Decrypting Java TLS to View in Wireshark

Use this to recover TLS session keys for a java program.

October 26, 2018 · 1 min · Me

Mallory in the Mobile

Use mallory proxy to view non-https encrypted mobile traffic

October 15, 2018 · 8 min · Me

The new face of the security team DoS

Nearly a year ago, I wrote about an emerging trend I observed with some of the bounty researchers I was interacting with. This screed can be considered an extension of that article. There an emerging trend I’m noticing - I’ve been receiving more messages like the following: Hey , I found Security Vulnerability in your web application ,which can damage site as well as users too.For security purpose can we report vulnerability here,then will i get bounty bounty reward in PayPal or Bitcoin for Security bug ?...

September 14, 2018 · 2 min · Me

Spacemacs Go Layer and Environment Variables on macOS

Configuring Spacemacs Go layer and environment variables on macOS

August 13, 2018 · 3 min · Me

Spacemacs Org Mode Introduction

Update: 2018-08-10 Shortly after writing this post, I switched to Spacemacs develop branch - cd ~/.spacemacs && git checkout develop This upgraded my Spacemacs to version [email protected]. This had the unexpected side effect of changing several of the key bindings below. Settinm schedules and deadlines - now require a prefix of SPC m d before entering your selection (d for deadlines, s for scheduling) Sparse trees - keybind moved to SPC m s s Archive tree - keybind moved to SPC m s A (I didn’t cover this in my original article, but this is how I archive DONE tasks) Show all TODO and deadlines - keybind moved to SPC m s s t and SPC m s s d Introduction This is a basic overview of org-mode inside of Spacemacs....

August 6, 2018 · 6 min · Me

My Security 101 - 2018 update

In a post from 2015,, I write about some of the “Security 101” issues I considered to be fundamental. Since 2015, I’ve been exposed to several environments where I have seen the same basic security fails. In addition to my previous Security 101 items (2FA, avoiding password reuse, using a password manager, being mindful of what gets posted on social media, and inspecting email links) I would like to add the following new items to my “Security 101”:...

August 2, 2018 · 2 min · Me

DevTube

I found this DevTube on HackerNews the other day and I want to save it for later.

July 10, 2018 · 1 min · Me

Lisp on MacOS

Towards a working LISP environment on macOS

July 6, 2018 · 5 min · Me

MacOS open source apps

I found this MacOS Open Source apps list on HackerNews the other day and I want to save it for later.

July 3, 2018 · 1 min · Me

Static Analysis with Burp Suite

I’m so far behind the times, it’s sad. Burp Suite gained the ability to perform static analysis on JavaScript libraries back in 2014. Some sites and authors have already blogged about what their approach is for implementing this.I’d like to echo Lukas’s method, but with an easier setup. Simply navigate to the local directory containing the app and serve it using Python’s built-in HTTP server. python2 syntax: python -m SimpleHTTPServer <port> python3 syntax: python3 -m http....

April 10, 2018 · 1 min · Me

Cross-Account file access on AWS S3

The Problem Secure file sharing using AWS S3: I upload a file to an S3 bucket with restricted permissions The client downloads the file and processes it The client uploads the results to the S3 bucket I download the processed file and the transaction is complete I thought setting the permissions on the bucket would be enough. I was wrong. The Setup I use a federated login to AWS and assume a role under a corporate account....

March 30, 2018 · 3 min · Me

Hands on with Brave Browser

Brave, the new Firefox? I’ve been using the Brave browser as my full-time web browser for two weeks now, primarily version 0.21.18. It’s easy to tell the software is not yet at version 1.0, and although I’m not ready for this to replace Vivaldi, I really want it to. Brave is fast. Really fast. It has built-in adblocking and anti-fingerprinting technology. Previously, I’ve relied on uBlock Origin and Privacy Badger for adblocking and anti-fingerprinting....

March 6, 2018 · 4 min · Me

A Lesson for Bug Bounty Researchers

I’m managing a bug bounty program that has shown tremendous benefit so far. Several findings have been extremely clever, and I’ve been fortunate enough to have good interactions with the vulnerability researchers. However, I’ve also had a few unsatisfactory interactions with researchers. This post is directed at Bug Bounty researchers that do not have much experience in corporate environments. I think a list of do’s and don’ts is appropriate for this breakdown....

October 20, 2017 · 4 min · Me

iOS and Android Native Code Protections

iOS Secure Boot Chain Each step of the startup process contains components that are cryptographically signed by Apple to ensure integrity and that proceed only after verifying the chain of trust. This includes the bootloaders, kernel, kernel extensions, and baseband firmware. This secure boot chain helps ensure that the lowest levels of software aren’t tampered with. When an iOS device is turned on, its application processor immediately executes code from read-only memory known as the Boot ROM....

June 19, 2017 · 27 min · Me

Self Evaluation

Recently, work hosted an event designed to bring my team closer together. Using the Surepeople PRISM, we spent the morning discussing our dominant psychological traits and how we can use them to better interact as a team. I thought the exercise was brilliant, and it led me to seek out other tools to broaden my self awareness. The first such tool I uncovered was the Johari Window. Johari Window My ultimate self awareness goal is to shrink the “Blind Spot” window as much as possible....

June 15, 2017 · 2 min · Me