Notes on Compiling Emacs for Macos Sep 17, 2019 Background Since my last post, I’ve abandoned spacemacs in favor of building my own Emacs environment. I’ve done this so that I can better learn how Emacs works and to, hopefully, become passably proficient with emacs lisp. Spacemacs is a wonderful and robust package that served to whet my appetite for discovering what Emacs is all about. Unfortunately, it was too much for me to grok on top of learning Emacs. ...
Spacemacs Cheatsheet Apr 16, 2019 I threw this post together because I couldn’t decide where my notes to myself on using Spacemacs should go. So here they are. Updates will frequently happen to this page, and if you’re really curious, you can view those here. Usage Spacemacs usage notes. Note that if you find a modal seems to have trapped you and you’re not sure how to escape it, try q first, then ESC, and C-g (hold CTRL and press g). ...
Thoughts on a public Bug Bounty Apr 9, 2019 I wrote some time ago about my thoughts on managing a bug bounty program. It’s been nearly two years, and I’ve gone through the pain of taking a bug bounty public, so I wanted to jot down some thoughts on what maturing the bug bounty program looks like and some notes for security researchers participating in bug bounty programs. The good researchers won’t need this advice, and the bad ones likely won’t read it, so this is probably futile, but these things should be shared. ...
JavaScript: Methods for sending and receiving network data Feb 15, 2019 JavaScript offers several methods for sending and receiving network data. This post attempts to enumerate all forms known at this time, to make it possible to audit code for potentially malicious activity (I’m looking at you, Chrome extensions requiring access to read or modify all data on a page) Update: February 26, 2019 A few days after posting this, I became aware of https://crxcavator.io which performs security assessments of chrome plugins at scale. ...
Extract files from network capture Jan 24, 2019 From time-to-time, it’s a requirement to grab a firmware image, binary, or other file from a captured network stream. This page outlines several methods of achieving this. Note: These will not work if the files were transferred via TLS. That’s the whole point of TLS. From Wireshark Find the start of the transfer if it’s obvious - GET request, server sending massive packets, etc. Right-click the first packet and select Follow > TCP stream Save the entire conversation as RAW Open your hex editor and trim any fat (HTTP response headers, etc) from the file, using the Wireshark Follow TCP stream window as a guide. ...
Decrypting Java TLS to View in Wireshark Oct 26, 2018 Using Kali, grab this Library: jSSLKeyLog. Next, find the script you’re testing that invokes java and add the following parameter (or manually add the parameter if running java directly): $ java -javaagent:jSSLKeyLog.jar==/tmp/ssl-key-log.log -jar file.jar Next, run tcpdump how you normally would: $ tcpdump -i eth0 -w dump.cap -C 100m Now you can run the java application whose SSL session keys you want to extract: $ java -javaagent:jSSLKeyLog.jar==/tmp/ssl-key-log.log -jar app. ...
Mallory in the Mobile Oct 15, 2018 Update: October 15, 2018 Some quick notes for running mallory once the configuration steps below have been performed:
- Ensure the VM has two physical Internet connections from the host
- VM should be set to Bridged
- Run this wifi-ap creation script
- Shovel all traffic to mallory using this command
- Ensure the mallory CA in (/mallory/current/src/ca) is installed on the target device
- Start mallory (mallory/current/src/mallory.py)
- Start GUI (mallory/current/src/launchgui.py)
Update: July 10, 2017 I recently had to set up an environment like the one below for another app review. ...
The new face of the security team DoS Sep 14, 2018 Nearly a year ago, I wrote about an emerging trend I observed with some of the bounty researchers I was interacting with. This screed can be considered an extension of that article. There’s an emerging trend I’m noticing - I’ve been receiving more messages like the following: Hey , I found Security Vulnerability in your web application ,which can damage site as well as users too.For security purpose can we report vulnerability here,then will i get bounty bounty reward in PayPal or Bitcoin for Security bug ? ...
Correctly Configuring Spacemacs Go Layer and Environment Variables in macOS Aug 13, 2018 This is a quick note to future me (and anyone encountering this same issue). TL;DR - the solution While running into issues getting the golang layer configured, I discovered that a lot of pain was caused by a cached configuration and some outdated information. System Info OS: Darwin Golang: go version go1.10.3 darwin/amd64 (installed via Homebrew) Emacs: 26.1 Spacemacs: 0.300.0 (develop) Spacemacs branch: f2a4cc Graphics display: t Distribution: Spacemacs Editing style: vim Completion: helm Layers: ...
Spacemacs Org Mode Introduction Aug 6, 2018 Update: 2018-08-10 Shortly after writing this post, I switched to Spacemacs develop branch - cd ~/.spacemacs && git checkout develop This upgraded my Spacemacs to version 0.300@26.1. This had the unexpected side effect of changing several of the key bindings below. Setting schedules and deadlines - now require a prefix of SPC m d before entering your selection (d for deadlines, s for scheduling) Sparse trees - keybind moved to SPC m s s Archive tree - keybind moved to SPC m s A (I didn’t cover this in my original article, but this is how I archive DONE tasks) Show all TODO and deadlines - keybind moved to SPC m s s t and SPC m s s d Introduction This is a basic overview of org-mode inside of Spacemacs. ...