Shellsharks Blogroll - BlogFlock

Updating forgejo's robots.txt - Posts feed

2025-11-15T22:10:00.000Z

I've moved all of my personal, private projects over to my own forgejo instance. It's been reliable and an altogether simple transition — I even have it mirroring the ai.robots.txt repo.

While most of my projects on the instance are private (like the source for this site and for Cadence), I wanted the robots.txt file for forgejo to align with this site's. Thankfully, updating the forgejo robots.txt is straightforward. I'm deploying my instance in a Docker container using Coolify and update the file as follows:

ssh into the server where the container is running.
Run docker ps -a | grep forgejo to get the forgejo container name.
Log into the container using docker exec -it <NAME> sh.
Navigate to forgejo's public directory: cd data/gitea/public.
Open robots.txt: vi robots.txt.
Add entries as you see fit.

I've mirrored my site's robots.txt to my forgejo instance and I've also included the rules from Codeberg's (up until the # Codeberg-specific changes to the end of the file). You can view the full file here.

robots.txt is, of course, a voluntary mechanism, but including these directives is still prudent.

Small Web, Big Voice - Kev Quirk

2025-11-15T16:22:00.000Z

Small Web, Big Voice

by Andre Franca

Andre argues that independent blogging isn’t about scale at all, but about integrity — choosing a place you control, writing in your own voice, and keeping the web human.

Read Post →

I read this post this morning while I was perusing my RSS feeds with a coffee. Firstly, I’m not sharing this because Andre called out my blog (although being bundled with people like Rach and Manu is extremely flattering). I’m sharing it because I agree with everything he says in the post.

Having a place on the web that I’m 100% in control of, where I can share my own thoughts, feelings, and opinions is very powerful for me. Over time this blog has evolved from me sharing technical posts most of the time, to a legit personal blog with a technical twist.

Despite what sites like ProBlogger say, I don’t have a niche, and I don’t try to grow my audience (I don’t even know how big my audience is). I just write whatever is on my mind at any given time, and people usually get in touch with me to discuss the topic. It’s fantastic.

If you’re on the fence about starting a blog, I implore you to do so. It’s probably the best thing I’ve ever done with a computer. If you, please drop me an email with the link - I love discovering new blogs!

Thanks for reading this post via RSS. RSS is great, and you're great for using it. ❤️

Reply to this post by email

Gadget Review: Benfei USB-C Video Capture ★★★★★ - Terence Eden’s Blog

2025-11-15T12:34:43.000Z

Want to capture video from your phone or console? You could just point a camera at the screen, but a more sensible way to do it is to capture the video directly via USB-C.

The good folks at Benfei have sent me another gadget to review! This is a USB-C Video/Audio capture dongle. Plug one end into a device and the other into your computer - it will show up as a USB video capture device.

Notice the extra USB socket there?

USB Power

One great thing about this device is that it has USB Power Delivery pass through. This means you can charge your device while grabbing video from it. That's more than a "nice to have" - the Nintendo Switch will refuse to output video over USB-C unless it is connected to a power supply.

The capture device claims to be able to pass through 100W - I don't have any devices which need that much power, but my USB-C Power Meter showed devices happily slurping down between 5W and 20W depending on the device I was using.

So how does it do?

Video and Audio

It is limited to 1080p @ 60Hz, which is good enough for most things.

Here's a short clip from the Nintendo Switch:

https://shkspr.mobi/blog/wp-content/uploads/2025/11/Benfei-Switch.mp4

And here's a capture from my Android phone:

https://shkspr.mobi/blog/wp-content/uploads/2025/11/Benfei-Android-Video.mp4

Linux

For the nerds amongst us, this shows up in lsusb as 345f:2130 MACROSILICON USB3 Video which should be well supported.

OBS Studio was able to capture the video and audio input perfectly:

It is the epitome of Plug & Play. Shove one end into your device and plug the other end into your computer's USB-C port. That's it. Done. No software to install, no drivers to download, no switches to flip. There's also a handy adapter if you want to use a USB-A socket - although it will need to support USB 3 speeds.

Limitations

As with most HDMI devices, it will refuse to stream video protected by HDCP DRM. That means you probably can't stream your Netflix / Disney / Whatever subscription to your laptop.

It is limited to stereo sound. I couldn't convince the Nintendo Switch to output surround sound.

Obviously, it only works with devices which have USB-C video output. Modern Android and most hand-held consoles will work. Your PS5 won't.

So what about those devices without USB-C?

Bonus HDMI Dongle!

So you're a wannabe Twitch streamer, or you just want to capture something from your HDMI output? The good folks at Benfei also sent me their HDMI Capture Dongle to review.

There's absolutely nothing else to say about this one. It has the same internals - 345f:2130 MACROSILICON USB3 Video - and works exactly the same.

Shove an HDMI cable in there and you're good to go,

Price

The USB-C to USB-C cable a surprisingly reasonable £15. If you need to capture video for presentations or streaming, it will do the job splendidly. The cable is long enough to drape from a machine to a source - and the Power Delivery is useful.

The HDMI capture is only £12. They both work identically well and are supported on Linux.

Highly recommended!

Level up your Solidity LLM tooling with Slither-MCP - Trail of Bits Blog

2025-11-15T12:00:00.000Z

We’re releasing Slither-MCP, a new tool that augments LLMs with Slither’s unmatched static analysis engine. Slither-MCP benefits virtually every use case for LLMs by exposing Slither’s static analysis API via tools, allowing LLMs to find critical code faster, navigate codebases more efficiently, and ultimately improve smart contract authoring and auditing performance.

How Slither-MCP works

Slither-MCP is an MCP server that wraps Slither’s static analysis functionality, making it accessible through the Model Context Protocol. It can analyze Solidity projects (Foundry, Hardhat, etc.) and generate comprehensive metadata about contracts, functions, inheritance hierarchies, and more.

When an LLM uses Slither-MCP, it no longer has to rely on rudimentary tools like grep and read_file to identify where certain functions are implemented, who a function’s callers are, and other complex, error-prone tasks.

Because LLMs are probabilistic systems, in most cases they are only probabilistically correct. Slither-MCP helps set a ground truth for LLM-based analysis using traditional static analysis: it reduces token use and increases the probability a prompt is answered correctly.

Example: Simplifying an auditing task

Consider a project that contains two ERC20 contracts: one used in the production deployment, and one used in tests. An LLM is tasked with auditing a contract’s use of ERC20.transfer(), and needs to locate the source code of the function.

Without Slither-MCP, the LLM has two options:

Try to resolve the import path of the ERC20 contract, then try to call read_file to view the source of ERC20.transfer(). This option usually requires multiple calls to read_file, especially if the call to ERC20.transfer() is through a child contract that is inherited from ERC20. Regardless, this option will be error-prone and tool call intensive.
Try to use the grep tool to locate the implementation of ERC20.transfer(). Depending on how the grep tool call is structured, it may return the wrong ERC20 contract.

Both options are non-ideal, error-prone, and not likely to be correct with a high interval of confidence.

Using Slither-MCP, the LLM simply calls get_function_source to locate the source code of the function.

Simple setup

Slither-MCP is easy to set up, and can be added to Claude Code using the following command:

claude mcp add --transport stdio slither -- uvx --from git+https://github.com/trailofbits/slither-mcp slither-mcp

It is also easy to add Slither-MCP to Cursor by adding the following to your ~/.cursor/mcp.json:

{
 "mcpServers": {
 "slither-mcp": {
 "command": "uvx --from git+https://github.com/trailofbits/slither-mcp slither-mcp",
 "env": {
 "PYTHONUNBUFFERED": "1"
 }
 }
 }
}

Figure 1: Adding Slither-MCP to Cursor

For now, Slither-MCP exposes a subset of Slither’s analysis engine that we believe LLMs would have the most benefit consuming. This includes the following functionalities:

Extracting the source code of a given contract or function for analysis
Identifying the callers and callees of a function
Identifying the contract’s derived and inherited members
Locating potential implementations of a function based on signature (e.g., finding concrete definitions for IOracle.price(...))
Running Slither’s exhaustive suite of detectors and filtering the results

If you have requests or suggestions for new MCP tools, we’d love to hear from you.

Licensing

Slither-MCP is licensed AGPLv3, the same license Slither uses. This license requires publishing the full source code of your application if you use it in a web service or SaaS product. For many tools, this isn’t an acceptable compromise.

To help remediate this, we are now offering dual licensing for both Slither and Slither-MCP. By offering dual licensing, Slither and Slither-MCP can be used to power LLM-based security web apps without publishing your entire source code, and without having to spend years reproducing its feature set.

If you are currently using Slither in your commercial web application, or are interested in using it, please reach out.

22.00.0168 How to remember the Markdown link syntax - Johnny.Decimal

2025-11-15T02:16:10.000Z

How to remember the Markdown link syntax

In Markdown, a universally-handy text formatting language, you create a link like this:

[Title of link](https://…)

Easy enough, but there's a bunch to remember there. Which comes first, the title or the link? And which is in square brackets, which in regular brackets?

Get any of those things wrong, and your link won't work.

'Name and address please, sir'

Let's do the stuff inside the brackets first. When you get pulled over by the cops you'd never be asked for your 'address and name', would you? Same here.¹

Name and address in that order.

Addresses contain numbers

Those regular brackets () live on the keys 9 and 0.

What contains numbers? An address.

What doesn't? Your name.²

That's it

[Johnny](90 Main St)

100% human. 0% AI. Always.

Yeah, yeah, you're innocent. Save it for the judge. ↩
Unless you're this guy. ↩

Maple Vanilla Mead - Cool As Heck

2025-11-14T13:14:14.000Z

My next experimental mead recipe is going to be a maple vanilla mead. Here's the base recipe:

- 2lb raw acacia blossom honey (primary)

- 12oz Vermont maple syrup (primary)

- 1 vanilla bean (secondary)

- 2 whole allspice berries (secondary)

- 6g of oak chips (secondary)

- 4-6oz Vermont maple syrup for back sweetening and taste

Yeast: Lalvin 71B

This will hit about 12% ABV. This will be my first time working with acacia honey, raw honey, maple syrup, and oak chips, so this is going to be fun and interesting. 🍷

Giving My Jekyll Site a CDN Front End - Kev Quirk

2025-11-14T12:55:00.000Z

I've managed to get my Jekyll based site working behind Bunny CDN, while maintaining my .htaccess redirects. Here's how I did it...

Giving My Jekyll Site a CDN Front End

Since switching back to Jekyll recently, I’ve been running this site on a Ionos-hosted VPS, then using a little deploy script to build the site and rsync it up.

This all worked fine, but I really wanted to use Bunny CDN for more than just hosting a few images and my custom font. Being a static site, I could have dumped everything onto their storage platform, but I have a metric tonne of redirects in a .htaccess file from various platform migrations over the years.

Bunny’s Edge Platform could have handled these, but with the number of redirects I have, it would have been a slog to maintain. So I assumed I’d never be able to put Bunny in front of my Jekyll site easily and went about my business.

💡 Then I had an epiphany.

What if I created a Bunny pull zone that uses kevquirk.com as the public domain, then set up a separate domain on my VPS, host the site there, and use that as the pull zone origin?

My theory was that Bunny would still be requesting content from the VPS, so my .htaccess redirects might still work.

…turns out, they did.

Some small bugs

I duplicated my live site so I could experiment safely. The setup looked like this:

test.kevquirk.com - the domain configured in the Bunny pull zone
src.qrk.one - the origin domain on my VPS, where the site actually lives

The first thing I had to do was update the url field in my Jekyll _config.yml from kevquirk.com to test.kevquirk.com, rebuild the site, and upload it to src.qrk.one.

Now, you might be thinking, “Kev, why build the site with the wrong domain?”

But I haven’t. By building the site with the test domain, all links point to test.kevquirk.com/.... If I built it with the origin domain, all internal links would lead to the wrong place. They would still work, but the site would be served from src.qrk.one, which is not what I want.

Next up was redirect testing. I visited /feed, which should hit .htaccess and redirect to /feed.xml. The redirect worked fine, but the resulting URL was being served from the origin domain.

So instead of seeing test.kevquirk.com/feed.xml I saw src.qrk.one/feed.xml.

This happened because Bunny requested the file from the origin using its own hostname, not the hostname I typed. In simple terms:

I visited test.kevquirk.com/feed.
Bunny checked its cache. It wasn’t there, so it asked my origin for the file.
But Bunny made that request using its own hostname (src.qrk.one), not the one I typed.
Apache saw the request coming from src.qrk.one/feed and applied the .htaccess redirect to /feed.xml.
Apache then rebuilt the redirect URL using the hostname it was given, which was src.qrk.one.

So Apache went:

“Oh, you want /feed? Sure. That’s at src.qrk.one/feed.xml. Here ya go…”

Fixing the problem

This would not break anything for visitors, but I didn’t want src.qrk.one appearing anywhere. It looked messy.

Two changes fixed it:

Enable Forward Host Headers in my Bunny pull zone.
Add test.kevquirk.com as a domain alias of src.qrk.one on my VPS.

Forward Host Headers makes Bunny tell the VPS the hostname the visitor used. So instead of:

“I’m asking for this on behalf of src.qrk.one.”

Bunny says:

“I’m asking for this on behalf of test.kevquirk.com, not src.qrk.one.”

The domain alias ensures Apache accepts that hostname and serves it correctly.

Magic. 🪄🐇

The other thing to double-check is that every page sets a proper canonical URL. The origin domain is publicly accessible, so crawlers need to know which domain is the real one. That should always be the Bunny pull zone domain.

In Jekyll this is simple. Add the following to the head section of your layout:

<link rel="canonical" href="{{ page.url | absolute_url }}">

The final straight

With the redirect behaviour sorted, the last step was to add a purge step to my deploy script so Bunny knows to fetch the latest version whenever I publish a new post or update something.

Here’s the snippet I added:

# --- Clear Bunny Cache ---
echo "🗑 Clearing Bunny Cache..."
PURGE_RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
  -H "AccessKey: $BUNNY_ACCESS_KEY" \
  "https://api.bunny.net/pullzone/$PULL-ZONE-ID/purgeCache")

if [ "$PURGE_RESPONSE" -ne 200 ] && [ "$PURGE_RESPONSE" -ne 204 ]; then
  echo "⚠️  Bunny purge failed (HTTP $PURGE_RESPONSE)"
  exit 1
fi

I set my Bunny API key and Pull Zone ID as variables at the top of the script. The if statement simply says, “If the response isn’t 200 or 204, tell Kev what went wrong.”

And that is it. Last night I flipped the switch. Bunny CDN now sits in front of the live site. I also moved the VPS from Ionos to Hetzner because Ionos now charge extra for a Plesk licence. I went with Hestia as the control panel on the new server.

If you spot any bugs, please do let me know, but everything should be hopping along nicely now. (See what I did there? God I’m funny!)

Thanks for reading this post via RSS. RSS is great, and you're great for using it. ❤️

Reply to this post by email

22.00.0167 An(other) advantage of the creative pattern - Johnny.Decimal

2025-11-14T00:43:29.000Z

An(other) advantage of the creative pattern

Our creative system here at JDHQ is in heavy use with production of the upcoming JDU series 'task and project management', seeing me create ID 50092 yesterday. We'll crack that hundred before long.

Previous creative projects -- recording the workshop, say -- tended to sit in their own isolated world. They take up a bunch of disk space, and if you're on a laptop you don't want to (or simply can't) carry those files around forever.

You produce a series, upload the final videos, and archive the original files. So it feels simpler to have all of those files in one folder, and you can just move that folder around.

This is a problem, though, if you ever want to re-edit those videos. To correct a mistake, say. Now you have to get the vidoes off 'the archive drive' and put them back either exactly where they were, which involves you remembering exactly where that was, or you have to re-point your video editing software to their new location. DaVinci Resolve calls this 're-linking the media'.

Neither of us are video editing professionals. This is an exercise fraught with danger that often results in us looking at this dreaded screen. We're not the only ones.

Figure 22.00.0167A. DaVinci Resolve's dreaded 'unlinked media' icon.

What if the files never moved?

With the creative pattern, the path to the file never changes. It's always (truncated for simplicity)
D25/50-59/50082/file.mov.

What changes is whether the original video files are actually at that location on disk. On my laptop, I've told Syncthing, which keeps our files in sync across the world, to remove those files. Lucy, our editor, still holds a copy.

I'll eventually remove all of these files from both laptops. We say that I'm 'dehydrating' those folders. At this point, launching DaVinci will look like the screenshot above. But the only thing I'll need to do if Lucy wants to edit a video is 'rehydrate' those files, synchronising them across the network from our server in Melbourne.

Nothing changed from DaVinci's perspective. Nothing ever will. Bye bye, red timeline of confusion.

100% human. 0% AI. Always.

Mead Update - November 13, 2025 - Cool As Heck

2025-11-13T21:05:22.000Z

This week I deoxidized and stabilized the pumpkin mead after back sweetening it last week. It turned out pretty good! If I had to do it again I would go a little less heavy on the amount of spices or the amount of time I left them in. Still, it turned out nice and I can't wait to see how it tastes after a few weeks in the bottle.

I've got a batch of ginger peach cyser going now. Well, it's just peach at the moment. It still has a week or two of fermentation left before I can test it, rack it, and add the ginger. I also got some peach syrup to use as a sweetener if it needs a little more post-fermentation sugar or an extra kick of peach flavor.

Honor The Maker's Schedule - Werd I/O

2025-11-13T16:41:04.000Z

[Corey Ford at Point C]

Everything Corey says here, all day long.

“Everyone needs (some) meetings for alignment, feedback, brainstorming, hiring, speculative networking, etc. And everyone also needs the space to focus on deep work, whether they consider themselves a "maker" or not.

The problem is that the people with the most power (leaders like you!), tend to work more on a manager's schedule and, if they're not intentional about establishing team norms regarding how time is valued, they can suck away the ability for anyone else to do deep work.”

As always, Corey breaks a problem that may seem intractable down into an easy-to-follow framework.

The key here is shared norms, created through intention — which also means that there needs to be a shared agreement with leadership that protecting deep work really is important.

In turn, that’s about respect: a culture where a manager can drop an event on your calendar at any time signals that they don’t really care about your experience or needs. That’s the kind of culture that can easily evolve organically if nobody’s tending to it; it’s not necessarily intentionally disrespectful, but it’s disrespectful nonetheless.

As an aside, I was delighted to see that Corey’s turned his week-long training camp — something I’ve both participated in and helped to participate back in my Matter days — into a service that anyone can book for their team. I found it transformative, and I think a lot of teams could use it.

[Link]

Jack Dorsey funds diVine, a Vine reboot that includes Vine's video archive - Werd I/O

2025-11-13T14:47:23.000Z

[Sarah Perez at TechCrunch]

I didn’t have Rabble bringing back Vine on my bingo card, but I should have.

This is fascinating:

“On Thursday, a new app called diVine will give access to more than 100,000 archived Vine videos, restored from an older backup that was created before Vine’s shutdown.

The app won’t just exist as a walk down memory lane; it will also allow users to create profiles and upload their own new Vine videos. However, unlike on traditional social media, where AI content is often haphazardly labeled, diVine will flag suspected generative AI content and prevent it from being posted.”

This time around, it’s all based on Nostr, a decentralized social networking protocol that is intentionally not owned or controlled by a single entity. The game-changer is including Vine’s back archives, which is presumably only possible because of Jack Dorsey’s involvement.

Dorsey has been a major backer of Nostr for the last few years, investing in the protocol and apps that have the potential to make it successful. Rabble, of course, was one of the core group at Odeo that was present for the inception of Twitter, along with Dorsey; they’re frequent collaborators and Dorsey backed Rabble’s startup nos.social. Clearly Dorsey has had, or been able to negotiate, access to the Vine back catalogue, which makes sense as a potential way to encourage folks to join the Nostr network.

[Link]

RE: Reassess time spent enjoying luxury - Joel's Log Files

2025-11-13T14:20:00.000Z

Reassess time spent enjoying luxury

Every time my wife is away for business travel, I take the opportunity to do things I don't have time for when we're together: video games, movies and TV shows my wife won't watch, that sort of thing. Inevitably I wind up spending too much time with these luxuries. Just last night (Monday), when I had all day to play with a vacation day, I didn't go to sleep until 12:50 AM.

Read the Full Post by Steve on An Almost Anonymous Blog

I recently saw this post by Steve and found it kinda relatable.

Every once in a while, I get to have the house for myself too, and the options for me are similar. While hobbies like books, manga or certain games I can do at any time—even during my commute to work—or when others are present. Some activities are simply more enjoyable when there’s nobody around that may require my attention, or that may ~~send me to clean up my bedroom instead~~. Living with parents has its perks, but it’s a double-edged sword.

Even if staying up late is not ideal when I have to wake up early to work, I personally have no issues with my sleep schedule. I wake up on the first beep of my alarm and continue the morning like nothing happened. I am not sure this power will last forever, but I’ll take advantage of it when I can. Obviously, this is not a daily thing, but a few times a year aren’t too bad.

Because of this, my reassessment is not because I stay up late or watch too much anime at once. It comes from the number one reason I end up actually wasting my time: YouTube, YouTube Shorts.

I find value in videogames, anime, movies or other media, I enjoy my time with them. However, every once in a while, I’ll just do nothing but watch random stuff from the YouTube algorithm. I know I just said a few posts ago that I don’t have an issue with algorithms, and that is the case most of the time, but when I literally have nothing else to do, and I can choose between a gaming session, bingewatching a show or a movie marathon, for some reason, my brain will default to sitting on my laptop (I don’t use the YouTube app at least) and scrolling through random videos.

All that time to be spent on things that I can only do at moments like this, like solving some dungeon on CrossCode or defeating a boss on Silksong, you know? finish a book or at least try a new anime. But no, endless scrolling.

Like, it could be great. It has been great before, I have managed to accomplish a lot of stuff some times after all.

Like that time I binged all the 70+ episodes of Hajime No Ippo, or when I watched almost all of the Alien movies, or played through The Hundred Line: Last Defense Academy for the first time. All of that was rather awesome, stuff that I can’t afford to do at such a pace on a regular basis.

I think I just need to set my priorities properly, I am consciously making the wrong choice, which means I can consciously not do it. Right?

I really envy the people who can actually get things done using time-blocking or to-do lists, calendars and all that mumbo jumbo sometimes, I mostly go by feel, and unfortunately I feel like being lazy and consuming “content” way more often than putting some effort on enjoying the creative output of artists who pour so much passion into their work.

One of the details that struck me when I read the original post, was the choice for the word “luxury”. Sometimes I don’t appreciate it that much, and take things for granted, but yeah, a couple of evenings after work just to relax by yourself and not worry until tomorrow’s workday comes is a luxury, so I shouldn’t let it go to waste.

And of course, it’s at moment like this when I not only get to digest all of that media, I also get to work on my own stuff!

From writing longer blog posts (I always write my reviews at home where I can quickly access screenshots and the like), to spending time on a different project (like the Rockbox theme for the Innioasis Y1 which I just published).

However, those things are something I can do when others are around the house, I just gotta work on my desk. So I’m going off-topic.

In the end, the main thing is that I get to use the big TV in the living room for whatever I want.

Freedom!

So, how do you spend time when you get to be by yourself for a bit?

Reply to this post via email | Reply on Fediverse

Book Review: Master Flea by E. T. A. Hoffmann ★★★⯪☆ - Terence Eden’s Blog

2025-11-13T12:34:18.000Z

While visiting Goethe Haus in Franfurt, I read a summary of the 1822 book "Meister Floh" and thought it might be fun to read.

It is curious. Half the satire has long since lost all relevance to the world, yet it is still an entertaining and mysterious novel. Much like 1827's "The Mummy! A Tale of the Twenty-Second Century" things just happen. People wander into rooms, announce their plot-point, and push the story along.

Parts of it are hilarious, other tedious. Long passages feel like allegories which would have benefited from a translator's footnote. It melds science-fiction with fairy-tales and comes up with something inexplicably weird. Perhaps, given the subject matter, it should be regarded at "scientific fiction"?

In truth, the story is weak. It's all hidden identities and bumbling heroes. What makes it is the wry narrator who is quite content to pierce the fourth-wall (do books have walls?) and give us his opinion on how the story is progressing. At times it almost becomes a meta-novel; playing with what must have been early tropes. For example, the narrator announces:

It is an established custom, that when the hero of a tale is under any violent agitation, he should run out into a forest, or, at least, into some lonely wood; and the custom is good, because it really prevails in life.

Towards the end, it becomes increasingly silly and convoluted. It's a story of horny old men chasing eternal life. Perhaps Hoffmann's immortality in the pantheon of great German writers brings him close to that goal.

Building checksec without boundaries with Checksec Anywhere - Trail of Bits Blog

2025-11-13T12:00:00.000Z

Since its original release in 2009, checksec has become widely used in the software security community, proving useful in CTF challenges, security posturing, and general binary analysis. The tool inspects executables to determine which exploit mitigations (e.g., ASLR, DEP, stack canaries, etc.) are enabled, rapidly gauging a program’s defensive hardening. This success inspired numerous spinoffs: a contemporary Go implementation, Trail of Bits’ Winchecksec for PE binaries, and various scripts targeting Apple’s Mach-O binary format. However, this created an unwieldy ecosystem where security professionals must juggle multiple tools, each with different interfaces, dependencies, and feature sets.

During my summer internship at Trail of Bits, I built Checksec Anywhere to consolidate this fragmented ecosystem into a consistent and accessible platform. Checksec Anywhere brings ELF, PE, and Mach-O analysis directly to your browser. It runs completely locally: no accounts, no uploads, no downloads. It is fast (analyzes thousands of binaries in seconds) and private, and lets you share results with a simple URL.

Using Checksec Anywhere

To use Checksec Anywhere, just drag and drop a file or folder directly into the browser. Results are instantly displayed with color-coded messages reflecting finding severity. All processing happens locally in your browser; at no point is data sent to Trail of Bits or anyone else.

Figure 1: Uploading 746 files from /usr/bin to Checksec Anywhere

Key features of Checksec Anywhere

Multi-format analysis

Checksec Anywhere performs comprehensive binary analysis across ELF, PE, and Mach-O formats from a single interface, providing analysis tailored to each platform’s unique security mechanisms. This includes traditional checks like stack canaries and PIE for ELF binaries, GS cookies and Control Flow Guard for PE files, and ARC and code signing for Mach-O executables. For users familiar with the traditional checksec family of tools, Checksec Anywhere reports maintain consistency with prior reporting nomenclature.

Privacy-first

Unlike many browser-accessible tools that simply provide a web interface to server-side processing, Checksec Anywhere ensures that your binaries never leave your machine by performing all analysis directly in the browser. Report generation also happens locally, and shareable links do not reveal binary content.

Performance by design

From browser upload to complete security report, Checksec Anywhere is designed to rapidly process multiple files. Since Checksec Anywhere runs locally, the exact performance depends on your machine… but it’s fast. On a modern MacBook Pro it can analyze thousands of files in mere seconds.

Enhanced accessibility

Checksec Anywhere eliminates installation barriers by offering an entirely browser-based interface and features designed to provide accessibility:

Shareable results: Generate static URLs for any report view, enabling secure collaboration without exposing binaries.
SARIF export: Generate reports in SARIF format for integration with CI/CD pipelines and other security tools. These reports are also generated entirely on your local machine.
Simple batch processing: Drag and drop entire directories for simple bulk analysis.
Tabbed interface: Manage multiple analyses simultaneously with an intuitive UI.

Figure 2: Tabbed interface for managing multiple analyses

Technical architecture

Checksec Anywhere leverages modern web technologies to deliver native-tool performance in the browser:

Rust core: Checksec Anywhere is built on the checksec.rs foundation, using well-established crates like Goblin for binary parsing and iced_x86 for disassembly.
WebAssembly bridge: The Rust code is compiled to Wasm using wasm-pack, exposing low-level functionality through a clean JavaScript API.
Extensible design: Per-format processing architecture allows easy addition of new binary types and security checks.
Advanced analysis: Checksec Anywhere performs disassembly to enable deeper introspection (like to detect stack protection in PE binaries).

See the open-source codebase to dig further into its architecture.

Future work

With an established infrastructure for cross-platform binary analysis and reporting, we can easily add new features and extensions. If you have pull requests, we’d love to review and merge them.

Additional formats

A current major blind spot is lack of support for mobile binary formats like Android APK and iOS IPA. Adding analysis for these formats would address the expanding mobile threat landscape. Similarly, specialized handling of firmware binaries and bootloaders would extend coverage to critical system-level components in mobile and embedded devices.

Additional security properties

Checksec Anywhere is designed to add new checks as researchers discover new attack methods. For example, recent research has uncovered multiple mechanisms by which compiler optimizations violate constant-time execution guarantees, prompting significant discussion within the compiler community (see this LLVM discourse thread, for example). As these issues are addressed, constant-time security checks can be integrated into Checksec Anywhere, providing immediate feedback on whether a given binary is resistant to timing attacks.

Try it out

Checksec Anywhere eliminates the overhead of managing format-specific security analysis tools while providing immediate access to comprehensive binary security reports. No installation, no dependencies, no compromises on privacy or performance. Visit checksec-anywhere.com and try it now!

I’d like to extend a special thank you to my mentors William Woodruff and Bradley Swain for their guidance and support throughout my summer here at Trail of Bits!

Monet - James' Coffee Blog

2025-11-13T11:57:20.000Z

On the ground floor of the Musee de l’Orangerie in Paris – a long building by the river banks of the Seine, and at the start of the Jardin des Tuileries – there is an exhibit of eight Monet paintings. The museum website introduces the paintings like so:

Offered to the French State by the painter Claude Monet on the day that followed the Armistice of November 11, 1918 as a symbol for peace, the Water Lilies are installed according to plan at the Orangerie Museum in 1927, a few months after his death.

The exhibit spans two rooms: each an oval. The two ovals connect together in a figure-of-eight. The walls of the rooms are white, each adorned with a wide-canvas Monet painting. When you are in either of the oval rooms, you are surrounded by colour: reds and yellows and blues and purples. You get a feeling that there is more detail than you can possibly comprehend, but you do your best to take in the works. From up close and afar, you study, appreciating the colours, the gradients, the trees, the reflections.

The painting on the left as you enter shows a gradient as if the sun is rising or setting – you don’t yet have a perfect grasp of how to distinguish between the two moments of day in art, and so you see both: a beginning and an end. You proceed further and see blue skies and white clouds reflected on the pond – blue a theme of several of paintings, you will later realise. What does it mean to appreciate a work?, you consider. Do I need to understand every detail? The answer to this question reveals itself as a smile adorns your face for reasons that you cannot quite put into words. Maybe the colour is brightening your mood. Or maybe the realisation that the more you look, the more you see satisfies a certain part of your mind that loves details.

You walk around the two rooms once and then realise you want to keep going. You keep walking. You look at all of the works with a new perspective – the perspective of having seen all that comes before and after each individual painting. You wonder if there are themes between the works, and you start to think more about whether the painting to the left as you entered was of a sunrise or a sunset.

In the back of your mind, you think about how the structure of the rooms – the two ovals – encourages you to keep going. You are in a place that encourages you to walk in circles. You learned from the plaque on your way in that this was designed: that the place is intentionally a figure-of-eight, the symbol of infinity.

At one point, after spending some time looking at a painting, you realise that there is a colour you didn’t notice before. You realise that there is an infinite amount to appreciate, and that you don’t feel an obligation to understand everything for the colours and the vastness of the paintings and the context in which they were offered – as a symbol for piece – take your breath away.

You realise that you don’t need to understand all the details of the works for them to have an impact, to leave you with some feeling.

I left with a sense of wonder. I came back the next day.

Email Is Amazing, but People Try Their Best to Ruin It - Kev Quirk

2025-11-13T10:59:00.000Z

Email Is Amazing, but People Try Their Best to Ruin It

by Alex White

Alex has written a lovely reflection on rediscovering the joy of email as a slower, more deliberate way to talk with people. Well worth a read if you miss when the inbox felt like a conversation, not a chore.

Read Post →

Alex’s blog is a one that I only discovered a couple days ago when he emailed me about my previous post. We ended up having a good old natter about all kinds of things.

As is par for the course, I checked out his blog, quickly found we have a lot in common, and our love of email is one of them.

As I’ve mentioned before, I’m very anal with my email and like Alex, I also look forward to checking my email every morning as there’s usually at least 1 interesting email from a reader. Today I have 5 of them to reply to (including a response from Alex) - it’s one of my favourite times of the day.

Anyway, I digress. Like Alex, I love email - it’s a fantastic way to communicate with the rest of the world. It’s a tried and tested, robust tool. It’s not email that’s the problem, it’s the people who use it.

Alex is also building his own CMS for HTML, which is another thing we have in common.

Anyway, go read his blog. It’s great.

Thanks for reading this post via RSS. RSS is great, and you're great for using it. ❤️

Reply to this post by email

What’s in my inventory? - James' Coffee Blog

2025-11-12T13:51:33.000Z

Wherever I go, I usually bring my backpack. In it, I always keep a few things. First, I try to always bring a book with me. I usually pack a book to read before I leave the house, for the book I am reading is either at my bedside or next to my chair. Right now, I am reading the art of explanation by Ron Atkins, a book about how to communicate clearly written by a senior reporter at the BBC. If I am out and about, I might read in a cafe, on the train, or really anywhere that I can sit down and relax.

I bring my AirPods wherever I go, as well as my phone (I wish my phone were lighter though). I can’t read in noisy environments; the AirPods noise isolation feature is thus useful. I also enjoy listening to music where I go – songs by Taylor Swift, Lorde, Florence and the Machine, Oh Wonder, MisterWives, and several other artists are among those I listen to the most. I love podcasts, too.

I also bring a notebook in which to write. This is essential. Sometimes I need to write something down or sketch it out. My notebook is where I will write down a few ideas that I want to explore on paper rather than jotting down on my phone. I draw wireframes for web pages. I write stories. My notebook has a sticker of my blog mascot on the front, a little bit of personalisation.

I bring a few pencils. I don’t think I bring a pen anywhere; I prefer to write with pencil in notebooks. I like to use Blackwing pencils, which have a rubber – is “rubber” widely understood outside the UK? An alternate term is an “eraser” – on the end. I bring a pencil sharpener, too – all stationery is kept in my pencil case.

I bring some stickers where I go, in case I run into friends to whom I want to give stickers. I bring hand sanitiser – absolutely essential.

I bring various charging cables, some that I use and others that I keep in case someone needs them. (I once went on a trip abroad and forgot a charger converter. A friend kindly lent me a spare they had. Ever since then I try to keep a few cables.)

I also bring all of myself where I go – my thoughts, my hopes, my dreams, my anxieties, my ideas.

This is my submission for the Bear Blog Carnival this month, hosted by Absurd Pirate on the topic “What’s in my inventory?”.

I’m going to study art history - James' Coffee Blog

2025-11-12T09:08:00.000Z

Over the last few months, I have been taking a part-time online course with the V&A focused on the history of art. The course has taken me through eras from Classical art and sculpture all the way to Impressionism, Cubism, and Surrealism. With every lecture, I feel like my mind is being opened, both by the pieces of art I study and the context around the art – the cultural commentary that arose from pivotal art works, how technology changed art, and more.

With that said, I have an announcement to make: Starting in January next year, I am going to be studying for a bachelor’s degree in History of Art. I’ll be studying with the Open University, a university based in the UK that specialises in distance and online learning.

It’s a big change for me: for the last six years, I have been a technical writer, focused on documentation and tutorials of all kinds. I moved straight from secondary school to work. I had an eagerness to start my career, and, looking back, I feel I made the right decision by not starting with university.

But this year in particular, I felt like I was no longer growing as much as I wanted to. I was yearning for a new challenge. I started thinking about new things to do, and, looking back on what brought me the most joy this year, my time in art galleries was close to the top of the list. I could study art history, I thought.

When I am in galleries, I love trying to understand an artwork. I love looking for details. I love the moment where you realise a new detail after studying an artwork closely for ten minutes. I love noticing patterns between different paintings – whether themes or icons or common objects. Over the last year, I have found myself being able to understand paintings more as a result of spending more time in galleries, but there is so much more I want to learn – a realisation that fills me with great excitement.

Last week, in my part-time course, I learned how to interpret a Cubist painting, which has helped me appreciate that period to a much greater extent. I learned that Cubists strive to paint a picture of a space by showing you only the minimum details you need to build your own image of the space. An occluded part of a musical instrument and a glass may indicate the scene is in a bar, for example. An hour of learning helped open my eyes to a form of art I found interesting but was unable to appreciate to a great extent. Cubist paintings make me consider the questions What is essential to create an image? And how do I know?

After many months of thought, the idea of studying turned into a reality. My blog home page now reads I'm a soon-to-be art history student., a statement I added fuelled by the excitement I feel for the coming months. Despite this big change, one thing is for sure: I will continue to be here blogging as normal – indeed, writing, like analysing art, excites me to an extent that may take a lifetime to encapsulate in words.

22.00.0166 Decimal Diary: Business links and food trucks - Johnny.Decimal

2025-11-12T09:00:00.000Z

Decimal Diary: Business links and food trucks

Today's blog is a guest post by Lucy.

Dear Decimal Diary,

Yesterday I added a bunch of new resource links to several IDs in the Small Business System. And one of them led me to start an imaginary food truck business.

Sensible, governmenty links

Turns out there's a lot of great small-business-related information out there. But it can be hard to find if you don't know where to start (or have the time).¹ We originally planned to include a few curated links in most Small Business IDs. There aren't many yet – I add new ones as I discover and vet them to check they're reputable.

Since we're Australian they're mostly from our Government or 'sensible' government-adjacent organisations. But I do try to find things that are relevant no matter where a business is. For example, there's links to some good general advice in:

14.42 Technical cybersecurity, and
14.43 Behavioural cybersecurity.

But if you need country-specific guidance, hopefully anything we find can help you search for similar advice from your government.

This may or may not be a useful feature, but we thought we'd give it a go and see if it evolves into anything.² At the very least I'm learning heaps of stuff about running a small business that I didn't know before.

Refining search

At the same time I also try to think of new keywords for JDHQ's search feature (remember you can just type / to activate search).

So if you've tried to find something in Small Business (or elsewhere) and search didn't surface it, let us know. The words we use to describe something in Australian business might be different to yours. But it's easy to add keywords that will help you find what you need.

For example, we learned from a Decimal this week that it's common to have an 'operating charter' in American business. So I added that to the examples list for 11.11 Structure & registrations. And now it appears in search.

My imaginary food truck

The first link I found for 11.12 Licences, permits, & accreditations is from the Australian Business Licence and Information Service (ABLIS). ABLIS has a handy tool to research licences, regulations, council approvals, and compliance requirements for different businesses. So I thought I'd take it for a spin.

I pretended I wanted to start a:

Simple food truck business (aka 'mobile food van operation'),
Located in central Canberra in the Australian Capital Territory,
And I would operate as a sole trader.

Figure 22.00.0166A. Simple Joe.

I then answered a short series of questions about how I thought my business would run. And I got back this list of 40 (!) things that I might need to consider. To anyone out there who has a business that involves any regulation, I tip my cap. I had no idea how much there was to know.

I was just playing around and some of my results were more important than others, like safe food handling. But there's so many other hangers on that might be relevant – there's an entire code of practice just for having a movable sign! But I think my favourite is the Workplace and Telephone on Hold Music Licence.

Like many people, Johnny and I have pretend-talked about having a simple hospitality business.³ However, I reckon if more budding entrepreneurs went to a licencing site like ABLIS before committing money to their idea, they might find it quite sobering.

I'm not saying don't dream big dreams.

The world needs successful small business owners – you make daily life so much more interesting than big corporations.

Just try hard not to procrastinate reading all the tediously boring government regulatory information before taking out a big business loan on a food truck in Canberra. 😉

From Lucy

100% human. 0% AI. Always.

Of course everyone probably just uses AI now. But given its lacklustre citation skills I would personally always check what reference sites it's using for serious business stuff. As a former science writer this is a habit I will never drop, sorry Chatty-G. ↩
A library of recommendations for go-to, trustworthy small business sites from around the world? ¯\_(ツ)_/¯ ↩
Not seriously, we're not qualified. But we often do back-of-the-envelope maths and logistics to see if something is food truck-able. At the moment though, we wish someone would start cheap filter-coffee-only carts in Australia, hint hint. You can even use our proposed business name – Simple Joe. ↩

52 Week Notes later - Joel's Log Files

2025-11-11T13:00:00.000Z

It’s been a whole year now since I decided to start writing my own weeknotes, a lot of stuff has happened since then, and a portion of that has been documented week after week on this website.

I was inspired by many people, such as Jeremy who was the one who gave me the final push, Jedda who was at it since earlier, or Ariadne, who was among the first I saw!

There’s also Thomas, TK, Tracy (woah that’s three T’s!), Cassie, Sylvia, Sam (wooah that’s CSS!?), and many, many more!

Since the day I started, I’ve asked myself how worth it is it to actually write down stuff like this, the random things that happen day after day, that are just a part of everyone’s life.

I have great friends and fellow bloggers who kind of don’t see the point of it, some people want to portray a certain character to their websites, which is perfectly understandable to me. But hey, my website is mostly about my life, not really just gaming or technology or reviews, if I feel like writing it, I’ll probably end up sharing it here, so weeknotes felt right to me.

Somehow, some people even said I’m part of why they decided to start doing their own weekly notes, a huge honor for me, I must say.

I am always looking forward to see what people are up to week after week sharing their story, slices of a life that are as familiar as they are unrelatable, as fascinating as they are stressful, and as fun as they are a chore. It’s life after all!

This act of documenting our day, each project, idea, event or shenanigan, is just so interesting to me, both to write myself, and to read up from others. My feed reader is almost like a weekly newsletter of everyone’s updates and thoughts, the same topic, and yet different all the time.

Of course, while some people I admire have lost motivation or gotten busy. Some others have continued to be fascinated by the everyday. In the end, not everyone has the time or the energy to commit on a regular basis, priorities are set somewhere else, and that agency is a beautiful thing too.

I will continue to write these for another year, and more, I hope! And I look forward to all of yours as well, to inspire new ones and uncover old ones, because those small parts of life are the ones that make us realize we are all just people living under the same sun, on this pot of land we call earth.

Reply to this post via email | Reply on Fediverse

Shellsharks Blogroll - BlogFlock

Updating forgejo's robots.txt - Posts feed

Small Web, Big Voice - Kev Quirk

Small Web, Big Voice

Gadget Review: Benfei USB-C Video Capture ★★★★★ - Terence Eden’s Blog

USB Power

Video and Audio

Linux

Limitations

Bonus HDMI Dongle!

Price

Level up your Solidity LLM tooling with Slither-MCP - Trail of Bits Blog

How Slither-MCP works

Example: Simplifying an auditing task

Simple setup

Licensing

22.00.0168 How to remember the Markdown link syntax - Johnny.Decimal

How to remember the Markdown link syntax

'Name and address please, sir'

Addresses contain numbers

That's it

Footnotes

Maple Vanilla Mead - Cool As Heck

Giving My Jekyll Site a CDN Front End - Kev Quirk

Giving My Jekyll Site a CDN Front End

Some small bugs

Fixing the problem

The final straight

22.00.0167 An(other) advantage of the creative pattern - Johnny.Decimal

An(other) advantage of the creative pattern

What if the files never moved?

Mead Update - November 13, 2025 - Cool As Heck

Honor The Maker's Schedule - Werd I/O

Jack Dorsey funds diVine, a Vine reboot that includes Vine's video archive - Werd I/O

RE: Reassess time spent enjoying luxury - Joel's Log Files

Reassess time spent enjoying luxury

Book Review: Master Flea by E. T. A. Hoffmann ★★★⯪☆ - Terence Eden’s Blog

Building checksec without boundaries with Checksec Anywhere - Trail of Bits Blog

Using Checksec Anywhere

Key features of Checksec Anywhere

Multi-format analysis

Privacy-first

Performance by design

Enhanced accessibility

Technical architecture

Future work

Additional formats

Additional security properties

Try it out

Monet - James' Coffee Blog

Email Is Amazing, but People Try Their Best to Ruin It - Kev Quirk

Email Is Amazing, but People Try Their Best to Ruin It

What’s in my inventory? - James' Coffee Blog

I’m going to study art history - James' Coffee Blog

22.00.0166 Decimal Diary: Business links and food trucks - Johnny.Decimal

Decimal Diary: Business links and food trucks

Sensible, governmenty links

Refining search

My imaginary food truck

Footnotes

52 Week Notes later - Joel's Log Files