• tl;dr sec
  • Posts
  • [tl;dr sec] #99 - Grow Employees or Lose Them, Advantage: Defense, Ghidra <> Frida

[tl;dr sec] #99 - Grow Employees or Lose Them, Advantage: Defense, Ghidra <> Frida

How to mentor and grow employees, Mark Dowd on how and why defense is gaining the advantage, and a plugin to bridge Ghidra and Frida.

Hey there,

I hope you’ve been doing well!

Dreamy Editor Operating System

During the pandemic, I’ve felt incredibly fortunate to be able to work from home. That said, I’ve found it too easy to let the lines between work and home life blur.

So to relax, I’ve been spending some time learning and writing Emacs Lisp. As one does.

I used to hear people gush about how powerful and flexible Emacs was, but I didn’t get it / shrugged it off.

But I’ve grown to realize:

  • All config, settings, and editor state can be programmatically queried and updated at runtime.

  • Any built-in or package functionality can be arbitrarily inspected, hooked, or modified.

  • Any hotkey is really just calling a Lisp function under the hood, so you can easily use that functionality in Lisp code you write.

Using Emacs and then learning Emacs Lisp is like all of the sudden realizing you’re Neo in the Matrix - you have the same full power and access to everything that built-in functionality has.

I haven’t done anything crazy so far, just writing small helper functions to make writing tl;dr sec faster and easier.

Also, I’m currently in discussions to have a major motion picture be made about my Emacs Lisp journey. (Sidenote: “The Beard Baron” is an awesome title.)

To be fair, vim has excellent default text navigation hotkeys, and VS Code is great and Just Works™ out of the box.

And Emacs is old and sometimes the cruft shows. As my grad school friend Ben Davis once said (actual quote):

Emacs Lisp isn’t even in my top 5 favorite Lisps.

If you use Emacs and have any favorite packages, pro-tips, or a neat .emacs.d config, please share!


📢 Take control of your security career

Advance your career and demonstrate your skills, by becoming a Burp Suite Certified Practitioner. Prove your ability to detect and exploit common vulnerabilities like XSS, SQLi, and HTTP request smuggling using Burp Suite Professional - the leading toolkit for web security testing.

Editor's note: It's pretty neat seeing Portswigger offer certs for such an affordable price, especially given that they've created, in my opinion, some of the best web security training exercises on the Internet, and they're free.

📜 In this newsletter...

  • Hack in the Box 2021 Singapore: Slides, keynote on offense vs defense having the advantage, fuzzing macOS

  • Web Security: Attacking GraphQL, finding subdomain takeover opportunities, test lab for HTTP/2 request smuggling

  • Cloud Security: The danger of managed AWS policies, scanning AWS security groups for dangerous settings, automating IAM Access Analyzer with a Lambda

  • Container Security: Docker Official Images that are deprecated and vulnerable, top open source Kubernetes security tools in 2021, securely integrating Lambdas and Kubernetes

  • Red Team: Bridging Ghidra and Frida

  • Politics / Privacy: Data brokers selling data on U.S. military personnel, California's recall has big implications

  • OSINT: Attack surface management is more than IPs and ports

  • Career: Tech interview handbook, grow your employees or lose them, seniority rollercoaster and down-leveling in tech

  • Misc: Return of ThinkstScapes, profile everything, Google failing at messaging apps, Boston Dynamics robot doing parkour, buy a house in Japan for $500, the Ransomware Song

Hack in the Box 2021 Singapore

Hack in the Box 2021 Singapore Slides
A bunch of good talks, mostly offense focused.

Security Technology Arms Race 2021: Medal Event
Awesome HITB keynote by Mark Dowd (video) on why offensive security has had the advantage in the past, how defense is turning the tables, and what the future looks like. Highly, highly recommend.

Summer of Fuzz
Jeremy Brown deep dive on fuzzing macOS.

Web Security

Exploiting GraphQL
Assetnote’s Shubham Shah discusses several ways to attack GraphQL implementations, including batch attacks, CSRF, leveraging introspection and suggestions, and they’ve released the BatchQL tool to assist with a number of these attacks.

A fast tool to check missing hosted DNS zones that can lead to subdomain takeover, by Dwi Siswanto.

How to set up Docker for Varnish HTTP/2 request smuggling
Detectify’s Alfred Berg shares a GitHub repo for easy local testing of HTTP/2 request smuggling on Varnish cache.

Cloud Security

AWS ReadOnlyAccess: Not Even Once
SpecterOps’ Daniel Heinsen discusses the danger of managed AWS policies: they tend to be broad, containing a number of unnecessary permissions, and they can change under you in security-relevant ways.

By Gold Fig Lab’s Vikrum Nijjar and Greg Soltis: a tool to scan your AWS Security Groups for open ports and attached Network Interfaces to find anything listening on a port that you wouldn’t consider safe. sgCheckup can also run nmap to get specifics.

AWS’ Mostefa Brougui shows how to run periodic validations by building a Lambda that uses IAM Access Analyzer to validate IAM policies, and visualize the results using Amazon Quicksight.

Container Security

A Security Review of Docker Official Images: Which Do You Trust?
Aqua’s Rory McCune found that a number of Docker Official Images are actually deprecated and/or full of unpatched vulnerabilities. The post lists official images with >50 unpatched vulnerabilities and ~14 deprecated images, including java, Django, and more.

Spice up Your Kubernetes Environment with AWS Lambda
Liav Yona describes a simple and secure way one can integrate Lambda with an existing Kubernetes environment without any code changes. This approach enables incorporating many cloud products with one’s Kubernetes environment easily.

Red Team

ghidra2frida - The new bridge between Ghidra and Frida
Federico Dotta announces a new Ghidra extension that bridges Ghidra and Frida, enabling you to create powerful scripts that take advantage of Frida’s dynamic analysis engine to improve Ghidra’s static analysis features.

Politics / Privacy

Data Brokers Are Advertising Data on U.S. Military Personnel
Post by Justin Sherman. I’ll take “Things that are dangerous for national security for $800, Alex.”

Three major U.S. data brokers—Acxiom, LexisNexis and Nielsen—openly and explicitly advertise data on current or former U.S. military personnel; LexisNexis advertises a capability to search an individual and identify whether the individual is active-duty military… make it possible for anyone to search for senior military personnel—uncovering home addresses, phone numbers and other information, as well as the names of known family members and relatives.

Will Gavin Newsom Lose California’s Recall Election?
If you live in California, vote in the recall. It is important. To be honest, I was feeling pretty lazy about it until I read this article.

The recall has two separate questions: yes/no on the recall, and then if the majority votes to recall, whoever has the highest vote becomes governor.

So Newsom could have 49.9% of the vote, lose the recall, and be replaced by a governor with 14% of the vote.

If Dianne Feinstein passes away, then whoever wins the recall will appoint her replacement. The Senate is currently split 50-50, meaning the result of this recall could fundamentally shift voting in the Senate and what Congress does until the next election.

OSINT / Recon

Attack Surface Management. You’re (probably) doing it wrong
Spiderfoot creator Steve Micallef argues that attack surface is much more than just IPs and ports, it’s also OSINT info like email addresses, leaked credentials, public code repos, and other things that could give an attacker an opening or hint at what your org’s internal environment contains.


Tech Interview Handbook
Curated interview preparation materials for busy engineers.

Excellent thread by Travis McPeak on being a great manager.

The Seniority Roller Coaster and Down-Leveling in Tech
Gergely Orosz describes how when switching companies, depending on the type or tier of company, you may get a pay cut but better title, or vice versa. Also, how to navigate when you don’t think you’re being evaluated at the right “level.”


Q3 2021 ThinkstScapes Quarterly
Once upon a time, Thinkst produced an awesome, non vendor-y publication outlining major new interesting security research called ThinkstScapes. I’m super excited to see they’re back! Make yourself some coffee or pour yourself a glass of wine, sit back, and enjoy.

Introducing Prodfiler
New tool announced by Halvar Flake: “Prodfiler, a continuous profiler that “just works” – for C/C++/Rust/Go/JVM/Python/Perl/PHP – no code change required, no symbols on the machine required, no service restart required.”

A decade and a half of instability: The history of Google messaging apps
I’ve noticed many of these over the years, but interesting to see like 15+ of these laid out chronologically.

Boston Dynamics Robot Doing Parkour
A playful demo, in which they’re not yet hunting humans down and killing them for sport.

Buy an Empty House in Japan for Less Than a Month’s Rent!
A number of unoccupied homes in small villages are being offered quite cheap due to vacancy rates caused by an ageing population.

The Ransomware Song (Just Blame Math)
Winner of the Best Song at the 2021 Pwnie Awards, by Forrest Brazeal. I also enjoyed him spitting hard truths in Big Tech (It’s Probably Fine.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!