I feel bad for Jeff and more importantly all of the staff members who are now out of a job. Laracasts was the first ever sort of online course I paid for, and I got immense value out of it at that time.
But times change. This is more true now than ever.
I implemented something similar a while back (exists just as a portfolio demo now: subpinger (dot) interrupt (dot) sh).
If you want to go for that sort of "live" feeling, you should consider implementing websocket streaming instead of HTTP polling; it will feel a lot nicer for users.
Are you actually ingesting certificates or are you just showing a stream of entries from different logs? I figure the former as nothing seems to be searchable -- and ingesting this data can get very expensive very quickly.
Nevertheless, cool project! I am constantly thinking about ways to turn CT log data into meaningful, actionable streams for others. If you'd be up for working on something together, give me a shout!
You raised some red flags with the information you provided. This doesn't happen to everyone. A support rep from Hetzner has spoken a bit more about this process on WebHostingTalk before[1], although they don't get into which specific heuristics may result in flagged accounts for obvious reasons. I'd imagine it's a combination of things like unpaid balances on previous accounts, IP address reputation, uncommon e-mail domains and so on.
I've seen, or I think I've seen, AWS and Twitter giving completely fake "security" reasons for eliciting additional information. I made an account on Twitter, did nothing with it at all, next day was told I violated the T&C and needed to prove my identity by handing over phone number.
So I'm cagey about this sort of thing. Obviously, actual real security concerns are a good thing to see, people are thinking about the issue and taking care, and asking for validation is naturally what you do and it's better than a flat no. OTOH, passport is BS - solves their security risk but gives me a security risk.
I'd love to see some insight as to how they were able to generate that domain name. Surely if they can do that (years ago, even), then a well-funded adversary would be able to generate the same now, given enough time.
Maybe it took x thousands of compute years to generate the secret key for `facebokcorewww` - and they didn't care about the last character. But still, let's say you're a government agency with endless resources - how hard would it be to recreate that private key? If a private corp can do it once with finite resources - why can't you?
Was it just a stroke of luck for those working on it? What are the chances?
They stress tested a compute farm by brute forcing onion addresses. About 10 per week per CPU started with facebook. corewwwi was their favorite.[1] Onion addresses are longer now.
The risk has always been there with this kind of attack. The severity, as always, depends on the attackers' modus operandi. Nothing has changed. Only the tools which are dropped onto the machine have changed - which really isn't specifically relevant to this kind of attack. (Spy|Mal)ware adapts, as it always will. Harvesting saved browser passwords is nothing new. In this case, it's a marketing gimmick.
It's fun that it is customisable via a programming language. But really - this doesn't add anything new to the table at all. I bet you could do all of this with the previous generation of rubber duckies with a little bit of know-how. Drop a basic reverse shell (providing no firewall restrictions or whatever), and you can do what you want.
The same prevention guidelines apply as always. Don't plug random USB devices into your computer.
How you use it depends on your workflow. An entry like this in your pyproject.toml could suffice: