Koto
@kkotowicz.bsky.social
Security ninja wannabe / board game geek / photon catcher
Just when you think CVEs cannot get more ridiculous... 🤣
📌 Node.js EOL versions just got their own CVE and critics are calling it “the worst CVE of the year.” Is this CVE a helpful PSA or an abuse of the system?
Dive into the debate: socket.dev/blog/node-js... #NodeJS #cybersecurity #JavaScript
Dive into the debate: socket.dev/blog/node-js... #NodeJS #cybersecurity #JavaScript
Node.js EOL Versions CVE Dubbed the "Worst CVE of the Year" ...
Critics call the Node.js EOL CVE a misuse of the system, sparking debate over CVE standards and the growing noise in vulnerability databases.
socket.dev
January 25, 2025 at 7:35 PM
Just when you think CVEs cannot get more ridiculous... 🤣
Reposted by Koto
I would like this comic I drew in 2017 to stop being relevant pleeeaaaaase
January 14, 2025 at 5:21 PM
I would like this comic I drew in 2017 to stop being relevant pleeeaaaaase
Reposted by Koto
Telegram: not an encrypted messaging app ;) blog.cryptographyengineering.com/2024/08/25/t...
Is Telegram really an encrypted messaging app?
This blog is reserved for more serious things, and ordinarily I wouldn’t spend time on questions like the above. But much as I’d like to spend my time writing about exciting topics, som…
blog.cryptographyengineering.com
January 7, 2025 at 5:41 PM
Telegram: not an encrypted messaging app ;) blog.cryptographyengineering.com/2024/08/25/t...
Reposted by Koto
Want to support security researchers from Dragon Sector in covering legal costs piling up after they went public with logic bombs in train firmware?
IBAN for donations is available here:
www.ccc.de/en/updates/2...
Talks for context
media.ccc.de/v/37c3-12142...
streaming.media.ccc.de/38c3/relive/...
IBAN for donations is available here:
www.ccc.de/en/updates/2...
Talks for context
media.ccc.de/v/37c3-12142...
streaming.media.ccc.de/38c3/relive/...
December 28, 2024 at 9:29 AM
Want to support security researchers from Dragon Sector in covering legal costs piling up after they went public with logic bombs in train firmware?
IBAN for donations is available here:
www.ccc.de/en/updates/2...
Talks for context
media.ccc.de/v/37c3-12142...
streaming.media.ccc.de/38c3/relive/...
IBAN for donations is available here:
www.ccc.de/en/updates/2...
Talks for context
media.ccc.de/v/37c3-12142...
streaming.media.ccc.de/38c3/relive/...
TIL about Chersterton's Fence fs.blog/chestertons-... - it puts a nice label to an intuition that I find very useful to apply in practice - from refactoring code, through process engineering. Understand first why the mess exists, in that form, before attempting to clean it up and revolutionize.
Chesterton’s Fence: A Lesson in Thinking
A core component of making great decisions is understanding previous decisions. If we don’t understand how we got “here,” we run the risk of making things much worse.
fs.blog
December 10, 2024 at 8:45 AM
TIL about Chersterton's Fence fs.blog/chestertons-... - it puts a nice label to an intuition that I find very useful to apply in practice - from refactoring code, through process engineering. Understand first why the mess exists, in that form, before attempting to clean it up and revolutionize.
I don't often post about my work but bughunters.google.com/blog/6355265... is actually super cool thing my team is doing. These short term redteams focused on just stealing our passwords were always amazing to highlight how severely broken complex systems are. The internal writeups are so, so fun!
Blog: The Great Google Password Heist: 15 years of hacking passwords to test our security (and build team culture!)
The Leaving Tradition in Google's security team, which could be described as a type of small-scale offensive security exercise, is a great (and fun) example of team culture. Curious? See this blog pos...
bughunters.google.com
December 4, 2024 at 7:00 PM
I don't often post about my work but bughunters.google.com/blog/6355265... is actually super cool thing my team is doing. These short term redteams focused on just stealing our passwords were always amazing to highlight how severely broken complex systems are. The internal writeups are so, so fun!
Reposted by Koto
Pro tip for if you have XSS but you can only use upper case:
aem1k.com/transliterat...
transliterate.js by @aemkei.bsky.social works great!
aem1k.com/transliterat...
transliterate.js by @aemkei.bsky.social works great!
transliterate.js
Translate any JavaScript code to foreign writing systems. Created by Martin Kleppe aka @aemkei.
aem1k.com
December 4, 2024 at 10:06 AM
Pro tip for if you have XSS but you can only use upper case:
aem1k.com/transliterat...
transliterate.js by @aemkei.bsky.social works great!
aem1k.com/transliterat...
transliterate.js by @aemkei.bsky.social works great!
Reposted by Koto
There's no such thing as a "9.2" or "9.8" vulnerability. There's more science in Pitchfork's 0.0-10.0 album rating scale than in CVSS. I am completely serious. Pitchfork reviewers actually put their reviews in context with previous reviews by the artist. That's how bad CVSS is: worse than Pitchfork.
November 27, 2024 at 12:57 AM
There's no such thing as a "9.2" or "9.8" vulnerability. There's more science in Pitchfork's 0.0-10.0 album rating scale than in CVSS. I am completely serious. Pitchfork reviewers actually put their reviews in context with previous reviews by the artist. That's how bad CVSS is: worse than Pitchfork.
Reposted by Koto
Modern solutions against cross-site attacks (frederikbraun.de/modern-solut...): An article about cross-site leak attacks and browser-based defenses. You will also learn why web security best practices is always opt-in and finally how YOU can get increased security controls.
Modern solutions against cross-site attacks
Modern solutions against cross-site attacks
frederikbraun.de
November 27, 2024 at 7:50 AM
Modern solutions against cross-site attacks (frederikbraun.de/modern-solut...): An article about cross-site leak attacks and browser-based defenses. You will also learn why web security best practices is always opt-in and finally how YOU can get increased security controls.
Not sure how I missed that, but we now actually have Ken Thompson's C compiler backdoor code from the classic "Reflections on Trusting Trust". An excellent writeup by @swtch.com - research.swtch.com/nih.
research!rsc: Running the “Reflections on Trusting Trust” Compiler
research.swtch.com
November 27, 2024 at 9:17 AM
Not sure how I missed that, but we now actually have Ken Thompson's C compiler backdoor code from the classic "Reflections on Trusting Trust". An excellent writeup by @swtch.com - research.swtch.com/nih.
Reposted by Koto
Custom lists are super cool! I enjoy reading social posts, but want to make sure I never miss a quality writeup or technique. To achieve this, I'm building a 'high signal web security' list of topic-focused accounts, which you can pin next to 'Following' if you want :)
bsky.app/profile/jame...
bsky.app/profile/jame...
November 25, 2024 at 1:09 PM
Custom lists are super cool! I enjoy reading social posts, but want to make sure I never miss a quality writeup or technique. To achieve this, I'm building a 'high signal web security' list of topic-focused accounts, which you can pin next to 'Following' if you want :)
bsky.app/profile/jame...
bsky.app/profile/jame...
1..2..3 testing testing. Does BlueSky support UltraHDR images?
November 21, 2024 at 10:53 PM
1..2..3 testing testing. Does BlueSky support UltraHDR images?
Reposted by Koto
We're doing a cool online talk tomorrow btw – hexarcana.ch/workshops/cv...
CVEs of SSH
A talk about recent high-profile issues related to the SSH ecosystem.
hexarcana.ch
November 20, 2024 at 7:19 PM
We're doing a cool online talk tomorrow btw – hexarcana.ch/workshops/cv...
This hit close to home.
As we incident responders creep into the holidays and wait for our annual December surprise, I can't help thinking about burnout - always a relevant topic! Like most ops topics, I have a lot of thoughts on the matter.
osdfir.blogspot.com/...
osdfir.blogspot.com/...
About Burnout in Cybersecurity
Earlier this year, Johan Berggren and I presented at Black Hat EU on the topic of responder burnout. I had a wonderful time presenting and ...
osdfir.blogspot.com
November 20, 2024 at 4:29 AM
This hit close to home.
Reposted by Koto
Time to make some smart introductory websec post here, no? I guess all I have is:
Hello world, good bye XSS?
Hello world, good bye XSS?
November 17, 2024 at 12:38 PM
Time to make some smart introductory websec post here, no? I guess all I have is:
Hello world, good bye XSS?
Hello world, good bye XSS?
Reposted by Koto
I'm in the process of creating a *web security* starter pack and need your help finding more webbies here. Please share and recommend folks passionate about web security in comments below so we can get this community started here 🙂
go.bsky.app/Uf8dZhz
go.bsky.app/Uf8dZhz
November 17, 2024 at 10:12 AM
I'm in the process of creating a *web security* starter pack and need your help finding more webbies here. Please share and recommend folks passionate about web security in comments below so we can get this community started here 🙂
go.bsky.app/Uf8dZhz
go.bsky.app/Uf8dZhz
Photos from a stroll through Atarazanas Food Market in #malaga - it turned out to be an extremely vibrant, colorful, lively place.
#photography
#photography
November 17, 2024 at 10:45 AM
Photos from a stroll through Atarazanas Food Market in #malaga - it turned out to be an extremely vibrant, colorful, lively place.
#photography
#photography
Reposted by Koto
If you're into web security take a look at my LocoMocoSec keynote slides from this summer about "Google's Recipe for Scaling (Web) Security": speakerdeck.com/lweichselbau...
November 16, 2024 at 10:29 PM
If you're into web security take a look at my LocoMocoSec keynote slides from this summer about "Google's Recipe for Scaling (Web) Security": speakerdeck.com/lweichselbau...