Apr 16, 2019
I threw this post together because I couldn’t decide where my notes to myself on using Spacemacs should go. So here they are.
Updates will frequently happen to this page, and if you’re really curious, you can view those here.
Usage
Spacemacs usage notes. Note that if you find a modal seems to have trapped you and you’re not sure how to escape it, try q first, then ESC, and C-g (hold CTRL and press g).
Thoughts on a public Bug Bounty
Apr 9, 2019
I wrote some time ago, about my thoughts on managing a bug bounty program. It’s been nearly two years, and I’ve gone through the pain of taking a bug bounty public, so I wanted to jot down some thoughts on what maturing the bug bounty program looks like and some notes for security researchers participating in bug bounty programs. The good researchers won’t need this advice, and the bad ones likely won’t read it, so this is probably futile, but these things should be shared.
Feb 15, 2019
Update: February 26, 2019
A few days after posting this, I became aware of https://crxcavator.io which performs security assessments of chrome plugins at scale.
Extract files from network capture
Jan 24, 2019
From time-to-time, it’s a requirement to grab a firmware image, binary, or other file from a captured network stream. This page outlines several methods of achieving this.
Note: These will not work if the files were transferred via TLS. That’s the whole point of TLS.
From Wireshark
1. Find the start of the transfer if it’s obvious - GET request, server sending massive packets, etc.
2. Right-click the first packet and select Follow > TCP stream.
3. Save the entire conversation as RAW.
4. Open your hex editor and trim any fat (HTTP response headers, etc) from the file, using the Wireshark Follow TCP stream window as a guide.
Decrypting Java TLS to View in Wireshark
Oct 26, 2018
Using Kali, grab this Library: jSSLKeyLog. Next, find the script you’re testing that invokes java and add the following parameter (or manually add the parameter if running java directly):
$ java -javaagent:jSSLKeyLog.jar==/tmp/ssl-key-log.log -jar file.jar
Next, run tcpdump how you normally would:
$ tcpdump -i eth0 -w dump.cap -C 100m
Now you can run the java application whose SSL session keys you want to extract:
$ java -javaagent:jSSLKeyLog.jar==/tmp/ssl-key-log.log -jar app.
Mallory in the Mobile
Oct 15, 2018
Update: October 15, 2018
Some quick notes for running mallory once the configuration steps below have been performed:
- Ensure the VM has two physical Internet connections from the host
- VM should be set to Bridged
- Run this wifi-ap creation script
- Shovel all traffic to mallory using this command
- Ensure the mallory CA in (/mallory/current/src/ca) is installed on the target device
- Start mallory (mallory/current/src/mallory.py)
- Start GUI (mallory/current/src/launchgui.py)
Update: July 10, 2017
I recently had to set up an environment like the one below for another app review.
The new face of the security team DoS
Sep 14, 2018
Nearly a year ago, I wrote about an emerging trend I observed with some of the bounty researchers I was interacting with. This screed can be considered an extension of that article.
There’s an emerging trend I’m noticing - I’ve been receiving more messages like the following:
Hey , I found Security Vulnerability in your web application ,which can damage site as well as users too.For security purpose can we report vulnerability here,then will i get bounty bounty reward in PayPal or Bitcoin for Security bug ?
Correctly Configuring Spacemacs Go Layer and Environment Variables in macOS
Aug 13, 2018
This is a quick note to future me (and anyone encountering this same issue). TL;DR - the solution
While running into issues getting the golang layer configured, I discovered that a lot of pain was caused by a cached configuration and some outdated information.
System Info
OS: Darwin
Golang: go version go1.10.3 darwin/amd64 (installed via Homebrew)
Emacs: 26.1
Spacemacs: 0.300.0 (develop)
Spacemacs branch: f2a4cc
Graphics display: t
Distribution: Spacemacs
Editing style: vim
Completion: helm
Layers: html helm auto-completion emacs-lisp git go markdown (markdown :variables markdown-command "pandoc") (org :variables org-enable-reveal-js-support t org-want-todo-bindings t) themes-megapack spell-checking syntax-checking )
Incorrectly configured $GOROOT
After brew install go, Homebrew suggests the following:
Spacemacs Org Mode Introduction
Aug 6, 2018
Update: 2018-08-10
Shortly after writing this post, I switched to the Spacemacs develop branch - cd ~/.spacemacs && git checkout develop. This upgraded my Spacemacs to version email@example.com. This had the unexpected side effect of changing several of the key bindings below.
- Setting schedules and deadlines - now require a prefix of SPC m d before entering your selection (d for deadlines, s for scheduling)
- Sparse trees - keybind moved to SPC m s s
- Archive tree - keybind moved to SPC m s A (I didn’t cover this in my original article, but this is how I archive DONE tasks)
- Show all TODO and deadlines - keybind moved to SPC m s s t and SPC m s s d
Introduction
This is a basic overview of org-mode inside of Spacemacs.
My Security 101 - 2018 update
Aug 2, 2018
In a post from 2015, I wrote about some of the “Security 101” issues I considered to be fundamental.
Since 2015, I’ve been exposed to several environments where I have seen the same basic security fails. In addition to my previous Security 101 items (2FA, avoiding password reuse, using a password manager, being mindful of what gets posted on social media, and inspecting email links) I would like to add the following new items to my “Security 101”: