Security Engineer @ Google. MSc in eng. physics & CompSci, dev & gamer. ❤️ music & long distance running. Wanna do a PhD sometime. Same U/N on all other sites
Waking up to a lot of bad takes on QR codes. QR codes are meant to be scanned, just as links are meant to be clicked. If your security posture requires these two things to not happen you have already lost. Blaming the user here is Dunning-Kruger riddled infosec posing.
@FreyaHolmer
Generally agree with the caveat that people open source things for very different reasons and "making it easy for others to use the code" may or may not be a motivation.
@littmath
Nice. We sometimes used VVVVVV at university for the Swedish "Vilket Var Vad Vi Ville Visa", roughly "Which was what we wanted to show". Guess the kids nowadays have a bit more sass.
Got some fantastic personal news to kick off the weekend. Thrilled to announce that in August I will join Google in the offensive security team in Zürich. Really excited about what this new chapter will bring.
Stop suggesting input validation as a fix for XSS. You handle it by context aware escaping when outputting, not by trying to prevent double quotes in your input.
@Hbomberguy
Started the audiobook recently. It's really good. Among my favorite parts so far:
- They're trying to kill me
- No one's trying to kill you
- Then why are they shooting at me?
- They're shooting at everyone. They're trying to kill everyone.
- And what difference does that make?
Come join us in the Google red team! We have a position open in NYC: The team is fantastic and the work is really cool. Message me if you have questions about the role but if you are interested please don't wait to get your application in.
I hate the self-deprecating personality in tech: the "I have no idea what I'm doing, I just copy-paste from SO until it works" crowd. Stop devaluing your own work and take some pride in your skills. Not only are you hurting yourself but also misrepresenting the field to beginners
@RLewisReports
I appreciate having a professional like you pointing subtle details like this out. A layman like me might have missed it otherwise. Really adds that extra depth to the viewing experience.
@LiveOverflow
Yeah, call me old fashioned but I believe that to be good at security you should first learn the thing you are trying to secure. Appsec: learn how to build software. Netsec: learn how to configure a network, etc
After a bit more than four amazing years in the Google red team, and almost three years in Switzerland, the time has come to move on to the next thing. At the end of October, with a mix of fear and excitement I'll move to London.
But first I'll help org Hackceler8 one last time!
That's a wrap for the qualification round of the Google #CTF Hackceler8. Four matches completed with four teams moving on to the finals next weekend. Had a great time doing video production and even commentating one match. Congrats to all the teams and good luck to the finalists!
There's some shady criminal on the loose in Zürich. Luckily I have been able to obtain some pictures of the suspect who is known to have been involved in several cyber attacks.
Less than two hours until #GoogleCTF starts. Good luck to everyone participating! Make sure to check out my reversing #CTF challenge which I will not apologize for. :)
This shit is absolutely gross. Just the other week I helped a colleague who suspected her ex of spying on her. Fuck this paper for helping these less than humans with this.
Are there any initiatives out there who could use some help from a reverse engineer maybe?
I'm not going to link to that @TechTimes_News story because they don't deserve the traffic. But I promise that this screenshot will be featured in all of my future talks about stalkerware and domestic abuse.
In July I joined the Offensive Security team at Google and it has been a great experience. The red team work is challenging and fun and the team is awesome but even better, we are looking for more. Check these:
Zurich:
Sunnyvale:
Them: Noooo! You can't just use an SMT solver for this cryptography problem. You have to fully understand the non-linear transformations over finite fields and the subtleties of working with GF(2)! Nooooo!
Me: haha, Z3 goes brrrrrr
Yesterday I handed in my notice at work. This means that I'm now openly looking for a new job. I would love to work with something related to reverse engineering, malware and/or vuln research. Willing to relocate. Open for remote. DMs are open.
If you play #CTF, which you definitely should at least try a couple of times, don't limit yourself to a single category. Try to push yourself to at least a "medium" level of proficiency in several or most of them. This will make competitions more fun and you will learn a lot.
@alicegoldfuss
Related:
1. Wow this thing is really hard
2. *spends ~40h to learn it*
3. Why don't you understand it after my 15 min lightning talk on the subject?
So, anyone else experiencing this thing in security where if you try to google technical details on a topic all you find is the same 5 basic concepts copy-pasted in 100 beginner guides and blog posts?
I love #CTF. I think it's great for entertainment and education. I have played countless of them and learned so much from them. That's why it really hurts to admit that #CTF are currently suffering from quality issues. The density of poor challenges is just too high ATM.
For the past few years I've been using a great fiverr artist to create some artwork for work. Unfortunately they have been MIA for 2+ months now and I realise that I probably need redundancy. I'm looking for a cartoon artist with similar style.
(Suggest AI = get instant block)
Every chapter has a beginning and an end. Today I'm working my last day at @KRYcare. Thanks for three great years with fantastic colleagues and exciting challenges. ❤️ Good luck in all the future work. Now I will enjoy some time off before starting at Google in Zürich in August.
Ok, we are doing this. Look what happens when you have crazy ideas at #35c3
I invite you to watch our 1st ed. of "pwny race" (name pending). Tune in to our stream: on Feb 9 to see some #CTF pwnable racing with 4 excellent players and my co-host @picklepwns
Another day, another garbage take from a bug bounty hunter. This is what makes the field look bad. Stop the gatekeeping BS and go back to running ffuf and retweeting SQL injection tricks.
#CTF is one of many forms of hacking, a great way to learn & research and a lovely community
Tomorrow we will open the application window for security interns at Google in Europe next summer. You can read more about the position, requirements and process here: If you have any questions, don't hesitate to reach out. Come spend the summer with us!
25 minutes to Stockholm Marathon. I'm out of shape and got food poisoning yesterday so it's going to be rough. Will have to dig deep into the experience of those 13 previous finishes. Bib number 10004 if anyone wants to follow results.
We raised $100k for Alzheimerfonden! Thanks @esamarathon for a fantastic week! So fun to meet so many great people (and this robot). See you all at the next one!
@SwiftOnSecurity
@JasonInTheWild
Jason is 100% spot on. Additionally, many of these budgets are ridiculously low. I spent high school churning out websites for $250-$1000 that simply wouldn't be possible with any other solution (that I've seen).
The Numberphile podcast is one of very few podcasts I listen to. The episodes are always great but this latest one was fantastic. Really interesting to hear about Tadashi's philosophy on things. Strong recommendation even if you are not that into mathematics.
Helped a friend to repair a device yesterday. The first 32 bytes of the EEPROM had broken down so I extracted the firmware, binary patched it to add a small offset on all EEPROM accesses and wrote it back together with updated EEPROM contents and it worked perfectly. Quite proud!
We played the DefCon #CTF qualifiers this weekend with the Scandinavian collaboration team @NorseCodeCTF and thanks to heroic efforts by the team we managed to qualify to the finals for a second time.
It was in the darkest hour and everything seemed desperate. The warriors of the north were on the verge of defeat. Hope was all but lost. They let out a mighty battle cry for a final charge and as if guided by Odin himself, seized not one, but two flags to triumph in the battle!
It looked really bleak for the warriors of the north but the taste for flags eventually set in and the hackers, fueled by shellcode and a desire for privescs, began their frenzy slaying challenge after challenge. In the end they stood triumphant as one of the qualifying teams.
Anyone else using their knuckles as a reminder of which months have 31 days vs which have 30/28? It's one of few "life hacks" I actually have found useful.
Inspired by @0xeb's 2018 #reconbrx talk, I decided to write an exploit for the Starcraft EUD bug. This turned into a challenge for the @MidnightSunCTF #CTF and a blog post:
I had a blast hosting @livectf together with our great team. Sure it was a bit stressful and an emotional rollercoaster but the reactions have been positive. I might write more later but for now I'll settle for posting this masterpiece by the genius @zaratec4
Speaking to one of the best vuln researchers I know. His exploit server is not working. Spend 30 min trying to help troubleshooting over Signal messages. Nothing makes sense, start to believe we hit some kind of Python bug...
...his server was listening on the wrong port.
The line-up for the second episode of the Pwny Racing () will be: borysp, hpmv, je and vos who will be fighting to be the first one to solve the pwnable challenge created by my amazing co-commentator @0xb0bb. Mark March 9th 15:00 UTC in your calendars!
As a person in tech, a good way to guarantee that you will be made obsolete is to attach your whole identity to a specific language or technology.
Become an expert at things but make sure to stay diverse and keep learning things and constantly evolve.
Almost euphoric right now. Despite the conditions (weather was perfect though) I performed my best marathon in many years. 13th Stockholm marathon finish (14th marathon total) in the bag. #stockholmmarathon
@0xabad1dea
I'd just like to interject for a moment. What you're referring to as BusyBox, is in fact, bad firmware/BusyBox, or as I've recently taken to calling it, bad firmware + BusyBox. It is not an OS unto itself, but rather another free component of a somewhat functioning consumer router
Sophia was a brilliant security researcher and a wonderful teammate when I was in HFS. I fondly remember tag-teaming on RE problems with her but also conversations about life, politics, religion and everything between.
She will be greatly missed.
Who needs margins? Finally finished my slides for the presentation I'm giving to some engineers at the Google Stockholm office tomorrow (today). Will hopefully be educational and inspiring and get some people more interested in security (and #CTF ofc).
Preparing my move to Zürich. 100 days of learning German on Duolingo. It's pretty difficult but I am seeing a little progress at least.
Join in you too:
Like many others, I'm very excited for #37C3. It does however seem like there will be no #CTF this time. We did some brainstorming in the CTF Discord and came up with the idea of a "CCC Potluck CTF". Please read about it and potentially contribute:
I have been programming for over 20 years and yesterday I finally learned (the basics of) how makefiles work. :D Just like there's always a frontier of your knowledge to push forward there will also be gaps within the areas you "know" to fill in and improve.
@gynvael
Give a 1h conference presentation where 15 minutes are about yourself, 15 minutes about basics of HTTP, 5 minutes about the bug itself and 20 minutes ranting about how everything is broken and that software developers are stupid. Last 5 min is about how much bounty you deserve.
Big update! We now host all Pwny Racing challenges on our servers so you can try your exploit against our systems. In this process, we rebuilt all challenges so you might need to adjust some offsets. Grab the updated challs from the freshly updated:
Got my #FlareOn7 medal 🏅! Thanks again to @nickharbour and the rest of the @fireeye FLARE team for putting on a great #CTF event this year again. Looking forward to the next one. Happy new year to all reverse engineers out there!
Had a great weekend in Copenhagen playing the DefCon #CTF with @NorseCodeCTF. I blame @adamdoupe for making me reverse a network card for 24h+. Great job everyone! Thanks to @oooverflow for hosting and GG to all the teams. Would have loved to meet in person. Next year!
We have now opened applications for security engineer internships at Google in Zürich and Stockholm. Apply here: and if you have any questions my DMs are open but hurry up because the deadline is the 22nd.
I've never been a big reader so this year I challenged myself to read every day using @SimoneGiertz's Every Day Calendar and by the looks of it, I will succeed. In total I have managed to read 21 books with a few more started and I thought I would highlight some of my favourites:
Our application window for security engineer interns will open very soon: apply and come spend some time in Zürich at an amazing workplace with fantastic colleagues. Reach out if you have any questions, and don't wait to get your application in!
Interested in the security and privacy teams at Google? The 0x0G Lounge is returning in a virtual format this year. There will be talks, panels and a #CTF. For more details, and to register, visit
Really proud to have participated as part of the Swedish/Icelandic team. I led the web application sub team and it was great fun. I'm very impressed by my teammates and how we worked together on this.
#LockedShields2023 has concluded! This year was even more competitive than previous years. As organisers, we saw a big jump in quality within the Blue Teams.
The most effective participants were the 🇸🇪-🇮🇸 joint team, followed by the 🇪🇪-🇺🇸 joint team and the 🇵🇱 team. Good job!
Every disagreement is not drama. Showing emotions is not "cringe". Having opinions is not "bias". Words matter. Most things are not binary. Stop pretending to be mindless robots. It's neither true nor an ideal to strive for.
This whole AI hype wave has become genuinely annoying. I find it so mind-numbingly uninteresting and yet it's starting to get challenging to find contexts where it's extremely prevalent. AI in all products, AI in all discussions, AI jokes, AI companies AI, AI, AI. Leave me alone!
I played the @1ns0mn1h4ck #CTF together with @TeamTasteless in Lausanne. We managed to get a 6th place and beat most of the other boomer teams so I'm pretty happy. Thanks for having me as a guest player and thanks for a great event! :D
The wait is soon over! Ep. 3 of Pwny Racing will go live on Sat April 13th at 15:00 UTC with @0xb0bb and me commentating our players @David3141593, @OwariDa, @jinmo123 and @maciekkotowicz trying to be the first to solve a pwnable challenge. Tune in:
I made a video for the #MegaFavNumbers playlist about how a not so random number broke the security of the Playstation 3: Check it out to learn a little bit about the security of the PS3 and elliptic curve cryptography.
@LiveOverflow
I started by using separate strings: "str1.matches(str2)", set up a test program to measure time, played around with various examples of "evil regex" I found in blog posts and that one gave good results then combined them into one single string.
Finally finished #flareon8. I had a good early start but had to take a break and didn't pick it up again until this week. With the exception of 3 & 5 I liked most challenges although sad that 10 had a cheese solution. Challenge 9 was nice. Thanks @nickharbour, @mikesiko and team!
Just came home from giving a guest lecture at the Royal Institute of Technology (KTH), my alma mater here in Stockholm. I covered the basics of binary exploitation as part of the fairly new "Ethical Hacking" course (dislike the term, love the initiative). Seemed appreciated.
@MalwareTechBlog
You could make a browser extension that screenshots and saves their last tweet or the last interaction with you or something like that.
Pretty sad how the go-to reaction in the comments is "just ignore them" and not "yeet these despicable fuckers out of this community so hard they can't tell up from down". There's more than enough respectful people to go around, no need to pad out with absolute trash.
This is why some women don't want to be a part of the #BugBounty community. Although there are of course really lovely people, messages like this can be a stark reminder of how far we have left to go
@MurmusCTF
Imo that's still a very weak argument. The QR reader should ask for a confirmation before opening other apps and furthermore, if an intent can cause a state-change in an app without user interaction, that's a vulnerability in the same vein as a CSRF.
Time for the first live stream of the year. This time I will do some blind solves of some #CTF challenges from "The Nixu Challenge". Join me on YT today at 18:00 UTC: