Ethical hacker. CEO & Co-founder @Corridor. Prev @CISAgov @Stanford

San Francisco, CA
Today we're announcing @Corridor's $25M Series A led by @Felicis. More code will be written this year than ever before. At Corridor, securing AI coding at the source, enabling companies to their development without security being a blocker. 🧵
23
25
171
28,185
I reverse engineered @cluely – and their desktop source code exposes their entire system prompts and models used. What's inside? 🧵
178
476
8,530
2,700,365
Update: @cluely filed a DMCA takedown for my tweet about their system prompt, alleging that it contained "proprietary source code" Making legal threats against security researchers is not a good look, and I encourage Cluely to reflect on this and open doors to researchers. 🧵
I reverse engineered @cluely – and their desktop source code exposes their entire system prompts and models used. What's inside? 🧵
126
255
4,805
1,272,146
Q: Where did the Russian cybercriminal go? A: I don't know, they ransomware.
57
489
2,919
Hey @im_roy_lee, your employee @Kevining filed this request. As the CEO, I'd expect you to be on top of these things and take responsibility. Making legal threats is no joke. Here's the full takedown notice I received: gist.github.com/cablej/ff2a0…
we never filed this bro 😭😭
Community note
Cluely employee Kevin Grandon did, in fact, file this bro nitter.app/Kevining/statu
30
37
1,930
452,721
Cluely instructs the prompt to "NEVER mention the specific LLM providers", but we can see that Cluely uses GPT 4.1 (in most cases) and can also use Claude Sonnet 3.7.
7
16
1,011
190,164
It’s been an honor to work under @CISAKrebs to advance the state of election security. Election security is not political. Director Krebs should be commended for his nonpartisan approach to protecting democracy and ensuring a secure 2020 election.
11
91
770
Today, I'm excited to launch Ransomwhere, the open, crowdsourced ransomware payment tracker. Check out the site and contribute data at ransomwhe.re/ and follow @ransomwhere_ for updates. Thread on where I see this going:
19
345
745
The app also includes Cluely's 400+ line enterprise prompt – featuring examples about dolphins, conversations about Databricks, and chats with Palantir interns.
6
14
756
188,179
AI revolutionized coding. Security hasn't kept up–until now. Introducing @CorridorSecure: the future of secure coding. We just raised a $5.4M seed from @Conviction and hired @alexstamos. Corridor is trusted by leading companies like @cursor_ai–and we’re just getting started. 🧵
40
78
571
123,549
I've filed a counter notice to restore the tweets. Security research is essential to improving safety for everyone. @Cluely should choose transparency over animosity – and drop the legal threats that silence good-faith research.
9
8
476
39,920
Some news! I've now finished at Stanford and will be headed to Congress, via the TechCongress program. I'll be working full-time for a Congressional office on tech policy. Excited to dive into the world of policy!
📢 We are thrilled to announce our 2022 Fellows! They are cyber security experts, software engineers, and civic technologists seeking to make an impact on the Hill. techcongress.io/blog/announc…
46
19
404
Just finished 2x read-through of the new Executive Order. The EO can significantly shift not only how the federal gov treats cybersecurity, but also the state of security across industry and broader public sector. A thread on what I’m hoping to see from it. 🧵
6
108
373
I also privately disclosed 7 vulnerabilities to Cluely, which Cluely asked me to not disclose. Consistent with coordinated vulnerability disclosure best practices and in the interest of transparency, I plan to publicly disclose these vulnerabilities.
4
7
432
35,685
Cluely alleged that my tweets contained "proprietary source code". But: 1. This didn't require any circumvention. Every Cluely user at the time of my Tweet had a copy of the prompt on their computer (and it's still available at github.com/cluely/releases/r…)
6
8
407
46,705
New from @stanfordio: Clubhouse transmits user IDs and channel IDs in plaintext to Agora (a Chinese company), allowing a network adversary to see which users are talking to each other.
Replying to @stanfordio
(2) .@joinClubhouse user IDs (not their username — more like a unique serial number) are transmitted in plaintext over the internet, making them trivial to intercept. Chatroom IDs (again, more like serial number) also transmitted in plaintext. (3/8)
8
220
351
Cluely also attempts to silence security researchers through their bug bounty program, which states that researchers must "remove any public disclosure of vulnerabilities that put Cluely at risk as a condition of payment."
1
3
321
33,234
Excited to share that I joined @CISAgov this week as a Senior Technical Advisor! CISA’s mission has never been more important. Looking forward to working with the fantastic team at CISA to help ensure a safer digital future for all.
We’re delighted to welcome top cyber talent like senior technical advisor Jack Cable to the team! He believes that “as cyberattacks become increasingly common, CISA’s mission to reduce risk to critical infrastructure and to the Federal government has never been more important.”
20
20
262
71,800
With the launch of Stanford's bug bounty program today, I published "Getting Started in Bug Bounties" on Medium. Link: medium.com/@cablej/getting-s…. Thanks to @yaworsk for providing copies of Web Hacking 101 to Stanford students! #bugbounty
2
51
152
Can't wait to get started! Crazy how bug bounties can take you from no knowledge of security to a job at the Pentagon in a few years.
Excited to have @jackhcable come join the Rebel Alliance at DDS in just a couple weeks! Oh, and we are hiring for other talented hackers, engineers, designers, and product people 🇺🇸 chicagomag.com/city-life/Jun…
15
16
142
New blog post about bypassing payments using webhooks: lightningsecurity.io/blog/by… #bugbounty
3
72
132
Turns out the first bug bounty payment was made in 1836, when a sewerman discovered a hidden entrance to the Bank of England - “For his honesty, the Bank rewarded him with a gift of £800” bankofengland.co.uk/knowledg…
1
35
128
For the first time ever, Congress has included memory safety in a law, requiring the National Cyber Director to study memory safety in the government. The omnibus is expected to pass this week. Proud to have worked on this provision while in the Senate! appropriations.senate.gov/im…
2
27
120
50,802
REVil is now asking for $50 million (lower than previously reported $70 million). Quickly lowering prices makes me wonder if they're getting desperate.
6
46
116
Excited to share new research with Ian Gray, Ben Brown, Vlad Cuiujuclu and Damon McCoy. This is the first in-depth peer-reviewed research into the Conti leaks. We mapped over $80 million in new payments to Conti. Read the paper: arxiv.org/abs/2304.11681 Some takeaways 🧵
3
38
122
35,425
If anyone's dealing with the QLocker QNAP NAS ransomware, feel free to DM me. I can help recover data. #qlocker @QNAP_nas
54
36
118
How I compromised any Yahoo Flurry account: lightningsecurity.io/blog/pa…
5
55
119
Today, the nation's largest voting vendor released a vulnerability disclosure policy giving hackers authorization to test their systems. This is a great step towards transparency for election security. I hope that other vendors follow suit and welcome hackers with open arms. 🧵
2
34
113
I told Congress the story of how I got into hacking: winning the Hack the Air Force competition at 17, and helping start Stanford's bug bounty program as a freshman. While we've made progress, we need to do more to normalize security research. I called on Congress to reform the Computer Fraud and Abuse Act by exempting good-faith security research.
7
17
117
9,987
I recently finished my fellowship in the Senate via @congressfellows, working for the Homeland Security and Governmental Affairs Committee under Sen. Gary Peters. I had a fantastic experience working on cybersecurity and tech policy. Here's some of what I worked on: 🧵
2
27
105
I told Voatz about this flaw (hardcoded keys from stack overflow) in February via their bug bounty. They lied and told me the key was just used for demos and not any "election specific activity". Props to @trailofbits for releasing this report.
That Voatz had the audacity to paint researchers as malicious when they were using hardcoded encryption keys from a stack overflow answer to "protect" ballot receipts says everything you need to know about e-voting vendors. Closed source e-voting has no future.
3
46
100
Read this bipartisan letter from election officials charting a path forward for CISA to keep fighting disinformation about electoral processes. CISA has gained remarkable trust from election officials in a few years. Why? Election security is not political sos.state.co.us/pubs/newsRoo…
1
29
91
Security research is to everyone’s benefit and must be protected. Read the letter I signed with 70+ security experts urging the Supreme Court to adopt a narrow interpretation of the Computer Fraud and Abuse Act and disregard Voatz’s bad-faith brief: disclose.io/voatz-response-l…
44
103
Replying to @im_roy_lee
Hey @im_roy_lee, your employee @Kevining filed this request. As the CEO, I'd expect you to be on top of these things and take responsibility. Making legal threats is no joke. Here's the full takedown notice I received: gist.github.com/cablej/ff2a0…
1
102
14,608
Bug bounty tip: JavaScript files are a great way to gain insight into hidden/inaccessible functionality of a website, but minified files are a pain. Chrome reconstruct original source code files using source maps which makes reading code much more efficient.
4
23
99
Hey @im_roy_lee, your employee @Kevining filed this request. As the CEO, I'd expect you to be on top of these things and take responsibility. Making legal threats is no joke. Here's the full takedown notice I received: gist.github.com/cablej/ff2a0…
4
1
93
49,022
[Blogged] Don't Trust the Host Header for Sending Password Reset Emails - lightningsecurity.io/blog/ho…
4
37
92
Slides from my speech at @thotcon - Bug Bounty Methodologies in a Maturing Ecosystem - slideshare.net/JackCable1/bu… #thotcon #bugbounty
2
33
90
Honored to have been named to Time’s list of 25 most influential teens for 2018. time.com/5463721/most-influe…
4
7
81
New blog post: Exploiting and Protecting Against Race Conditions lightningsecurity.io/blog/ra… #bugbounty
51
73
Can you hack your university? A list of schools with bug bounty programs. github.com/cablej/hack-your-… #bugbounty
29
69
Update: it looks like this may have been fixed by the ransomware operators, unfortunately. I apologize if I was not able to get to yours before it was fixed. In total decrypted around 50 keys worth $27k.
29
8
66
Crossed the line of 5k rep on @Hacker0x01! Didn't realize programs accepted that many content injections.
4
75
Just to make it clear: - A vulnerability report is not a data breach - Credential stuffing is not a data breach Disclosing vulnerabilities is normal. Reporters, take note.
2
11
71
CISA’s vulnerability disclosure policy directive is live! Within 6 months we can expect every federal civilian executive agency to have a VDP. Major kudos to folks at @CISAgov who made this happen (@hmft_xyz)! cisa.gov/blog/2020/09/02/imp…
26
71
Open redirect filter bypass: 'example.com%23@whitelisted.com'. Encoded pound causes redirect to example.com.
3
14
60
After two incredible years, today is my last day at CISA. Immensely grateful to have been able to drive CISA's work on Secure by Design, spurring commitments from over 250 software manufacturers. My exit interview with @timstarks: cyberscoop.com/jack-cable-ci…
2
6
52
8,501
Thank you, Secretary Mayorkas! Glad to have had the opportunity to serve with @CISAgov, and I look forward to continuing to work to advance the state of cybersecurity across government and industry.
Great work by @jackhcable! From disrupting #ransomware schemes to working with @CISAgov to #Protect2020, you are a tremendous example of how even a single person can make a difference.
5
56
It’s wonderful to see coordinated vulnerability disclosure (CVD) and Software Bill of Materials (SBOM) right next to each other. These are efforts the security community has been working on advancing for years that we know are effective in using transparency to foster security.
2
5
49
Completed federal bug bounty trio with Hack the Air Force coin. Props to @Hacker0x01 + @DefenseDigital for organizing such awesome programs.
3
4
57
I was nominated for the @fedscoop "Disruptor of the Year" award for my work under @DefenseDigital @CISAgov! See the list of nominees and vote here: fedscoop.com/fedscoop50/vote…
7
7
54
See you in Vegas! I’ll be speaking at Black Hat and DEF CON this year: - Black Hat CISO Summit Tues Aug 6 - DEF CON Aviation Village Fri Aug 9 - DEF CON Voting Village Sat Aug 10
3
3
53
CISA has released a script to allow organizations to attempt recovery from the ESXiArgs ransomware attempt. Any PRs or issues are encouraged! Download the script here: github.com/cisagov/ESXiArgs-… Days like these make working in government worth it.
🚨We released an ESXiArgs ransomware recovery script on GitHub to allow organizations to attempt recovery of virtual machines affected by the ESXiArgs ransomware attacks: github.com/cisagov/ESXiArgs-… #StopRansomware
30
47
33,574
Stanford’s launching a bug bounty program! Open to all students and faculty, the program kicks off this Saturday. Join us Saturday at Lathrop 282 from 10am - 4pm for a launch hackathon. Details at bounty.stanford.edu. #bugbounty
6
12
51
Congrats to @jobertabma @michielprins being named to Inc. 30 under 30. Onward and upward for @Hacker0x01! inc.com/will-yakowicz/30-und…
1
5
51
First: CISA! @CISAgov is at a defining moment coming out of 2020 as a several years-old agency. The EO entrusts CISA with well-deserved responsibilities, and this will further elevate its role leading the charge to secure the federal gov and critical infrastructure.
1
2
44
One of the most impactful sections of the EO is sec 4 on supply chain security. The federal gov is the largest buyer of goods+services. Combined with the fact that software supply chains are exponential, gov action can have wide-ranging effects on software people use every day.
1
3
46
Thank you, Secretary LaRose! Honored to be able to share cybersecurity best practices with Ohio’s local election officials. I’m hopeful more states will follow Ohio’s lead and launch vulnerability disclosure policies this summer! (@NASSorg)
This 21-year old white hat hacker is changing the face of election cybersecurity. @jackhcable has done big things to boost our efforts, and I’m so appreciative he could share his ideas with our summer conference attendees. #VoteOhio
8
46
Voatz, the company that reported a student to the authorities for participating in a bug bounty, is now trying to damage security research at a national level. This cannot go unnoticed.
1
20
43
Introducing canidisclose.it, the largest directory for security contacts. Made for security researchers attempting to disclose vulnerabilities, the list contains over 2,000 organization contacts. Check it out: cybertransparency.org/disclo…
2
21
47
Six major voting vendors committed today under @ITISAC to launching vulnerability disclosure policies. I am happy to have helped advise these companies via IT-ISAC to reach this important milestone.
Replying to @ITISAC
Take a look at what the EI-SIG has accomplished over the past two years in this new white paper: bit.ly/EISIGPROGRESS
17
45
Voatz tried to fake a DHS CISA audit, presenting their summary as the real audit. Version 1, seen on @NBCNews, is presented as the official report and has CISA's logo. Version 2 (voatz.com/Hunt-Engagement-Su…) adds "Voatz prepared this Hunt Engagement Summary" and removes CISA's logo.
2
19
43
Capital One discovered the vulnerability thanks to a report on their VDP, which surfaced the past exploitation / data breach: “The configuration vulnerability was reported to us by an external security researcher through our Responsible Disclosure Program” press.capitalone.com/phoenix…
13
45
If the crypto scams were the worst of it, then the Twitter hack may have been a blessing in disguise. Let’s hope Twitter can learn from this and improve so this doesn’t happen in November by attackers who know what they’re doing this time around.
3
47
Michigan's voter records were not hacked. A Michigan voters file was posted on the site "raidforums" by user Gorka9. The file itself, available at anonfiles.com/BdG0y6E4o3/Mic…, contains only publicly available information from Michigan's qualified voter file. Thread:
1
21
37
If we want to go even further: the gov can fund development, maintenance, and security testing of crucial open source components.
2
5
42
Update: for those reaching out, it may be possible to recover QLocker keys if you have not shut down or rebooted your device. See QNAP’s statement here to install their malware remover tool. qnap.com/en-us/news/2021/res…
If anyone's dealing with the QLocker QNAP NAS ransomware, feel free to DM me. I can help recover data. #qlocker @QNAP_nas
4
18
36
It looks like REVil is no longer allowing new infections to pay ransom, whether intentionally or due to a bug. Submitting a previously unseen key now returns an error "Something wrong. Please try again in a few minutes". (generated a key on a VM at tria.ge/210705-amslxqt9ea/be…)
2
21
38
Excited to announce that I'll be speaking at @thotcon! First time giving a talk at a security conference.
4
3
47
Addendum: multi-factor authentication (MFA) and zero trust are big, if implemented correctly. In particular I'd love to see guidance on which forms of MFA are most secure and how agencies should implement it (read: security keys as most secure, authentication apps as baseline)
3
4
39
Unfortunate to see criticism when companies launch VDPs. VDPs are a crucial first step in increasing openness + transparency that every org should have. We need to encourage more companies to get involved, not push back.
3
4
40
This is huge news! First vulnerability disclosure policy I'm aware of that goes beyond web systems to anything publicly accessible such as "frequency-based communication, Internet of Things, industrial control systems". Kudos to @DC3VDP and @DefenseDigital for making this happen!
We are excited to announce that the @DeptofDefense VDP scope has been expanded to include ALL publicly accessible information systems. See something say something! Thanks to our friends at @DefenseDigital and @DoD_CIO for the support to make this happen. defense.gov/Explore/News/Art…
1
7
43
I’d view widely deployed open source software as a subset of the EO’s def of “critical software”. We can take a page from open source software: due to its transparency, we’ve seen the largest advances in supply chain security such as via package dependency auditing mechanisms.
1
5
35
Yesterday, security vendor Area 1 Security released a report covering supposed widespread phishing flaws that election administrators face. The story reached national news headlines. I take some issue with the contents of this report, outlined here:
1
18
42
DEF CON Black Badge: ✅ cc @CyberApplied @CryptoVillage
3
2
41
2,969
This election was overwhelmingly well-administered and secure. Proud to join other election security experts in signing this letter rebuking claims of election fraud and rigging.
Today, I joined 58 other election security experts to set the record straight on voting system vulnerabilities: the mere existence of flaws does not equate to a rigged election. nytimes.com/2020/11/16/busin…
1
3
34
Election systems fall under the Government Facilities Sector - see election infra subsector - cisa.gov/government-faciliti…
1
2
32
Hackers, come work with us at Krebs Stamos Group! 👇
Wanted: Security Researcher, Purple Team 🟣 An ideal candidate will have experience applying a range of offensive security tactics across a variety of operating systems while thinking with an adversary mindset. Is this you? Apply today! ks.group/careers
5
36
Blogged: LinkedIn AutoFill Exposes Visitor Name, Email to Third-Party Websites lightningsecurity.io/blog/li…
4
38
Excited to be presenting work @StanfordIO by @f00th0ld, @GSmaragdakis, and myself analyzing the ransomware payments ecosystem (based on $101M in payments from @ransomwhere_!) See agenda at cryptosymposium.org Read the preprint at arxiv.org/pdf/2205.05028.pdf. Some takeaways 👇
3
13
31
To further “early detection of vulnerabilities” in sec 7, in addition to the mentioned CDM efforts, CISA can more widely deploy Crossfeed to assess the public attack surface of federal agencies. A refresher on Crossfeed: nitter.app/jackhcable/status/1384…
1
2
31
A sign of the times: a significant number of articles on electiontruth[.]net, a new Russian Internet Research Agency-linked site, are copied straight from right-wing sites like the Gateway Pundit and Fox News. No need to create new content when Americans will write it for you.
1
11
35
In Singapore for #h165. Can’t wait to see everyone, explore the city, and hack!
1
35
ESXiArgs actors appear to be reinfecting servers with more dangerous malware. Upgrade and/or disconnect ESXi servers immediately if you have not already done so.
Based on Shodan data, Ransomwhere has observed 894 IP addresses displaying the new ESXiArgs ransom note. Only 85 of these IP addresses appear to be new, meaning that the remaining 809 are reinfections -- and may now be unable to recover files. bleepingcomputer.com/news/se…
18
31
13,704
The administration of this election has been an overwhelming success. Thank an election official for a smooth election, and be careful not to spread false claims like these.
False claims have been circulating that Dominion Voting Systems is responsible for widespread election errors. There is no evidence to support these claims, which use isolated incidents to allege malfeasance. Voting across the country remains a secure and auditable process. (1/5)
6
31
Commerce and NIST should take a page from CISA’s Binding Operational Directive 20-01 for how to correctly frame VDPs. In essence, they must be open to anyone, offer a legal safe harbor, and not restrict disclosure beyond a set timeframe. For more: piped.video/watch?v=_SJ8Am0j…
1
4
26
I had missed this, but putting security contact details in a DNS record is a great idea. Every organization should have a public security contact point, and making it machine readable makes it even easier to surface.
.@YoSignals and I had an idea to make security reporting/disclosure contact and policy details more accessible, more authoritative, and easier to maintain: dnssecuritytxt.org @dnssecuritytxt - open for comments! #foss #vulnerabilitydisclosure #bugbounty #github
3
9
35