No longer loading Disqus by default

13 Jun, 2017 (unlisted)

Personally, I don't have anything against Disqus. They're a valuable (free!) service that provides a pretty frictionless method of adding comments to a blog (frictionless because they're everywhere – if you've commented on a blog before you likely already have an account).

That said, there are also articles like this, which highlight the huge amount of tracking that Disqus does, or lets other ad-networks do.

I don't plan on replacing Disqus any time soon, because I find having comments inline a valuable addition. However I also want to accomodate for the concerns by those who prefer not to have so many unrelated network requests when they visit a page.

Thus, I am introducing a "Comment with Disqus" button to allow those who want to read comments, or comment themselves to opt to load Disqus. But for those that would rather the network stay silent: that'll be the default.

17 Apr, 2017

Leveraging the new RPi0w to build a WiFi enabled keystroke injection tool (a.k.a. USB Rubber Ducky with WiFi)...[read more]

28 Mar, 2017

The other day I noticed something cool in Chrome. I can disable JavaScript and cookies + local storage on HTTP!...[read more]

1 Jan, 2017

Recently I've been working on a drop in class to manage certain "Secure Headers" in PHP.

By "Secure Headers", I'm of course talking about those mentioned in the OWASP Secure Headers Project.

The project, SecureHeaders is available on GitHub.


If you're familiar with PHP, you'll know that...[read more]

27 Aug, 2016

Disclosure and Google's Response

This one feels very strange writing, because the vulnerability detailed below is currently exploitable. Google has been notified of this vulnerability, yet they have chosen to do nothing.
GoogleThanks for your bug report and research to keep our users secure! We've investigated your submission and made the decision not to track it as a security bug.
In hope that public disclosure will encourage Google to do otherwise, here goes...[read more]
2 May, 2016
In this post I'll address one specific task: obtaining a manual certificate from Let's Encrypt.

Who is this for?

If you don't have direct command line access, or the necessary permissions to install Let's Encrypt on your webserver; then you won't be able to obtain a certificate using the automated process.
If you can install Let's Encrypt on your webserver, you should. It simplifies the process down to a single command. You'll also enjoy the benefits of being able to setup an auto renew process directly on the machine serving the certificate...[read more]