Hands on with Brave Browser

Brave, the new Firefox? I’ve been using the Brave browser as my full-time web browser for two weeks now, primarily version 0.21.18. It’s easy to tell the software is not yet at version 1.0, and although I’m not ready for this to replace Vivaldi, I really want it to. Brave is fast. Really fast. It has built-in adblocking and anti-fingerprinting technology. Previously, I’ve relied on uBlock Origin and Privacy Badger for adblocking and anti-fingerprinting. The same ads and trackers are blocked using Brave, but what I really enjoy is the metric that Brave presents on each new tab: ...

March 6, 2018 · 4 min · Chris

A Lesson for Bug Bounty Researchers

I’m managing a bug bounty program that has shown tremendous benefit so far. Several findings have been extremely clever, and I’ve been fortunate enough to have good interactions with the vulnerability researchers. However, I’ve also had a few unsatisfactory interactions with researchers. This post is directed at Bug Bounty researchers that do not have much experience in corporate environments. I think a list of do’s and don’ts is appropriate for this breakdown. ...

October 20, 2017 · 4 min · Chris

iOS and Android Native Code Protections

iOS Secure Boot Chain. Each step of the startup process contains components that are cryptographically signed by Apple to ensure integrity and that proceed only after verifying the chain of trust. This includes the bootloaders, kernel, kernel extensions, and baseband firmware. This secure boot chain helps ensure that the lowest levels of software aren’t tampered with. When an iOS device is turned on, its application processor immediately executes code from read-only memory known as the Boot ROM. This immutable code, known as the hardware root of trust, is laid down during chip fabrication, and is implicitly trusted. The Boot ROM code contains the Apple Root CA public key, which is used to verify that the iBoot bootloader is signed by Apple before allowing it to load. This is the first step in the chain of trust, where each step ensures that the next is signed by Apple. When iBoot finishes its tasks, it verifies and runs the iOS kernel. For devices with an S1, A9, or earlier A-series processor, an additional Low-Level Bootloader (LLB) stage is loaded and verified by the Boot ROM and in turn loads and verifies iBoot. ...

June 19, 2017 · 27 min · Chris

Self Evaluation

Recently, work hosted an event designed to bring my team closer together. Using the Surepeople PRISM, we spent the morning discussing our dominant psychological traits and how we can use them to better interact as a team. I thought the exercise was brilliant, and it led me to seek out other tools to broaden my self-awareness. The first such tool I uncovered was the Johari Window. [Figure: Johari Window] My ultimate self-awareness goal is to shrink the “Blind Spot” window as much as possible. I’m pretty sure anyone who’s met me knows that my “Arena” window is large, and probably larger than the usual person’s. My façade window is proportionately smaller. ...

June 15, 2017 · 2 min · Chris

Metaworking

Trello fascinated me upon its release in 2011. I’ve written before about my time management (lack of) skills, and Trello appeared to be my solution - it offered a sleek view of all of my outstanding tasks. Try as I might, I could not make Trello work for me. Over and over again, I would fail to use it. I just could not make myself stick with it. There was a captivating quality about Trello, however, because it was constantly mentioned in tweets, blogs, and articles. I wanted to make it work for me but it seemed that I just could not. ...

May 15, 2017 · 2 min · Chris

Password Manager Advice

A developer at work asked a general question to the group: “I’m thinking about using either LastPass or 1Password, anything I should know?” As the team’s newest “Security Guy”, I answered with this brief response: LastPass is easier to get started with as someone who’s never used a password manager before. Their product is seamlessly integrated into browsers and mobile devices, although it’s not the prettiest. LastPass stores your encrypted password vault on their servers. They’ve been breached or had other security issues several times (https://en.wikipedia.org/wiki/LastPass), though they have been transparent with their user community about the events and how they handled them - this is a Good Thing™ when choosing a password manager. 1Password, by default, stores your encrypted password vault locally. This is what led me to originally use it over LastPass. You have the option of syncing it across devices via Dropbox or iCloud, so the security of your vault rests in these third parties and in the strength of your master password. 1Password also easily integrates into your browser via their bundled plugin, so it’s as easy to use as LastPass. ...

April 17, 2017 · 3 min · Chris

Developing an Application Security Program

Since my last post, I’ve left my position with the consultancy. I’m now working for a medium-sized corporation in a senior application security role. One of my many tasks is to contribute to the development of an Application Security program. This post will serve as my thoughts on setting up an AppSec Program. Measuring current performance: The Building Security In Maturity Model (BSIMM) is a study of existing software security initiatives used by 95 companies of varying size across six verticals. In my organization, there is a lack of movement without consensus. This endeavour has taught me that the BSIMM’s major value has been the influence it wields by virtue of including this swathe of companies. ...

March 21, 2017 · 2 min · Chris

Fix AWS SSL Certificate error in Burpsuite

This morning, while I was trying to proxy traffic to this site in Burp Suite, I ran across an SSL handshake error. Googling the issue returned this helpful article that got me started on the right path. The crux of the problem was that the JRE didn’t have the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files installed. However, since that article was published, PortSwigger began bundling the JRE with Burp Suite itself. ...

January 11, 2017 · 2 min · Chris

Birthday - Asteroids

Recently, I celebrated a birthday. Typically, this is a joyous time, and I have many things to be grateful for. However, this birthday comes during a difficult year. As my wife and I were discussing this the other day, I realized that life can be a lot like the Atari game ‘Asteroids’. [Figure: Atari Asteroids] ...

October 5, 2016 · 2 min · Chris

Static Sites in 2016 - Updated

In a previous post I discussed the complicated process of configuring S3 to use Letsencrypt to obtain a TLS certificate. That post served as a reference for me to re-implement Letsencrypt every 90 days. Since then, my 90-day Letsencrypt certificate expired, and I was at a loss for how to reinstate it. Using my own post as a reference didn’t help me with the arcane letsencrypt errors I was encountering. It was a pain in the ass trying to remember how to configure and use a combination of letsencrypt, awscli, virtual machines to run them in (letsencrypt has since implemented a docker option for running on OS X), et cetera, et cetera. I was hoping to get all of this done during a brief lull in my workday. Nope.jpg. I’m chalking my experience up to the non-standard use case of using letsencrypt to generate a TLS certificate for a site hosted on S3. Perhaps in the future there will be native support for S3/CloudFront sites in letsencrypt, but it’s not there yet. ...

October 3, 2016 · 3 min · Chris