You’re thinking about scale all wrong

Scale isn’t about large numbers

To hear modern architects, system designers, consultants and inexperienced (but forgivable) developers talk about scale, you’d think every product and service was built to be the next Twitter or Facebook. Ironically, almost everything they create to be scalable would crash and burn if that actually happened. Even Google and Amazon aren’t

Threat Models Suck

They’re everything that’s wrong with cybersecurity

The coffee I’m sipping right now could kill me. You think I jest; but I assure you, if you work backwards from “death”, there is a possible precondition for some very deadly coffee. I just brewed another pot. I survived it to the end of this post. I love

ASLR simplified!

ASLR explained in one simple picture

ASLR increases difficulty without adding complexity. In Part 1 and Part 2 of this series I demonstrated that crafting attacks can be a pleasant experience without a lot of furious typing. I’ve even shown you how defeating exploits is easy when we really understand how the attack works. Let’s

Fun with binaries!

ASLR and DEP defeated with three instructions and one offset!

This is Part 2 of my previous post that demonstrated how you craft undetectable attacks against binaries, using our colorful Open Source Entropy Visualization tool. I left you with a cliffhanger… so let’s begin there!

Recap of the cliffhanger

The cliffhanger I left you with

Let’s craft some real attacks!

If you read security briefings, you wake up every morning to “buffer overflow” vulnerabilities, “control flow” exploits, crafted attacks against specific versions of code, and whatnot. Most of those descriptions are bland and dry. Moreover, much of it makes no intuitive sense, everyone has their fad of the week, and it is easy to feel