Security Is Not an Absolute

If there’s one thing I wish people from outside the security industry knew when dealing with information security, it’s that security is not an absolute. Most of the time, it’s not even quantifiable. Even in the case of particular threat models, it’s often impossible to make statements about the security of a system with certainty.


Playing with the Gigastone Media Streamer Plus

A few months ago, I was shopping on woot.com and discovered the Gigastone Media Streamer Plus for about $25. I figured this might be something occasionally useful, or at least fun to look at for security vulnerabilities. When it arrived, I didn't get around to it for quite a while, and then when I finally did, I was terribly disappointed in it as a security research target -- it was just too easy.


Psychological Issues in the Security Industry

I've unfortunately had the experience of dealing with a number of psychological issues (either personally or through personal connections) during my tenure in the security fold. I hope to shed some light on them and encourage others to take them seriously.


socat as a handler for multiple reverse shells

I needed a way to handle multiple reverse shells calling back to the same C2 host. It's a little convoluted, but I found a way to receive multiple incoming sessions and multiplex them into tmux windows.


TP-Link Kasa App: SSL Verification Disabled (Fixed)

For an unknown period of time prior to December 2017, the Kasa "Smart Home" control application for Android failed to validate any TLS certificates when communicating to TP-Link's servers. This app is used for control of the company's line of smart plugs, light bulbs, and home hub, and affected all phases of the use of the app, including user registration, authentication, and device control.
