9 private links
Hi! This is my Shaarli server, a site where I will be adding random links to talks and blog posts I find interesting or inspiring. Maybe if you look around you'll find something inspiring too.
My homepage: ivyfanchiang.ca
If your service needs to trust the clients, hold my Big Mac
After my last blog post about Hurl, someone asked me, and I quote: "... why?" The simple answer is "for the joke." But the longer answer is that useless software is a fantastic way to explore and experience the joy of computing. Play is an important part of exploration and joy.
Rendering text, how hard could it be? As it turns out, incredibly hard! To my knowledge, literally no system renders text “perfectly”. It’s all best-effort, although some efforts are more important than others.
Back in 2017, I was building a rich text editor in the browser. Unsatisfied with existing libraries that used ContentEditable, I thought to myself "hey, I'll just reimplement text selection myself! How difficult could it possibly be?" I was young. Naive. I estimated it would take two weeks. In reality, attempting to solve this problem would consume several years of my life, and even landed me a full time job for a year implementing text editing for a new operating system.
More and more businesses are moving away from monolithic servers and turning to event-driven microservices powered by cloud function providers like AWS Lambda. So, how do we hack in to a server that only exists for 60 milliseconds?
This talk will show novel attack vectors using cloud event sources, exploitabilities in common server-less patterns and frameworks, abuse of undocumented features in AWS Lambda for persistent malware injection, identifying valuable targets for pilfering, and, of course, how to exfiltrate juicy data out of a secure Virtual Private Cloud.
A few years ago, my cat gave me my most memorable middle of the night software engineering incident. I was working at a startup, and we didn’t have a formal on-call rotation yet. That was a deliberate decision, since being on-call is painful, and the team was good about just collectively keeping an eye out for urgent alerts. We eventually set up an on-call rotation, but before that happened, I had a fun night.
Hello friends! Hope your weekend plans did not go to shit because of some open source library you have no clue if it's being used in your environment or not because, well, let's face it: nobody fucking knows these things. Nobody has time for this. YoloOps is alive and well, boys!
Here's the thing that you will absolutely see written everywhere by some dumbass sycophant: "We need to secure the software supply chain!" Sure thing, bro. One problem, though: in order for a supply chain to be a supply chain, the chain must be comprised of suppliers. The masochist hero maintaining that library you just npm install without even thinking about it is not your fucking supplier.
Software provided under open source licenses is widely used, from forming high-profile stand-alone applications (e.g., Mozilla Firefox) to being embedded in commercial offerings (e.g., network routers). Despite the high frequency of use of open source licenses, there has been little work about whether software developers understand the open source licenses they use. To our knowledge, only one survey has been conducted, which focused on which licenses developers choose and when they encounter problems with licensing open source software. To help fill the gap of whether or not developers understand the open source licenses they use, we conducted a survey that posed development scenarios involving three popular open source licenses (GNU GPL 3.0, GNU LGPL 3.0 and MPL 2.0) both alone and in combination. The 375 respondents to the survey, who were largely developers, gave answers consistent with those of a legal expert's opinion in 62% of 42 cases. Although developers clearly understood cases involving one license, they struggled when multiple licenses were involved. An analysis of the quantitative and qualitative results of the study indicate a need for tool support to help guide developers in understanding this critical information attached to software components.
In August 2016, Apple issued updates to iOS and macOS that patched three zero-day vulnerabilities that were being exploited in the wild to remotely install persistent malcode on a target’s device if they tapped on a specially crafted link. We linked the vulnerabilities and malcode to US-owned, Israel-based NSO Group, a government-exclusive surveillance vendor described by one of its founders as “a complete ghost”.
Ever hear one of those stories where as it unravels, you lean in ever closer and mutter “No way! No way! NO WAY!” This one, as far as infosec stories go, had me leaning and muttering like never before. Here goes:
Last week, someone reached out to me with what they claimed was a Spoutible data breach obtained by exploiting an enumerable API. Just your classic case of putting someone else's username in the URL and getting back data about them, which at first glance I assumed was another scraping situation like we recently saw with Trello. They sent me a file with 207k scraped records and a URL that looked like this...
One of the biggest questions right now is, does using copyrighted work to train machine learning models constitute fair use? I think, by the definition set under common law, it does. But it shouldn’t. Let me explain.
Let's take a look at one of Twitter alternatives: Mastodon. Will it scale?
how one little joke can get so, so out of hand
Eric Bailey recently wrote on CSS-Tricks about testing your website on a crappy laptop and it reminded me of this anecdote from my own life.
There is a huge and ever-widening gap between the devices we use to make the web and the devices most people use to consume it. It’s also no secret that the average size of a website is huge, and it’s only going to get larger.
During our monitoring of Earth Lusca, we noticed a new campaign that used Chinese-Taiwanese relations as a social engineering lure to infect selected targets.
The iMessage PQ3 protocol is an end-to-end encrypted messaging protocol designed for exchanging data in long-lived sessions between two devices. It aims to provide classical and post-quantum confidentiality for forward secrecy and post-compromise secrecy, as well as classical authentication. Its initial authenticated key exchange is constructed from digital signatures plus elliptic curve Diffie–Hellman and post-quantum key exchanges; to derive per-message keys on an ongoing basis, it employs an adaptation of the Signal double ratchet that includes a post-quantum key encapsulation mechanism. This paper presents the cryptographic details of the PQ3 protocol and gives a reductionist security analysis by adapting the multi-stage key exchange security analysis of Signal by Cohn-Gordon et al. (J. Cryptology, 2020). The analysis shows that PQ3 provides confidentiality with forward secrecy and post-compromise security against both classical and quantum adversaries, in both the initial key exchange as well as the continuous rekeying phase of the protocol.
On February 8 2024, the Ministry of Public Safety released a statement that, following the National Summit on Combatting Auto Theft, they intend to take various actions to discourage auto theft. This is in response to a large amount of auto theft, and there are various stories about cars being stolen in Canada and shipped overseas to be sold.
As part of these actions, the Government of Canada wishes to ban certain hardware development tools like the Flipper Zero that have been used to steal cars with faulty security design. These tools have many legitimate uses such as security evaluation, understanding interoperability, and learning about wireless communication.
Git has been the de-facto version control system used by nearly every developer in the world for almost a decade now. While most of us know the basics, there are depths and hidden valleys of our Git tooling that even the most experienced of us may have never even heard of. Join Scott Chacon, a GitHub co-founder and the author of Pro Git, to dig into the hidden depths of obscure command line invocations to get more out of the amazing tool you use every day.
For the last 6 years my colleagues and I have been tracking the activities of the cyber-mercenaries we call Dark Caracal. In this time, we have observed them make a number of hilarious mistakes which have allowed us to gain crucial insights into their activities and victims. In this talk, we will discuss the story of Dark Caracal, the mistakes they have made, and how they have managed to remain effective despite quite possibly being the dumbest APT to ever exist.
Every once in a while I took a look at the various services I self-host and think to myself? Is hosting $X service by myself really worth the cost? What is the cost? Would paying someone to host said service be more cost efficient?
That got me thinking about, what are the costs of self hosting? Let’s talk about it.
This post is dedicated to the memory of Niklaus Wirth, a computing pioneer who passed away January 1st. In 1995 he wrote an influential article called “A Plea for Lean Software”, and in what follows, I try to make the same case nearly 30 years later, updated for today’s computing horrors.
The most important lesson to figure out is why it is taking so long to restore services. That will tell us how to prevent such a calamity in other vital national institutions.
I run my own Matrix homeserver that I share with friends and family. Ever since I started working for Element back in February of 2020, I've learned a lot more about the Matrix protocol and what's possible to do with it. During a conversation with a few privacy minded friends that use my HS (HomeServer), I pointed out that the admin of a homeserver has a lot of power over their accounts and that they as users explicitly trust the admin. In this post, I want to explore and document the ways a malicious admin can mess with the privacy of a Matrix account. Note: malicious admin in this case can also mean a hacked admin.
Logs are a vital component for maintaining application reliability, performance, and security. They serve as a source of information for developers, security teams, and other stakeholders to understand what has happened or gone wrong within an application. However, logs can also be used to compromise the security of an application by injecting malicious content.
In this presentation, we will explore how ANSI escape sequences can be used to inject, vandalize, and even weaponize logfiles of modern applications. We will revisit old terminal injection research and log tampering techniques from the 80-90s, and combine them with new features to create chaos and mischief in the modern cloud cli's, mobile, and feature-rich DevOps terminal emulators of today....
Recently I came across a puzzling fact: the International Criminal Court hashes electronic evidence with MD5, even though MD5 is badly broken. So, why are lawyers using broken, outdated technology? The answer involves the common law system, cultural isolation, and a single man named Don L. Lewis.
We conduct the first large-scale user study examining how users interact with an AI Code assistant to solve a variety of security related tasks across different programming languages. Overall, we find that participants who had access to an AI assistant based on OpenAI's codex-davinci-002 model wrote significantly less secure code than those without access. Additionally, participants with access to an AI assistant were more likely to believe they wrote secure code than those without access to the AI assistant. Furthermore, we find that participants who trusted the AI less and engaged more with the language and format of their prompts (e.g. re-phrasing, adjusting temperature) provided code with fewer security vulnerabilities. Finally, in order to better inform the design of future AI-based Code assistants, we provide an in-depth analysis of participants' language and interaction behavior, as well as release our user interface as an instrument to conduct similar studies in the future.
Sometimes, making particular security design decisions can have unexpected consequences. For security-critical software, such as password managers, this can easily lead to catastrophic failure: In this blog post, we show how Bitwarden’s Windows Hello implementation allowed us to remotely steal all credentials from the vault without knowing the password or requiring biometric authentication. When we discovered this during a penetration test it was so unexpected for us that we agreed with our client to publish a blog post about it and tell the story.
Breaking "DRM" in Polish trains - Redford, q3k and MrTick - 37th Chaos Communication Congress (37C3)
We've all been there: the trains you're servicing for a customer suddenly brick themselves and the manufacturer claims that's because you've interfered with a security system.
This talk will tell the story of a series of Polish EMUs (Electric Multiple Unit) that all refused to move a few days after arriving at an “unauthorized” service company. We'll go over how a train control system actually works, how we reverse-engineered one and what sort of magical “security” systems we actually found inside of it.
Reality sometimes is stranger than the wildest CTF task. Reality sometimes is running unlock.py
on a dozen trains.
Imagine discovering a zero-click attack targeting Apple mobile devices of your colleagues and managing to capture all the stages of the attack. That’s exactly what happened to us! This led to the fixing of four zero-day vulnerabilities and discovering of a previously unknown and highly sophisticated spyware that had been around for years without anyone noticing. We call it Operation Triangulation. We've been teasing this story for almost six months, while thoroughly analyzing every stage of the attack. Now, for the first time, we're ready to tell you all about it. This is the story of the most sophisticated attack chain and spyware ever discovered by Kaspersky.
Searching the Internet for information sucks. We live in an age of information surplus. At any point in the internet there are an unimaginable number of things to read, watch, listen to, and play through. The average person's backlog of entertainment stretches for several lifetimes.
It is impossible to consume all of the information on the Internet. It was impossible even when the Internet was much smaller. Much, much smaller.
John Graham-Cumming wrote an article today complaining about how a computer system he was working with described his last name as having invalid characters. It of course does not, because anything someone tells you is their name is — by definition — an appropriate identifier for them. John was understandably vexed about this situation, and he has every right to be, because names are central to our identities, virtually by definition.
So, you’ve been invited to an unconference! Maybe you’re not entirely sure what that means (did the organizers misspell "conference"?), or maybe you’ve been to dozens of these before and you’re looking for some ideas for how to run an awesome session.
WebAuthn and FIDO2 promise a great future. Let's see if we can have it today.
It's possible!
This is a presentation about risk, preparedness, and how to do make your best attempt to build defenses against some of the worst threats and potential problems that might ever arise in your life. Keeping your loved ones as well as your community safe is something to always keep in mind and this presentation walks through some of the most critical steps that it is possible to take... before your world explodes in a disaster.
Between July and October of this year, I did a lot of reading and writing about the role of Meta and Facebook—and the internet more broadly—in the genocide of the Rohingya people in Myanmar. The posts below are what emerged from that work.
The format is a bit idiosyncratic, but what I’ve tried to produce here is ultimately a longform cultural-technical incident report. It’s written for people working on and thinking about (and using and wrestling with) new social networks and systems. I’m a big believer in each person contributing in ways that accord with their own skills. I’m a writer and researcher and community nerd, rather than a developer, so this is my contribution.
More than anything, I hope it helps.
A common question: “Is Python interpreted or compiled?” Usually, the asker has a simple model of the world in mind, and as is typical, the world is more complicated.
Today at 1651 UTC, we opened an internal incident entitled "Facebook DNS lookup returning SERVFAIL" because we were worried that something was wrong with our DNS resolver 1.1.1.1. But as we were about to post on our public status page we realized something else more serious was going on.
The title of this post is pretty specific. It relates to the meme on Twitter where users identify a trait or preference that they see as problematic, and identify it as a red flag. The emoji represents the red flag. For example: A stylized red flag Blaming Screen Readers 🚩🚩🚩🚩🚩…
And here we see the usual pattern repeat itself. An inaccessible meme goes viral. After it is so tired that brands use it, someone relying on assistive technology points out how annoying this can be. Authors and developers jump up to blame assistive technology for being terrible at internetting.
Many companies have been trying to disrupt email by making it proprietary. So far, they have failed. Email keeps being an open protocol. Hurray?
No hurray. Email is not distributed anymore. You just cannot create another first-class node of this network.
Email is now an oligopoly, a service gatekept by a few big companies which does not follow the principles of net neutrality.
The gender-neutral singular they is a safe, better-than-guessing pronoun to use in situations where you can't ask.
When Grace started her job in security and open-source, she didn’t get the joke about honking geese folks in security would throw around and there was never a good time to ask. The same thing is happening for supply chain security. The landscape is evolving rapidly with high adoption but comprehensive documentations and talks, especially for beginners, are still lagging behind. Starting with why we care about supply chain security, the talk will provide an overview of the landscape and how tools like Fulcio, Rekor and cosign come together. Unlike geese, we won’t hiss at you!
In this Discourse, Tom Scott talks about science communication in the age of social media, how to be popular on the internet, and dealing with a world where view counts are often more important than truth.
Okay, we get it, anyone can edit Wikipedia so it's unreliable — have you tried reading the citations though?
We're not quite sure exactly when email was invented. Sometime around 1971. We do know exactly when spam was invented: May 3rd, 1978, when Gary Thuerk emailed 400 people an advertisement for DEC computers. It made a lot of people very angry... but it also sold a few computers, and so junk email was born.
Fast forward half a century, and the relationship between email and commerce has never been more complicated. In one sense, the utopian ideal of free, decentralised, electronic communication has come true. Email is the ultimate cross-network, cross-platform communication protocol. In another sense, it's an arms race: mail providers and ISPs implement ever more stringent checks and policies to prevent junk mail, and if that means the occasional important message gets sent to junk by mistake, then hey, no big deal - until you're sending out event tickets and discover that every company who uses Mimecast has decided your mail relay is sending junk. Marketing teams want beautiful, colourful, responsive emails, but their customers' mail clients are still using a subset of HTML 3.2 that doesn't even support CSS rules. And let's not even get started on how you design an email when half your readers will be using "dark mode" so everything ends up on a black background.
Email is too big to change, too broken to fix... and too important to ignore. So let's look at what we need to know to get it right. We'll learn about DNS, about MX and DKIM and SPF records. We'll learn about how MIME actually works (and what happens when it doesn't). We'll learn about tools like Papercut, Mailtrap, Mailjet, Foundation, and how to incorporate them into your development process. If you're lucky, you'll even learn about UTF-7, the most cursed encoding in the history of information systems. Modern email is hacks top of hacks on top of hacks... but, hey, it's also how you got your ticket to be here today, so why not come along and find out how it actually works?
When we build a website these days, there’s a 110% chance that it’s got some form of JavaScript on it. Whether it’s a full framework, for animations, to trigger a popup or as a tracking script, JavaScript is all around us.
But what if I told you that you didn’t have to use JavaScript at all? Not even as a build process? Thanks to updates in browser technologies, there’s now a plethora of native browser features that allow building modern, functional websites, sans JavaScript.
So together, we’ll build out a completely static website, a collection of HTML and CSS files, no tracking, no scripting, no servers, no third-party resources. Let’s build a website the way we used to (but no marquees).
This presentation will highlight some of the most exciting and shocking methods by which my team and I routinely let ourselves in on physical jobs.
Many organizations are accustomed to being scared at the results of their network scans and digital penetration tests, but seldom do these tests yield outright "surprise" across an entire enterprise. Some servers are unpatched, some software is vulnerable, and networks are often not properly segmented. No huge shocks there. As head of a Physical Penetration team, however, my deliverable day tends to be quite different. With faces agog, executives routinely watch me describe (or show video) of their doors and cabinets popping open in seconds.