Security Engineer @ XTX. MSc in eng. physics & CompSci, dev & gamer. ❤️ music & long distance running. Wanna do a PhD sometime. Same U/N on all other sites
Waking up to a lot of bad takes on QR codes. QR codes are meant to be scanned, just as links are meant to be clicked. If your security posture requires these two things to not happen you have already lost. Blaming the user here is Dunning-Kruger riddled infosec posing.
My colleague recently reminded me that Python executes zip files which of course extends to other zip-based formats and lets you do things like this.
ALT A terminal screenshot with the following code: $ echo 'print("HELLO WORD!")' > __main__.py $ zip my-document.docx __main__.py $ (echo '#!/usr/bin/env python3'; cat my-document.docx) > legit.docx $ ./legit.docx HELLO WORD! $ # legit.docx still opens in Word but with a warning
Generally agree with the caveat that people open source things for very different reasons and "making it easy for others to use the code" may or may not be a motivation.
Nice. We sometimes used VVVVVV at university for the Swedish "Vilket Var Vad Vi Ville Visa", roughly "Which was what we wanted to show". Guess the kids nowadays have a bit more sass.
Got some fantastic personal news to kick off the weekend. Thrilled to announce that in August I will join Google in the offensive security team in Zürich. Really excited about what this new chapter will bring.
Stop suggesting input validation as a fix for XSS. You handle it by context aware escaping when outputting, not by trying to prevent double quotes in your input.
Started the audiobook recently. It's really good. Among my favorite part so far:
- They're trying to kill me
- No one's trying to kill you
- Then why are they shooting at me?
- They're shooting at everyone, They're trying to kill everyone.
- And what difference does that make?
Come join us in the Google red team! We have a position open in NYC: google.com/about/careers/app… The team is fantastic and the work is really cool. Message me if you have questions about the role but if you are interested please don't wait to get your application in.
I hate the self-deprecating personality in tech: the "I have no idea what I'm doing, I just copy-paste from SO until it works" crowd. Stop devaluing your own work and take some pride in your skills. Not only are you hurting yourself but also misrepresenting the field to beginners
I appreciate having a professional like you pointing subtle details like this out. I layman like me might have missed it otherwise. Really adds that extra depth to the viewing experience.
Yeah, call me old fashioned but I believe that to be good at security you should first learn the thing you are trying to secure. Appsec: learn how to build software. Netsec: learn how to configure a network, etc
There's some shady criminal on the loose in Zürich. Luckily I have been able to obtain some pictures of the suspect who is known to have been involved in several cyber attacks.
That's a wrap for the qualification round of the Google #CTF Hackceler8. Four matches completed with four teams moving on to the finals next weekend. Had a great time doing video production and even commentating one match. Congrats to all the teams and good luck to the finalists!
ALT My video production setup for Hackceler8 showing 4 screens with video screens and chat.
After a bit more than four amazing years in the Google red team, and almost three years in Switzerland, the time has come to move on to the next thing. At the end of October, with a mix of fear and excitement I'll move to London.
But first I'll help org Hackceler8 one last time!
This shit is absolutely gross. Just the other week I helped a colleague who suspected her ex of spying on her. Fuck this paper for helping these less than humans with this.
Are there any initiatives out there who could use some help from a reverse engineer maybe?
Less than two hours until #GoogleCTF starts. Good luck to everyone participating! Make sure to check out my reversing #CTF challenge which I will not apologize for. :)
In July I joined the Offensive Security team at Google and it has been a great experience. The red team work is challenging and fun and the team is awesome but even better, we are looking for more. Check these:
Zurich: goo.gle/3qWz71m
Sunnyvale: goo.gle/3dI0XdS
Them: Noooo! You can't just use an SMT solver for this cryptography problem. You have to fully understand the non-linear transformations over finite fields and the subtleties of working with GF(2)! Nooooo!
Me: haha, Z3 goes brrrrrr
Yesterday I handed in my notice at work. This means that I'm now openly looking for a new job. I would love to work with something related to reverse engineering, malware and/or vuln research. Willing to relocate. Open for remote. DMs are open.
If you play #CTF, which you definitely should at least try a couple of times, don't limit yourself to a single category. Try to push yourself to at least a "medium" level of proficiency in several or most of them. This will make competitions more fun and you will learn a lot.
So, anyone else experiencing this thing in security where if you try to google technical details on a topic all you find is the same 5 basic concepts copy-pasted in 100 beginner guides and blog posts?
My x-mas gift to you: The last Pwny Racing episode of the year will air on Saturday 14:00 UTC live from #36C3 Set a reminder: piped.video/watch?v=egCvtOGS… and watch the #CTF action as @_LarsH and I guide you while our participants: @0xbadcafe1, @nSinusR, @_niklasb and @phLaul compete!
I love #CTF. I think it's great for entertainment and education. I have played countless of them and learned so much from them. That's why it really hurts to admit that #CTF are currently suffering from quality issues. The density of poor challenges is just too high ATM.
For the past few years I've been using a great fiverr artist to create some artwork for work. Unfortunately they have been MIA for 2+ months now and I realise that I probably need redundancy. I'm looking for a cartoon artist with similar style.
(Suggest AI = get instant block)
ALT A cartoon astronaut in a red space suit holding a camera facing the viewer and the flash going off on the camera.
Every chapter has a beginning and an end. Today I'm working my last day at @KRYcare. Thanks for three great years with fantastic colleagues and exciting challenges. ❤️ Good luck in all the future work. Now I will enjoy some time off before starting at Google in Zürich in August.
Ok, we are doing this. Look what happens when you have crazy ideas at #35c3 I invite you to watch our 1st ed. of "pwny race" (name pending). Tune in to our stream: piped.video/watch?v=L_ZqbkCQ… on Feb 9 to see some #CTF pwnable racing with 4 excellent players and my co-host @picklepwns
ALT Pwny race - alpha test session - Saturday Feb 9th 15:00 UTC
Another day, another garbage take from a bug bounty hunter. This is what makes the field look bad. Stop the gatekeeping BS and go back to running ffuf and retweeting SQL injection tricks. #CTF is one of many forms of hacking, a great way to learn & research and a lovely community
25 minutes to Stockholm Marathon. I'm out of shape and got food poisoning yesterday so it's going to be rough. Will have to dig deep into the experience of those 13 previous finishes. Bib number 10004 if anyone wants to follow results.
Tomorrow we will open the application window for security interns at Google in Europe next summer. You can read more about the position, requirements and process here: google.com/about/careers/app… If you have any questions, don't hesitate to reach out. Come spend the summer with us!
We raised $100k for Alzheimerfonden! Thanks @esamarathon for a fantastic week! So fun to meet so many great people (and this robot). See you all at the next one!
ALT Selfie of me in a TASBot t-shirt holding the actual TASBot
Jason is 100% spot on. Additionally, many of these budgets are ridiculously low. I spent high school churning out websites for $250-$1000 that simply wouldn't be possible with any other solution (that I've seen).
The Numberphile podcast is one of very few podcasts I listen to. The episodes are always great but this latest one was fantastic. Really interesting to hear about Tadashi's philosophy on things. Strong recommendation even if you are not that into mathematics.
By popular demand, here's a podcast interview with Tadashi Tokieda...
It's pretty fascinating!
numberphile.com/videos/tadas…
(also on podcast players - search Numberphile Podcast)
Helped a friend to repair a device yesterday. The first 32 bytes of the EEPROM had broken down so I extracted the firmware, binary patched it to add a small offset on all EEPROM accesses and wrote it back together with updated EEPROM contents and it worked perfectly. Quite proud!
We played the DefCon #CTF qualifiers this weekend with the Scandinavian collaboration team @NorseCodeCTF and thanks to heroic efforts by the team we managed to qualify to the finals for a second time.
It was in the darkest hour and everything seemed desperate. The warriors of the north were on the verge of defeat. Hope was all but lost. They let out a mighty battle cry for a final charge and as if guided by Odin himself, seized not one, but two flags to triumph in the battle!
It looked really bleak for the warriors of the north but the taste for flags eventually set in and the hackers, fueled by shellcode and a desire for privescs, began their frenzy slaying challenge after challenge. In the end they stood triumphant as one of the qualifying teams.
Anyone else using their knuckles as a reminder of which months have 31 days vs which have 30/28? It's one of few "life hacks" I actually have found useful.
Another variant which doesn't cause any warnings at all:
ALT A terminal screenshot with the following code: $ echo 'print("HELLO JAVA!")' > __main__.py $ zip my-java-program.jar __main__.py $ (echo '#!/usr/bin/env python3'; cat my-java-program.jar) > legit.jar $ ./legit.jar HELLO JAVA! $ java -jar legit.jar # Still works
I had a blast hosting @livectf together with our great team. Sure it was a bit stressful and an emotional rollercoaster but the reactions have been positive. I might write more later but for now I'll settle for posting this masterpiece by the genius @zaratec4
Speaking to one of the best vuln researchers I know. His exploit server is not working. Spend 30 min trying to help troubleshooting over Signal messages. Nothing makes sense, start to believe we hit some kind of Python bug...
...his server was listening on the wrong port.
Almost euphoric right now. Despite the conditions (weather was perfect though) I performed my best marathon in many years. 13th Stockholm marathon finish (14th marathon total) in the bag. #stockholmmarathon
As a person in tech, a good way to guarantee that you will be made obsolete is to attach your whole identity to a specific language or technology.
Become an expert at things but make sure to stay diverse and keep learning things and constantly evolve.
The line-up for the second episode of the Pwny Racing (piped.video/watch?v=411Biewf…) will be: borysp, hpmv, je and vos who will be fighting to be the first one to solve the pwnable challenge created by my amazing co-commentator @0xb0bb. Mark March 9th 15:00 UTC in your calendars!
Sophia was a brilliant security researcher and a wonderful teammate when I was in HFS. I fondly remember tag-teaming on RE problems with her but also conversations about life, politics, religion and everything between.
She will be greatly missed.
Id just like to interject for a moment. What you're referring to as BusyBox, is in fact, bad firmware/BusyBox, or as I've recently taken to calling it, bad firmware + BusyBox. It is not an OS unto itself, but rather another free component of a somewhat functioning consumer router
Who needs margins? Finally finished my slides for the presentation I'm giving to some engineers at the Google Stockholm office tomorrow (today). Will hopefully be educational and inspiring and get some people more interested in security (and #CTF ofc).
ALT From Overflow to Shell - An Introduction to low-level exploitation
Preparing my move to Zürich. 100 days of learning German on Duolingo. It's pretty difficult but I am seeing a little progress at least.
Join in you too: invite.duolingo.com/BDHTZTB5…
I have been programming for over 20 years and yesterday I finally learned (the basics of) how makefiles work. :D Just like there's always a frontier of your knowledge to push forward there will also be gaps within the areas you "know" to fill in and improve.
Like many others, I'm very excited for #37C3. It does however seem like there will be no #CTF this time. We did some brainstorming in the CTF Discord and came up with the idea of a "CCC Potluck CTF". Please read about it and potentially contribute: forms.gle/FaPGE492s9rPzCGQ6
Give a 1h conference presentation where 15 minutes are about yourself, 15 minutes about basics of HTTP, 5 minutes about the bug itself and 20 minutes ranting about how everything is broken and that software developers are stupid. Last 5 min is about how much bounty you deserve.
Big update! We now host all Pwny Racing challenges on our servers so you can try your exploit against our systems. In this process, we rebuilt all challenges so you might need to adjust some offsets. Grab the updated challs from the freshly updated: pwny.racing/
Got my #FlareOn7 medal 🏅! Thanks again to @nickharbour and the rest of the @fireeye FLARE team for putting on a great #CTF event this year again. Looking forward to the next one. Happy new year to all reverse engineers out there!
Had a great weekend in Copenhagen playing the DefCon #CTF with @NorseCodeCTF. I blame @adamdoupe for making me reverse a network card for 24h+. Great job everyone! Thanks to @oooverflow for hosting and GG to all the teams. Would have loved to meet in person. Next year!
We have now opened applications for security engineer internships at Google in Zürich and Stockholm. Apply here: careers.google.com/jobs/resu… and careers.google.com/jobs/resu… if you have any questions my DMs are open but hurry up because the deadline is the 22nd.
I've never been a big reader so this year I challenged myself to read every day using @SimoneGiertz's Every Day Calendar and by the looks of it, I will succeed. In total I have managed to read 21 books with a few more started and I thought I would highlight some of my favourites:
ALT The Every Day Calendar almost completely filled
Thanks a lot to @nickharbour and team for this year's #FlareOn11. Solid challenges overall. I especially enjoyed 5, 7 & 9. Looking forward to seeing solutions for 9. I feel like there are multiple things I could have done better but overall I learned a lot this year.
ALT A screenshot from the FlareOn challenge website showing my solve times for each challenge. The first five were done in a day. Three more were done after three days. The ninth challenge took almost a week and then the last one a few hours.
Our application window for security engineer interns will open very soon: careers.google.com/jobs/resu… apply and come spend some time in Zürich at an amazing workplace with fantastic colleagues. Reach out if you have any questions, and don't wait to get your application in!
Every disagreement is not drama. Showing emotions is not "cringe". Having opinions is not "bias". Words matter. Most things are not binary. Stop pretending to be mindless robots. It's neither true nor an ideal to strive for.
Interested in the security and privacy teams at Google? The 0x0G Lounge is returning in a virtual format this year. There will be talks, panels and a #CTF. For more details, and to register, visit goo.gle/0x0g21
I used @vector35 Binary Ninja to write a tool which automatically extracts the C2 configuration (servers, port, key) from GorillaBot samples: github.com/ZetaTwo/binja-exp…. Could be useful for its functionality or as an example of Binja scripting. #CTI
Really proud to have participated as part of the Swedish/Icelandic team. I led the web application sub team and it was great fun. I'm very impressed by my teammates and how we worked together on this.
#LockedShields2023 has concluded! This year was even more competitive than previous years. As organisers, we saw a big jump in quality within the Blue Teams.
The most effective participants were the 🇸🇪-🇮🇸 joint team, followed by the 🇪🇪-🇺🇸 joint team and the 🇵🇱 team. Good job!
I played the @1ns0mn1h4ck#CTF together with @TeamTasteless in Lausanne. We managed to get a 6th place and beat most of the other boomer teams so I'm pretty happy. Thanks for having me as a guest player and thanks for a great event! :D
ALT Scoreboard from the Insomnihack 2023 CTF showing Tasteless in 6th place
This whole AI hype wave has become genuinely annoying. I mind it so mind-numbingly uninteresting and yet it's starting to get challenging to find contexts where it's extremely prevalent. AI in all products, AI in all discussions, AI jokes, AI companies AI, AI, AI. Leave me alone!
I made a video for the #MegaFavNumbers playlist about how a not so random number broke the security of the Playstation 3: piped.video/watch?v=j6yU9z8m… Check it out to learn a little bit about the security of the PS3 and elliptic curve cryptography.
Finally finished #flareon8. I had a good early start but had to take a break and didn't pick it up again until this week. With the exception of 3 & 5 I liked most challenges although sad that 10 had a cheese solution. Challenge 9 was nice. Thanks @nickharbour, @mikesiko and team!
ALT Screenshot from the FlareOn8 website with a congratulations for solving this years challenge.
I started by using separate strings: "str1.matches(str2)", set up a test program to measure time, played around with various examples of "evil regex" I found in blog posts and that one gave good results then combined them into one single string.
Just came home from giving a guest lecture at the Royal Institute of Technology (KTH), my alma mater here in Stockholm. I covered the basics of binary exploitation as part of the fairly new "Ethical Hacking" course (dislike the term, love the initiative). Seemed appreciated.
Time for the first live stream of the year. This time I will do some blind solves of some #CTF challenges from "The Nixu Challenge". Join me on YT today at 18:00 UTC: piped.video/um7J7aol0SM