Daniel Cuthbert Profile picture
Documentary photographer, Old creaky hacker. Co-author of the @OWASP ASVS standard. Blackhat/Brucon Review Board. Don't speak for anyone but myself.
Anson Kennedy Profile picture Colin Robinson 💉💉💉 Profile picture 2 added to My Authors
Jun 14 7 tweets 2 min read
I appreciate it's a marathon to hire amazing people today but if there are any Python/Go/Rust slingers who like scraping and probing things and fancy doing some interesting research with my team and me, I'd love to chat. Solid salary. Great benefits, and a world-class hardware/software hacking lab with all the toys you can imagine.

Got an itch you've been dying to scratch? want to tear apart enterprise products and find vulns? fancy making cool products that help secure 150 million people? A hardware lab showing tables and equipmentA hardware lab showing tables and equipmentA hardware lab showing tables and equipment
Aug 2, 2021 5 tweets 2 min read
My wife and I are launching a new business and this week is menu prep and creation. Takoyakis made with proper Katsuobishi and Nori.

All hand made and yeah I think these will be popular Image Second menu option testing. Chicken laksa curry learned from our time living in Singapore. We struggle to get a proper laksa here in London so time to change that. Image
Aug 1, 2021 21 tweets 7 min read
It's a Sunday.
Kids are playing Lego
Wife is chilled

Guess this means it's teardown and tinker time with IKEAs indoor pollution sensor Ok it's pretty well-designed. David Wahl is the designer, who's responsible for a lot of pretty damn good designs. Has usb-c to power but doesn't come with a cable.
Jan 7, 2021 5 tweets 1 min read
Sometimes you come across research that just blows you off your feet. This is that type of research

ninjalab.io/a-side-journey… Simply put, Victor and Thomas performed a side-channel attack that targeted the Google Titan Security Key’s secure element (the NXP A700X chip)
Dec 27, 2020 34 tweets 13 min read
This is a thread for @Matt_Gerlach on how one could better work with data collected from pihole. However, it could also be useful for anyone else who wants to better understand how pervasive the global tracking world is and to do something about it. #privacy #surveillance. First up, adblockers do not work anymore. The industry has moved on a lot (they use the same ones you do, don't kid yourself that this industry isn't blackhat af and do dodgy thing)

It's better to cut the snake's head off rather than make it dance to your beat.
Oct 4, 2020 25 tweets 12 min read
Based off @wimremes's request yesterday about what you need, equipment-wise, for a hardware lab, I thought maybe it useful to start a thread for the basics (well some bits aren't that basic and ill highlight them when they appear)

First a disclaimer, this is my personal lab I surround myself with super-intelligent people who are far better at this than me. I'm lucky in that they've educated me and we also have a friggin' amazing commercial lab in the office where I learned a lot.
Sep 11, 2020 5 tweets 3 min read
Arnaud Montagard's images of America are just to die for. They remind me of William Eggleston and do nothing to stop my desire to do a proper road trip from coast to coast avoiding the main roads. ImageImageImageImage As expected with such a compelling body of work, his first book is sold out and I'm a bit gutted but you snooze and you lose. Image
Aug 29, 2020 4 tweets 2 min read
Slack, used by millions and millions for mission-critical design chats, DevOps, security, mergers, and acquisitions, hell the list is endless.

The flaws found by this researcher result in the execution of arbitrary commands on user's computer.

The TL;DR is wow For all that effort, they got awarded $1750

Seventeen Hundred and FIFTY bucks.

@SlackHQ firstly the flaws are a rather large concern, I mean validation is hard but come on, then pay properly, please.

Because this would be worth much more on exploit.in
Aug 12, 2020 19 tweets 6 min read
I've agonised for days over this and chatting to my wife has made me realise it's not good to keep quiet, especially given my personal experience. This will be a long and ugly thread I'm afraid about the exploitation of children by those who should know better. It started with a friend, @duckrabbitblog who helped me hone my craft and also has become a voice of reason for an industry that has many skeletons in the closet: photography

The subject was that of agencies selling images of child prostitutes and clearly identifying them.
Aug 3, 2020 4 tweets 2 min read
This is the type of research I respect. No FUD, just the facts. Solid work @fs0c131y!

medium.com/@fs0c131y/tikt…

#TikTok Watching the whole debate, there were so many who seemed to state 'but it's obvious they are sending data to china' and many similar reports.

But those of us who have torn the app apart, and do this for a living, well we aren't seeing the obvious bit.
Jul 23, 2020 14 tweets 5 min read
There's something truly special happening in the static analysis world.

Now, this is a world that is full of dinosaurs. Tools that are monolithic and expensive and really don't work well in pipelines, no matter what the account managers tell you. Yes, some might "plug" in, but often that's via clunky connectors or you having to fork your repo so the SAST/DAST can scan and then report back.

Hello 2010, Bad Romance by Lady Gaga is a great track
May 11, 2020 20 tweets 7 min read
I really wish tech companies were more upfront with the endpoints they use and what they are used for. Trust is earned and whilst only 1% would actually review the traffic, it's still transparency at a time when the public deserves it.

30 days of traffic analysed, a thread Firstly I'm not picking on any company. This is traffic from my home network, a mixture of work/research/kids/wife/shopping and browsing. We've many a device in use (17 in total). I singled out Microsoft, Apple and Google to make life easier.
Feb 16, 2020 18 tweets 12 min read
The Sun truly is a despicable rag and recent events have shown how we have to cut off their revenue supply. Many say block the sun, but how?

I've mapped out their entire footprint on the web so you can easily import and block it via your hosts file or firewall. #TheScum You can get the latest lists from github.com/danielcuthbert…

There are 3 files:
- thesun_ips.csv (all of their infrastructure in IP format)
- thesun_web.csv (all of their domains and sub-domains)
- thesun.png (a large view of how they look on the web)
Jan 10, 2020 37 tweets 14 min read
I was intrigued about how Alexa listened, the potential for false positives and what was recorded. This was done over Xmas and the results leave me with more questions. FireTV was used on its own segregated LAN. Due to the sheer volume of data this device consumes and pushes, doing deep packet analysis is tricky. The wake words are said to be "Alexa, Echo, Amazon, and Computer"
Oct 8, 2019 11 tweets 4 min read
Ever wondered what lies beneath that cool looking chip on your bank card? What does it do? Why is it there?
Well here's a little pointless thread that delves into the magic using my @monzo card as an example Firstly, the chip is called an EMV chip, where E is Europay, M is Mastercard and V is, you guessed it, Visa. en.wikipedia.org/wiki/EMV
The specifications for the chip were published in 1996. The Fugees "Killing Me Softly with His Song", was really popular too
Aug 29, 2019 7 tweets 2 min read
Hang on a minute @Fortinet I’ve a few questions here about this #Fortinet Problematic is spilling your coffee on your pants. Problematic is kids hiding your phone. A BACKDOOR in a product designed to allow strict accsss to corporate networks, is not problematic. This rather flowery wording is an attempt at downplaying the seriousness
Jul 22, 2019 4 tweets 3 min read
Unpopular opinion: you will not buy you way into being secure. No matter what any vendor says or promises, throwing money at a solution rarely gives the results you think. Invest in people. Invest in engineering and build build build. Yes, some commercial tech helps and if you build your own, and that tech is modern and uses an API, then you build that in as a cog in the machine, NOT build your security around that.
Feb 11, 2019 8 tweets 2 min read
I've tried to keep this bottled up, but seeing as we've a whole wave of new people to our industry, maybe it's time to help rather than stand silent.

0hday/Zeroday/0-day exploits should be the least of your worry. Adversaries mostly wont be using them* Vendors have loved the term and jumped on it like a tourists at a free buffet breakfast. It sounds sexy, I mean a cyber weapon/pathogen that's mythical and unknown. My gaaawd how cool. Oh we can detect it and stop it. SIGN ME UP!!
Jan 10, 2019 10 tweets 2 min read
Having just spent the last 5 hours interviewing for a security engineer role (cloud) it became clear how bad our skills shortage is. The cloud is more than just another persons network/computer and virtualisation. If your world has been traditional security such as physical fw/routers/proxies etc, then this new world is vastly different.
Dec 27, 2018 11 tweets 3 min read
Busy doing @BlackHatEvents USA 2019 training submissions and feel many trainers are missing out on a few things. This thread should help anyone wanting to build and deliver a course

1: Know your market. Training is hard, very hard, please don't think it's a walk in the park. For a 2 day course, you need 16 hours of content and labs. You need to sketch out each hour, taking into account different levels of students. Each lab should have 90% passable rate, then 10% for those who excel. This means less idle fingers at any time. Challenge all students
Dec 5, 2018 19 tweets 9 min read
Next up, one talk I feel is huge and monumental and will impact the car hacking movement #BHEU @ToyotaMotorCorp infotec team opening up about vehicle security. The glorious and sexy world of ECUs and CAN. CAN has no concept of security at all, and was never developed with it in mind