Michal Špaček
@spazef0rze.bsky.social
In your web, securing your app. Hacker, webdev, speaker, engineer. Security shoptet.cz, ex-report-uri.com, ex-teenager. HTTPS = How To Transfer Private Sh💩. Also https://infosec.exchange/@spazef0rze
My random number generator just did a Dilbert
September 23, 2025 at 11:17 PM
Did you know Facebook has a Certificate Transparency monitoring tool? Never mind then, they're shutting it down anyway :-) developers.facebook.com/tools/ct
September 18, 2025 at 10:31 PM
You can configure it any way you want or need, but the extension comes with bundled configuration files you can use out of the box. One of them disallows dangerous functions like var_dump() or put_env(), while another one blocks insecure functions like hash() with MD5 github.com/spaze/phpsta...
September 14, 2025 at 10:11 PM
Just noticed that my PHPStan extension to detect disallowed calls, methods, attributes, constants etc. has been installed more than 15M times, wow! Not bad for a weekend project (a long weekend since 2018). PHPStan itself has 300M installs, so 5% of all PHPStan installs use the extension, nice! :-)
September 14, 2025 at 10:02 PM
Just got one certificate using the tlsserver profile and of course as expected, the browsers are doing just fine, they just omit the field (Chrome), or say unknown (Firefox, could be confusing though).
August 23, 2025 at 11:50 PM
Here's a piece of information for you: should be more specific when phishing IT folks
August 1, 2025 at 3:16 PM
Setting up a new server and I'm so happy I can do it remotely because it must be absolutely cold in the data center
July 29, 2025 at 3:14 PM
It's been 0 days since git reflog saved my ass (and files) again. Instead of rebase this branch, I did reset this branch, losing my commits. `git reflog`, find out what happened (reset at {46} and {48} in the pic), then `git branch name id` (id ends with 67 at {50}), commits are back.
July 23, 2025 at 9:30 PM
What do you do when you can't sleep? I fine-tune my HTTP reasons 💤
July 9, 2025 at 12:53 AM
I asked ChatGPT to generate me a temp profile picture and when I praised the creation it didn't know what to say, so it gave me back some JSON with a prompt that resembled my instructions. ChatGPT then claimed, multiple times, that I asked for the JSON 😁 I hadn't talked about JSON before.
July 7, 2025 at 9:12 PM
Stored XSS via an archive file stored in a RAR archive, nice 😁 Fixed in WinRAR 7.12 released yesterday.
June 26, 2025 at 5:50 PM
Oops, being a web developer can be dangerous! 🤣
June 25, 2025 at 3:58 PM
I have a battery-powered outdoor camera, it can last several weeks on a single charge in that environment. But suddenly, the battery went from 20% to 0% overnight. I was curious what happened so I checked the last pic it had recorded. Yeah, thanks little fella 😂
June 25, 2025 at 3:03 PM
Oh, I can also see it spinning on one of my sites, but not on the other even if both are the same codebase, the same app. Also found yet another .cz site where the icon spins. Spooky.
May 11, 2025 at 9:30 PM
My mobile Chrome got bored and started spinning the site settings icon whenever I reload the page. It does that on 2nd reload but only on this particular site. What sorcery is that? What is Chrome trying to tell me? I don't see anything unusual when I click it. Or am I just tripping?
May 11, 2025 at 9:25 PM
When your boss tells you to go phishing but you just can't be bothered today.
May 8, 2025 at 3:56 PM
The validation data reuse period will be reduced similarly to the certificate validity period, except for certs issued after Mar 15, 2028, the reuse period will be 10 days. Again, this is not a certificate validity period, this is a different period, probably not as important for browsers.
April 16, 2025 at 2:25 PM
The reduction will be gradual. Max validity of HTTPS certificates issued:
- before March 15, 2026 is 398 days
- before March 15, 2027 will be 200 days
- before March 15, 2028 will be 100 days
- after March 15, 2028 will be 47 days
April 16, 2025 at 2:25 PM
It doesn't happen very often, but a new timezone was created earlier this year in March. It's called America/Coyhaique and has been created because a region called Aysén has stopped shifting from UTC-4 to -3 and will stay UTC-3 all year round, joining the Magallanes region below.
April 8, 2025 at 3:36 PM
PHP has a function to compare two hashes (non-password hashes): hash_equals.
It has two parameters: known_string and user_string and I never knew which one is which, because even the known_string was a user string once 😅
The manual page was rewritten some time ago and it's now much better:
March 14, 2025 at 7:32 PM
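The parameter order the post is talking about, shown in an added example (my code, not the author's): the value the server computes itself is the known_string and the value that arrived with the request is the user_string. hash_equals() takes time proportional to the length of its first argument only, so the trusted, server-side value goes first. The secret, payload and signatures below are constructed sample values.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Verifies an HMAC-signed payload
// with hash_equals() using the argument order the PHP manual describes.

function signPayload(string $payload, string $secret): string
{
    // Hex-encoded HMAC-SHA256; this is the value the server can recompute.
    return hash_hmac('sha256', $payload, $secret);
}

function verifySignature(string $payload, string $providedSignature, string $secret): bool
{
    // known_string: computed here, from data we trust.
    // user_string: came in with the request, fully attacker-controlled.
    $expected = signPayload($payload, $secret);
    return hash_equals($expected, $providedSignature);
}

// Constructed demo values; a real secret would come from configuration, not source code.
$secret = 'constructed-demo-secret';
$payload = '{"user":42,"exp":1735689600}';

$validSignature = signPayload($payload, $secret);
$wrongSignature = str_repeat('0', strlen($validSignature)); // same length, wrong bytes
$shortSignature = 'abc';                                      // different length

var_dump(verifySignature($payload, $validSignature, $secret)); // valid signature accepted
var_dump(verifySignature($payload, $wrongSignature, $secret)); // same-length mismatch rejected
var_dump(verifySignature($payload, $shortSignature, $secret)); // length mismatch rejected
```

The same rule applies when checking a CSRF token or a webhook signature: recompute or load the expected value on the server, pass it as the first argument, and pass whatever the client sent as the second.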
Some time ago, my mobile Chrome seemingly removed the option to view page source by prefixing the URL with `view-source:`. It always goes to Google whenever I hit Enter on the on-screen keyboard. Not sure why, but now you have to select/tap the other item in the URL bar, the one with the globe.
February 27, 2025 at 1:46 PM
Had to send someone a hard drive with some data and wanted to know if no one had copied them when the drive was in the hands of the courier company. Yes, that's "tamper-evident" nail polish and tape 💅
January 18, 2025 at 8:02 PM
You can view a list of all those partners, and allow or deny them one by one. Got 2 hours to spare? Even 276 partners would be a lot but that would hardly surprise me nowadays. But 1000 more....
December 21, 2024 at 4:18 PM
"We and our 1276 technology partners ask you to consent to the use of cookies to store and access personal data on your device."
1276... technology... partners. I don't usually see those popups, my content blocker hides them, but this one caught my attention... that's a crazy number.
December 21, 2024 at 4:18 PM
I love website easter eggs! og:image is a pic displayed when the link is shared on Facebook etc. and in this case it's just a logo but still. Nice one altisport #iddqd
December 6, 2024 at 7:50 PM