Security Engineer @ XTX. MSc in eng. physics & CompSci, dev & gamer. ❤️ music & long distance running. Wanna do a PhD sometime. Same U/N on all other sites

London, England
After intense debate we have concluded the following: * IDA - Gryffindor * Ghidra - Slytherin * Binja - Ravenclaw * r2 - Hufflepuff
19
191
714
Waking up to a lot of bad takes on QR codes. QR codes are meant to be scanned, just as links are meant to be clicked. If your security posture requires these two things to not happen you have already lost. Blaming the user here is Dunning-Kruger riddled infosec posing.
23
96
642
My colleague recently reminded me that Python executes zip files which of course extends to other zip-based formats and lets you do things like this.
6
98
555
Everyone's always posting threads about how to get into security but where are the threads about how to get out of it? 🤔
44
34
494
Replying to @FreyaHolmer
Generally agree with the caveat that people open source things for very different reasons and "making it easy for others to use the code" may or may not be a motivation.
1
1
431
73,263
Replying to @littmath
Nice. We sometimes used VVVVVV at university for the Swedish "Vilket Var Vad Vi Ville Visa", roughly "Which was what we wanted to show". Guess the kids nowadays have a bit more sass.
8
16
424
91,281
Got some fantastic personal news to kick off the weekend. Thrilled to announce that in August I will join Google in the offensive security team in Zürich. Really excited about what this new chapter will bring.
29
2
294
Want to find good security content creators who make videos and streams? Check out this little thing I built: securitycreators.video
17
83
226
Stop suggesting input validation as a fix for XSS. You handle it by context aware escaping when outputting, not by trying to prevent double quotes in your input.
8
27
210
Replying to @Hbomberguy
Started the audiobook recently. It's really good. Among my favorite part so far: - They're trying to kill me - No one's trying to kill you - Then why are they shooting at me? - They're shooting at everyone, They're trying to kill everyone. - And what difference does that make?
171
Come join us in the Google red team! We have a position open in NYC: google.com/about/careers/app… The team is fantastic and the work is really cool. Message me if you have questions about the role but if you are interested please don't wait to get your application in.
10
37
142
40,815
I hate the self-deprecating personality in tech: the "I have no idea what I'm doing, I just copy-paste from SO until it works" crowd. Stop devaluing your own work and take some pride in your skills. Not only are you hurting yourself but also misrepresenting the field to beginners
4
20
132
Replying to @RLewisReports
I appreciate having a professional like you pointing subtle details like this out. I layman like me might have missed it otherwise. Really adds that extra depth to the viewing experience.
1
129
Just published my write-up for the @Hacker0x01 #h1702 #CTF zeta-two.com/ctf/2018/06/30/… for your reading and commenting pleasure.
3
48
113
Replying to @LiveOverflow
Yeah, call me old fashioned but I believe that to be good at security you should first learn the thing you are trying to secure. Appsec: learn how to build software. Netsec: learn how to configure a network, etc
8
12
110
13,424
Absolutely, and MacOS rhymes with tacos.
2
7
93
There's some shady criminal on the loose in Zürich. Luckily I have been able to obtain some pictures of the suspect who is known to have been involved in several cyber attacks.
15
2
98
That's a wrap for the qualification round of the Google #CTF Hackceler8. Four matches completed with four teams moving on to the finals next weekend. Had a great time doing video production and even commentating one match. Congrats to all the teams and good luck to the finalists!
6
95
After a bit more than four amazing years in the Google red team, and almost three years in Switzerland, the time has come to move on to the next thing. At the end of October, with a mix of fear and excitement I'll move to London. But first I'll help org Hackceler8 one last time!
7
2
101
9,327
This shit is absolutely gross. Just the other week I helped a colleague who suspected her ex of spying on her. Fuck this paper for helping these less than humans with this. Are there any initiatives out there who could use some help from a reverse engineer maybe?
5
13
93
Less than two hours until #GoogleCTF starts. Good luck to everyone participating! Make sure to check out my reversing #CTF challenge which I will not apologize for. :)
3
10
93
In July I joined the Offensive Security team at Google and it has been a great experience. The red team work is challenging and fun and the team is awesome but even better, we are looking for more. Check these: Zurich: goo.gle/3qWz71m Sunnyvale: goo.gle/3dI0XdS
1
26
93
Them: Noooo! You can't just use an SMT solver for this cryptography problem. You have to fully understand the non-linear transformations over finite fields and the subtleties of working with GF(2)! Nooooo! Me: haha, Z3 goes brrrrrr
1
7
90
Yesterday I handed in my notice at work. This means that I'm now openly looking for a new job. I would love to work with something related to reverse engineering, malware and/or vuln research. Willing to relocate. Open for remote. DMs are open.
7
18
82
If you play #CTF, which you definitely should at least try a couple of times, don't limit yourself to a single category. Try to push yourself to at least a "medium" level of proficiency in several or most of them. This will make competitions more fun and you will learn a lot.
4
10
81
First day at new job: survived. Let's go!
5
79
Replying to @LiveOverflow
Trivial denial-of-service, PoC: "(.*a){100}aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!"
2
79
8,663
Replying to @alicegoldfuss
Related: 1. Wow this thing is really hard 2. *spends ~40h to learn it* 3. Why don't you understand it after my 15 min lightning talk on the subject?
1
69
So, anyone else experiencing this thing in security where if you try to google technical details on a topic all you find is the same 5 basic concepts copy-pasted in 100 beginner guides and blog posts?
5
2
73
My x-mas gift to you: The last Pwny Racing episode of the year will air on Saturday 14:00 UTC live from #36C3 Set a reminder: piped.video/watch?v=egCvtOGS… and watch the #CTF action as @_LarsH and I guide you while our participants: @0xbadcafe1, @nSinusR, @_niklasb and @phLaul compete!
2
17
75
I love #CTF. I think it's great for entertainment and education. I have played countless of them and learned so much from them. That's why it really hurts to admit that #CTF are currently suffering from quality issues. The density of poor challenges is just too high ATM.
5
7
73
For the past few years I've been using a great fiverr artist to create some artwork for work. Unfortunately they have been MIA for 2+ months now and I realise that I probably need redundancy. I'm looking for a cartoon artist with similar style. (Suggest AI = get instant block)
68
61
8,730
Every chapter has a beginning and an end. Today I'm working my last day at @KRYcare. Thanks for three great years with fantastic colleagues and exciting challenges. ❤️ Good luck in all the future work. Now I will enjoy some time off before starting at Google in Zürich in August.
8
72
Ok, we are doing this. Look what happens when you have crazy ideas at #35c3 I invite you to watch our 1st ed. of "pwny race" (name pending). Tune in to our stream: piped.video/watch?v=L_ZqbkCQ… on Feb 9 to see some #CTF pwnable racing with 4 excellent players and my co-host @picklepwns
5
19
74
Another day, another garbage take from a bug bounty hunter. This is what makes the field look bad. Stop the gatekeeping BS and go back to running ffuf and retweeting SQL injection tricks. #CTF is one of many forms of hacking, a great way to learn & research and a lovely community
7
71
25 minutes to Stockholm Marathon. I'm out of shape and got food poisoning yesterday so it's going to be rough. Will have to dig deep into the experience of those 13 previous finishes. Bib number 10004 if anyone wants to follow results.
9
61
Tomorrow we will open the application window for security interns at Google in Europe next summer. You can read more about the position, requirements and process here: google.com/about/careers/app… If you have any questions, don't hesitate to reach out. Come spend the summer with us!
2
27
60
23,987
We raised $100k for Alzheimerfonden! Thanks @esamarathon for a fantastic week! So fun to meet so many great people (and this robot). See you all at the next one!
2
53
3,738
Jason is 100% spot on. Additionally, many of these budgets are ridiculously low. I spent high school churning out websites for $250-$1000 that simply wouldn't be possible with any other solution (that I've seen).
4
2
49
Running my 14th Stockholm Marathon in 50 minutes with bib number 12245. See you on the other side.
6
55
The Numberphile podcast is one of very few podcasts I listen to. The episodes are always great but this latest one was fantastic. Really interesting to hear about Tadashi's philosophy on things. Strong recommendation even if you are not that into mathematics.
By popular demand, here's a podcast interview with Tadashi Tokieda... It's pretty fascinating! numberphile.com/videos/tadas… (also on podcast players - search Numberphile Podcast)
1
2
46
Turning 0b11111 today. Going to need another bit soon.
11
1
54
Helped a friend to repair a device yesterday. The first 32 bytes of the EEPROM had broken down so I extracted the firmware, binary patched it to add a small offset on all EEPROM accesses and wrote it back together with updated EEPROM contents and it worked perfectly. Quite proud!
3
2
52
We played the DefCon #CTF qualifiers this weekend with the Scandinavian collaboration team @NorseCodeCTF and thanks to heroic efforts by the team we managed to qualify to the finals for a second time.
It was in the darkest hour and everything seemed desperate. The warriors of the north were on the verge of defeat. Hope was all but lost. They let out a mighty battle cry for a final charge and as if guided by Odin himself, seized not one, but two flags to triumph in the battle!
3
1
51
Awww yes! Sub 90kg! My lowest weight since 2016. Still like 15 more to go but it's a great start.
2
51
We did it! We are going to DefCon, or at least virtually, to the DefCon #CTF finals. Great job everyone!
It looked really bleak for the warriors of the north but the taste for flags eventually set in and the hackers, fueled by shellcode and a desire for privescs, began their frenzy slaying challenge after challenge. In the end they stood triumphant as one of the qualifying teams.
5
1
54
Anyone else using their knuckles as a reminder of which months have 31 days vs which have 30/28? It's one of few "life hacks" I actually have found useful.
11
53
Another variant which doesn't cause any warnings at all:
2
7
49
Want to learn about GDB scripting? Check my article. Or maybe check some of the other amazing articles in this issue!
Issue #4 is out – enjoy! pagedout.institute/?page=iss… Please RT and tell your friends :)
2
4
52
5,763
Inspired by @0xeb's 2018 #reconbrx talk, I decided to write an exploit for the Starcraft EUD bug. This turned into a challenge for the @MidnightSunCTF #CTF and a blog post: zeta-two.com/software/exploi…
2
22
52
I had a blast hosting @livectf together with our great team. Sure it was a bit stressful and an emotional rollercoaster but the reactions have been positive. I might write more later but for now I'll settle for posting this masterpiece by the genius @zaratec4
1
7
52
12,636
Speaking to one of the best vuln researchers I know. His exploit server is not working. Spend 30 min trying to help troubleshooting over Signal messages. Nothing makes sense, start to believe we hit some kind of Python bug... ...his server was listening on the wrong port.
3
1
53
5,254
Almost euphoric right now. Despite the conditions (weather was perfect though) I performed my best marathon in many years. 13th Stockholm marathon finish (14th marathon total) in the bag. #stockholmmarathon
9
51
As a person in tech, a good way to guarantee that you will be made obsolete is to attach your whole identity to a specific language or technology. Become an expert at things but make sure to stay diverse and keep learning things and constantly evolve.
6
2
48
8,217
The line-up for the second episode of the Pwny Racing (piped.video/watch?v=411Biewf…) will be: borysp, hpmv, je and vos who will be fighting to be the first one to solve the pwnable challenge created by my amazing co-commentator @0xb0bb. Mark March 9th 15:00 UTC in your calendars!
1
17
48
OMG, finally! I solved challenge 11 and finished #FlareOn7 Big thanks to @nickharbour and the @FireEye FLARE team for organizing a great #CTF again!
2
51
New delivery of books. I somehow feel this is @carste1n's fault. Now the question is just: which one do I start with?
4
49
Sophia was a brilliant security researcher and a wonderful teammate when I was in HFS. I fondly remember tag-teaming on RE problems with her but also conversations about life, politics, religion and everything between. She will be greatly missed.
Sophia d’Antoine was walking just half a block from her Upper East Side apartment when the Land Rover hit her. trib.al/egDcAHi
3
1
47
4,044
Replying to @0xabad1dea
Id just like to interject for a moment. What you're referring to as BusyBox, is in fact, bad firmware/BusyBox, or as I've recently taken to calling it, bad firmware + BusyBox. It is not an OS unto itself, but rather another free component of a somewhat functioning consumer router
3
48
Replying to @InfoSecHotSpot
I could tell you a UDP joke but you might not get it.
2
23
41
Who needs margins? Finally finished my slides for the presentation I'm giving to some engineers at the Google Stockholm office tomorrow (today). Will hopefully be educational and inspiring and get some people more interested in security (and #CTF ofc).
2
4
49
Preparing my move to Zürich. 100 days of learning German on Duolingo. It's pretty difficult but I am seeing a little progress at least. Join in you too: invite.duolingo.com/BDHTZTB5…
7
46
I just published my #BinaryNinja plugin for deobfuscating level 9, Evil, of the #flareon8 challenge: github.com/ZetaTwo/binja-exp…
3
10
47
I have been programming for over 20 years and yesterday I finally learned (the basics of) how makefiles work. :D Just like there's always a frontier of your knowledge to push forward there will also be gaps within the areas you "know" to fill in and improve.
1
47
Like many others, I'm very excited for #37C3. It does however seem like there will be no #CTF this time. We did some brainstorming in the CTF Discord and came up with the idea of a "CCC Potluck CTF". Please read about it and potentially contribute: forms.gle/FaPGE492s9rPzCGQ6
1
13
44
19,029
Replying to @gynvael
Give a 1h conference presentation where 15 minutes are about yourself, 15 minutes about basics of HTTP, 5 minutes about the bug itself and 20 minutes ranting about how everything is broken and that software developers are stupid. Last 5 min is about how much bounty you deserve.
1
44
Big update! We now host all Pwny Racing challenges on our servers so you can try your exploit against our systems. In this process, we rebuilt all challenges so you might need to adjust some offsets. Grab the updated challs from the freshly updated: pwny.racing/
1
16
44
Got my #FlareOn7 medal 🏅! Thanks again to @nickharbour and the rest of the @fireeye FLARE team for putting on a great #CTF event this year again. Looking forward to the next one. Happy new year to all reverse engineers out there!
2
41
Had a great weekend in Copenhagen playing the DefCon #CTF with @NorseCodeCTF. I blame @adamdoupe for making me reverse a network card for 24h+. Great job everyone! Thanks to @oooverflow for hosting and GG to all the teams. Would have loved to meet in person. Next year!
1
3
43
We have now opened applications for security engineer internships at Google in Zürich and Stockholm. Apply here: careers.google.com/jobs/resu… and careers.google.com/jobs/resu… if you have any questions my DMs are open but hurry up because the deadline is the 22nd.
2
8
41
I've never been a big reader so this year I challenged myself to read every day using @SimoneGiertz's Every Day Calendar and by the looks of it, I will succeed. In total I have managed to read 21 books with a few more started and I thought I would highlight some of my favourites:
2
2
45
Thanks a lot to @nickharbour and team for this year's #FlareOn11. Solid challenges overall. I especially enjoyed 5, 7 & 9. Looking forward to seeing solutions for 9. I feel like there are multiple things I could have done better but overall I learned a lot this year.
2
38
3,724
Our application window for security engineer interns will open very soon: careers.google.com/jobs/resu… apply and come spend some time in Zürich at an amazing workplace with fantastic colleagues. Reach out if you have any questions, and don't wait to get your application in!
3
41
4,983
Replying to @LiveOverflow
My lawyer has advised me to not answer this question. :P
2
39
4,452
Every disagreement is not drama. Showing emotions is not "cringe". Having opinions is not "bias". Words matter. Most things are not binary. Stop pretending to be mindless robots. It's neither true nor an ideal to strive for.
2
2
38
Yes sure but it's fun that you can manage to translate it using only words starting with V.
2
36
2,579
Interested in the security and privacy teams at Google? The 0x0G Lounge is returning in a virtual format this year. There will be talks, panels and a #CTF. For more details, and to register, visit goo.gle/0x0g21
9
42
I used @vector35 Binary Ninja to write a tool which automatically extracts the C2 configuration (servers, port, key) from GorillaBot samples: github.com/ZetaTwo/binja-exp…. Could be useful for its functionality or as an example of Binja scripting. #CTI
8
43
4,250
Really proud to have participated as part of the Swedish/Icelandic team. I led the web application sub team and it was great fun. I'm very impressed by my teammates and how we worked together on this.
#LockedShields2023 has concluded! This year was even more competitive than previous years. As organisers, we saw a big jump in quality within the Blue Teams. The most effective participants were the 🇸🇪-🇮🇸 joint team, followed by the 🇪🇪-🇺🇸 joint team and the 🇵🇱 team. Good job!
4
41
6,276
Om ni behöver hjälp med reverse engineering av kod i framtiden får ni gärna höra av er.
1
36
Replying to @edzitron
Black Mirror S04E02
2
34
I'll live stream some blind #CTF challenge solving later today at 18:00 CEST. Check it out: piped.video/watch?v=ngPTdKjv… This time I will try the "Hack AB" CTF by @KnowitSecure
1
12
40
I played the @1ns0mn1h4ck #CTF together with @TeamTasteless in Lausanne. We managed to get a 6th place and beat most of the other boomer teams so I'm pretty happy. Thanks for having me as a guest player and thanks for a great event! :D
4
43
4,764
This whole AI hype wave has become genuinely annoying. I mind it so mind-numbingly uninteresting and yet it's starting to get challenging to find contexts where it's extremely prevalent. AI in all products, AI in all discussions, AI jokes, AI companies AI, AI, AI. Leave me alone!
11
4
39
4,606
I made a video for the #MegaFavNumbers playlist about how a not so random number broke the security of the Playstation 3: piped.video/watch?v=j6yU9z8m… Check it out to learn a little bit about the security of the PS3 and elliptic curve cryptography.
3
14
40
The wait is soon over! Ep. 3 of Pwny Racing will go live on Sat April 13th at 15:00 UTC with @0xb0bb and me commentating our players @David3141593, @OwariDa, @jinmo123 and @maciekkotowicz trying to be the first to solve a pwnable challenge. Tune in: piped.video/watch?v=SD8m_35Q…
3
11
41
Exercising my rights and duties. Time to vote. Let's get rid of the nationalists. #FuckSD
3
1
34
Representing @HackingForSoju in Tunisia. The #CTF starts soon. Go me!
7
1
40
Finally finished #flareon8. I had a good early start but had to take a break and didn't pick it up again until this week. With the exception of 3 & 5 I liked most challenges although sad that 10 had a cheese solution. Challenge 9 was nice. Thanks @nickharbour, @mikesiko and team!
3
40
Replying to @MACHINEgg
Also, who tf wants to watch that? The personalities and small shenanigans is what elevates a decent match to a great viewing experience.
35
...and other hilarious jokes Germans tell themselves", out now in stores, on Amazon and Audible.
2
37
Replying to @LiveOverflow
I started by using separate strings: "str1.matches(str2)", set up a test program to measure time, played around with various examples of "evil regex" I found in blog posts and that one gave good results then combined them into one single string.
2
38
4,204
Siri, show me pain in one image.
2
1
36
Posted write-ups for the @Hacker0x01 #h1702 #CTF on my blog: zeta-two.com/ctf/2017/07/17/… Feel free to read and comment.
13
38
Just came home from giving a guest lecture at the Royal Institute of Technology (KTH), my alma mater here in Stockholm. I covered the basics of binary exploitation as part of the fairly new "Ethical Hacking" course (dislike the term, love the initiative). Seemed appreciated.
2
3
38
Replying to @MalwareTechBlog
You could make a browser extension that screenshots and saves their last tweet or the last interaction with you or something like that.
34
Time for the first live stream of the year. This time I will do some blind solves of some #CTF challenges from "The Nixu Challenge". Join me on YT today at 18:00 UTC: piped.video/um7J7aol0SM
1
4
39