
[tl;dr sec] #159 - Twitter vs Mastodon, GitHub Attack Trees, ThinkstScapes

Twitter internals and Mastodon benefits/challenges, blue and red team attack trees for attacking GitHub, ThinkstScapes Quarterly covering AI/ML, clever cryptography, and software analysis at scale.

Hey there,

I hope you’ve been doing well!

The Real MVPs

I’m busy this week with Global AppSec SF and other stuff, so imagine a really clever intro and build up that logically progresses to this:


📢 Forget everything you know about SSH

Say hello to Tailscale SSH — and say goodbye to managing SSH keys, setting up bastion jump boxes, and unnecessarily exposing your private production devices to the open internet. Never deploy an infrastructure bastion again.

SSH from mobile devices, and across OSes. Tailscale SSH works where Tailscale works. Code from an iPad to your Linux workstation, without having to figure out how to get your private SSH key onto it. Answer an on-call emergency from anywhere, which means you can leave your desk now.

📜 In this newsletter...

  • Web Security: HTTP/3 connection contamination explainer, exploiting static site generators, Firebase exploiter, Burp extension that hijacks Burp's HTTP/TLS stack

  • Supply Chain: OpenSSL as example of supply chain security challenges, finding malicious PyPI packages with static analysis, attack trees for attacking GitHub

  • Cloud Security: Tool to find secrets in S3 buckets, AWS SSO reporter, AWS IAM roles are unnecessarily complex, have an AWS account just for getting into other AWS accounts

  • Politics / Privacy: What happens when everything becomes TikTok

  • Misc: Spreadsheet escape room, see the inside of the CIA museum virtually, Clippy Christmas sweater, edible rescue drone, USENIX Security '22 program, Q3 2022 ThinkstScapes, don't give your kids an allowance

  • Twitter and Mastodon: Mastodon intro and overview, why scaling Mastodon is hard, some details on the inside of Twitter, stealing passwords from infosec Mastodon with HTML injection

Web Security

HTTP/3 Connection Contamination Made Simple
PortSwigger’s James Kettle describes this new attack in a 5-minute video and one slide. See the blog post for more.

Exploiting Static Site Generators: When Static Is Not Actually Static
Assetnote’s Shubham Shah describes a persistent XSS issue they discovered on Next.js websites on Netlify and an SSRF on GatsbyJS.

By SecureBinary: A tool that finds Firebase databases that are open and can be exploited, built primarily for mass bug bounty hunting and penetration testing.

By @Sleeyax: A Burp Suite extension that hijacks Burp’s HTTP/TLS stack and allows you to spoof any browser fingerprint in order to make it more powerful and less prone to fingerprinting by all kinds of WAFs.

Supply Chain

Challenges with the Supply Chain Security Ecosystem - An OpenSSL Story
Sherif Mansour describes the current challenges in understanding: newly published vulnerabilities, your company’s exposure, remediation, monitoring and preventative controls, as well as promising developments and what he’d like to see in the future.

Finding malicious PyPI packages through static code analysis: Meet GuardDog
Datadog’s Ellen Wang and Christophe Tafani-Dereeper announce GuardDog, a new tool that can identify malicious PyPI packages with Semgrep and package metadata analysis. They also released a corpus of 140+ actual malicious packages they found in the wild here.

See also Ellen’s Global AppSec SF talk this Friday at 4:30pm in Bayview A.

SLSA dip — At the Source of the problem!
François Proulx discusses different strategies for attacking GitHub, from a red team and blue team perspective. Then he combines all of the attacks and mitigations into an attack tree built using Deciduous, an open-source security decision tree tool. The attacks focus on three malicious end goals:

  • Submit malicious source code

  • Delete source code

  • Push a release tag pointing to a vulnerable commit

Cloud Security

A tool to find secrets in public S3 buckets. Lists public buckets in an account, lists textual or sensitive files (e.g. .p12, .pgp, etc.) and downloads and scans files using truffleHog3.
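The triage such a scanner performs, as an added example that is not the tool described above: find the buckets whose ACL makes them public, flag object keys by extension before downloading anything, and grep the bodies of the rest for secret-looking patterns. The inventory, grants and object bodies are constructed for the example, and the extension list beyond .p12/.pgp and the three regexes are this example's own choices (truffleHog3, which the tool actually uses, has far more detectors).

```python
"""Added example (not the S3 tool described in the newsletter): the triage
logic such a scanner performs, run offline against a constructed inventory.
The bucket names, grants and object bodies below are all made up."""
import re
from typing import Dict, List

# Canned ACL grantees that make a bucket readable by the world (AllUsers) or
# by every AWS customer (AuthenticatedUsers), which is public for practical purposes.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# .p12 and .pgp come from the newsletter's description; the rest are this example's additions.
SENSITIVE_EXTENSIONS = {".p12", ".pgp", ".pem", ".key", ".env", ".sql", ".bak"}

# Simple content patterns; a real scanner such as truffleHog3 has many more.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[=:]\s*\S+"),
}

# Constructed inventory: bucket -> ACL grants (shaped like GetBucketAcl output) and objects.
INVENTORY: Dict[str, dict] = {
    "acme-marketing-assets": {
        "grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}],
        "objects": {
            "img/logo.png": b"\x89PNG\r\n\x1a\n...",
            "notes/readme.txt": b"Public brand guidelines.\n",
            "backup/site.sql": b"INSERT INTO users VALUES ('admin', 'password=hunter2');\n",
        },
    },
    "acme-dev-scratch": {
        "grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
                    "Permission": "READ"}],
        "objects": {
            "config/prod.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",  # AWS's documented example key id
            "keys/signing.p12": b"\x30\x82\x0b\x00binary...",
        },
    },
    "acme-private-logs": {
        "grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "deadbeef"}, "Permission": "FULL_CONTROL"}],
        "objects": {"secrets.pem": b"-----BEGIN RSA PRIVATE KEY-----\n..."},
    },
}


def is_public_bucket(grants: List[dict]) -> bool:
    """True if any ACL grant goes to one of the public group grantees."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in grants)


def public_buckets(inventory: Dict[str, dict]) -> List[str]:
    return [name for name, b in inventory.items() if is_public_bucket(b["grants"])]


def is_sensitive_key(key: str) -> bool:
    """Flag objects by extension alone, before downloading anything."""
    return any(key.lower().endswith(ext) for ext in SENSITIVE_EXTENSIONS)


def scan_body(body: bytes) -> List[str]:
    """Return the names of secret patterns that match the object body."""
    text = body.decode("utf-8", errors="ignore")
    return [name for name, pattern in SECRET_PATTERNS.items() if pattern.search(text)]


def triage(inventory: Dict[str, dict]) -> List[dict]:
    """Only public buckets are examined; each finding records why an object was flagged."""
    findings = []
    for bucket in public_buckets(inventory):
        for key, body in inventory[bucket]["objects"].items():
            reasons = []
            if is_sensitive_key(key):
                reasons.append("sensitive extension")
            reasons.extend(f"secret:{name}" for name in scan_body(body))
            if reasons:
                findings.append({"bucket": bucket, "key": key, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"s3://{f['bucket']}/{f['key']}: {', '.join(f['reasons'])}")
```

The private bucket never gets scanned, which mirrors the tool's order of operations: enumerate ACLs first, then spend download bandwidth only on what is actually exposed. Against a live account the constructed `INVENTORY` would be replaced by the output of the ListBuckets, GetBucketAcl and ListObjectsV2 calls; note that bucket policies and public-access-block settings also decide exposure, so an ACL-only check like this one is a lower bound.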

A tool that uses the AWS SSO API to list all users, accounts, permission sets etc. and dumps it into a CSV file for additional parsing or viewing, by Miguel Pereira.

AWS IAM Roles, a tale of unnecessary complexity
Latacora’s Xavier Garceau-Aranda describes the unnecessary complexity around AWS IAM, compares it to GCP’s model, and proposes changes he’d like to see.

An AWS account just for getting into other AWS accounts
Some great perspective on AWS account architecture.

Odd though it may sound, it takes lots of AWS accounts to have lots of AWS accounts. Your first account is the one you use to configure AWS Organizations, which consolidates billing and gives you access to the APIs for opening and closing additional accounts — that’s your management account. Most folks suggest opening a second account to store audit logs from CloudTrail et al. You might choose to open a third account to host VPCs to share into your service accounts.

And the supporting cast of accounts needs one more player — your administrative access account. The purpose of this account is to help you and your coworkers access all the rest of your accounts. That’s it! This is the AWS account that makes having lots of AWS accounts efficient and safe.
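The administrative access account pattern only stays safe if every human-access role in the other accounts trusts that one account and nothing else. One way to check that drift has not crept in, as an added example that is not code from the quoted post: audit each role's trust policy for wildcard principals, for principals from any account other than the access account, and for a missing MFA condition. The account ids and the sample policies are placeholders constructed for the example.

```python
"""Added example, not from the quoted post: an audit of IAM role trust policies
for the "administrative access account" pattern. Every human-access role in a
workload account should be assumable only from that one account, with MFA.
Account ids are placeholders."""
from typing import Dict, List

ACCESS_ACCOUNT = "111111111111"  # placeholder: the administrative access account


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal: str) -> str:
    """Principals appear as ARNs (arn:aws:iam::123456789012:root) or bare account ids."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def _requires_mfa(statement: dict) -> bool:
    cond = statement.get("Condition", {})
    for key in ("Bool", "BoolIfExists"):
        value = cond.get(key, {}).get("aws:MultiFactorAuthPresent")
        if str(value).lower() == "true":
            return True
    return False


def audit_trust_policy(policy: dict, access_account: str = ACCESS_ACCOUNT) -> List[str]:
    """Return findings; an empty list means the role is reachable only from the access account with MFA."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(st.get("Action", []))):
            continue
        principal = st.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append(f"statement {i}: wildcard principal")
            continue
        # Service principals (ec2.amazonaws.com etc.) are not cross-account human access; skip them.
        for p in aws_principals:
            acct = _account_of(p)
            if acct != access_account:
                findings.append(f"statement {i}: trusts account {acct}, not the access account")
        if aws_principals and not _requires_mfa(st):
            findings.append(f"statement {i}: no aws:MultiFactorAuthPresent condition")
    return findings


def _trust(principal, mfa: bool = True) -> dict:
    """Build a one-statement trust policy for the constructed samples below."""
    st = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if mfa:
        st["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [st]}


# Constructed sample trust policies as they might come back from GetRole in a workload account.
SAMPLE_POLICIES: Dict[str, dict] = {
    "admin-from-access-account": _trust({"AWS": f"arn:aws:iam::{ACCESS_ACCOUNT}:root"}),
    "trusts-stray-account": _trust({"AWS": [f"arn:aws:iam::{ACCESS_ACCOUNT}:root",
                                           "arn:aws:iam::222222222222:root"]}),
    "no-mfa": _trust({"AWS": ACCESS_ACCOUNT}, mfa=False),
    "anyone-can-assume": _trust("*", mfa=False),
    "ec2-instance-role": _trust({"Service": "ec2.amazonaws.com"}, mfa=False),
}


def audit_all(policies: Dict[str, dict]) -> Dict[str, List[str]]:
    return {name: audit_trust_policy(policy) for name, policy in policies.items()}


if __name__ == "__main__":
    for role, findings in audit_all(SAMPLE_POLICIES).items():
        print(f"{role}: {'ok' if not findings else '; '.join(findings)}")
```

Run across every account in the organization, the roles that come back clean are exactly the ones the access account is supposed to be the only door to; anything else is either a service role (fine) or a second door that the multi-account design did not intend.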

Politics / Privacy

The shape of our politics, our ideology, and even our fundamental grasp of how the world works is, in some substantial way, up to the algorithms. According to a recent survey from the Pew Research Center, a quarter of people under 30 in the U.S. regularly get their news from TikTok clips. That number is growing. People are even turning to social-media video as a replacement for Google search.

Whether the results of such swipes and searches lead us to enlightenment or drag our worldviews further down toward their least reconciliatory, most conspiratorial depths depends in part on AI. In an experiment from September, the fact-checking company NewsGuard found that the top results on TikTok for a range of terms often included misleading, hateful, and in some cases extremely dangerous videos.

The issue is that an AI optimized for engagement can’t tell the difference between a clip that you enjoyed watching and one that you hate-watched, or watched passively. If you watched a clip multiple times, the AI won’t be able to discern whether it was because it gave you joy or because it boiled your blood. (Even if it could, a company might end up promoting infuriating content anyway because it’s so compelling—Facebook supposedly did exactly that after introducing emoji-based reactions a few years ago.)


📢 Two new tools from Trail of Bits

Trail of Bits has two new tools that allow developers to generate zero-knowledge proofs, which can ensure your program is executing correctly. Amarna is a static analyzer and linter for the Cairo programming language, allowing for analysis of any security-sensitive operations that need to be reviewed. Circomspect is a static analyzer for zero-knowledge proofs developed using Circom, which gives developers the chance to identify a wide range of issues. Both of these tools are open source and available for download on our GitHub page.

Trail of Bits does seriously cool work. I highly recommend checking out their GitHub for all of the neat tools they’ve released over the years, and their blog is 🔥 too.


Spreadsheet Escape Room
An escape room built in… Google Sheets.

See Inside the Rarely Seen and Newly Reimagined CIA Museum
Off-limits to all but a few in-person visitors, the museum is starting to welcome the public, online at least.

Windows Ugly Sweater: Clippy Edition
The Christmas gift guaranteed to go over well.

You can eat this rescue drone’s rice cake wings
But couldn’t you just… rescue them instead?

In order to make the round rice cakes fit together, they were cut into hexagons with a laser cutter. The glue that holds them together also needs to be edible. The scientific team tested different adhesives made out of gelatin, chocolate, or cornstarch.

The scientific team shared the research paper at a recent robotics conference. The design is part of the RoboFood project, a European initiative aiming to make edible robots.


USENIX Security ’22 Technical Sessions
Papers, slides, and talk recordings from one of the top academic security conferences.

Q3 2022 ThinkstScapes Quarterly
Another great round-up from Thinkst Canary, this time highlighting the following three budding trends: using AI/ML to amplify side-channel attacks, clever cryptography that goes beyond simple data protection, and software analysis at scale.

The latter covers some particularly interesting work:

  • TLS-Anvil: Adapting Combinatorial Testing for TLS Libraries

  • Arbiter: Bridging the Static and Dynamic Divide in Vulnerability Discovery on Binary Programs

  • In Need of ‘Pair’ Review: Vulnerable Code Contributions by GitHub Copilot

  • Catch Me If You Can: Deterministic Discovery of Race Conditions with Fuzzing

Twitter vs Mastodon

A Twitter User’s Guide to Mastodon
Marcus Hutchins provides a nice quick-start guide on using Mastodon.

Scaling Mastodon is Impossible
Some reflections on the technical challenges of scaling Mastodon instances to many users, as well as fundamental questions around what we’re solving for, content moderation, federation, and more.

Several people who were let go on Friday, then asked to come back were given less than an hour as a deadline.

Software engineers who got this call I know of all said “no” and the only ones who could eventually say “yes” are on visas.

Inside Twitter, managers I hear are getting desperate, trying to call back more people. People are saying “no” + more sr engineers are quitting.

Twitter has a complex architecture for a reason. And it needs some level of institutional knowledge to maintain.

This institutional knowledge both got fired + is walking out the door.


Stealing passwords from infosec Mastodon - without bypassing CSP
PortSwigger’s Gareth Heyes describes how he could steal credentials on Infosec Mastodon with an HTML injection vulnerability, without needing to bypass CSP. The attack could easily be wormable, by collecting credentials and re-posting the vector for each user.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!