• tl;dr sec
  • Posts
  • [tl;dr sec] #111 - This Shouldn't Have Happened, Humble Hacking Bundle, Why NFTs are Bad

[tl;dr sec] #111 - This Shouldn't Have Happened, Humble Hacking Bundle, Why NFTs are Bad

An impactful bug in heavily tested C/C++, great security books for cheap, technical and economic reasons why NFTs are bad and don't work.

Hey there,

I hope you’ve been doing well!

Holiday Tech Support

I hope you had a good time with friends and family last week.

If you’re like me, you probably got roped into one or more of: advising family members on if they should invest in cryptocurrencies, resetting routers, installing software updates, and answering questions like, “When my friend’s sketchy neighbor drives by their house their WiFi goes down and their IoT cameras misbehave. Are they being hacked?”

If that last one sounds too specific to be made up, trust your instincts.

I try to own these responsibilities, and lean into my reputation as a straight talkin’, rhyme spittin’, straight outta the cul-de-sac hacker.

Accepting Sponsors for 2022

tl;dr sec is now accepting sponsors for 2022!

Is it worth it? I’ll let some prior sponsors speak for me:

“We’ll buy as many issues as you’ll sell us.” - multiple companies

So far, three start-ups who sponsored tl;dr sec have been acquired: Sqreen, Bridgecrew, and Accurics.

Did they get acquired because of their excellent products and top talent? Because this newsletter whispered sweet nothings into the right M&eArs? Who can say.

FYI: After quietly notifying a few companies, tl;dr sec is already booked through February 🤯

If you’d like to get your product or content in front of thousands of security professionals, reach out to [email protected].

Hope to hear from you 😀

An Experiment
This year, I had the (very fortunate) problem of more companies reaching out than I could actually fit in, so I had to turn a number of companies away. To help with this, I’m experimenting with adding a secondary sponsor slot.

I’m trying to balance letting more companies doing cool things share their work, while avoiding feeling spammy.

Let me know what you think. As with everything on tl;dr sec, I’m treating it like an experiment and seeing how it goes.


📢 Vanta’s PCI DSS Compliance Checklist

The Payment Card Industry Data Security Standard (PCI DSS) is an industry-mandated set of requirements created by major credit card brands in order to protect customer cardholder data. The compliance process can be long and tricky, but Vanta's automated security platform makes it fast and efficient. Check out our PCI compliance checklist to get up and running in no time.

My company (r2c) has actually been using Vanta for our SOC 2 journey, and we've found it pretty useful and intuitive 👍

📜 In this newsletter...

I'm experimenting with cutting this overview section.

Let me know if you miss it or are glad it's gone.


Humble Book Bundle: Hacking by No Starch Press
Get 18 great books from No Starch Press for $30+. No Starch consistently puts out some of my favorite security books, well worth checking these out.

This shouldn’t have happened: A vulnerability postmortem
Project Zero’s Tavis Ormandy describes a major memory corruption flaw in NSS, Mozilla’s widely used, cross-platform crypto library. What’s especially interesting about this issue is how even extremely diligently tested C/C++ (fuzzing, static analysis, etc.) can still have fatal, trivial mistakes. Tavis walks through why.

Secure deployments with OpenID Connect & GitHub Actions now generally available
You can now use OIDC to connect your GitHub Action to providers such as AWS, Azure, GCP, and Vault. No long-lived cloud secrets necessary!

Web Security

Uniscan Vulnerability Scanner: Installation Guide and Examples
SecurityTrails’s Esteban Borges describes Uniscan, an RFI, LFI, and RCE vulnerability scanner.

Mobile Security

Sharpening your FRIDA scripting skills with Frida Tool
SecureLayer7’s Lavlesh Joshi walks through an Android app specifically constructed to hone your Android Frida scripting skills, with challenges including changing a hard-coded variable, modifying the return value from a function, running a function unused elsewhere, and more.

Android App Hacking Workshop
Google has collaborated with industry partners including HackerOne and PayPal to host a number of Android App Hacking Workshops. These workshops are an effort designed to educate security researchers and cybersecurity students of all skill levels on how to find Android application vulnerabilities through a series of hands-on working sessions.


The Joy of Cryptography
Free textbook by Oregon State University’s Mike Rosulek covering a variety of topics, including: secret sharing, security against chosen plaintext attacks, block cipher modes, chosen ciphertext attacks, authenticated encryption, RSA, Diffie-Hellman, public key encryption, and more.

Why NFTs are bad: the long version
By @antsstyle: “This long article explains technical and economic details to explain both why NFTs are bad, why they don’t work (they don’t do what they claim to do), and explains the hype surrounding them.”

Cloud Security

By Palo Alto Networks’s Yuval Avrahami: A pseudo shell re-invoking the Lambda for each command. For curious fellows who want to hack on AWS Lambda’s infrastructure.

pre:Invent 2021
Chris Farris outlines 27 of the 234 re:Invent announcements he finds most interesting. Leaked from Google’s cache: Lambdas are about to be exposeable on the public Internet.

azure.permissions.cloud | gcp.permissions.cloud
Ian Mckay has extended his great work in creating a permissions reference, now for Azure and GCP.

Container Security

A collection of tools that can be composed to build distroless images. It is intended to be portable for use with any package management tooling, but is primarily focused on apk-based distributions, like Alpine.

Learning Containers From The Bottom Up
Ivan Velichko recommends the following learning order:

  1. Linux Containers - learn low-level implementation details.

  2. Container Images - learn what images are and why you need them.

  3. Container Managers - learn how Docker helps containers coexist on a single host.

  4. Container Orchestrators - learn how Kubernetes coordinates containers in clusters.

  5. Non-Linux Containers - learn about alternative implementations to complete the circle.

Blue Team

CVE Trends - crowdsourced CVE intel
Site by Simon Bell to display trending vulnerability data from Twitter and the NIST NVD APIs. Shows the reach, description, and CVSS v3 or v2.

A community-driven open database of vulnerability exploitation in the wild. Get alerts for new exploited vulns, find exploits, share exploitation info. You can contribute as easily as writing a tweet and tagging @inthewild.io. By Gábor Matuz et al.

How we protect our most sensitive secrets from the most determined attackers
Monzo’s Lucy Sweet takes you through Monzo’s Root Certificates, who can manage them, how they are protected and how these layered controls work together to make sure nobody can access the certificate without permission. Really interesting overview of the high assurance process, involving cameras, multiple people, stripped down hardware, and more.


📢 Live Workshop: API Threats Simulation With Open-Source Tools

Do you still think that WAFs and API gateways are effective in protecting exposed APIs against emerging threats?

Join the Wallarm workshop on December 7th to learn:

  • What is the difference in attacks against REST, graphQL, gRPC APIs today?

  • How to simulate API-specific attacks with open source tools?

  • How to evaluate an existing security toolchain in protecting your APIs?

Red Team

Binary Reversing Methodologies
Justin Taft gives an overview of a number of techniques, including uncovering the structure of the target binary, disassembling, runtime debugging, recording and reviewing execution traces, and static analysis.

Politics / Privacy

  • Marcus Carey: “Securing Blockchain, Crypto and the Metaverse”

  • Daniel Miessler: “Shifts Towards Cyber Insurance, More Cybercrime Marketplaces, AI Supplements SOC Teams”

  • Deb Radcliff: “Increase in Killware and Remote Warfare via Drones”

  • Ira Winkler: “Cyber Wakeup Calls Ignored & The Need for More Cohesive Security Strategies”

Delaying end-to-end encryption at Facebook is not FUD
Twitter thread with great context by David Thiel on what happened, as he was there at the time. In short, rolling out E2EE would likely have significantly negatively impacted Facebook’s ability to monitor and prevent child abuse.

We present LAPD, a novel hidden camera detection and localization system that leverages the time-of-flight (ToF) sensor on commodity smartphones. We implement LAPD as a smartphone app that emits laser signals from the ToF sensor, and use computer vision and machine learning techniques to locate the unique reflections from hidden cameras.

Overview by Graham Cluley and demo video here.


The No Starch Press Foundation: 2021 Grant Recipients
No Starch Press has announced the 2021 winners, including some pretty neat projects, such as: SigInt for the Masses, Freebie 5G, machine learning for carbon zero infrastructure, using ML to automate trash identification, and more.

Movie Accent Expert Breaks Down 32 Actors’ Accents
Dialect coach Erik Singer analyzes the accents of some of Hollywood’s biggest names. How accurate were they really?

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!