Some great conference talk recordings have dropped!
The premier cloud security conference, by Scott Piper et al.
Objective by the Sea, v4.0
The world’s only macOS security conference, by Patrick Wardle et al.
Cloud Metadata Dictionary useful for SSRF Testing
Useful cheatsheet from Jason Haddix.
How to speed up Burp Suite’s Turbo Intruder
Useful for finding race conditions, brute forcing passwords, or other attacks in which you need to send many requests in a short amount of time.
A Visualization of the OWASP Top 10 Over Time
A pretty neat time lapse of things that have entered, left, and changed rankings in the OWASP Top 10 over the years, by GitLab’s Wayne Haber.
Designing Least Privilege AWS IAM Policies for People
LaunchDarkly’s Alex Smolen discusses how to deploy reduced privilege IAM roles without breaking user workflows. Includes a nice overview of prior work on automatic IAM policy generation from logs.
Eating the Cloud from Outside In
By Shawn Wang: “AWS is playing Chess. Cloudflare is playing Go.”
Hacking AWS end-to-end - remastered
Talk by Daniel Grzelak that Scott Piper described as:
In 2016, @dagrz gave one of the greatest cloud security talks ever, filled with new techniques that have been rediscovered repeatedly in the years since. I’ve remastered it from video obtained from an audience member and the slide deck.
Remotely Access your Kubernetes Lab with Cloudflare Tunnel
In April Cloudflare announced Auditable Terminal, which gives you a fully featured SSH client in your browser: you authenticate using Cloudflare Access, and can log into a computer - and get a terminal - just using a browser. In this post, Marco Lancini describes how to access your Kubernetes cluster using this approach.
Kubernetes YAML Generator
Create and customize a Kubernetes YAML config via a web UI that has useful explanatory text around various options.
Introducing Snowcat: World’s First Dedicated Security Scanner for Istio
Praetorian’s Anthony Weems, Dallas Kaman, and Michael Weber discuss Snowcat, which can obtain information about an Istio deployment and report on misconfigurations or deviations from best practices. Snowcat can be run against static config info or from inside an Istio workload container.
A Graduate Course in Applied Cryptography
Free book by Stanford professor Dan Boneh and NYU professor Victor Shoup covering secret and public key cryptography, protocols, and more.
A practical guide to cryptography by my friend David Wong, including:
- Best practices for using cryptography
- Diagrams and explanations of cryptographic algorithms
- Identifying and fixing bad practices
- Choosing the right cryptographic tool for any problem
1Password’s new feature lets you safely share passwords using just a link
Psst! lets you share creds with anyone, even if they don’t have a 1Password account, by generating an expiring link that’ll give them temporary access.
An Intro to Fuzzing (AKA Fuzz Testing)
Nice intro and overview by Bishop Fox’s Matt Keeley covering types of fuzzers, how fuzzing works, popular tools and their pros/cons, writing a good test harness, etc.
See also Google’s thoughts on what makes a good fuzz target.
The Challenges of Fuzzing 5G Protocols
NCC Group’s Mark Tedman and Philip Shaw discuss fuzzing 5G protocols (NGAP, GTPU, PFCP, & DIAMETER) using both proprietary and open source fuzzers (Fuzzowski, Frizzer, AFLNet). Nice overview of the trade-offs of different approaches and tooling.
SiliFuzz: Fuzzing CPUs by proxy
By Google’s Kostya Serebryany, Maxim Lifantsev, Konstantin Shtoyk, Doug Kwan, and Peter Hochschild.
We present SiliFuzz, a work-in-progress system that finds CPU defects by fuzzing software proxies, like CPU simulators or disassemblers, and then executing the accumulated test inputs (known as the corpus) on actual CPUs on a large scale.
About 45% of SiliFuzz findings are unique and have not been previously identified by any other tool or automation available to us.
A high-performance load testing tool written in Golang, by Ddosify.
Politics / Privacy
VPN + Tor: Not Necessarily a Net Gain
Matt Traudt nicely walks through, depending on your threat model, the relative privacy value of using a VPN, Tor, or both. Hint: more is not better.
Trust-Busting as the Unsexy Answer to Google and Facebook
With some interesting context about the history of monopolies and antitrust outside of tech.
Facebook Restricts Staff Message Boards to Stop Leaks; Memo Gets Leaked
Facebook plans to limit access to groups related to platform safety and protecting elections to only people working in integrity-related groups. Checks former Facebook motto:
“To give people the power to share and make the world more open and connected,
unless it increases accountability.”
Commerce Tightens Export Controls on Items Used in Surveillance of Private Citizens and other Malicious Cyber Activities
“The United States Government opposes the misuse of technology to abuse human rights or conduct other malicious cyber activities, and these new rules will help ensure that U.S. companies are not fueling authoritarian practices.”
Automatically remove backgrounds from any image for free.
Free and private image redaction in your browser, by Rik Schennink.
The State Of Web Scraping in 2021
Great overview of language agnostic and language-specific tools, as well as commercial offerings, by Mihai Avram.
58 infosec acronyms for 2021 explained
Useful short definitions if you’re new to the field across networking, security, and compliance, by Krit’s Andrew Askins. H/T Mike Privette.
Find music by singing or humming a few bars of it, powered by SoundHound.
Opiates and Social Media Are Symptoms, Not Causes
This post by Daniel Miessler resonated with me, in which he argues that addiction, social media, and other recent societal malaise is at least as much, if not more, a result of lack of meaning in people’s lives.
Basically, my model is that a lack of meaning, direction, and strong social ties causes depression, and that depression then opens the door to addictions such as drugs and social media.
The opposite of addiction isn’t sobriety – it’s connection. -Johann Hari
Thanks for reading!