Hey there,

I hope you’ve been doing well!

Hard Truths

We start relationships brimming with anticipation.

We can read novels of meaning from a crinkle of their eye or turn of their lips, or drift away, content, in the fragrance of their hair.

Sometimes things are almost perfect, if we could just change one thing. Sometimes you can.

But other times, there are hard mathematical truths we must face, as this image by Ericstotle reminds us.

I'll Change Him

(Read further in the linked thread for an explanation if you forget your calculus.)

Other Museums

After I mentioned a few virtual museums last week, some readers mentioned some other great options.

  • lcamtuf’s Museum of Broken Packets (H/T Jon Oberheide)
  • Take a 3D tour of The National Museum of Computing. I’ve visited Bletchley Park (where Alan Turing and many others helped break German ciphers in World War 2) before, and it was incredible. I highly recommend checking it out if you have the chance. (H/T James Mckinlay)

Cloud Security Orienteering

I’m incredibly excited to announce the next tl;dr sec guest post, by my friend Rami McCarthy: Cloud Security Orienteering.

Rami kindly agreed to turn his DEF CON Cloud Village talk into a detailed guide on how to rapidly orient yourself in a totally unfamiliar cloud environment, identify and prioritize risks, and create an actionable plan for securing it.

It’s pretty great, highly recommend checking it out.

He also distilled the guide down into an actionable checklist, of specific tasks to do, in order.

If you want the Clint Notes™ version, you can check out my summary tweet thread.

Here’s a quick preview:



📢 Protect Access to Your SaaS Data with AppOmni

SaaS applications have evolved into complex platforms that provide data access not only to internal users, but also to external users, 3rd party apps, contractors, and managed service providers. In short, there are now more categories of users, and more data access points for attackers to exploit. Over 95% of enterprises we’ve analyzed have over-provisioned external users with access to sensitive data. See who has access to your business-critical data with AppOmni’s free risk assessment.

Learn More or Request a Risk Assessment

📜 In this newsletter...

  • AppSec: Malicious PDF generator, ElectronJS hardener
  • Static Analysis: Thread on how to use SAST (in)effectively
  • Web Security: Making a JavaScript payload that's terrible to reverse, how Figma is securing internal web apps
  • Cloud Security: Thorough threat model of S3
  • Container Security: Threat hunting with Kubernetes audit logs, tool to determine if Kubernetes was deployed securely
  • Blue Team: macOS 11's hidden security improvements, top 15 vulnerabilities used to target Linux systems
  • Red Team: How to escalate privileges when you can use a package manager
  • Politics / Privacy: U.S. vs China discussion, Taliban has seized U.S. military biometrics devices, academics warn of risks of Apple's CSAM scanning approach, OnlyFans is/isn't banning adult content
  • Burnout: Mandatory team fun time, and an honest discussion of burnout and recovery
  • Misc: Parse a number of *nix command output to JSON

AppSec

By Jonas Lejon: “Generate ten different malicious pdf files with phone-home functionality. Can be used with Burp Collaborator. Used for penetration testing and/or red-teaming.”

A Rust library and command line tool to harden Electron binaries against runtime behavior modifications.

Static Analysis

Some interesting comments in this thread. I’ve taken a few snippets that touch on things I’ve seen successful across a number of companies (bolding mine).

NetSuite’s John Melton:

I … disagree. SAST (like all tools) has limits. Out of the box, sure, it’s got issues. But targeted SAST, custom rules, etc. are really solid. I particularly like using SAST to enforce invariants rather than finding bugs.

Netflix’s Patrick Thomas:

If choosing to invest in either “build SAST that detects bad impl of <thing>” or “build clearly secure component for <thing> & a way to assert usage”, I’m door #2 for sure.

All-around baller Jim Manico:

SAST is horrible when you run it at scale with no customization and just throw raw results back at developers. This is a path to total failure. Maturing a SAST program takes per-app customization.

Marqeta’s Ronnie Flathers:

I think SAST is much better as a scalpel than a shotgun - i.e. I know my code bases well and these are very specific issues and anti-patterns I want to surgically hunt down and prevent. Then write custom rules and use a fast engine like @semgrep in a pipeline as a guardrail (2/2)
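To make the “scalpel” and “enforce invariants” ideas concrete, here’s an added example (mine, not code from anyone in the thread) of an invariant-style rule written against Python’s ast module instead of as a Semgrep rule. It asserts two properties a team might decide must always hold: all outbound HTTP goes through a vetted wrapper module (the module name internal_http is a hypothetical placeholder), and subprocess is never invoked with shell=True. The source it scans is a constructed sample.

```python
"""Added example: a custom 'SAST rule' that enforces invariants rather than
hunting generic bugs. Two invariants are asserted over Python source:
  1. outbound HTTP goes through the team's vetted wrapper module
     (`internal_http` is a hypothetical name), never requests/urllib3/httpx;
  2. subprocess is never invoked with shell=True.
The sample source at the bottom is constructed for the demo."""
import ast
from dataclasses import dataclass

APPROVED_HTTP_MODULE = "internal_http"            # assumption: the vetted client module
BANNED_HTTP_MODULES = {"requests", "urllib3", "httpx"}


@dataclass
class Finding:
    rule: str
    line: int
    message: str


class InvariantChecker(ast.NodeVisitor):
    """Walks the AST once, tracking import aliases so that both
    `import subprocess as sp` and `from subprocess import run` resolve to 'subprocess.*'."""

    def __init__(self):
        self.findings = []
        self.aliases = {}    # local name -> fully qualified name it refers to

    def _report(self, rule, node, message):
        self.findings.append(Finding(rule, node.lineno, message))

    def visit_Import(self, node):
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = alias.name
            if alias.name.split(".")[0] in BANNED_HTTP_MODULES:
                self._report("direct-http-client", node,
                             f"import of {alias.name}; use {APPROVED_HTTP_MODULE} instead")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        module = node.module or ""           # relative imports have module=None
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = f"{module}.{alias.name}"
        if module.split(".")[0] in BANNED_HTTP_MODULES:
            self._report("direct-http-client", node,
                         f"import from {module}; use {APPROVED_HTTP_MODULE} instead")
        self.generic_visit(node)

    def _qualified_name(self, node):
        """Turn `a.b.c` into a dotted string, resolving the root name through aliases."""
        parts = []
        while isinstance(node, ast.Attribute):
            parts.append(node.attr)
            node = node.value
        if not isinstance(node, ast.Name):
            return None                      # e.g. a call on a call result; not tracked
        parts.append(self.aliases.get(node.id, node.id))
        return ".".join(reversed(parts))

    def visit_Call(self, node):
        callee = self._qualified_name(node.func) or ""
        if callee.startswith("subprocess."):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self._report("subprocess-shell-true", node,
                                 f"{callee} called with shell=True; pass an argv list instead")
        self.generic_visit(node)


def check_source(source):
    """Run both invariants over one file's source text; returns findings ordered by line."""
    checker = InvariantChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: f.line)


# Constructed sample: two violations (lines 2 and 10) and one compliant HTTP call.
SAMPLE_SOURCE = """
import requests
import subprocess as sp
from internal_http import get

def fetch(url):
    return requests.get(url, timeout=5)

def list_dir(path):
    return sp.check_output("ls " + path, shell=True)

def fetch_ok(url):
    return get(url)
"""

if __name__ == "__main__":
    for finding in check_source(SAMPLE_SOURCE):
        print(f"{finding.rule}:{finding.line}: {finding.message}")
```

Neither check tries to decide whether a given line is exploitable; each asserts a property the team has already decided must hold, so a hit is a policy violation with an obvious fix rather than a “maybe” to triage. That is what makes it a guardrail you can put in a pipeline without drowning developers in results.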

Web Security

Anti-Debug JS/WASM by Hand
“Let’s write the most cursed abomination to ever grace a web browser.” Remy describes making some JavaScript that’s miserable to debug: WebAssembly by hand, WebAssembly bytecode with HTML in it, that HTML has embedded JavaScript in it, …

Inside Figma: securing internal web apps
Figma’s Max Burkhardt describes their system to securely provide access to internal apps using AWS ALBs, Cognito, Okta, and Lambdas. Loved the details on getting fine-grained access control right.

The discerning tl;dr sec reader might recall Hongyi Hu’s AppSec Cali 2019 talk on how Dropbox secures internal apps (my summary), which is still one of my favorite talks on modern security engineering, highly recommend it. In fact, Dev Akhawe and Hongyi were at Dropbox, and are now on Figma’s security team with Max. Small world!

Figma Internal Apps

Cloud Security

The last S3 security document that we’ll ever need, and how to use it
163-page Threat Model of S3 by TrustOnCloud’s Jonathan Rault covering:

  1. Best practices (best security/effort ratio)
  2. Reviewing the service depending on your application(s), and implementing the controls based on your risk tolerance
  3. Onboarding for large enterprises/agencies
  4. Compliance mapping to demonstrate a risk-based approach, gap analysis and formulating an action plan
S3 Best Practices
S3 Compliance Mapping

Container Security

Threat Hunting with Kubernetes Audit Logs - Part 2
Square’s Ramesh Ramani walks through threat hunting using ATT&CK for Containers.

  • Execution: Finding repeated exec failures
  • Persistence: Unusual cronjob creation failures
  • Privilege Escalation: Users being given “cluster-admin” access
  • and more
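Here’s an added example (mine, not code from Ramesh’s post) of what those three hunts look like as checks over audit.k8s.io/v1 JSON lines. The events are constructed for the demo and trimmed to the fields the checks read; the field names (verb, user.username, objectRef.resource/subresource, responseStatus.code, requestObject.roleRef) are the ones the API server actually emits. One caveat: requestObject is only present when the audit policy level for that resource is Request or RequestResponse, so the cluster-admin check needs that configured for clusterrolebindings.

```python
"""Added example: three threat hunts over Kubernetes audit events (audit.k8s.io/v1
JSON lines). The events below are constructed for the demo and trimmed to the
fields the checks read."""
import json
from collections import Counter


def _event(verb, user, resource, code, subresource=None, namespace=None,
           name=None, request_object=None):
    """Build one trimmed audit event (helper for the constructed sample only)."""
    ev = {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": verb, "user": {"username": user},
        "objectRef": {"resource": resource},
        "responseStatus": {"code": code},
    }
    if subresource:
        ev["objectRef"]["subresource"] = subresource
    if namespace:
        ev["objectRef"]["namespace"] = namespace
    if name:
        ev["objectRef"]["name"] = name
    if request_object:
        ev["requestObject"] = request_object
    return ev


# Constructed sample log: one JSON event per line, as the API server writes it.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("create", "dev-alice", "pods", 403, "exec", "prod", "api-1"),
    _event("create", "dev-alice", "pods", 403, "exec", "prod", "api-2"),
    _event("create", "dev-alice", "pods", 403, "exec", "prod", "db-0"),
    _event("create", "dev-dan", "pods", 403, "exec", "staging", "web-1"),
    _event("create", "system:serviceaccount:ci:builder", "cronjobs", 403,
           namespace="kube-system", name="nightly-sync"),
    _event("create", "dev-bob", "clusterrolebindings", 201, name="bob-admin",
           request_object={"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                           "subjects": [{"kind": "User", "name": "dev-bob"}]}),
    _event("get", "dev-carol", "pods", 200, namespace="prod", name="api-1"),
])


def parse_events(text):
    """Parse JSON lines; keep only ResponseComplete so every event has a status code."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return [e for e in events if e.get("stage") == "ResponseComplete"]


def _failed(ev):
    return ev.get("responseStatus", {}).get("code", 0) >= 400


def repeated_exec_failures(events, threshold=3):
    """Execution: users whose pods/exec requests were denied at least `threshold` times."""
    counts = Counter()
    for ev in events:
        ref = ev.get("objectRef", {})
        if (ev.get("verb") == "create" and ref.get("resource") == "pods"
                and ref.get("subresource") == "exec" and _failed(ev)):
            counts[ev["user"]["username"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def cronjob_creation_failures(events):
    """Persistence: denied attempts to create CronJobs, as (user, namespace, name)."""
    out = []
    for ev in events:
        ref = ev.get("objectRef", {})
        if ev.get("verb") == "create" and ref.get("resource") == "cronjobs" and _failed(ev):
            out.append((ev["user"]["username"], ref.get("namespace"), ref.get("name")))
    return out


def cluster_admin_grants(events):
    """Privilege Escalation: successful ClusterRoleBindings whose roleRef is cluster-admin."""
    out = []
    for ev in events:
        ref = ev.get("objectRef", {})
        if (ev.get("verb") in ("create", "update")
                and ref.get("resource") == "clusterrolebindings" and not _failed(ev)):
            body = ev.get("requestObject") or {}      # needs Request/RequestResponse audit level
            if body.get("roleRef", {}).get("name") == "cluster-admin":
                subjects = [s.get("name") for s in body.get("subjects", [])]
                out.append((ev["user"]["username"], ref.get("name"), subjects))
    return out


def hunt(audit_log_text):
    """Run all three hunts over an audit log and return the findings by category."""
    events = parse_events(audit_log_text)
    return {
        "repeated_exec_failures": repeated_exec_failures(events),
        "cronjob_creation_failures": cronjob_creation_failures(events),
        "cluster_admin_grants": cluster_admin_grants(events),
    }


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_AUDIT_LOG), indent=2))
```

In practice you would run this over the audit log stream from the API server (or whatever your SIEM has ingested) rather than a string, but the predicates are the same; the threshold on exec failures is the knob that separates a fat-fingered kubectl from someone probing what their credentials can reach.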

Tool by Armosec to determine if Kubernetes is deployed securely as defined in the Kubernetes Hardening Guidance by the NSA and CISA.

Blue Team

macOS 11’s hidden security improvements
Malwarebytes discusses some lesser-known security changes they found by diffing the macOS 11 and 10.15 SDKs, including CPU security mitigation APIs, endpoint security API improvements, and a new open flag, O_NOFOLLOW_ANY, that can mitigate an entire family of potential vulnerabilities.

Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems
Data by Trend Micro: from “50 million events reported from 100,000 unique Linux hosts during the same time period, the researchers found 15 different security weaknesses that are known to be actively exploited in the wild or have a PoC.”

Trend Micro Vuln Trends

Red Team

Linux Privilege Escalation - Package Managers
Michael Ikua describes how to escalate privileges when you can’t sudo but you can use package managers.

Politics / Privacy

Seeing Red
Interesting discussion on the political and economic competition between the U.S. and China, by Prof Galloway.

The Taliban Have Seized U.S. Military Biometrics Devices
The U.S. military spent years gathering biometric data like iris scans and fingerprints of Afghans helping them. That data is now in Taliban hands, and could be used to target them. This is what’s so dangerous about surveillance tech and PII: you don’t know who will be elected or seize power, and how they may abuse it.

Opinion | We built a system like Apple’s to flag child sexual abuse material — and concluded the tech was dangerous
Princeton University professor Jonathan Mayer and PhD candidate Anunay Kulshrestha wrote a peer-reviewed paper on building a system for detecting child sexual abuse material in encrypted images, but concluded it was too dangerous, as it could be easily repurposed for surveillance and censorship.

We’re not concerned because we misunderstand how Apple’s system works. The problem is, we understand exactly how it works.

OnlyFans CEO on why it banned adult content: ‘the short answer is banks’
Article by the Verge.

And this thread has some pretty interesting context around various groups’ attempts to attack the sex industry, using sex trafficking and other bad things as a proxy.

Last minute update: OnlyFans has reversed course and will not ban adult content.

Burnout

Mandatory Team Fun Time
Twitter’s Ronnie Chen describes a practice she created which allowed their distributed team to have a day of fun. Guidelines:

  • You are strictly forbidden from spending your offsite time on catching up on work, chores, or other obligations and commitments.
  • Select an activity or activities that you would not otherwise have time to do that you find delightful, meaningful, serene, challenging, relaxing, amusing, awe-inspiring, satisfying, or intriguing.

Burning out and quitting
A powerfully honest and great post by my friend Maya Kaczorowski (HN discussion). I’m not going to lie, reading this from someone as brilliant and productive as Maya made me feel a little better about my (probably continuing) feelings of burnout during the pandemic.

It’s not a single thing - like a specific work stressor - that caused my burnout. It was the never-ending treadmill of yet another day’s worth of useless meetings, with a TODO list that only grows, while you get less and less done on it every day. There isn’t a single moment that causes burnout, but there is a single moment when you realize it - that what you’re doing is impossible, insurmountable, unachievable - and that you don’t care. You can’t do it. And you don’t want to anyways.

End to end, it’s taken 6 months to realize I was burnt out while trying (and failing) to work, 3 months to recover, and then 2 months of vacation to feel excited to work again - which is longer than I ever would have expected. But I’m so happy I gave myself the time I needed.

Misc

Bringing the Unix Philosophy to the 21st Century
Kelly Brazil describes his tool jc, which parses the output of a number of *nix commands into nicely consumable JSON. If you like the idea of piping a bunch of security tools together, Unix-style, check out my summary of Daniel Miessler’s Red Team Village talk, Mechanizing the Methodology.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!