Ronnie Flathers
@ropnop
Followers: 6K · Following: 4K · Media: 176 · Statuses: 2K
security engr, pentester, researcher. i sometimes blog and code based on motivation/caffeine levels. Principal Security Engineer @Marqeta
Chicago
Joined October 2013
Huge shoutout to @ropnop for this article https://t.co/0P0vaY5QYd on SOP, CORS and CSRF. I don't know how many times I have referred to this blog to make sure I understand these concepts properly. Looking forward to more of these.
blog.ropnop.com
AWS Perimeter Mod for @steampipeio. An AWS perimeter checking tool that can be used to look for resources that are: * Publicly accessible * Shared with untrusted accounts * Have insecure network configurations + more https://t.co/pzcdtxU0YN
github.com
Is your AWS perimeter secure? Use Powerpipe and Steampipe to check your AWS accounts for public resources, resources shared with untrusted accounts, insecure network configurations and more. - tur...
100% best group of attendees and conversations I've ever had at a con. So many great people, it was awesome meeting you all!
Yes, great talk!! Tons to unpack and think about how to "productive" security more
When it literally rains on your parade at @LocoMocoSec with @ropnop @SammyHep @ndm @h4ck3rky13 and @coffeetocode #stillHavingFun
Aloha @LocoMocoSec, so excited to be here - have wanted to attend this con for a long time! Really looking forward to learning a lot, talking prodsec and meeting new friends. Anyone else gonna be here? And can't wait to catch up @coffeetocode, been too long!
So this is a bad/crazy idea, right? Maybe? I hacked together a valid OpenPGP entity that uses AWS KMS-backed signing and encryption keys. The idea was to use PGP without actually needing to handle key data or mess with gpg-agent/PKCS#11.
Finally decided to post 10+ years worth of notes on using ldapsearch - it references great work from @ropnop @agsolino @harmj0y and @YuG0rd
https://t.co/VTqrGTUHe2
malicious.link
ldapsearch is an extremely powerful tool, especially for Windows Active Directory enumeration. It's one of my primary tools when performing pentesting or red teaming against an environment with Active...
We are happy to announce that sigstore is now an @theopenssf project!
What's the current take on format preserving encryption (FPE)? I'm not super familiar with it, but the more I research it seems like it's probably not the best idea unless you *really really* have to?
Oh, this is neat! Seems like this will also lead to a better experience developing in a multi-module monorepo with needing something like Bazel
Welp, that wasn't too hard. Minisign's spec is pretty easy to implement. Can now minisign things with ed25519 keys stored in Vault (and eventually other KMSes). Might open-source it if I can clean it up and generalize.
Before I go coding something new, has anyone used @hashicorp Vault's transit engine with ed25519 keys to output minisign-compatible signatures? Seems like a great plug-in or feature to have, but I'm pretty sure it wouldn't be too difficult to wrap the Vault API if I have to…
Let's try something different. The Infosec Industry is a hammer. https://t.co/qF3kl365nO
Is there a term for something like "security through obscurity" but for just "redundant security", or controls that look good at first glance but ultimately don't solve anything? E.g. hashing passwords client-side in a web app before sending them over HTTPS to a server
It's great to see GCP include code examples for app-layer, client-side encryption for data stored in MySQL, including how to use the AAD in AEAD to prevent malicious replacement of ciphertexts: https://t.co/GeZPr0fBXN
docs.cloud.google.com
My company is hiring for several security roles (appsec, privacy, cloudsec) if you're looking for a change! Awesome team and culture, and remote friendly. Come help me solve some really cool and interesting problems! Lmk if you wanna chat, DMs open
marqeta.com
Join Marqeta and empower innovation in fintech! Enjoy flexible work, top benefits, and a diverse, award-winning culture. Explore our career opportunities!
This type of cross-tenant attack against Azure's Cosmos DB is a great example of why you should want client-side, app-layer encryption in your services so that your datastores primarily store ciphertext of any sensitive data: https://t.co/QEEJDmc2dC
wiz.io
As part of building a market-leading CNAPP, Wiz Research is constantly looking for new attack surfaces in the cloud. Two weeks ago we discovered an unprecedented breach that affects Azure's flagship...