
Manfred Paul
@_manfp
Followers
5K
Following
375
Media
2
Statuses
82
Security but not as in "national security". Playing CTFs with @redrocket_ctf (and @Sauercl0ud). Pwn2Own Vancouver 2020..=2024\{2023}. @[email protected]
Joined January 2020
This argument feels deeply unsettling to me. No matter your stance on states exploiting vulnerabilities, shifting the moral obligation to vendors and researchers and demanding they be complicit in it is a dangerous precedent and short-sighted.
New blog post "Google: Stop Burning Counterterrorism Operations". My reflection on an incident where Project Zero and TAG knowingly shut down an active Western counterterrorism cyber operation, and the real-world harm that could have resulted from it.
1
18
130
Happy to have my write-up on @thezdi's blog again - after so many fights with some kind of range analysis, a bug that just directly gives every type confusion you want felt quite fun.
0
9
126
@ghidraninja Me; A large mass of stone forming a cliff, promontory, or peak. I hope I could help you with that, let me know if you have further questions!
0
0
18
@alexjplaskett @ajxchapman @buptdsb It's a bit fiddly indeed, converting a BigInt to Number() and then directly using it as index ends up using an int64 directly. You'll still want to train it with small indices of course, so that the relevant code is generated.
0
3
20
@kmkz_security @alexjplaskett To be fair I did do Renderer-Only for all but Firefox. The Sandbox is definitely part of the "getting more difficult" equation.
0
0
7
@domenuk @ghidraninja Did the test as suggested, results: 1. Dizzy 2. Unfortunately still not a cat.
0
0
7
@SchmiegSophie These icebreakers go to show that figuring out social situations can be hard, by reduction to 1-in-3-SAT.
0
1
3
@hacks4pancakes (Freelance) vuln research: Spending weeks just reading code without finding anything sucks. Also, for each exploitable bug there are at least 10 moments of "I think there's a bug here", followed by "oh, I completely misunderstood that/missed a crucial check".
0
0
4
@CryptoHack__ @SchmiegSophie And if we (ideally) choose uniformly from this set, we would have a random variable with 1013.5 bits of entropy.
1
0
4
@CryptoHack__ @SchmiegSophie Not every odd number is prime though - by the prime number theorem, roughly 1/ln(2^1024)≈1/710 of 1024-bit numbers are prime, which means there should be about 2^1023 / 710 ≈ 2^1013.5 primes between 2^1023 and 2^1024.
1
0
4
@seanhn I really don't get how that wouldn't be an "executive decision about a counter terrorism operation" then. If you don't want tech companies to play on that stage, then them following a consistent rule of "if we learn about a bug, we fix it" is the only way to have that.
1
0
4
@GelosSnake Not an expert, but I recently reported to a distro that their LTS version of something had a buffer overflow that was reported+fixed upstream 4 years ago but was never treated as a security bug, and apparently they actually issued a CVE-2017-. in 2021 for it.
0
1
3
@bullshitbeware @sallycol Interesting. I was of course aware that getting into the team is a lot easier here than a larger country like the US, but I always thought this was just down to the numbers, not people training that "professionally".
0
0
2
@_bob_parks_ @fermatslibrary It's normally considered to be 1. There are |A|^|B| functions from B to A. For A and B empty, there is the empty function. Also, x^0 should *always* be 1, or you would need to special-case such elementary things as polynomials.
1
0
3
@SchmiegSophie The people who chose R over C are clearly going through some complex issues right now.
0
0
3
@fuzyll @ZeddYu_Lu I think having a binary-only (or -heavy) CTF is completely fine if advertised as such. But seems to be a bit of unhealthy hype around DCCTF as "*the* ctf championship", sometimes bordering on "oh you want web/crypto/. ? then you're just not good enough for DC!".
1
0
3
@seanhn And while we're making accusations about "being unable to contemplate the wider consequences": There should be a red line there for a reason. It's the same line that says intentional backdoors are not OK. Or that some country you don't like shouldn't be allowed to do the same.
0
0
3
@fuzyll @ZeddYu_Lu Not sure why A/D is a set criterion for that. Personally, I think that CTFs are just too diverse a thing to have a "championship". Hyping a good, but single-category-focused one to that title seems like it can create very wrong expectations, especially to newer players.
1
0
2
@d3c10r @_bob_parks_ @fermatslibrary I think the limit argument is pretty much the weakest argument for 0^0=1 (why x^0, not 0^x?), although there are certainly arguments for why x^0 is the more "important" one. The more important ones are the algebraic arguments though, see
1
0
2
@cursedCTF don't worry you'll still manage to make me feel unqualified during the most prestigious cyber-security competition next month.
0
0
2
@count3rmeasure Always happy to hear when people are interested in those bugs :). I've sent you a DM.
0
0
1
@m40282845 Putting that burden on vendors and researchers is what I most disagree with. They're there to protect the users (and yes, having safe browsers is also protecting human beings!) and I find it wrong to blame them for putting that first.
1
0
1
@fuzyll @ZeddYu_Lu In the end, challenge difficulty is what's most affecting needed skill level. The rest is more of a subjective taste, with some preferring infrastructure&tactics-heavy gameplay, and others liking clear-cut technical challenges. Both are valid preferences.
1
0
1
@fuzyll @ZeddYu_Lu I still don't see how "more complex game state" (a subjective preference) translates to a justification for this "championship" status. And my larger point isn't even related to A/D vs Jeopardy; DC tends to focus on a specific type of mostly-pwn/rev, binary-only challenges.
1
0
1
@fuzyll @ZeddYu_Lu The organizing part is probably true, but I strongly disagree about playing being "more difficult". Sure, A/D requires some specific skills that Jeopardy doesn't. But the converse is also true, as Jeopardy allows for challenge types not possible in A/D.
1
0
1
@bullshitbeware @sallycol Is that a US-specific thing? In Germany we had some training seminars as part of the team selection process, and I don't know of any participants that did much more than that (+practicing for themselves and through other contests).
1
0
1
@fuzyll @ZeddYu_Lu (And again, I don't want to trashtalk DC CTF itself; I had a lot of fun last weekend even though that isn't necessarily my preferred challenge type. I just think of it more as "its own thing" rather than a fair representation of CTF topics).
1
0
1