Daniel Cuthbert
Documentary photographer, old creaky hacker. Co-author of @OWASP ASVS standard. Blackhat/Brucon Review Board & Co_chair UK Gov Cyber Security Advisory Board
Nov 17 8 tweets 3 min read
It's a Sunday and many friends sent me this paper by Maryam Motallebighomi and Aanjhan Ranganathan delving deep into their security assessment of Shimano's Di2 wireless shifting architecture and hardware. Needless to say, with the football on, I delved deep into understanding it a bit more.

1: Replay Attacks - let me change gear for you

2: Targeted Jamming - now you can't change gear

3: Information Leakage - gear selection leakage (meh dude, I can SEE this)

Ok they are meh bugs
Jun 21 10 tweets 3 min read
I'm going on a web app security rant, so bear with me.

23 years ago OWASP was formed and it tried to help the web application space and those building apps to do so in a secure way. Session management was one of them.

If you had a token, in a header/cookie, make it secure. We've evolved this over the decades; we collectively got better at understanding the nuances and complexities of this identity being thrown around and the consequences of not doing it right.

We have standards, STANDARDS man, github.com/OWASP/ASVS/blo…
May 2 10 tweets 2 min read
Patch ALL teh things we constantly tell CISOs and CIOs.
Thing is, let's be honest with each other, right? We can't, and this graph is telling.

Patching is a pain, we get it and we do need to revolutionise the approach. Two years ago, @LargeCardinal wrote a phenomenal paper where, in essence, the idea was to prioritize patches by expressing the connectivity of various vulnerabilities on a network with a QUBO and then solving this with quantum annealing.

Now working with Mark often has me saying 'dafuq you saying bruv?' arxiv.org/pdf/2211.13740
Apr 11 21 tweets 5 min read
Strap in, we's going on a ride, a static analysis ride. I recently came across this paper, which looked at a wide variety of SAST tools against a number of Java apps.

Java being the choice of enterprise, and often not the best Java approaches out there, so it's a good choice. First up, what did they use and what did they benchmark it against?

They looked at free tools, tools that specifically supported Java and most importantly, are being actively maintained.
Oct 11, 2023 16 tweets 4 min read
Bugs happen but it's rare you see a bug that grabs you so hard and makes you nod like a little dog...

CVE-2023-44487 did that for me

Good god, what a bug, and here's why. First up is understanding the key differences between HTTP 1.1 and 2, especially how requests work.

HTTP 1.1 is a text-based protocol that uses a single connection for each request/response pair. Every time you request the / from NSA.gov, it will be a diff request.
Jun 9, 2023 6 tweets 2 min read
An interesting new feature found in @Apple’s latest privacy and security report is that of Link Tracking Protection and I’ve not stopped thinking about this. First up it’s pretty cool. My views on the pervasive nature of the tracking industry are not something I’ve hidden away: it’s an ugly industry with no real oversight, so any effort to put a finger in their eye is one to applaud.

The approach by Apple is interesting
Jun 9, 2023 9 tweets 3 min read
Here’s the thing right: if you are building any application/binary or indeed something that takes input and uses that to form the basis of further functions/actions, you kinda need to think about robustness.

Imagine an HTTP POST request to /remote/portal/bookmarks. What is needed is Content-Length, which indicates the size of the corresponding body. This is how the web works, so to send and indeed accept a zero byte body is odd and you’d check for that, right?

Bueller? Right??
Jun 7, 2023 4 tweets 1 min read
It was 1998 and I was helping build this newfangled web thing for the Financial Times, called ft.com

We had a handful of Solaris boxes and Oracle DBs (it was secure, they said) but we were running out of IPv4 addresses in our allocation. The daily routine used to be monitoring Checkpoint FWs and adding new rules to stop silly attempts at scanning Solaris, adding rules to allow Apache to talk to Oracle and so on. Then Cisco came out with this box that meant we could use a handful of IPv4 addresses and then RFC 1918 in our DC.
Jan 24, 2023 4 tweets 1 min read
When the twitter dump came out, I enjoyed having a “theoretical” chat with John about how you “theoretically” would weaponise this. It’s not a new topic per se, we did abuse this in yesteryear but it doesn’t make it any softer a threat. The post looks into the stuff you could “theoretically” do with expired domains and the likes. thecontractor.io/blog/malinheri…
Dec 23, 2022 4 tweets 2 min read
This is a shockingly poor article cyberscoop.com/cisa-dhs-easte…

What @CISAJen and team are doing over at CISA is both admirable and indeed inspiring, and the fact the piece somewhat reduces her leadership to that of fashion and being active on social media, which actually is a plus, is baffling at best. Traditionally government hasn’t been accessible or with the times. @CISAJen has bridged that gap and it’s clear some struggle with this.
Dec 22, 2022 4 tweets 2 min read
As much as streaming music took over the music world, it ushered in an era of incredibly boring design. Looking at one of my fav London audio shops makes me realise how generic today's designs are

wiltonmusicmall.com I mean, HELO

A Unison Simply four-valve amp.
Jun 14, 2022 7 tweets 2 min read
I appreciate it's a marathon to hire amazing people today but if there are any Python/Go/Rust slingers who like scraping and probing things and fancy doing some interesting research with my team and me, I'd love to chat. Solid salary. Great benefits, and a world-class hardware/software hacking lab with all the toys you can imagine.

Got an itch you've been dying to scratch? Want to tear apart enterprise products and find vulns? Fancy making cool products that help secure 150 million people?
Aug 2, 2021 5 tweets 2 min read
My wife and I are launching a new business and this week is menu prep and creation. Takoyakis made with proper Katsuobishi and Nori.

All hand made and yeah, I think these will be popular. Second menu option testing. Chicken laksa curry learned from our time living in Singapore. We struggle to get a proper laksa here in London so time to change that.
Aug 1, 2021 21 tweets 7 min read
It's a Sunday.
Kids are playing Lego
Wife is chilled

Guess this means it's teardown and tinker time with IKEA's indoor pollution sensor. Ok, it's pretty well-designed. David Wahl is the designer, who's responsible for a lot of pretty damn good designs. Has USB-C to power but doesn't come with a cable.
Jan 7, 2021 5 tweets 1 min read
Sometimes you come across research that just blows you off your feet. This is that type of research

ninjalab.io/a-side-journey… Simply put, Victor and Thomas performed a side-channel attack that targeted the Google Titan Security Key’s secure element (the NXP A700X chip)
Dec 27, 2020 34 tweets 13 min read
This is a thread for @Matt_Gerlach on how one could better work with data collected from pihole. However, it could also be useful for anyone else who wants to better understand how pervasive the global tracking world is and to do something about it. #privacy #surveillance. First up, adblockers do not work anymore. The industry has moved on a lot (they use the same ones you do, don't kid yourself that this industry isn't blackhat af and doing dodgy things).

It's better to cut the snake's head off rather than make it dance to your beat.
Oct 4, 2020 25 tweets 12 min read
Based off @wimremes's request yesterday about what you need, equipment-wise, for a hardware lab, I thought maybe it'd be useful to start a thread for the basics (well, some bits aren't that basic and I'll highlight them when they appear).

First, a disclaimer: this is my personal lab. I surround myself with super-intelligent people who are far better at this than me. I'm lucky in that they've educated me and we also have a friggin' amazing commercial lab in the office where I learned a lot.
Sep 11, 2020 5 tweets 3 min read
Arnaud Montagard's images of America are just to die for. They remind me of William Eggleston and do nothing to stop my desire to do a proper road trip from coast to coast avoiding the main roads. As expected with such a compelling body of work, his first book is sold out and I'm a bit gutted, but you snooze and you lose.
Aug 29, 2020 4 tweets 2 min read
Slack, used by millions and millions for mission-critical design chats, DevOps, security, mergers, and acquisitions, hell the list is endless.

The flaws found by this researcher result in the execution of arbitrary commands on the user's computer.

The TL;DR is wow. For all that effort, they got awarded $1750.

Seventeen Hundred and FIFTY bucks.

@SlackHQ firstly the flaws are a rather large concern, I mean validation is hard but come on, then pay properly, please.

Because this would be worth much more on exploit.in
Aug 12, 2020 19 tweets 6 min read
I've agonised for days over this and chatting to my wife has made me realise it's not good to keep quiet, especially given my personal experience. This will be a long and ugly thread, I'm afraid, about the exploitation of children by those who should know better. It started with a friend, @duckrabbitblog, who helped me hone my craft and also has become a voice of reason for an industry that has many skeletons in the closet: photography.

The subject was that of agencies selling images of child prostitutes and clearly identifying them.
Aug 3, 2020 4 tweets 2 min read
This is the type of research I respect. No FUD, just the facts. Solid work @fs0c131y!

medium.com/@fs0c131y/tikt…

#TikTok Watching the whole debate, there were so many who seemed to state 'but it's obvious they are sending data to china' and many similar reports.

But those of us who have torn the app apart, and do this for a living, well we aren't seeing the obvious bit.