Documentary photographer, old creaky hacker. Co-author of @OWASP ASVS standard. Blackhat/Brucon Review Board & Co-chair UK Gov Cyber Security Advisory Board

Airport lounges.
The mob ain’t got nothing on the printer cartels
Some journalists wait an entire career just to get a headline as good as this
To this day, the most frustrating and stupidest thing mobile device manufacturers have done is remove this from their devices to push inferior Bluetooth headphones
In 1999, a chap called Chris Sawyer wrote a wild game using nothing but Assembly language. The game, Rollercoaster Tycoon, was super addictive, but 99% of the code in assembly? That’s pretty hardcore, right?
If you’ve used @letsencrypt to make use of trivially easy free and open certificate authorities, then you owe a huge amount of gratitude to Peter Eckersley who sadly just left us. Thank you Peter and RIP
There isn't a cybersecurity/IT skills shortage. There is a shortage of modern interview skills. We rely too much on outdated whiteboard tests, questions to trick candidates, unnecessary pressure, and lengthy processes.
Bugs happen, but it's rare you see a bug that grabs you so hard and makes you nod like a little dog. CVE-2023-44487 did that for me. Good god, what a bug, and here's why
If 41 lines of code can bypass the authentication process on the administrative interface of FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager (FSWM) on-premise management instances, then something is very wrong. This is not acceptable @Fortinet
If your commercial app can be owned with this one simple line, then you deserve all the hate. @PaloAltoNtwks this is just... wow, I'm lost for words here.
The Sun truly is a despicable rag and recent events have shown how we have to cut off their revenue supply. Many say block the sun, but how? I've mapped out their entire footprint on the web so you can easily import and block it via your hosts file or firewall. #TheScum
Decades of UNIX and Linux use have taught me to love the terminal more than any other app out there. If there's one thing I'd recommend any newcomer learn, it's how to tame the command line.
Slack, used by millions and millions for mission-critical design chats, DevOps, security, mergers and acquisitions, hell, the list is endless. The flaws found by this researcher result in the execution of arbitrary commands on the user's computer. The TL;DR is wow
The icebreaker FPGA kit is one I've been waiting for since last year and this is why. This is @esden showing off his amazing creation
NFTs explained
The truth of this hurts so much #Banksy
Ever wondered what lies beneath that cool looking chip on your bank card? What does it do? Why is it there? Well here's a little pointless thread that delves into the magic using my @monzo card as an example
Well that’s an interesting p0c teddit.net/r/3Dprinting/comm…
The nerd in me loves seeing signs that are unhappy
A brutally honest depiction of this industry
Something tells me this street is going to be rather popular today.... #Banksy
Buckle up kids, dad's gonna show you what a REAL UNIX box looks like... Xmas is gonna be wild in this house I tell you.
Excel won’t be the same.
Teams, I can't be the only one saying this, but WTAF???
hey @1Password & @LastPass here's an idea: I will give you extra money, on top of the money I give you every month, to use a U2F/FIDO token to access my password manager instead of a master password. I'm sure I'm not alone here.
This just blows my mind. From a chip encased in silicon, stripping each layer away until you see the ROM and then using 50x magnification you can see the binary 0s and 1s. @akacastor this is nerd pr0n and a half
LastPass attack chain via home media centre of senior dev. Sssh, can you hear that? That’s the sound of a shitload of threat models being redone.
I've tried to keep this bottled up, but seeing as we've a whole wave of new people to our industry, maybe it's time to help rather than stand silent. 0hday/Zeroday/0-day exploits should be the least of your worry. Adversaries mostly won't be using them*
This is worrying. NSO Group has a full zero-click zero-day iMessage exploit chain that can install the Pegasus spyware on the latest version of iOS at the time of writing (14.6). Not the first time iOS has struggled with messaging.
I've agonised for days over this and chatting to my wife has made me realise it's not good to keep quiet, especially given my personal experience. This will be a long and ugly thread I'm afraid about the exploitation of children by those who should know better.
I lol’d
Never change LinkedIn.
3 years ago I replaced my wife's MacBook with a Pixelbook. It was mostly done for security reasons, for she is the CFO and controls all. Was the best damn decision I've ever made, security-wise. She can click shit all day long because @Google have made a bloody good OS
I'm going on a web app security rant, so bear with me. 23 years ago OWASP was formed and it tried to help the web application space and those building apps to do so in a secure way. Session management was one of them. If you had a token, in a header/cookie, make it secure
Aaah yes, we've been here before.
I do apologise for the language but just f*** off now with this bullshit. We've had enough of threat intel firms/ambulance chasers telling us how the dark web was the hotbed of all criminality, and now this? GTFO
The kids are gonna be ok. Also very cool to see MAC address randomisation making life hard for all.
I just...
When you need to access the CANbus but a vendor has installed next-gen AI driven security controls to thwart attacks
I was intrigued about how Alexa listened, the potential for false positives and what was recorded. This was done over Xmas and the results leave me with more questions.
Laptop on tube. With RSA token on lanyard. With full company ID and name. Numerous stickies on desktop with IPs and passwords. No matter what new products come out to protect, fixing fundamental human stupidity issues is a killer
"and was scanned with the free version of Malwarebytes, which reported no findings" hmmm.... blog.1password.com/files/okt…
One hour spent setting up father-in-law's devices to use 2FA, password managers and passphrases. My god, we don't make this an easy journey at all. If I struggled with the quirks, how can we expect anyone else to be at ease?
If you are an EDR vendor right now and thinking of sending out an email trying to pitch your solution, you truly need to rethink your life choices.
Ransomware with a heart. Credit where credit due. Thanks @v1ad_o
What is very clear to me, at least, from this Conti leak is that we need to seriously stop with Active Directory now. We pretend we know how to do it but the fact is, it continues to be that pig with lipstick on that no one can secure and attackers find so easy to own
I guess IBM or a contractor forgot to wipe this Solaris workstation back in 2002. There’s a load of IBM hosts listed from the early days of the web
I get angry when people in tech don't know the cloud. IT'S SO EASY right???
I know it’s fashionable to hate on Meta at any given chance but respect is due to how they are handling the layoffs.
This isn’t getting as much exposure as it should. What is being proposed is incredibly dangerous and is a direct attack against the free press. The Official Secrets Act has a place but classifying journalists as spies to stem whistleblowing theguardian.com/commentisfre…
Post a pic YOU took, use no description, and bring some Zen to the timeline.
That's it, hacking just went level 11 #BHUSA
I have 0 CVEs. I've found many many bugs, but I don't need a CVE to prove anything. If you seemingly think a CVE makes you l337, you need to rethink.
This is not normal... 33% of all home Internet traffic shouldn't be ad/tracking networks.
As far as supply chain backdoors go, this is Prada level of design and style.
wild stuff re: xz/liblzma backdoor news.ycombinator.com/item?id…
Worst statement ever “To date, we’ve seen no evidence that this vulnerability has been exploited” Stop using it. It means nothing. There is no all-seeing eye that could possibly give you such insights.
Finally got my cheatkards and I do like them. Well designed and packaged
WhatsApp: Pfft, RCE via a missed call, check me out!
Microsoft: Whateva!! Hold my craft beer, RDP RCE baby!
Linux: oh, you two are so cute.. RCE <5.0.3 kernel. Hah, keep up
A rather ugly day for the web
Old security vocabulary: No, can't, control, stop, force, remove, disrupt, destroy, block, denied
New security vocabulary: "let me see if I can get it to work securely", "sure, I'll help", openness, willingness, embracing change
Old security needs to retire.
Great feature in Android 12: permissions removed if app is unused for a few months.
I bet if you are of a certain age, you just made the noise in your head….
There is nothing more enjoyable than seeing a pentest happen where testers are part of the sprint: test > defect > confirm > JIRA defect > assigned to dev > fix produced/pushed > sent back to tester > JIRA closed. This is how it should be done. No to reports. Reports must die
Well, take Ghidra, Obsidian and a few other tools and watch as Nathan talks you through how you’d go about RE’ing this classic 90s game piped.video/r9gRk-Px7l4?si=KC7N…
Beautiful writeup about the recent Linux p0c backdoor that possibly owned a lot of people in the process
Watching how Zelensky is leading by example has made me yearn for more modern, younger leaders elsewhere and not shrivelled sacks of custard like we currently have.
My concern right now around the security industry is that we are seemingly seeing more layoffs, less investment into security teams and yet breaches going harder than ever before. It's a worrying trend, NGL
For all that effort, they got awarded $1750. Seventeen hundred and FIFTY bucks. @SlackHQ firstly the flaws are a rather large concern, I mean validation is hard but come on, then pay properly, please. Because this would be worth much more on exploit.in
CVE-2024-26026 Excuse the French but truly you can f*** off now. SQL INJECTION IN 2024???
Having lived through the first dot-com, the "firewalls will stop it", the "we've a WAF!!", the "do you even next-gen EDR bro?" and now the "AI fixes all", I think this is a bit optimistic
The optics here for @arm are not good at all. This is bullying behaviour and given how much Azeria has done to highlight arm security and research, a poor look for arm.
Update: my blog azeria-labs.com is currently blocked due to the C&D. It’ll (hopefully) be back up once this has been resolved and I transferred all my arm related domains to @Arm. Though I am upset about the impatience despite my willingness to cooperate.
I requested all the data Apple had on me since the dawn of time, which goes back to 2008 with my original iPhone 1. There is such a vast amount of data here to comb through that this will be fascinating, to me at least. Even the bloody U2 album is listed!
When you filter the noise, Twitter can be utterly brilliant sometimes.
<insert profanity here>. How simple minds can be influenced by men and fantasy books from the dark ages
It never ceases to amaze me how fellow business people look down upon you for wearing a black t-shirt and jeans and daring to stand in group 1 line. Like a poorly fitted suit jacket and awful brogues maketh the person. So cute
The Internet never fails to make me smile. Apple M1 benchmark comes out macrumors.com/2020/11/15/m1-…, person decides they need hard facts as they aren't convinced, original designer of the UltraSPARC V reorder unit responds.
Hang on a minute @Fortinet I’ve a few questions here about this #Fortinet
Oh good. Shit, we had backdoors, but hey, OOPS, we removed them, it's all ok.
One wonders why so many extremists use the car to create their content? Has their family had enough?
Anti-mask activist claims M&M’s packaging is “blasphemy” and is an attempt to “lead you down the road to Hell.”
Unpopular opinion: you will not buy your way into being secure. No matter what any vendor says or promises, throwing money at a solution rarely gives the results you think. Invest in people. Invest in engineering and build build build.
After spending 8 hours reverse engineering JavaScript, I've come to the conclusion that it is indeed the work of the devil and those who use it and enjoy it are somewhat special and disturbed
Friend gave us a phenomenal ATM skimmer found in Old Street. We are now tearing it apart and looking at the structure #atmfraud
Infosec: our redteam will use multi-stage payloads with TLS 1.3 and heavy obfuscation to steal the cash using anonymous relays all over.
Criminals: shut it nerd, crowbar and Vinny nytimes.com/2019/12/02/nyreg…
Thanks @lisetteguittard
I’m a solid Maltego fan, for obvious reasons, but competitor is good and @pdp is smashing it with his sec apps suite. This looks amazing #paint secapps.com/market/recon
As a father and a hacker, I’m doing all I can to disrupt and destroy tracking techniques used by all to collect data on us as a family. We need stronger protection for all, not just our kids. Online marketing needs controlling
🚨 A shocking ~72 MILLION digital data points will be collected by companies on each child by the age of 13. 🚨 This can be sold to marketers who can target and attract each child. 👉 We need stronger national protections for kids. Full report: bit.ly/38TDdko #auspol
Decades of networking experience and I'm still using a cheatsheet for tcpdump and nmap
Impressive @twitter. Generating a phrases-based password when a user creates a new account. Well done!
Still blows me away today. Birds aren't real but I wonder if the global chip shortage has impacted them too? #birdsarentreal
Spare a thought for your IT/Network admins desperately trying to make remote working work using clunky VPN tech from the 90s. If only we had all embraced new ways of working sooner, instead of forcing people to use on-prem/physical networking #remoteworking
7 days solid of log4j and I've decided a break is needed... as such, watching a show about Maine people restoring cabins in Maine. Tech sucks, I'm moving to Maine to live in a cabin.
I too am over the "don't use public wifi" brigade. Often the advice is from tests done over a decade ago, so it's good to see someone actually testing how modern devices behave when interception is happening.
Can anyone tell me why the public WiFi with an attacker in it is unsafe? I can read all the targets’ traffic metadata but I can’t read their traffic. Anybody? The ASD say it’s not safe but I’m not really sure why….. If you can show me an attack that will do something, let me know, I’ll run it here now!
Evolution of the web.
Good god this is nothing short of perfection.
Count Binface’s manifesto is actually pretty good. Ceefax was amazing
An interesting new feature found in @Apple’s latest privacy and security report is that of Link Tracking Protection and I’ve not stopped thinking about this
Please stop doing pentests for customers in the clear from the Blackhat network @Grifter801
Everyone right now.
Exfil via DNS isn’t new but I do respect what @TheContractorio & @DeathsPirate have found here with regards to subtle new ways to move data out of networks thecontractor.io/data-bounci…