-
Tweets170
-
Followers3K
-
Following243
-
Likes1K
Very excited to present this with @amlweems! See you in Berlin! (@epereiralopez and @thatjiaozi) were also working on that project and will also be there :)
Very excited to present this with @amlweems! See you in Berlin! (@epereiralopez and @thatjiaozi) were also working on that project and will also be there :)
I've been reverse engineering the xz backdoor this weekend and have documented the payload format and written a proof-of-concept exploit for the RCE. The payloads are signed with an ED448 key, so I patched my own key into the backdoor for testing. :-) github.com/amlweems/xzbot
github.com/google/securit… Our research on the deep mines of the JPX standard is now public. I had the pleasure and the privilege to work with @scannell_simon , @amlweems and @epereiralopez on this one. Pretty interesting client side info leak vector :)
It’s finally time. H4CK1NG.GOOGLE
containerd: Insecure handling of image volumes bugs.chromium.org/p/project-zero…
I'm really excited for this video! I got a chance to collab with @LiveOverflow and share the process for discovering the localhost bypass for CVE-2021-45046 with code review and differential fuzzing. :)
I'm really excited for this video! I got a chance to collab with @LiveOverflow and share the process for discovering the localhost bypass for CVE-2021-45046 with code review and differential fuzzing. :)
Just finished Portswigger's new Burp Suite Certification. I've always been a huge fan of the @WebSecAcademy and this is an excellent capstone on the labs. Thanks @PortSwigger for all the educational content! #burpsuitecertified
Thanks for the seamless contribution process! Cheers to @BouncyHat and @dallasl1200 😄
Thanks for the seamless contribution process! Cheers to @BouncyHat and @dallasl1200 😄
My team @praetorianlabs just published our work in reverse engineering the Proxylogon patches for CVE-2021-26857, CVE-2021-26855, and CVE-2021-27065. I learned a lot more about Exchange than I thought I'd ever need, but had a blast. praetorian.com/blog/reproduci…
Crypto specification for contact tracing from Apple & Google: covid19-static.cdn-apple.com/applications/c…
Thanks, this was a lot of fun! *honk honk*
We've published new HTTP desync techniques, tooling and patches in HTTP Desync Attacks: what happened next, by @albinowax portswigger.net/research/http-…
Know the strengths and weaknesses of your #security stack. Counteract weaknesses with defense in depth. praee.com/2IGY8IW
Forget Spectre/Meltdown. New side-channel vulns discovered in Intel CPUs allow speculative execution attacks that leak arbitrary in-flight data from CPU-internal buffers (Line Fill Buffers, Load Ports, Store Buffers), including data never stored in caches. cs.vu.nl/~herbertb/down…
#ZombieLoad: a new #Meltdown attack on #Intel CPUs leaking data which is currently loaded from memory - across programs, hyperthreads, SGX, and VMs. #MDS #cpufail #Intelbug zombieloadattack.com /cc @mlqxyz @danielmgmi @jovanbulck @blitzclone @gonzodaruler @lavados
Exciting! Looking forward to the public beta. 🙂
We systematically analyzed #Meltdown, #Spectre and #Foreshadow and came across interesting new transient execution attacks: arxiv.org/abs/1811.05441 Great collaboration with @cc0x1f @jovanbulck @misc0110 @mlqxyz @dimonoid, Frank Piessens :)
Ian Coldwater 📦�.. @IanColdwater
106K Followers 1K Following Kubernetes SIG Security co-chair, container escape artist, goose in the mainframe. They/them. Legacy verified. Stay punk 🏴Justin Elze @HackingLZ
52K Followers 5K Following Hacker/CTO @TrustedSec | Former Optiv/SecureWorks/Accuvant Labs/Redspin | Race cars(っ◔◡◔)っ ♥.. @HolmConnor
546 Followers 550 Following aluminum enthusiast // bass in @ParkwayColumbia // cloud, k8s, and webapp security at {company}Random Robbie @Random_Robbie
15K Followers 5K Following Scanner of the internet and owner of your k8s. All opinions here are mine and do not represent my employer's views. @[email protected]Dan Lorenc @lorenc_dan
9K Followers 2K Following OSS Supply Chain Security. Founder/CEO/Primary Ariba Admin at https://t.co/sGmuUU9JbG Sigstore: https://t.co/dWKlyYu6kvLiveOverflow 🔴 @LiveOverflow
142K Followers 1K Following wannabe hacker... he/him 🌱 grow your hacking skills @hextreeiocharliebrown @charlie45022566
0 Followers 31 Following0utc4st @0utc4st___
2 Followers 118 Followingcscfufo @cscfufo
27 Followers 2K Followingpedro @pedro0532990478
2 Followers 164 Following✌️Z4Z4✌️ @z4z4_h1
35 Followers 291 Following Full-time Bug Bounty Hunter since 2020 🐞💻 | Exploring the digital wilderness for glitches & vulnerabilities. Passionate about cybersecurity, ethical hackinglimazuluhotel @limazuluhotel
6 Followers 196 FollowingShaya Feedman שיי�.. @ShayaFeedman
314 Followers 898 Following Head of InfoSec @ Porsche Digital I'm where cyber becomes dangerous Since Oct 7th, living in - war life balance. My own opinion Cynicism as a way of lifeChungus Bungus @Syedjunaid6119
2 Followers 183 FollowingChakri YVS @st0rm4z
1 Followers 10 FollowingMehdi @mehdio69403742
60 Followers 2K FollowingMarco Martinho @MarcoMartinho17
20 Followers 306 Followingnoi zapanta @MasterEsmond
10 Followers 19 FollowingOsama Elmansori @ElmansoriOsama
4 Followers 165 Followingsink0Rswim @laceandload
105 Followers 2K Followinglima @augustintech
3 Followers 1K FollowingAli Abdullah @A208_
73 Followers 391 Followingastartes @astarte57626822
0 Followers 533 FollowingThomas Anderson @mrthomasanders
19 Followers 636 Following Programmer/ graduated in Mathematics, Researcher/ Hacking/ Pentester 🧑💻T-Rex @0xt_r3x
10 Followers 268 Following- @Eduardo_Reta_Ed
112 Followers 2K FollowingMaxime Crampon @MaximeCrp
64 Followers 342 Following Web security & Cryptography TS dev for Medical Devices he/himBAALI Mohammed @_EDBAALI
3 Followers 188 FollowingKate Jennifer @KateJennif34859
2 Followers 12 Followingmohamed ali @mhmmd_aliiii
16 Followers 1K Followinghegz @hegzploit
1K Followers 2K Following electrical engineer turned hacker. views are my own, I tweet in EN/AR.Jamari @jamari_oneal
137 Followers 478 Following Physics student. Organizer. Occasional writer. I tweet about politics and pop culture. Retweets aren't endorsements. He/his. #DCstatehood. Stand with Ukraine.polict @polict_
1K Followers 287 Following The opinions stated here are my own, not those of my company.parsa @_Parsa_kv_
9 Followers 2K FollowingReyes Amelia @reyes_amelia28
28 Followers 414 Following Trader | Investor | Entrepreneur 📈 Bitcoin Mining ,📊 NFT / Market Analysis📉 Crypto Currencies Investment 🪙 DM for more info. +18605101558Zulfazli Ahmad @zulfazliAhmad
824 Followers 5K Following #CyberSecurity Finisher: Bentang Jawa 2022 | H1 Hardcore 100miles 2017 | Rinjani100 2018| GP100 2018| UTMB 100miles 2019 | Tor Des Geants (TDG) 330km 20197dr @aosihsjsvsv458
0 Followers 1K FollowingAhmed Ali @king1330wolf
0 Followers 22 FollowingTech Group Kenya @JacobChrispinus
51 Followers 467 Following Tech Group Kenya 🇰🇪 Connecting tech lovers across Kenya. We host events, workshops, and projects to inspire, educate, and empower. #TGKKonrad Ravenstone @_cr0n_
12 Followers 148 Following Security Analyst and Researcher, OSINTer, Penetration Tester蝼蚁也有星空梦 @DWNCD5DWrM38479
3 Followers 141 FollowingFelipe Contreras @felipec
653 Followers 755 Following Freedom of speech maximalist, anti-censorship, anti-woke, anti-globalism, anti-centralization, anti-orthodoxy.Felicitas Pojtinger �.. @pojntfx
1K Followers 567 Following Code sorceress @loopholelabs #virtualization #containers #wasm #kubernetes #linux #gnome Mastodon: @[email protected]豁达 @H0jSIdMLxJ7p3sc
9 Followers 36 Followinghood @pong_s
195 Followers 245 FollowingMuhammad Hendro @hendro_jun
349 Followers 2K FollowingMP @Peppermefunky
18 Followers 167 Followingcat @VALENTI44048662
26 Followers 72 FollowingShimi Segal @shimisegal8
27 Followers 162 Following Reverse Engineer || Vulnerability Research Student @SelfLearningShiddy @ShiddySec
10 Followers 35 Followinglin FAT @linFAT4
40 Followers 822 FollowingIan Coldwater 📦�.. @IanColdwater
106K Followers 1K Following Kubernetes SIG Security co-chair, container escape artist, goose in the mainframe. They/them. Legacy verified. Stay punk 🏴John Hammond @_JohnHammond
240K Followers 2K Following Hacker. Cybersecurity Researcher @HuntressLabs || https://t.co/qUeDM3lSCl(っ◔◡◔)っ ♥.. @HolmConnor
546 Followers 550 Following aluminum enthusiast // bass in @ParkwayColumbia // cloud, k8s, and webapp security at {company}lcamtuf (@lcamtuf@inf.. @lcamtuf
35K Followers 494 Following Homepage: https://t.co/iFAXZxCO5H Substack: https://t.co/yFvmNisGW3Dan Lorenc @lorenc_dan
9K Followers 2K Following OSS Supply Chain Security. Founder/CEO/Primary Ariba Admin at https://t.co/sGmuUU9JbG Sigstore: https://t.co/dWKlyYu6kvLiveOverflow 🔴 @LiveOverflow
142K Followers 1K Following wannabe hacker... he/him 🌱 grow your hacking skills @hextreeioFelicitas Pojtinger �.. @pojntfx
1K Followers 567 Following Code sorceress @loopholelabs #virtualization #containers #wasm #kubernetes #linux #gnome Mastodon: @[email protected]Andres Freund (Tech) @AndresFreundTec
9K Followers 105 Following FWD: @[email protected] Postgres developer, working at Microsoft. For politics: @AndresFreundPol丂卄ㄖᗪ卂几 - .. @therealshodan
3K Followers 444 Following Microsoft Threat Intelligence Centre, deaf, BSLBrian in Pittsburgh @arekfurt
6K Followers 774 Following Former attorney, current IT & infosec consultant in the 'Burgh. Happy to talk about password spraying one minute and constitutional law the next. Son of #wvu.CISA Cyber @CISACyber
258K Followers 71 Following Part of @CISAgov, we respond to major incidents, analyze threats, and exchange critical cybersecurity information with partners around the world.Item105 @item105
368 Followers 17 Following I tweet when companies file 8-Ks with an Item 1.05. My icon is by Vectorstall from the noun project. Last update: 2024-05-01T03:27:13.749988633+00:00Oriol Vinyals @OriolVinyalsML
167K Followers 82 Following VP of Research & Deep Learning Lead, Google DeepMind. Gemini co-lead. Past: AlphaStar, AlphaFold, AlphaCode, WaveNet, seq2seq, distillation, TF.Elie Bursztein @elie
63K Followers 127 Following AI Cybersecurity @Google & @DeepMind. Help advance AI cybersecurity capabilities and make AI safe & secure for all. @EtteillaOrg Art Foundation founder.Tracked Out @trackedoutmc
98 Followers 9 Following The Tracked Out MC server, playing Decked Out 2 and other Hermitcraft minigames from Season 9!Classical Studies Mem.. @CSMFHT
498K Followers 1K Following We post memes from a variety of sources, related to Classics and the ancient world. Stick around and you might learn a thing or two! We ❤️ 🏳️🌈🏳️⚧️🤜🤛🏿🌍Mike Acton @mike_acton
29K Followers 10K Following Previously: VP@Unity3d Previously: Engine Director@Insomniac Games Leadership. Family. Video game engine development. Data-oriented programming.Steve Weis @sweis
11K Followers 3K Following Security Engineer at Databricks. Interested in cryptography, information security, & privacy engineering.robyn @reallyrobynart
44 Followers 663 Following she/her 🖤🩶🤍💜 trying me best https://t.co/jodRbJtZZYLarian Studios @larianstudios
461K Followers 329 Following The independent studio behind award-winning RPGs in the Divinity universe. Baldur's Gate 3 is out now on PC, PS5 and Xbox Series X|S! BG 3 Rated M.Ashley Shen @ashl3y_shen
3K Followers 939 Following Security researcher @TalosSecurity / Ex-Googler / Black Hat & HITCON Review Board / Organizer of @rhacklette41. These tweets are my own not my employer's.Baldur's Gate 3 @baldursgate3
312K Followers 20 Following Developed by @larianstudios. Gather your party, let's play some Dungeons & Dragons. Baldur's Gate 3 is out now on PC, PS5 and Xbox Series X|S!Corey Quinn @QuinnyPig
99K Followers 977 Following Chief Cloud Economist at @DuckbillGroup. Father to @QuinnyPiglet & @theMunchQuinn. he/him Get my snarky take on AWS news: https://t.co/aGVMZnGzSVkat traxler @NightmareJS
2K Followers 3K Following proficient at drawing the rest of the 🦉| Day 2 proponent | Mastodon: https://t.co/mX7E9xjM6JMI Public Service Com.. @MichiganPSC
3K Followers 596 Following We serve the public by ensuring safe, reliable, accessible energy and telecommunications at reasonable rates. Need utility help? Call 1-800-292-9555.hextree.io @hextreeio
5K Followers 2 Following 🌱 Grow your cybersecurity skills with concise and well-edited video courses - coming soon! Created by @LiveOverflow and @ghidraninja.那个饺子🥟(JJ) @thatjiaozi
564 Followers 414 Following 🇲🇽🇨🇦. Cloud Vulnerability Research @ Google. Opinions are my own. Not those of my companydaniel:// stenberg:// @bagder
60K Followers 572 Following I do network code and protocols. I write curl. On team @wolfSSL. I don't know anything. @[email protected]Aidan W Steele @__steele
8K Followers 2K Following I try to tweet novel things about AWS.“Shit-poster extraordinaire” according to @LastWeekInAWS. He/him. AWS Serverless HeroPatrick McKenzie @patio11
164K Followers 796 Following I work for the Internet and am an advisor to @stripe. These are my personal opinions unless otherwise noted.François Chollet @fchollet
470K Followers 769 Following Deep learning @google. Creator of Keras. Author of 'Deep Learning with Python'. Opinions are my own.Andrej Karpathy @karpathy
980K Followers 905 Following 🧑🍳. Previously Director of AI @ Tesla, founding team @ OpenAI, CS231n/PhD @ Stanford. I like to train large deep neural nets 🧠🤖💥Simon Scannell @scannell_simon
3K Followers 481 Following Cloud Vulnerability Research @ google. Opinions are my ownFelix Gröbert @fel1x
4K Followers 629 Following Director, Product Security Engineering at Google Cloud. Opinions own. Tweets deleted periodically.Sreeram KL @kl_sree
2K Followers 800 Following Infosec enthusiast! | @googlevrp fan boy 😍 | CTF @thehackerscrew1 | CS student | Web SecurityGoogle DeepMind @GoogleDeepMind
944K Followers 275 Following We’re a team of scientists, engineers, ethicists and more, committed to solving intelligence, to advance science and benefit humanity.Ulraf @_Ulraf_
50K Followers 492 Following Gameplay Designer of @Minecraft at @Mojang, co-founder of @MoraleDevStudio, master of games, the universe, and everything!slicedlime 💙💛 @slicedlime
74K Followers 523 Following Tech Lead for @Minecraft Java Core at @Mojang. Twitch Partner. YouTuber with 100k subs. Previously: Dev on Battlefields, Mirror's Edge Catalyst, Budget Cutskingbdogz @kingbdogz
187K Followers 1K Following He/Him. Minecraft Gameplay Developer at @Mojang. Driven by gameplay that creates stories. Prev: Creator of @DevAether and @OrbisMod. Organizer @WeLoveTropicsBrandon Van Grack @BVanGrack
40K Followers 452 Following Co-Chair, National Security practice @MoFoLLP | fmr. DOJ natsec official incl. #FARA Unit Chief, Leak Czar, prosecutor | #sanctions #CFIUS #cyber | views my ownilmango @ilmango1
40K Followers 155 FollowingMicah Hausler @micahhausler
3K Followers 662 Following Principal Engineer working on EKS and Kubernetes Security at AWS. Opinions are my own. Bluesky: @micahhausler.comthe life of nick moon.. @wellhydrated
490 Followers 710 Following making friends with the space around me // he/himNathan Jones @njcve_
1K Followers 2K Following Bishop Fox || GoogleVRP (UK): 5th || HackerOne UK AmbassadorHayden Blauzvern from Google's open source security team discusses how Sigstore is prioritizing package managers as the main avenue for Sigstore adoption. Learn more about Sigstore: openssf.org/projects/sigst… #SOSSCommunity
bugSWAT live hacking 📣: We are planning two events this year, one in the US and one in Europe. Invites based on recent submissions and past bugSWAT performance. More details soon - keep those bug reports coming! Here's a peek into our last bugSWAT: youtube.com/watch?v=y2mcyi…
The Mines of Kakadûm: Blindly Exploiting Load-Balanced Services by @scannell_simon and Anthony Weems offensivecon.org/speakers/2024/…
Very excited to present this with @amlweems! See you in Berlin! (@epereiralopez and @thatjiaozi) were also working on that project and will also be there :)
The Mines of Kakadûm: Blindly Exploiting Load-Balanced Services by @scannell_simon and Anthony Weems offensivecon.org/speakers/2024/…
some people asked for the code .. so I decided to quickly refactor my scrappy paramiko script and turned it into an ssh agent implementation that works with a vanilla openssh client that has a single line patched out. github.com/blasty/JiaTans…
A lot of tradecraft being burned here. Generally, good backdoor OpSec means shipping the least code possible. Later on, deploy additional stages to the desired targets. Not only bc you risk burning less, but because more code samples means more “DNA” left behind for attribution
the xz sshd backdoor rabbithole goes quite a bit deeper. I was just able to trigger some harder to reach functionality of the backdoor. there's still more to explore.. 1/n
auth bypass confirmed! > INFO:paramiko.transport:Authentication (password) successful! mm_keyallowed_backdoor cmd 1 allows to override the response for mm_answer_authpassword with a custom one. if you set it to { u32(9), u8(13), u32(1), u32(0) } you can login with any pass 🤓
the xz sshd backdoor rabbithole goes quite a bit deeper. I was just able to trigger some harder to reach functionality of the backdoor. there's still more to explore.. 1/n
Tailscale SSH is not affected by the recent xz backdoor. We use a pure Go implementation of SSH that does not depend on liblzma or xz. Our infrastructure is also not affected; we didn't run the affected xz versions, and most of our sshd servers are not exposed to the internet.
We have been reverse engineering the XZ Utils backdoor and are sharing some initial findings: we've identified multiple hooking options to adapt to different environments, and a hardcoded fake public key that can appear in verbose SSH logs depending on attacker-controlled flags.
Proud @Google will be collaborating w/ @DARPA & industry peers for its AI Cyber Challenge, broadening AI's use for security at a time when there's so much excitement around the technology. Learn how participating teams can tap into @Google resources here: aicyberchallenge.com/google/
I have low confidence in approaches to improving open-source security that put a lot of the burden and tedious toil onto often unpaid, solo, and spare-time volunteer maintainers of individual packages. Think community garden vs. construction site.
@amlweems yes we had a twitter conversation about that with @bl4sty x.com/julianor/statu…
@maciekkotowicz @bl4sty @amlweems are you saying that the 5 bytes are flag and you can set them to bypass second signature verification?
Some great posts on the xz/lzma thing from @_rsc: Timeline: research.swtch.com/xz-timeline Walkthrough of attack shell script: research.swtch.com/xz-script
We responsibly reported the issues to PlayStation. Bugs are fixed on 2.06.
After more than a month of hard work, PPSSPP is running natively on PlayStation Portal. Yes, we hacked it. With help from xyz and @ZetaTwo
Of all the effort going into this backdoor, Anthony’s has to be the finest effort. Just brilliant
I've been reverse engineering the xz backdoor this weekend and have documented the payload format and written a proof-of-concept exploit for the RCE. The payloads are signed with an ED448 key, so I patched my own key into the backdoor for testing. :-) github.com/amlweems/xzbot
👏👏👏👏👏
I've been reverse engineering the xz backdoor this weekend and have documented the payload format and written a proof-of-concept exploit for the RCE. The payloads are signed with an ED448 key, so I patched my own key into the backdoor for testing. :-) github.com/amlweems/xzbot
Just @amlweems doing @amlweems things.
I've been reverse engineering the xz backdoor this weekend and have documented the payload format and written a proof-of-concept exploit for the RCE. The payloads are signed with an ED448 key, so I patched my own key into the backdoor for testing. :-) github.com/amlweems/xzbot