Hi! This is my Shaarli server, a site where I will be adding random links to talks and blog posts I find interesting or inspiring. Maybe if you look around you'll find something inspiring too.

My homepage: ivyfanchiang.ca

If your service needs to trust the clients, hold my Big Mac

After my last blog post about Hurl, someone asked me, and I quote: "... why?" The simple answer is "for the joke." But the longer answer is that useless software is a fantastic way to explore and experience the joy of computing. Play is an important part of exploration and joy.

Back when this profession of ours was trying to find its place in the world, some smart people who thought the state of computing was shit got together and started to make some noise. The L0pht fellas testified in front of the US Congress, the cDc folks released tools that not only mocked Microsoft but pretty much made the company do something to at least save face, and hacker conferences were all the rage. Those were the days of smashing stacks for fun and profit, and the days some people realized that powerful technology companies were putting us all at risk for profit and no fun.
Some of those folks went on to start their own cybersecurity companies, some went on to work for governments, or work for the very companies they were ridiculing not too long ago. Some have tried to keep the flame alive and bring back that vibe. And, somewhere along the way, shit got weird.

In addition to being certified as a Forensic Locksmith and a Safe and Vault Technician, it sometimes surprises people to learn that I am a Life Safety NFPA & ADA Consultant and Fire Door Inspector. "Deviant, do you make a lot of money doing safety inspections like that?" I get asked. The answer is a resounding no. I didn't take this training for the money, however. I learned about fire doors and fire suppression systems so that I can speak knowledgeably about them if I'm using this field as a cover identity during a break-in job.
This presentation is a comprehensive crash course in the field of National Fire Prevention Association knowledge and building codes. The rundown offered will afford you a lot of useful tips, terminology, and insider knowledge that you can rattle off at an unsuspecting employee or guard who is curious as to what you're doing inside of their building.

What do you do when you’ve found an arbitrary file delete as NT AUTHORITY\SYSTEM? Probably just sigh and call it a DoS. Well, no more. In this article, we’ll show you some great techniques for getting much more out of your arbitrary file deletes, arbitrary folder deletes, and other seemingly low-impact filesystem-based exploit primitives.

Rendering text, how hard could it be? As it turns out, incredibly hard! To my knowledge, literally no system renders text “perfectly”. It’s all best-effort, although some efforts are more important than others.

Back in 2017, I was building a rich text editor in the browser. Unsatisfied with existing libraries that used ContentEditable, I thought to myself "hey, I'll just reimplement text selection myself! How difficult could it possibly be?" I was young. Naive. I estimated it would take two weeks. In reality, attempting to solve this problem would consume several years of my life, and even landed me a full time job for a year implementing text editing for a new operating system.

More and more businesses are moving away from monolithic servers and turning to event-driven microservices powered by cloud function providers like AWS Lambda. So, how do we hack in to a server that only exists for 60 milliseconds?

This talk will show novel attack vectors using cloud event sources, exploitabilities in common server-less patterns and frameworks, abuse of undocumented features in AWS Lambda for persistent malware injection, identifying valuable targets for pilfering, and, of course, how to exfiltrate juicy data out of a secure Virtual Private Cloud.

A few years ago, my cat gave me my most memorable middle of the night software engineering incident. I was working at a startup, and we didn’t have a formal on-call rotation yet. That was a deliberate decision, since being on-call is painful, and the team was good about just collectively keeping an eye out for urgent alerts. We eventually set up an on-call rotation, but before that happened, I had a fun night.

Hello friends! Hope your weekend plans did not go to shit because of some open source library you have no clue if it's being used in your environment or not because, well, let's face it: nobody fucking knows these things. Nobody has time for this. YoloOps is alive and well, boys!
Here's the thing that you will absolutely see written everywhere by some dumbass sycophant: "We need to secure the software supply chain!" Sure thing, bro. One problem, though: in order for a supply chain to be a supply chain, the chain must be comprised of suppliers. The masochist hero maintaining that library you just npm install without even thinking about it is not your fucking supplier.

Software provided under open source licenses is widely used, from forming high-profile stand-alone applications (e.g., Mozilla Firefox) to being embedded in commercial offerings (e.g., network routers). Despite the high frequency of use of open source licenses, there has been little work about whether software developers understand the open source licenses they use. To our knowledge, only one survey has been conducted, which focused on which licenses developers choose and when they encounter problems with licensing open source software. To help fill the gap of whether or not developers understand the open source licenses they use, we conducted a survey that posed development scenarios involving three popular open source licenses (GNU GPL 3.0, GNU LGPL 3.0 and MPL 2.0) both alone and in combination. The 375 respondents to the survey, who were largely developers, gave answers consistent with those of a legal expert's opinion in 62% of 42 cases. Although developers clearly understood cases involving one license, they struggled when multiple licenses were involved. An analysis of the quantitative and qualitative results of the study indicate a need for tool support to help guide developers in understanding this critical information attached to software components.

In August 2016, Apple issued updates to iOS and macOS that patched three zero-day vulnerabilities that were being exploited in the wild to remotely install persistent malcode on a target’s device if they tapped on a specially crafted link. We linked the vulnerabilities and malcode to US-owned, Israel-based NSO Group, a government-exclusive surveillance vendor described by one of its founders as “a complete ghost”.

Ever hear one of those stories where as it unravels, you lean in ever closer and mutter “No way! No way! NO WAY!” This one, as far as infosec stories go, had me leaning and muttering like never before. Here goes:
Last week, someone reached out to me with what they claimed was a Spoutible data breach obtained by exploiting an enumerable API. Just your classic case of putting someone else's username in the URL and getting back data about them, which at first glance I assumed was another scraping situation like we recently saw with Trello. They sent me a file with 207k scraped records and a URL that looked like this...

One of the biggest questions right now is, does using copyrighted work to train machine learning models constitute fair use? I think, by the definition set under common law, it does. But it shouldn’t. Let me explain.

Let's take a look at one of Twitter alternatives: Mastodon. Will it scale?

how one little joke can get so, so out of hand

Eric Bailey recently wrote on CSS-Tricks about testing your website on a crappy laptop and it reminded me of this anecdote from my own life.

There is a huge and ever-widening gap between the devices we use to make the web and the devices most people use to consume it. It’s also no secret that the average size of a website is huge, and it’s only going to get larger.