Rustproofing Linux (Part 1/4 Leaking Addresses)

Rust is a programming language guaranteeing memory and thread safety while still being able to access raw memory and hardware. This sounds impossible, and it is, that’s why Rust has an unsafe keyword which allows a programmer to dereference a raw pointer and perform some other dangerous operations. The dangerous code is effectively contained to … Continue reading Rustproofing Linux (Part 1/4 Leaking Addresses)

Machine Learning 102: Attacking Facial Authentication with Poisoned Data

This blog post is the second in a series related to machine learning, and demonstrates exactly how a data poisoning attack might work to insert a backdoor into a facial authentication system. The simplified system has similarities to that which the TSA is running a proof of concept trial at the Detroit and Atlanta airports. As background, … Continue reading Machine Learning 102: Attacking Facial Authentication with Poisoned Data

Tool Release – Web3 Decoder Burp Suite Extension

Web3 Decoder is a Burp Suite Extension that allows to decode "web3" JSON-RPC calls that interact with smart contracts in a EVM blockchain. As it is said that a picture is worth a thousand words, the following two screenshots shows a Raw JSON-RPC call, and its decoded function call: Background When auditing a DApp (Decentralized … Continue reading Tool Release – Web3 Decoder Burp Suite Extension

Technical Advisory – ExpressLRS vulnerabilities allow for hijack of control link

Vendor: ExpressLRS Vendor URL: https://expresslrs.org Versions affected: 1.x, 2.x Author: Richard Appleby Severity: Medium 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Summary ExpressLRS is a high-performance open source radio control link. It aims to provide a low latency radio control link while also achieving maximum range. It runs on a wide variety of hardware in both 900 Mhz and 2.4 … Continue reading Technical Advisory – ExpressLRS vulnerabilities allow for hijack of control link

On the malicious use of large language models like GPT-3

(Or, “Can large language models generate exploits?”) While attacking machine learning systems is a hot topic for which attacks have begun to be demonstrated, I believe that there are a number of entirely novel, yet-unexplored attack-types and security risks that are specific to large language models (LMs), that may be intrinsically dependent upon things like … Continue reading On the malicious use of large language models like GPT-3

The Password is Dead, Long Live the Password!

Overview In 2016, I have read many articles on the topic of authentication where a common proclamation has been that “The Password is Dead!”. No doubt, the vast number of publicised breaches over the past few years where user passwords have been exposed has tainted people’s views on the efficacy of the password. In addition, … Continue reading The Password is Dead, Long Live the Password!