Can't believe I'm voluntarily wading into this, but here we go.
When you share those full details, that's when I drop everything & get to work (and I usually pull in my teammates too 💁🏽♀️). It's not just another cool vuln, it's something being used to harm. 1/6
As an example, here's how I approach it as soon as the details are out:
-understand the root cause & exploit method
-think of potential detection methods & talk to the folks who can implement them if it's not us 2/6
-find variants that the attackers either already have (and may even be using) or could easily switch to and try to get them fixed at the same time as the original bug
-brainstorm fixes, mitigations, system improvements & share them 3/6
The attackers already have all the details & are actively using them. When they're not shared, I & others who have the resources & the want to help, can't. I sit twiddling my thumbs, a very sad Maddie. This creates an asymmetry of information w the attackers knowing more. 4/6
I personally think it's *even more* important to do these things quickly when a mitigation is not available. After ~1yr of focusing exclusively on ITW 0days, I'm learning just how much I, my teammates, & other researchers really can help. 5/6
I know not everyone will agree: disclosure debates will be the one constant in our lives. 🤪 But I thought I'd share, how I, a defender, can make an impact, but I need the details to do it. 6/6.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Dondi is a proud #HBCU graduate & attended @aamuedu, earning a B.S. in Math w a focus in Applied Stats, & as an ugrad student, published research in regression analysis & number theory. As a student, Dondi went everywhere w his TI-82 graphing calculator, which he still has.
I’m really fucking tired. On average, about every week I receive some message about how I’m “unskilled”, “P0’s biggest mistake”, “not technical”. And about every other month one of these messages is posted very publicly or emailed to my managers. 1/7
This is nothing new since I first was an intern. It’s damn clear that the comments are bullshit. That the people taking the time to send me these msgs or create the anonymous accounts are telling a lot more about themselves than about me. But it’s still exhausting. 2/7
If you’re getting these messages too, it’s not about you. I’ve quite literally done everything these folks asked: I’ve done novel research at every level between a die on a CPU and applications. I have the CVEs. Large volumes of my work are publicly available...and yet. 3/7
Lately, I've been watching talks from pre-2010. There's so much important infosec work/history out there, but you need to know what to look for.
What are some of your favorite talks, blogs, events, etc from 2012 or before that you'd recommend to those newer to the industry?
For my "learning Windows" adventure, these have been awesome
* Analyzing local privilege escalations in win32k - @mxatone (2008)
* Kernel exploitation – r0 to r3 transitions via KeUserModeCallback -@j00ru (2010)
* Kernel Attacks through User-Mode Callbacks - @kernelpool (BH 2011)
I had a conversation today w a man who manages a security team. For me, tbqh this convo was pretty upsetting, but I do think he was coming from a sincere place so hopefully this helps someone else who is also coming from a good place, but is just getting it wrong. THREAD.
The man was chatting about hiring. He said his team is only men, but he gets other women he knows in the industry to come to recruiting events w him because women are much more interested when they see another women there & don’t tend to come up to his booth when it’s just him.
I said, yes, of course. When we see another woman or someone like us on the team, it at least means we won’t be alone. I told him I thought it was false advertising to use other women in this way in order to recruit.
I get asked all the time how to get started in binary RE. There are tons of great resources out there, so #1 is just get started with something, anything! But if you're open to suggestions for building a strong, general reverse engineering foundation, here are my suggestions:
1. If you've never taken a computer architecture course or need a refresher: NAND2Tetris. It's free! coursera.org/learn/build-a-… Seriously. It will give you a great understanding of the relationship between Software, Hardware, and the assembly we RE, and it's fun!
2. Learn C. Anyway that sounds good to you is the right way. Why? Pointers & memory are hard. It's even harder to learn them in ASM. Play with C & understand bit operations & how arrays work so they'll be known patterns when you look at them in asm.