[tl;dr sec] #49 - Web Cache Entanglement, Finding a Mentor, Build Tools Around Workflows
New cache research by James Kettle, how to effectively reach out and build mentor relationships, tools should support workflows, not vice versa.
I hope you’ve been doing well!
Definitely a real article title
I wanted to share a simple trick I’ve been using recently to watch more conference talks.
Ensure you have a backlog of talks you’re interested in ready to watch.
Turn on one of the talks when you’re exercising, washing dishes, cleaning, doing laundry, or other normal tasks.
Ensure you’re wearing Bluetooth earbuds so your partner isn’t annoyed.
Nothing fancy, but I’ve been watching ~2-4 talks/week the past few weeks doing this.
Keeping the Summary Section
Thank you to everyone who voted last week! Votes to keep the summary section won by roughly 3:1, so it shall be kept.
Zapier with Moar Power
I’ve been using Zapier to automate a few things in my tl;dr sec workflow.
If you’re not familiar, Zapier is a site that makes it easy to set up automations that connect various services together; for example, every time you get a new email that matches a pattern, download its contents to Dropbox and send you a Slack message.
Zapier’s value prop is that it has a million connectors to various services, so you don’t need to write integrations, and it has a workflow for creating custom workflows via a GUI that is actually quite intuitive. I’d recommend checking it out as an example of an intuitive UX and enabling coding-esque capabilities to people who don’t know how to code.
However, some specific tasks I want to perform aren’t supported by default integrations and I’ve been a bit frustrated. But! I just discovered two features that seem pretty baller:
I’ll write up more about my workflow at some point if you’d find that interesting.
Why not write your own custom code? I have for some purposes, but it takes more time and I’d prefer not to maintain custom code.
📢 Datadog Security Monitoring
Enhance your DevSecOps initiatives with Datadog's cloud-native security monitoring tool. Break down silos between developers, security, and operations teams by correlating your threats, metrics, traces, and logs all in one, unified platform. Sign up for a live demo with one of Datadog's security engineers and receive a free Datadog T-shirt.
📜 In this newsletter...
AppSec: Tools for generating a Software Bill of Materials and scanning for vulnerabilities in container images and file systems
Web Security: Headless browser automation guides for Puppeteer and Playwright
Web Cache Entanglement: Novel Pathways to Poisoning: New cache research by James Kettle with a nice, grokkable structure
Container Security: A static analysis tool to scan your Kubernetes role-based access control
Career: A guide a professor gives his PhD students, Daniel Miessler and Eric Barker on building mentor relationships
Politics / Privacy: Readings for an Internet Law course, company whose business model is basically doing deep fakes, listing of privacy-focused services and tools, alternatives to cut Google out of your life, deep dive on NSO
OSINT: How to use Amass more effectively
Misc: InfoSec Bob Ross, when having a math background as a developer is useful, a book for programmers to learn math
Build tools around workflows, not workflows around tools: Thoughts on the value of having tools that tightly model your workflows and mental processes
syft - CLI tool for generating a Software Bill of Materials (SBOM) from container images and filesystems.
Linux distribution identification (supports Alpine, BusyBox, CentOS/RedHat, Debian/Ubuntu flavored distributions)
grype - A vulnerability scanner for container images and filesystems.
Find vulnerabilities for major operating system packages across Alpine, BusyBox, CentOS / Red Hat, and Debian / Ubuntu flavored distributions
theheadless.dev - Learn Puppeteer & Playwright
Tips, tricks and in-depth guides on headless browser automation: clicking and typing, navigating and waiting, etc.
Portswigger’s Director of Research James Kettle presented at Black Hat USA, furthering his cache-related research. As always, his work is quite neat and well worth checking out if you’re interested in web security.
But there are a couple of structural things I think James did quite well that make this a solid talk to examine from a “how to give a good security talk” point of view, so I’d encourage you to watch at least the first ~10 minutes for that alone.
First, right off the bat, he does a great job teasing the talk’s content and building your anticipation.
After a brief outline of the talk and a recap of cache poisoning, James spends a while discussing the overall methodology for his research.
This is important, because the rest of the talk is quite technical and in the weeds discussing case studies of different exploit scenarios, so spending a fair amount of time upfront helps the audience construct some mental scaffolding for how to understand the later examples.
Also, a number of subsequent slides have these helpful breadcrumbs in the top right so it’s always clear where in the methodology the slide lies.
These small things aren’t rocket science, but I do think they make a big difference in helping the audience get your research, which, after all, is the point.
A static analysis tool to scan your Kubernetes role-based access control (RBAC). Identifies potential security risks in K8s RBAC design, makes suggestions on how to mitigate them, and has a dashboard that shows your current RBAC security posture.
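To make concrete what "identifying potential security risks in K8s RBAC design" looks like in practice, here is an added example (my own code, not the tool the newsletter links to) that walks Role/ClusterRole and binding objects and flags the patterns most RBAC reviews start with: wildcard verbs on wildcard resources, privilege-escalating verbs (escalate, bind, impersonate), read access to secrets and pod exec/attach, and bindings that hand any of that to broad groups such as system:authenticated. The input objects are constructed inline in the shape `kubectl get ... -o json` produces, so it runs offline without a cluster or PyYAML; the object names and namespaces are made up for the example.

```python
"""Added example: a minimal static check over Kubernetes RBAC objects.
Not the newsletter's tool. Sample objects below are constructed."""

# Verbs that let a subject grant itself or others more than it already has.
ESCALATING_VERBS = {"escalate", "bind", "impersonate"}
# Resources whose read/write access is routinely equivalent to much more.
SENSITIVE_RESOURCES = {
    "secrets", "pods/exec", "pods/attach",
    "clusterroles", "clusterrolebindings", "roles", "rolebindings",
}
# Groups that effectively mean "everyone" (or everyone with any credential).
BROAD_SUBJECTS = {"system:authenticated", "system:unauthenticated", "system:anonymous"}
ACCESS_VERBS = {"*", "get", "list", "watch", "create", "update", "patch"}


def check_role(role):
    """Return (severity, message) findings for one Role or ClusterRole."""
    findings = []
    name = role["metadata"]["name"]
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        groups = set(rule.get("apiGroups", []))
        if "*" in verbs and "*" in resources:
            findings.append(("HIGH", f"{name}: wildcard verbs on wildcard resources (cluster-admin equivalent)"))
            continue  # nothing more specific to say about this rule
        if "*" in resources or "*" in groups:
            findings.append(("MEDIUM", f"{name}: wildcard resources/apiGroups for verbs {sorted(verbs)}"))
        escalating = verbs & ESCALATING_VERBS
        if escalating:
            findings.append(("HIGH", f"{name}: privilege-escalating verbs {sorted(escalating)}"))
        for res in sorted(resources & SENSITIVE_RESOURCES):
            if verbs & ACCESS_VERBS:
                findings.append(("MEDIUM", f"{name}: access to sensitive resource {res} with verbs {sorted(verbs)}"))
    return findings


def check_binding(binding, role_findings):
    """Flag bindings to broad groups, and bindings that hand out a role with HIGH findings.
    role_findings maps role name -> findings from check_role (namespace collisions are
    ignored here for brevity; a real checker keys on kind + namespace + name)."""
    findings = []
    name = binding["metadata"]["name"]
    role_name = binding["roleRef"]["name"]
    severities = {sev for sev, _ in role_findings.get(role_name, [])}
    for subj in binding.get("subjects", []):
        desc = f"{subj['kind']}/{subj['name']}"
        if subj["name"] in BROAD_SUBJECTS:
            findings.append(("HIGH", f"{name}: grants {role_name} to broad group {desc}"))
        elif "HIGH" in severities:
            findings.append(("HIGH", f"{name}: grants high-risk role {role_name} to {desc}"))
    return findings


def audit(objects):
    """Run role checks, then binding checks that consume the role results."""
    roles = [o for o in objects if o["kind"] in ("Role", "ClusterRole")]
    bindings = [o for o in objects if o["kind"] in ("RoleBinding", "ClusterRoleBinding")]
    role_findings = {r["metadata"]["name"]: check_role(r) for r in roles}
    findings = [f for fs in role_findings.values() for f in fs]
    for b in bindings:
        findings.extend(check_binding(b, role_findings))
    return findings


# Constructed sample: one over-broad ClusterRole, one secrets reader, one benign
# pod reader, and a binding that gives the over-broad role to every authenticated user.
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin-clone"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "prod"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "prod"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin-clone"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_OBJECTS):
        print(f"[{severity}] {message}")
```

The binding check deliberately runs after the role check so a harmless-looking binding inherits the severity of the role it references; that is the same reason the tools in this space draw the whole subject-to-permission graph rather than scoring roles and bindings in isolation.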
Perspective on the PhD
Thoughtful ~20 page guide that University of Michigan professor Eric Gilbert gives his PhD students, covering topics including doing research, finding ideas, writing papers, avoiding burnout, and more. Worth reading if you’re considering grad school.
How to Initiate Contact With a Mentor
💯 post by Daniel Miessler that includes some great principles and example scripts. I’ve definitely done this poorly before, and some people who reach out to me make these same mistakes. This post is spot on with things I’ve learned and found successful personally. Key points:
Behave like a peer.
Indicate that you put the work in.
Show them something you’ve built.
Provide some kind of value to their craft.
If you seek respect, produce something they respect.
8 Steps To Getting The Perfect Mentor For You
Great article by Eric Barker that discusses: what mentors actually do, how to pick a mentor, how to contact one, example email templates, how to handle the first meeting, and how to maintain the relationship.
Politics / Privacy
Internet Law - Fall 2020
Texas A&M University School of Law professor Hannah Bloch-Wehba has kindly shared the reading list for her upcoming course on Internet Law, which appears to cover a large number of interesting areas, including but not limited to: the First Amendment & Platforms as Forums, Net Neutrality, Elections, Disinformation, and political ads, Cryptography, Anonymity, Privacy, Law Enforcement & Surveillance, Trademark, Copyright, Fair Use, and more.
Hour One raises $5M Seed to generate AI-driven synthetic characters from real humans
The company can onboard “basically any human being and turn them into a synthetic character that’s a lifelike replica of that person. So it’s not an avatar or a version of that person. It really does look and behave like that person. You can then basically generate new content by uploading new texts.” They also have a guessing game site where you can try to guess which videos are real and which are deep fakes. And it’s pretty hard 😅 And we continue hurtling towards a Brave New World of deepfakes…
Provides services, tools and knowledge to protect your privacy against global mass surveillance. Covered info includes privacy-centric online services (email providers, VPN operators, etc.), web browsers, software, operating systems, and more. You can also follow them on Twitter.
Inside NSO, Israel’s billion-dollar spyware giant
NSO claims that its Pegasus tool does not allow American numbers to be infected, and that it self-destructs if it finds itself within American borders.
Hakluke’s Guide to Amass — How to Use Amass More Effectively for Bug Bounties
Guide by Luke Stephens on how to get the most out of Amass: set up your API keys, use amass intel (reverse whois, grab SSL certs and ASNs, and run it recursively), use amass enum to grab more subdomains by passing in CIDRs and ASNs, and more.
A Programmer’s Introduction to Mathematics
Interesting-sounding book by Jeremy Kun that uses your familiarity with ideas from programming and software to teach math. It covers the central objects and theorems of mathematics, including graphs, calculus, linear algebra, eigenvalues, optimization, and more.
What seems especially interesting to me about this book is its content on some meta aspects about math, like the culture of the people in it, how to gain the right intuition, and how to learn on your own. I feel like too often resources are “How to do X” without this very helpful, contextual view.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate it if you'd forward it to them.
Thanks for reading!