Getting the maximum of your C compiler, for security
Airbus Security Lab’s Raphaël Rigo and Sarah Zennou list the flags you should use in GCC, Clang or MSVC, in order to: detect the maximum number of bugs or potential security problems, enable security mitigations in the produced binaries, and enable runtime sanitizers to detect errors (overflows, race conditions, etc.) and make fuzzing more efficient.
Authorization Testing: AuthMatrix - Part 1
White Oak Security’s Tib3rius describes how to effectively test access controls in web apps with complicated authz logic (e.g. multiple role types with different permissions) using the AuthMatrix Burp Suite extension.
For testing authorization logic, I’d also recommend Justin Moore’s AutoRepeater Burp extension.
graphw00f
By Dolev Farhi: a fingerprinting tool for GraphQL endpoints that sends a number of benign and malformed queries to determine the GraphQL engine being used. graphw00f then provides insights into what security defences each engine provides out of the box, and whether they are on or off by default.
The complete GraphQL Security Guide: Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready
WunderGraph’s Jens Neuse does a good job outlining common GraphQL issues and how and why they occur.
API Tokens: A Tedious Survey
Fly.io’s Thomas Ptacek gives a great, opinionated overview of various token types: simple random tokens, platform tokens, OAuth 2.0, JWT, Macaroons, and more, and throws shade on SAML along the way.
What’s also very cool about this trick, and will give a hard time to anyone trying to debug the attacker’s code, is that the callback invoked when the function is being debugged cannot itself be debugged in the devtools, because it is code called by the devtools itself. Meaning the only way to successfully debug this function is via the developer tools of the developer tools!
Reddit: Open Source CSPMs?
Inside Figma: getting out of the (secure) shell
Figma’s Hongyi Hu describes how they got rid of SSH and replaced it with AWS Systems Manager Session Manager, Okta for SSO, and required WebAuthn for multi-factor authentication.
Great stuff: focus on developer experience, minimizing security team toil, adding guardrails for users, locking down Session Manager, and more.
Leaving Bastion Hosts Behind Part 1: GCP
Netskope’s Colin Estep discusses the GCP services OS Login and Identity-Aware Proxy (IAP), showing how they can be used together as an alternative to bastion hosts.
Summer Blog Backlog: Distributed Systems
This post argues that Kubernetes has fundamentally too much accidental complexity, and that in the future it’ll be replaced by something with fewer new concepts that is more compositional. I found the historical references to other domains interesting.
A visual guide on troubleshooting Kubernetes deployments
An impressively detailed and thorough guide by Daniele Polencic. Includes this great overview diagram, which, like looking up at the stars at night, reminds us of our insignificance in the face of Kubernetes’ complexity.
Politics / Privacy
Srsly Risky Biz: Thursday, September 2
If you didn’t know, Risky Biz has a newsletter! And it’s great. In this edition, Tom Uren had a long chat with The Grugq on distinguishing hacktivists vs nation state actors posing as them, as well as other topics.
How to find hidden cameras in Airbnbs
TikTok by Marcus Hutchins.
Top counterintelligence official Mike Orlando on foreign espionage threats facing U.S.
Acting director of the National Counterintelligence and Security Center: the U.S. has experienced $200 billion to $600 billion a year in losses to intellectual property theft by China, for the past 20 years.
How Facebook Undermines Privacy Protections for Its 2 Billion WhatsApp Users
WhatsApp analyzes messages in two ways: a) AI that scans unencrypted metadata (names, profile images, phone numbers, related Facebook accounts, etc.) and b) a content moderation team that, whenever a message is “reported,” receives that message plus the four previous ones unencrypted.
If you want a messaging app whose financial incentives aren’t “know everything about you and target you with ads,” nor is it “0-click RCE as a service” (sorry iMessage): use Signal.
Gladys Berejiklian Takes Over The World
Someone remixed this Australian politician to say some… mean things, hilariously.
Some nice visual overviews.
Wassim Chegham: What happens when you type a URL in a browser’s address bar
Linux Kernel Defense Map
Awesome resource by Alexander Popov covering vulnerability classes, exploitation techniques, bug detection mechanisms, and defense technologies. The following is a small snippet:
You know, errr, totally unrelated to this newsletter 😅 But really, it’s important to remember stuff like this. Something I have to work on sometimes.
It’s okay to love a hobby the same way you’d love a pet; for its ability to enrich your life without any expectation that it will help you pay the rent.
What if we allowed ourselves to devote our time and attention to something just because it makes us happy? Or, better yet, because it enables us to truly recharge instead of carving our time into smaller and smaller pieces for someone else’s benefit?
How did we get to the point where free time is so full of things we have to do that there’s no room for things we get to do?
We don’t have to monetize or optimize or organize our joy. Hobbies don’t have to be imbued with a purpose beyond our own enjoyment of them. They, alone, can be enough.
Thanks for reading!