Maddie Stone Profile picture
Security Researcher. Previously Google Project Zero and TAG | 0days all day. Love all things bytes, assembly, and glitter. she/her.
Feb 6 5 tweets 2 min read
We're naming names 🔥 because the harm is not hypothetical.

Today we share "Buying Spying", our new report diving into the commercial surveillance/spyware industry. We dive into the players, the campaigns, the spyware, & the harm it perpetuates.

blog.google/threat-analysi…
Headline image that is blue with a lighter blue shield. It's covered with white text that says: "Buying Spying: How the commercial surveillance industry works and what can be done about it". At the bottom it says "Google -- Threat Analysis Group" There's also lots of goodies that we've never released before like:

👀 That Chrome 0-day (CVE-2023-7024) @_clem1 discovered in Dec? NSO Group
🤔 Which vendor gets caught the most
🕐 In April, it took Intellexa 45 days to come back after their Chrome 0days were caught & patched
Jan 25, 2022 4 tweets 1 min read
Lesley is right on the money (literally).

My therapist said something to me back in 2020 (we talked about my anxiety around money a lot) that's stuck with me: How does you making your life more difficult help anyone else? It's only been in the last few years that I have truly felt stable and comfortable financially. Previously I was always trying to pay bills, debts, and just dreaming of being able to maybe save an emergency fund and donate to causes I care about.
Jan 6, 2022 11 tweets 6 min read
2021 was a wild year for 0-day exploitation detection. 2021 was also full of Google Project Zero & TAG publishing lots of good (in my biased opinion) stuff on 0-day exploits. 🧵ICYMI here they are:

#itw0days 1. In January, Project Zero published a 6 part series about a watering hole attack. The series covers the Chrome, Android, & Windows exploits, & the Android post-exploitation behavior of this attack.
Part #1: googleprojectzero.blogspot.com/2021/01/introd…
Jun 30, 2021 12 tweets 3 min read
Here we go. I read NSO's 32 page "Transparency Report" published today so you don't have to. 🧵

It says nothing of substance. None of the "approvals" and "processes" and "misuse" and "human rights" that make up much of the report are defined.

nsogroup.com/wp-content/upl… The few glimmers of details we get confirm to me we need to be concerned about who NSO's technology is being sold to & how it's being used.

I "live chatted" my reading of this to my teammates as my frustration & rage grew. There was so much. I'll limit this to just a few. 2/12
Jun 19, 2021 9 tweets 3 min read
This thread from ~yr ago was a turning point for me. Not because the harassment stopped, but because I finally no longer dealt with all this bs predominantly alone. As illogical & irrational as it is, I think I felt shame every time I received one of these messages. 1/x *I* must have been doing something wrong, *I* must have been less than if all these people took the effort to say these things to me. If colleagues weren’t dealing with this, then *I* must be the problem. I’m *drama*. These were the quiet thoughts. 2/x
Dec 15, 2020 9 tweets 2 min read
Along with many others in infosec, I've always cautioned against any of the voice activated smart gadgets, largely thinking there's only marginal benefit for the risks of an always-on microphone.

Recovering from surgery with only one usable arm has completely changed my views.1/ Using voice control, which has required turning on the mics on my phone and home mini, has made my quality of life substantially better and even prevented physical pain. 2/
Oct 31, 2020 6 tweets 2 min read
Can't believe I'm voluntarily wading into this, but here we go.

When you share those full details, that's when I drop everything & get to work (and I usually pull in my teammates too 💁🏽‍♀️). It's not just another cool vuln, it's something being used to harm. 1/6 As an example, here's how I approach it as soon as the details are out:
-understand the root cause & exploit method
-think of potential detection methods & talk to the folks who can implement them if it's not us 2/6
Oct 23, 2020 27 tweets 10 min read
Today is the day we've been waiting for! Follow this thread as I highlight @DondiWest as part of the #ShareTheMicInCyber campaign. I am proud to give this talented #cybersecurity practitioner the spotlight. #BlackNatSec #BlackTechTwitter #Share the Mic in Cyber graphic. Says "#ShareTheMicInCy @DondiWest is a #Cybersecurity Attorney @Microsoft where he tracks global cybersecurity laws and regulations in order to identify and mitigate legal risk stemming from compliance obligations. #sharethemicincyber Connect with Dondi on LinkedIn linkedin.com/in/dondi
Aug 27, 2020 7 tweets 2 min read
I’m really fucking tired. On average, about every week I receive some message about how I’m “unskilled”, “P0’s biggest mistake”, “not technical”. And about every other month one of these messages is posted very publicly or emailed to my managers. 1/7 This is nothing new since I first was an intern. It’s damn clear that the comments are bullshit. That the people taking the time to send me these msgs or create the anonymous accounts are telling a lot more about themselves than about me. But it’s still exhausting. 2/7
Feb 21, 2020 5 tweets 5 min read
Lately, I've been watching talks from pre-2010. There's so much important infosec work/history out there, but you need to know what to look for.

What are some of your favorite talks, blogs, events, etc from 2012 or before that you'd recommend to those newer to the industry? For my "learning Windows" adventure, these have been awesome
* Analyzing local privilege escalations in win32k - @mxatone (2008)
* Kernel exploitation – r0 to r3 transitions via KeUserModeCallback -@j00ru (2010)
* Kernel Attacks through User-Mode Callbacks - @kernelpool (BH 2011)
Nov 9, 2019 9 tweets 2 min read
I had a conversation today w a man who manages a security team. For me, tbqh this convo was pretty upsetting, but I do think he was coming from a sincere place so hopefully this helps someone else who is also coming from a good place, but is just getting it wrong. THREAD. The man was chatting about hiring. He said his team is only men, but he gets other women he knows in the industry to come to recruiting events w him because women are much more interested when they see another women there & don’t tend to come up to his booth when it’s just him.
Feb 14, 2019 6 tweets 2 min read
I get asked all the time how to get started in binary RE. There are tons of great resources out there, so #1 is just get started with something, anything! But if you're open to suggestions for building a strong, general reverse engineering foundation, here are my suggestions: 1. If you've never taken a computer architecture course or need a refresher: NAND2Tetris. It's free! coursera.org/learn/build-a-… Seriously. It will give you a great understanding of the relationship between Software, Hardware, and the assembly we RE, and it's fun!