My Security 101 - 2018 update
Aug 2, 2018
In a post from 2015, I wrote about some of the “Security 101” issues I considered to be fundamental.
Since 2015, I’ve been exposed to several environments where I have seen the same basic security fails. In addition to my previous Security 101 items (2FA, avoiding password reuse, using a password manager, being mindful of what gets posted on social media, and inspecting email links) I would like to add the following new items to my “Security 101”:
Jul 10, 2018
I found this DevTube on HackerNews the other day and I want to save it for later.
Lisp on MacOS
Jul 6, 2018
Background
Lisp is a programming language that’s been on my radar for a while, but I’ve never investigated until now. While browsing the web last night, I came across this Paul Graham article about the start of Viaweb and my curiosity was piqued.
This post is my attempt to consolidate my experience of getting a lisp development environment set up in July 2018.
Note: For the rest of this post, [~] $ is my terminal prompt, and * is the sbcl Common Lisp interpreter prompt.
MacOS open source apps
Jul 3, 2018
I found this MacOS Open Source apps list on HackerNews the other day and I want to save it for later.
Static Analysis with Burp Suite
Apr 10, 2018
Simply navigate to the local directory containing the app and serve it using Python’s built-in HTTP server.
python2 syntax: python -m SimpleHTTPServer <port>
python3 syntax: python3 -m http.
Cross-Account file access on AWS S3
Mar 30, 2018
The Problem
Secure file sharing using AWS S3:
1. I upload a file to an S3 bucket with restricted permissions
2. The client downloads the file and processes it
3. The client uploads the results to the S3 bucket
4. I download the processed file and the transaction is complete
I thought setting the permissions on the bucket would be enough. I was wrong.
The Setup
I use a federated login to AWS and assume a role under a corporate account.
Hands on with Brave Browser
Mar 6, 2018
Brave, the new Firefox? I’ve been using the Brave browser as my full-time web browser for two weeks now, primarily version 0.21.18. It’s easy to tell the software is not yet at version 1.0, and although I’m not ready for this to replace Vivaldi, I really want it to.
Brave is fast. Really fast. It has built-in adblocking and anti-fingerprinting technology. Previously, I’ve relied on uBlock Origin and Privacy Badger for adblocking and anti-fingerprinting.
A Lesson for Bug Bounty Researchers
Oct 20, 2017
I’m managing a bug bounty program that has shown tremendous benefit so far. Several findings have been extremely clever, and I’ve been fortunate enough to have good interactions with the vulnerability researchers. However, I’ve also had a few unsatisfactory interactions with researchers. This post is directed at Bug Bounty researchers that do not have much experience in corporate environments. I think a list of do’s and don’ts is appropriate for this breakdown.
iOS and Android Native Code Protections
Jun 19, 2017
iOS Secure Boot Chain
Each step of the startup process contains components that are cryptographically signed by Apple to ensure integrity and that proceed only after verifying the chain of trust. This includes the bootloaders, kernel, kernel extensions, and baseband firmware. This secure boot chain helps ensure that the lowest levels of software aren’t tampered with.
When an iOS device is turned on, its application processor immediately executes code from read-only memory known as the Boot ROM.
Jun 15, 2017
Recently, work hosted an event designed to bring my team closer together. Using the Surepeople PRISM, we spent the morning discussing our dominant psychological traits and how we can use them to better interact as a team. I thought the exercise was brilliant, and it led me to seek out other tools to broaden my self-awareness.
The first such tool I uncovered was the Johari Window.
My ultimate self-awareness goal is to shrink the “Blind Spot” window as much as possible.