Koto
LightNews LightNews
kkotowicz.bsky.social
Koto
@kkotowicz.bsky.social
1.5K followers 430 following 18 posts
Security ninja wannabe / board game geek / photon catcher
Posts Media Videos Starter Packs
kkotowicz.bsky.social
Koto @kkotowicz.bsky.social · Jan 25
Just when you think CVEs cannot get more ridiculous... 🤣
socket.dev Socket @socket.dev · Jan 24
📌 Node.js EOL versions just got their own CVE and critics are calling it “the worst CVE of the year.” Is this CVE a helpful PSA or an abuse of the system?

Dive into the debate: socket.dev/blog/node-js... #NodeJS #cybersecurity #JavaScript
Node.js EOL Versions CVE Dubbed the "Worst CVE of the Year" ...
Critics call the Node.js EOL CVE a misuse of the system, sparking debate over CVE standards and the growing noise in vulnerability databases.
socket.dev
1 2
kkotowicz.bsky.social
Koto @kkotowicz.bsky.social · Jan 23
Interesting. I wonder what's the motivation for projects to opt-in to this, and how many did already. Sounds like it would incur prohibitive costs on the company and the bug hunter (explaining technical security bugs to lawyers is orders of magnitude more involved than to security engineers).
1
Reposted by Koto
faitherinhicks.bsky.social
Faith Erin Hicks @faitherinhicks.bsky.social · Jan 14
I would like this comic I drew in 2017 to stop being relevant pleeeaaaaase
I wake up in the morning. I sit at my computer. The internet screams at me that the world is on fire. I am overwhelmed by the deluge of bad news and faceplant in front of the computer.
66 6.5K 31K
Reposted by Koto
matthewdgreen.bsky.social
Matthew Green @matthewdgreen.bsky.social · Jan 7
Telegram: not an encrypted messaging app ;) blog.cryptographyengineering.com/2024/08/25/t...
Is Telegram really an encrypted messaging app?
This blog is reserved for more serious things, and ordinarily I wouldn’t spend time on questions like the above. But much as I’d like to spend my time writing about exciting topics, som…
blog.cryptographyengineering.com
2 7 6
Reposted by Koto
gynvael.bsky.social
Gynvael Coldwind @gynvael.bsky.social · Dec 28
Want to support security researchers from Dragon Sector in covering legal costs piling up after they went public with logic bombs in train firmware?
IBAN for donations is available here:
www.ccc.de/en/updates/2...

Talks for context
media.ccc.de/v/37c3-12142...
streaming.media.ccc.de/38c3/relive/...
18 36
kkotowicz.bsky.social
Koto @kkotowicz.bsky.social · Dec 10
Do I hear CSP? :)
1
kkotowicz.bsky.social
Koto @kkotowicz.bsky.social · Dec 10
TIL about Chersterton's Fence fs.blog/chestertons-... - it puts a nice label to an intuition that I find very useful to apply in practice - from refactoring code, through process engineering. Understand first why the mess exists, in that form, before attempting to clean it up and revolutionize.
Chesterton’s Fence: A Lesson in Thinking
A core component of making great decisions is understanding previous decisions. If we don’t understand how we got “here,” we run the risk of making things much worse.
fs.blog
1 1 2
kkotowicz.bsky.social
Koto @kkotowicz.bsky.social · Dec 4
To this day I think my demise will be through some npm shenanigans. And it's fair, I deserve it. It should Javascript->RCE.
3
kkotowicz.bsky.social
Koto @kkotowicz.bsky.social · Dec 4
I don't often post about my work but bughunters.google.com/blog/6355265... is actually super cool thing my team is doing. These short term redteams focused on just stealing our passwords were always amazing to highlight how severely broken complex systems are. The internal writeups are so, so fun!
Blog: The Great Google Password Heist: 15 years of hacking passwords to test our security (and build team culture!)
The Leaving Tradition in Google's security team, which could be described as a type of small-scale offensive security exercise, is a great (and fun) example of team culture. Curious? See this blog pos...
bughunters.google.com
9 17
Reposted by Koto
renniepak.nl
renniepak @renniepak.nl · Dec 4
Pro tip for if you have XSS but you can only use upper case:

aem1k.com/transliterat...

transliterate.js by @aemkei.bsky.social works great!
transliterate.js
Translate any JavaScript code to foreign writing systems. Created by Martin Kleppe aka @aemkei.
aem1k.com
6 21
Reposted by Koto
sockpuppet.org
Thomas Ptacek @sockpuppet.org · Nov 27
There's no such thing as a "9.2" or "9.8" vulnerability. There's more science in Pitchfork's 0.0-10.0 album rating scale than in CVSS. I am completely serious. Pitchfork reviewers actually put their reviews in context with previous reviews by the artist. That's how bad CVSS is: worse than Pitchfork.
4 10 46
Reposted by Koto
freddyb.bsky.social
Freddy @freddyb.bsky.social · Nov 27
Modern solutions against cross-site attacks (frederikbraun.de/modern-solut...): An article about cross-site leak attacks and browser-based defenses. You will also learn why web security best practices is always opt-in and finally how YOU can get increased security controls.
Modern solutions against cross-site attacks
Modern solutions against cross-site attacks
frederikbraun.de
19 34
kkotowicz.bsky.social
Koto @kkotowicz.bsky.social · Nov 27
Not sure how I missed that, but we now actually have Ken Thompson's C compiler backdoor code from the classic "Reflections on Trusting Trust". An excellent writeup by @swtch.com - research.swtch.com/nih.
research!rsc: Running the “Reflections on Trusting Trust” Compiler
research.swtch.com
3 9
kkotowicz.bsky.social
Koto @kkotowicz.bsky.social · Nov 25
Interesting choice! Most, myself included, prefer Blindsight. Both are really good though, still waiting for the grand finale that will likely never come :)
1 3
Reposted by Koto
jameskettle.com
James Kettle @jameskettle.com · Nov 25
Custom lists are super cool! I enjoy reading social posts, but want to make sure I never miss a quality writeup or technique. To achieve this, I'm building a 'high signal web security' list of topic-focused accounts, which you can pin next to 'Following' if you want :)
bsky.app/profile/jame...
2 16 57
kkotowicz.bsky.social
Koto @kkotowicz.bsky.social · Nov 21
For posterity - nope, it does not :/
kkotowicz.bsky.social
Koto @kkotowicz.bsky.social · Nov 21
1..2..3 testing testing. Does BlueSky support UltraHDR images?
a photo of a building at break of dawn, high contract, with bright windows.
1 2
Reposted by Koto
gynvael.bsky.social
Gynvael Coldwind @gynvael.bsky.social · Nov 20
We're doing a cool online talk tomorrow btw – hexarcana.ch/workshops/cv...
CVEs of SSH
A talk about recent high-profile issues related to the SSH ecosystem.
hexarcana.ch
2 8 21
kkotowicz.bsky.social
Koto @kkotowicz.bsky.social · Nov 21
You totally should rename it to Cevisshe :)
1
kkotowicz.bsky.social
Koto @kkotowicz.bsky.social · Nov 21
@webappsec.dev has go.bsky.app/Uf8dZhz, it's a good one.
1 1 3
kkotowicz.bsky.social
Koto @kkotowicz.bsky.social · Nov 20
This hit close to home.
amuse.bsky.social Matt Linton @amuse.bsky.social · Nov 19
As we incident responders creep into the holidays and wait for our annual December surprise, I can't help thinking about burnout - always a relevant topic! Like most ops topics, I have a lot of thoughts on the matter.

osdfir.blogspot.com/...
About Burnout in Cybersecurity
Earlier this year, Johan Berggren and I presented at Black Hat EU on the topic of responder burnout. I had a wonderful time presenting and ...
osdfir.blogspot.com
1 3
Reposted by Koto
joaxcar.bsky.social
Johan Carlsson @joaxcar.bsky.social · Nov 15
Read this! Beautiful blog post, and so much to learn from it

mizu.re/post/explori...
Exploring the DOMPurify library: Bypasses and Fixes. Tags:Article - Article - Web - mXSS
Exploring the DOMPurify library: Bypasses and Fixes
mizu.re
8 19
kkotowicz.bsky.social
Koto @kkotowicz.bsky.social · Nov 18
Maybe, but that metric is not likely even correlated to 'most commonly exploited'.
kkotowicz.bsky.social
Koto @kkotowicz.bsky.social · Nov 17
Time to make some smart introductory websec post here, no? I guess all I have is:

Hello world, good bye XSS?
6
kkotowicz.bsky.social
Koto @kkotowicz.bsky.social · Nov 17
not yet, no.
1 1