As an engineer, I ❤️ clever engineering.
Ruby on Rails relies on signed sessions (AES GCM). They are secure, but there is a catch: you cannot invalidate them early. You have to wait for expiry. Workarounds exist, like caching sessions you want to kill, but nothing universal.
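The workaround mentioned above (cache the sessions you want to kill) as an added, self-contained Ruby example; this is not Rails' code, only a constructed stand-in that seals a session with AES-256-GCM and then refuses a revoked session even though the cookie itself is still cryptographically valid. The `sid`, `exp` and `TTL` names and the `--` joiner are assumptions of this example.

```ruby
require 'openssl'
require 'securerandom'
require 'json'
# Constructed stand-in for a Rails-style encrypted cookie session (AES-256-GCM). Not Rails'
# own code: it only reproduces the property the post describes, that a sealed cookie stays
# valid until its embedded expiry, whatever the server has decided since.
class CookieSession
  TTL = 3600 # seconds; assumed session lifetime
  def initialize(key); @key = key; end # key: 32 random bytes
  # Seal a session hash into an opaque cookie; a random sid is embedded so the
  # server can refer to this exact session later.
  def seal(data, now: Time.now.to_i)
    payload = data.merge('sid' => SecureRandom.hex(16), 'exp' => now + TTL)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = @key
    iv = c.random_iv
    ct = c.update(JSON.generate(payload)) + c.final
    [iv, ct, c.auth_tag].map { |b| [b].pack('m0') }.join('--')
  end
  # Open a cookie; nil on tampering, malformed input or expiry.
  def unseal(cookie, now: Time.now.to_i)
    iv, ct, tag = cookie.split('--').map { |b| b.unpack1('m0') }
    c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    c.key = @key
    c.iv = iv
    c.auth_tag = tag
    payload = JSON.parse(c.update(ct) + c.final)
    payload['exp'] > now ? payload : nil
  rescue StandardError # bad base64, wrong tag, missing parts
    nil
  end
end
# The workaround from the post: remember the sids you want dead, but only until the
# cookie would have expired anyway, so the list stays bounded.
class RevocationList
  def initialize; @dead = {}; end
  def revoke(sid, exp); @dead[sid] = exp; end
  def revoked?(sid, now: Time.now.to_i)
    @dead.delete_if { |_, exp| exp <= now } # entries past expiry no longer matter
    @dead.key?(sid)
  end
end
# Server-side check: a cryptographically valid cookie is not enough; consult the list too.
def load_session(store, list, cookie, now: Time.now.to_i)
  payload = store.unseal(cookie, now: now)
  return nil if payload.nil? || list.revoked?(payload['sid'], now: now)
  payload
end
```

In a real deployment the revocation list lives in a shared store (Redis, the database) with the same TTL, so every app server sees the same kills.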
I saw a guy reporting a vulnerability today.
No logo.
No website.
No drama.
He just emailed a write-up.
Providing all the details needed to reproduce and fix the issue.
Like a psychopath.
The world needs an old-school CTF...
So far the challenges are:
- Read this 5.25" floppy
- Read this 3.5" floppy
- Burn a CD
- Crimp your own ethernet cable
- Deploy a Peg DHCP server (tools.ietf.org/html/rfc2322)
- Connect to this token ring network
Anything else?
Unpopular opinion:
No one will work as a "pentester" in a few years.
People will perform pentests as part of their job as a security engineer, appsec engineer or redteamer.
It has already started.
$20K/mo is where your hacker life changes the most.
•Stop beg bounty.
•Buy one of the VPNs advertised by your favorite influencer.
•Start hacking from an iPad Pro.
•Go to BlackHat and RSA without speaking there.
•Buy SANS courses
Too many people fall into the traps of gamification or certification, focusing on the wrong objectives.
Your goal should be to learn, not to be at the top of the leaderboard or merely to pass an exam.
[1/2]
Blackhat swag as seen by people outside of infosec:
"This person is definitely a badass hacker".
Blackhat swag as seen by people in infosec:
"This person is most likely not doing any hacking".
Hackers: 25 years later.
Zero Cool manages a team of pre-sales engineers solving APT.
Acid Burn and Lord Nikon are both CISO.
Cereal Killer works for the government.
Joey Pardella is trying to cover up a security breach.
They are all #infosec thought leaders on twitter.
If you're looking for a job, try to blog regularly about CVEs (one you didn't find):
📚 You will learn so much
✍️ You will have something to show for it
🆓 It is completely free (unlike certifications🤔)
🎲 It removes the randomness out of your study/content (finding the bug)
Metasploit: $0
Exploiting known unpatched vulnerabilities: $0
Leveraging public security research: $0
Deploying 0-dayz to compromise random phones using public USB power charging stations: $3000000
Someone who is good at the economy help me budget this my APT group is dying.
For people being surprised to see so many security tools in the twitch leak...
This is what a modern security team looks like.
Less buying off-the-shelf tools, more building tools based on your actual needs.
🛠🧰💰
Do you want to find new vulnerabilities?
1. Look at the patch for a recent CVE (for example: CVE-2021-43350)
2. Write a @semgrep rule for them (tune your rule using the CVE you picked)
3. Scan a lot of code repositories with this rule.
4. Manually confirm the matches.
When people subscribe to @PentesterLab, they give me two things... Their $ and their time, I can't refund the latter and that's why I try to provide a lot of value...
Unpopular opinion:
A lot of people stick to CTF instead of Bug Bounty or Vulnerability Research because it is a lot more comfortable.
Not easier, more comfortable, you know there is something to be found.
I remember trying to learn Linux by printing pages and pages of Mandrake/RedHat manuals and trying to read them...
THAT DID NOT WORK.
What worked?
Using Linux as my daily driver for months. It was hard, it was annoying, it was frustrating but this was the way.
Not that it matters but since I saw another tweet on this:
I have 0 CVE, 0 certification.
People judging others on CVE or certs are at best lazy, at worst downright stupid...
This one seems very relevant to security/hacking:
"It doesn’t matter if you’re a beginner or an expert as long as you’re on the path.
If a beginner is on the path, all they need is time.
If an expert is off the path, they won’t be an expert for long."
–@JamesClear
One of the cheapest and most efficient ways to improve your infosec skills is to read code.
Literally, linux+vim+git on a raspberry pi with a 12” display is enough...
Read the code of opensource projects, tools you use, diff from advisories.
You don’t even need a browser!
"Do you need to learn to write code to get a job in infosec?"
Absolutely not! You need to learn to write code because that is one of the coolest things you can do with a computer.
I make a living teaching how to hack JWT, I will even run a workshop at Defcon on hacking JWT.
If you are a developer and your application uses JWT spend 5 minutes and watch this video!
Level up your #AppSec skills with our new video on JSON Web Tokens (JWT)!
Join us as we share six practical tips to enhance your security practices. Arm yourself with these insights today! Watch, learn, apply! 🔒🎥💡 piped.video/f6c0TeQSHDg
1. Take screenshot of desktop.
2. Use screenshot as screensaver/lock screen.
3. Leave laptop "unlocked" in public places.
4. Wait for outrage or LinkedIn thoughtleadership
We just shipped automated security reviews in Claude Code. Catch vulnerabilities before they ship with two new features:
- /security-review slash command for ad-hoc security reviews
- GitHub Actions integration for automatic reviews on every PR