just to see another useless email from an app I don't use anymore, a site that keeps spamming promos, and more I knew I had to do something about it.

Just like when doing a spring cleaning relieves me of stress and makes my life more peaceful, I thought, why not apply the same idea to my digital life? With the ever-increasing amount of apps and services, I feel burdened to open my mailbox daily.

My old digital cleanup routine used to be very simple, use the auto-categorization from Gmail and forget about it. But that wouldn't stop the emails from coming, taking space, and polluting my contact list when I want to send an email so I had to revise it into something that makes more sense.

The goal is the following: I want to have fewer emails, fewer apps polluting my phone and draining my battery and I want to have control over my data.

Welcome, Digital Cleanup Routine v2022.1

Every month I will try to spend a few hours doing the following:

• Organizing my pictures into Albums, deleting the ones I don't want
• Deleting accounts and apps I no longer use
• Unsubscribing from mailing lists that don't bring me any value
• Delete old chats that don't bring any value

Let's see how it goes!

When I first arrived in Malta to work for my previous employer, I had no friends, didn't know any good places to go to and for the first few months, lived a bit of a dull life which was composed mostly of work and gaming.

A couple of years later, an opportunity to work remotely came up and I dived head first into it without thinking much about any side effects of doing so. If you, like me, are thinking of taking this big step or have already taken it, here are the top 5 benefits and downsides I found during my journey.

The benefits of working remotely

1) Work from Anywhere
Having the option to work from anywhere is still a new concept for me, and let me tell you, 9 months after, it still feels too good to be true.

2) Better work-life balance
Not having to commute, naps after lunch, the quietness of my own home, and more time for my hobbies are helping me grow both as a developer and as a person.

3) Better house economy
Not having to rent an apartment near your office means you can save on rent and/or get a better place. Cooking delicious home food means you probably end up saving on living expenses as well.

4) No forced interactions
Too often I used to hang out with certain people in work groups which I didn't enjoy the company of, despite me not letting them ruin the moment it was still unpleasant.

5) Less, and better social interactions
If you are an introvert like me, making new meaningful connections can be a bit hard.

Not having a workplace as the first location where you look for friends makes you look somewhere else and forces you out of your comfort zone.

When the common thing between you and your friend is not strictly related to work anymore, this can lead to you forming a stronger bond with that person.

The downsides of working remotely

1) Lack of social interactions
Those watercooler or coffee machine discussions? The serendipity of discovering something new? That is gone.

To help this, my workplace introduced a "watercooler" weekly meeting, which helps discuss new tech and ideas.

2) Friday beers
That's how I met most of my friends, having a couple too many beers on Fridays led to some interesting discussions that rippled through the weekend and into the upcoming week.

I have replaced this by hanging out with some ex-colleagues over a nice Saturday archery session and lunch

3) Company events
Quarterly parties, team-building events, and traveling to offices in other countries are not a thing anymore for me.

I don't have a solution to this problem yet, however, I was thinking of traveling around and working from coworking spaces around Europe.

4) The cold feeling from people
While I am not the most social person on this planet, I can truly engage with someone after meeting them in person. Without this possibility, interactions with colleagues feel colder.

I haven't figured out this one yet. It's hard to network with different people of different backgrounds online.

5) Cold-start mornings
Finding motivation in the morning to wake up, and prepare to be a decent human being can be harder without the need to go to an office.

My solution to this was doing a "fake commute". I would wake up, get dressed, looks nice and tidy, and go to my favorite coffee shop to have breakfast before returning home and starting my day.

Summary

In the end, for me, the benefits of working remotely outweigh the downsides so I'll stick to that for a while.

Having to go out of my comfort zone to make new connections, and find new things to do, helps me grow both as a developer and as a person.

The newfound time helps me explore new things such as archery, side projects, and more quality time with friends and family.

How about you, what is stopping you from working remotely?

On macOS Sierra and above, you will need to input your password every time your ssh key is accessed. This can be quite annoying if you need to do it multiple times every hour, and, if your password is complex. You can let macOS handle the password for you, by following the guide below.

Edit ~/.ssh/config and add the following to the end of the file:

Host *
    UseKeychain yes

You can also use the script below to do it for you

Update .ssh/config with “UseKeychain yes” (needed on macOS sierra)

Update .ssh/config with “UseKeychain yes” (needed on macOS sierra) - macos-ssh-use-keychain.sh

Gist262588213843476