Chris Evans

@scarybeasts

Followers: 26,112
Following: 205
Media: 45
Statuses: 3,541

CISO and Chief Hacking Officer at HackerOne. Past: Founded {vsftpd, Chrome security, Google Project Zero}; Tesla; Dropbox. Hacker / Researcher. beebjit.

San Francisco Bay Area
Joined May 2009
Pinned Tweet
@scarybeasts
Chris Evans
3 years
I'm now CISO and Chief Hacking Officer at HackerOne. "The most rewarding parts of my career have been the times when I’ve hired hackers, rewarded independent hackers, defended hackers, and celebrated the achievements of hackers."
61
52
693
@scarybeasts
Chris Evans
6 years
Overheard today: "the least plausible technology in Star Trek is instant video conferencing that just works".
10
558
2K
@scarybeasts
Chris Evans
7 years
So my CPU has a webserver in it and my SYSTEM account has a JavaScript engine in it. I think we've lost the complexity battle.
31
806
1K
@scarybeasts
Chris Evans
9 years
I'm very excited to soon be joining @TeslaMotors to lead security.
87
177
523
@scarybeasts
Chris Evans
7 years
Uhhhuh this Google Project Zero bug has a working remote exploit into the WiFi chip of the iPhone 7!
14
455
513
@scarybeasts
Chris Evans
8 years
Hardest exploit I ever wrote: [0day][exploit] Advancing exploitation: scriptless 0day exploit against Linux desktops
17
407
497
@scarybeasts
Chris Evans
5 years
Remember, Google Chrome is very well sandboxed. So when you see a Chrome 0-day fixed by the team in isolation, you have to suspect another company (Microsoft?) is sitting on an unfixed sandbox escape. Usually (but not always) a Windows kernel bug. Often Win 7 only.
5
105
475
@scarybeasts
Chris Evans
6 years
Red alert? "tl;dr: there is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve.":
9
336
450
@scarybeasts
Chris Evans
3 years
[blog] Recovering "lost" treasure-filled floppy discs with an oscilloscope: , a project with Phil Pemberton. A fun project with a lot of nuance and experimentation.
9
111
417
@scarybeasts
Chris Evans
7 years
[blog] [1day] Ode to the use-after-free: one vulnerable function, a thousand possibilities:
5
232
378
@scarybeasts
Chris Evans
4 years
[blog] "Reverse engineering a forgotten 1970s Intel dual core beast: 8271, a new ISA": A small team decapped / reversed an 8271; beautiful but shockingly large. Dual core! Larger than the 6502 CPU (right). Fascinating Intel history and a new Intel ISA!
7
116
346
@scarybeasts
Chris Evans
7 years
[blog] Employed again! I’m now Head of Security at Dropbox, and enjoying it. Details:
33
30
342
@scarybeasts
Chris Evans
2 years
On behalf of the HackerOne team, I’d like to apologize to the Ukrainian hacker community for the frustration and confusion that our poor communication has caused. We have not (and will not) block lawful payments to Ukraine.
9
56
307
@scarybeasts
Chris Evans
7 years
Just got a $14,000 bounty for an 18 byte file. $778 per byte. Not bad :) I'll celebrate that file's density by sending it along to charity.
9
51
296
@scarybeasts
Chris Evans
4 years
I'm restoring a 35 year old floppy drive. In case you were wondering what the magnetic signal on a floppy disc looks like, wonder no further. This is a clean, strong (DFM encoded) signal from a 35 (!!) year old disc.
9
48
271
@scarybeasts
Chris Evans
6 years
OMG. Does Intel have broken speculative execution? "AMD ... does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault."
9
158
242
@scarybeasts
Chris Evans
3 years
[blog] The cleverest floppy disc protection ever? Western Security Ltd. , this one really impressed me.
5
71
243
@scarybeasts
Chris Evans
5 years
Your other Halloween scare, looks like a Chrome 0-day: "CVE-2019-13720: Use-after-free in audio. Reported by Anton Ivanov and Alexey Kulaev at Kaspersky Labs on 2019-10-29 Google is aware of reports that an exploit for CVE-2019-13720 exists in the wild."
3
81
235
@scarybeasts
Chris Evans
7 years
[blog] *bleed continues: 18 byte file, $14k bounty, for leaking private Yahoo! Mail images
6
144
235
@scarybeasts
Chris Evans
7 years
iPhone 7 full exploit. Wow, we don't have details yet, but @laginimaineb hops from WiFi chip to full host AP control:
4
159
225
@scarybeasts
Chris Evans
6 years
Ok I'm in awe of @tehjh. Not 100% sure I've got it but did he speculatively execute (x64) a speculative program (BPF) by colliding the branch target buffer in order to leak via a cache side effect? Words cannot describe skullduggery of this magnitude.
1
38
213
@scarybeasts
Chris Evans
4 years
Well that sucks. Sometimes, 35 year old floppies have failed glue so the magnetic particles fly off when you try and read them. Pretty picture to tell a thousand words:
13
44
196
@scarybeasts
Chris Evans
8 years
[0day] [exploit] Compromising a Linux desktop using... 6502 processor opcodes on the NES?!:
8
190
197
@scarybeasts
Chris Evans
7 years
"We can't repel firepower of that magnitude" said the strong iPhones as they fell to a full remote over-the-air WiFi compromise by @laginimaineb. Best research I've seen this year:
2
95
189
@scarybeasts
Chris Evans
2 years
HackerOne supports its customers. We’re in close contact with Uber’s security team, have locked their data down, and will continue to assist with their investigation.
@Uber_Comms
Uber Comms
2 years
We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.
4
1K
4K
4
21
186
@scarybeasts
Chris Evans
4 years
There's something hauntingly beautiful watching all these iPhones die at slightly different times, as they get a WiFi broadcast packet of death. (from )
3
58
181
@scarybeasts
Chris Evans
6 years
Very nice little blog post if you want to get in to exactly what a modern Intel CPU can execute in parallel and why:
0
81
183
@scarybeasts
Chris Evans
3 years
This is excellent by Apple. A ~6 year old phone still getting patches. It's great for security and great for those of us who see an upgrade as wasteful if the old device is functional. Still annoyed about loss of patches for my Pixel 2 after ~3 years.
@Mr_Stark_
Mr. Stark
3 years
*Apple announces that iPhone 6s is also compatible for iOS15 update* iPhone 6 users right now: #WWDC21
0
395
1K
5
37
186
@scarybeasts
Chris Evans
3 years
I don't tweet a lot.... but when I do, it's a "must read" by @fugueish, "Prioritizing Memory Safety Migrations": , can't decide if the best bit is "mean-spirited packets" or "attacker is able to get at C/C++ attack surface, we must assume they can win."
3
49
184
@scarybeasts
Chris Evans
6 years
As a technical community we've had to work _really_ hard to increase input latency despite continuing exponential improvement in computing power. No one would have thought it possible, but we've sucked so hard we did it. BTW, complexity also kills security. :(
@danluu
Dan Luu
6 years
Computer latency: 1977-2017
107
2K
3K
5
85
183
@scarybeasts
Chris Evans
7 years
[blog] Proving missing ASLR on and over the web for a $343 bounty :D
3
133
174
@scarybeasts
Chris Evans
5 years
If you're in Enterprise / Corporate security, I recommend reading and implementing this fresh take from Dropbox on 3rd party vendor security: TL;DR vendor questionnaires are a shit show and here's a better way. [forgot to amplify this when first posted]
2
52
166
@scarybeasts
Chris Evans
5 years
Let me be clear: Chrome has consistently been a more secure browser than Safari for too many reasons to list in a tweet. Disgraceful from Apple, particularly answer #4 :
6
37
162
@scarybeasts
Chris Evans
6 years
Back in the UK for the first time in 8 years. Me: what's new? Cabbie (very serious): well, there's the Brexit thing but the big one was KFC running out of chicken.
3
12
163
@scarybeasts
Chris Evans
7 years
[blog] Black box discovery of memory corruption RCE on :
1
110
159
@scarybeasts
Chris Evans
6 years
@__apf__ @googlechrome To be honest, I was really hoping for a summary of the best conspiracy theories.
2
0
159
@scarybeasts
Chris Evans
5 years
Best bug bounty report ever? "With great pleasure we would like to report that we have discovered a GraphQL endpoint that discloses internal beer consumption at your offices."
2
55
160
@scarybeasts
Chris Evans
4 years
iOS security can be summarized as two extremes. On one hand, Apple have invested significantly in security mitigations and many security layers. On the other hand, code quality is poor. Which factor dominates? Poor code quality. Attacker just cranks through the layers.
@i41nbeer
Ian Beer
4 years
But having such a large and privileged attack surface reachable by anyone means the security of that code is paramount, and unfortunately the quality of the AWDL code was at times fairly poor and seemingly untested.
3
12
147
4
23
156
@scarybeasts
Chris Evans
6 years
[blog] Dropbox: Protecting Security Researchers. More to do but I think this is a strong start. Please join us:
6
69
150
@scarybeasts
Chris Evans
7 years
Am I the only one who's a fan of branded vulnerabilities? KRACK, ok got it, conversation started. CVE-2017-blablahonkhonk -- remind me, which one is that?
14
36
146
@scarybeasts
Chris Evans
7 years
[blog] Are we doing memory corruption mitigations wrong?
4
98
137
@scarybeasts
Chris Evans
5 months
Hackers, HackerOne's Bug Bounty Program just cleared the $1,000,000 rewards milestone! Thanks so much for helping secure the platform. The creativity in your reports is spectacular, representing novel, elusive (and sometimes severe!) findings that no other security tool can find.
2
14
138
@scarybeasts
Chris Evans
6 years
In maths, they have the Erdos number. In Infosec, I think we now have the Horn number. This is the number of times you have to read Spectre variant #2 before you get it.
3
30
134
@scarybeasts
Chris Evans
7 years
We tsk-tsked at Windows for putting font parsing in ring 0, but Linux is determined to try and catch up.
@tgraf__
Thomas Graf 🐝
7 years
Linux 4.13 is out with in-kernel TLS support Graph: 99th centile latency - kTLS(green), OpenSSL (blue) Source:
12
353
419
10
92
132
@scarybeasts
Chris Evans
4 years
[blog] Turning a £400 BBC Micro (1981) into a $40,000 disc writer (1987). I enjoyed doing this one 😃
13
31
129
@scarybeasts
Chris Evans
6 years
I don't think site isolation is a "mitigation" for Spectre. I think failure to align web security boundaries (sites) with OS security boundary primitives (processes) is a browser design error that only Chromium has an answer for (thanks to years of investment). /cc: @nasko
7
42
123
@scarybeasts
Chris Evans
9 years
Project Zero blog: beautiful ESET AV exploit by @taviso -- "unpacker" opcodes execute on virtual then _real_ CPU! http://t.co/bkpF3dYi8S
1
171
119
@scarybeasts
Chris Evans
3 years
OMG! The Google Chrome team is avenging Google Reader!
@__apf__
Adriana Porter Felt
3 years
Starting today, we're experimenting on Chrome stable with a Following feature. You can choose websites to follow, and their RSS updates will appear on Chrome's new tab page. We've been working on this for a while & I'm super excited to hear what people think 👇
98
248
1K
7
34
114
@scarybeasts
Chris Evans
7 years
Most fun exploit I ever wrote: [0day] [exploit] Redux: compromising Linux using SNES Ricoh 5A22 processor opcodes?!
4
93
113
@scarybeasts
Chris Evans
3 years
Interesting new attacks against TLS, targeting the underlying protocols: A quick, practical tip: don't re-use the same hostname for different TLS-protected protocols, and don't use a wildcard cert covering different hostnames with different protocols.
3
43
114
@scarybeasts
Chris Evans
7 years
So while everyone was whining about disclosure on Twitter, Microsoft shut up and engineered a very fast fix. That's how it's done. Nice.
1
24
110
@scarybeasts
Chris Evans
7 years
[blog] *bleed, more powerful: dumping Yahoo! authentication secrets with an out-of-bounds read
1
58
109
@scarybeasts
Chris Evans
6 years
[blog] Dropbox: MacOS monitoring the open source way:
5
53
101
@scarybeasts
Chris Evans
3 years
Google is often much stronger than Apple at security.... but this is one area where Apple spanks Google. I have a Pixel 2 and it's still a very fast and capable phone. This is disappointing not just for the security, but also for the waste.
7
18
106
@scarybeasts
Chris Evans
8 months
Hackers, an important one. e.g.: we heard that CVSS "PR" is handled inconsistently (should be PR:None for self-sign-up). We're transparently listing a set of Detailed Platform Standards for consistency across programs. Need your help -- what to cover next?
10
28
105
@scarybeasts
Chris Evans
6 years
Ok. Read this, an article I loved earlier this year, "reading kernel memory from user mode", via "Abusing speculative execution". It was a negative result. Did someone flip it positive?
1
50
103
@scarybeasts
Chris Evans
9 years
Project Zero blog: interesting high entropy ASLR bypass via MemoryProtector & Mitigation Bypass win by Ivan Fratric: http://t.co/fR7ZuGXxaT
5
117
99
@scarybeasts
Chris Evans
6 years
Dropbox is hiring for security, all roles. This includes hiring in Seattle! We're hosting an evening of talks, snacks and drinks at the (awesome!) Dropbox Seattle office on Feb 15th. RSVP:
5
92
97
@scarybeasts
Chris Evans
9 months
A huge thank you to @HarshDRanjan1 for patience relating to report . Severity went Medium -> High; bounty raised. Good programs will re-evaluate reports with rational arguments. Hackers, thanks for the CVSS "Privileges Required" feedback. Action underway.
10
6
96
@scarybeasts
Chris Evans
6 years
Dropbox will be publishing a lot more about security initiatives and technology in 2018. Some interesting posts in the works; for now here's a high-level opener:
3
25
94
@scarybeasts
Chris Evans
7 years
Interesting Google Project Zero bug from @tehjh in the Linux core memory subsystem (mincore()):
0
51
92
@scarybeasts
Chris Evans
9 years
Project Zero blog: the best type confusion exploit I've seen! 100%[*] reliable. By @natashenka: http://t.co/NyxiWOBPyW
0
91
89
@scarybeasts
Chris Evans
9 months
Hackers, we're listening to feedback around the platform retesting feature. As a step to improvement, customers can now tag more than $50 when approving a retest. To respect your time, $50 remains a strict minimum.
4
5
89
@scarybeasts
Chris Evans
7 years
[blog] Further hardening glibc malloc() against single byte overflows
2
60
88
@scarybeasts
Chris Evans
7 years
[blog] Introducing Qualys Project Zero?
4
53
85
@scarybeasts
Chris Evans
9 years
Project Zero blog: full story on the recent ntpd bugs. Interesting exploitation tricks! For a remote vector on OS X: http://t.co/KcpcKhuW10
1
101
84
@scarybeasts
Chris Evans
9 years
Project Zero blog: a fascinating exploit for the Linux Nvidia driver from Lee Campbell, with two race conditions: http://t.co/qXyRsl8TCo
2
127
83
@scarybeasts
Chris Evans
5 years
Great post by the V8 team on their Spectre journey: Some thought provokers, "offensive research advanced much faster than our defensive research" and particularly "engineering effort diverted to combating Spectre was disproportionate to its threat level"
0
37
82
@scarybeasts
Chris Evans
6 years
. @anders_fogh Thoughts on vs. vs. ?
1
41
80
@scarybeasts
Chris Evans
2 years
This is magnificent. What's your aging hacker handle? Should I change mine to become "beasts of mild concern"?
@JasonGeffner
Jason Geffner
2 years
Now that I'm approaching 40, I need to change my hacker alias to something age-appropriate, like ACiD ReFLuX.
55
98
1K
12
7
81
@scarybeasts
Chris Evans
9 years
My last day at @google and a Project Zero post for you on bypassing and improving a Flash mitigation, enjoy, adios! http://t.co/p1QVgLsEog
6
67
81
@scarybeasts
Chris Evans
10 years
Project Zero's first technical blog post! If you're very technical and into low level exploitation, it's a must-read: http://t.co/RJsw476CGM
4
90
80
@scarybeasts
Chris Evans
4 years
[blog] Weak bits floppy disc protection: an alternate origins story on 8-bit: I found an unusually sophisticated 1980s protection and the author had a great story how it came about.
9
26
77
@scarybeasts
Chris Evans
4 years
The 4th law of thermodynamics: all video conferencing software will expand its energy requirements to precisely match 100% utilization of the host machine, no matter how powerful.
3
12
76
@scarybeasts
Chris Evans
7 years
Qualys Project Zero strikes again, this time with excellent research into heap<->stack collisions including 64-bit!
1
57
76
@scarybeasts
Chris Evans
8 months
Hackers, we changed the expiration time on private program invites from 7 days to 14. Thanks for the feedback and suggestion!
9
4
77
@scarybeasts
Chris Evans
7 years
It must be an easy life to have the job title "Offensive Security Engineer". Roll into the office late, flip off a few developers who introduced XSS, and then your work is done for the day?
5
7
75
@scarybeasts
Chris Evans
6 years
[blog] Dropbox support for WebAuthentication launched. Immediate love for U2F keys in Firefox and excited for upcoming Edge support!
3
29
74
@scarybeasts
Chris Evans
8 years
[1day] [PoC with $rip] Deterministic Linux heap grooming with huge allocations:
0
54
73
@scarybeasts
Chris Evans
7 years
What horror is this?? In 1951, one type of computer main memory was a huge tube of mercury with bits encoded in sound waves inside it:
11
23
71
@scarybeasts
Chris Evans
7 years
Huge mobile result by Gal @P0: "full device takeover by Wi-Fi proximity alone, requiring no user interaction":
2
64
72
@scarybeasts
Chris Evans
6 years
British English is best English. "At one point, Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka FUCKWIT, was mulled by the Linux kernel team, giving you an idea of how annoying this has been for the developers."
3
29
71
@scarybeasts
Chris Evans
4 years
. @doctorow See . In my experience, the most common form of anti-disclosure bullying is abusing business relationships. i.e. some SVP or CEO calls up some SVP or CEO (of the company where the researcher works), rants and makes threats, etc.
3
25
70
@scarybeasts
Chris Evans
9 years
Project Zero blog: ROWHAMMER EXPLOITED! Twice, in fact. http://t.co/Yph9PYwS4o -- needs broad dissemination / discussion.
6
151
71
@scarybeasts
Chris Evans
9 years
Project Zero Blog: "Taming the wild copy", a new way to exploit memcpy(..., ..., -1): http://t.co/sAjFizageL
3
91
71
@scarybeasts
Chris Evans
3 months
Hackers, important! Share if you can. We request more data on programs. Got a valid report? The "Give feedback" button is active. Rant if necessary, but please take time for the great programs too. We will help programs improve, and highlight programs that respect norms and you.
12
8
72
@scarybeasts
Chris Evans
6 years
Thanks LinkedIn. I must decline to press the "unlock insights" button based on these samples. "Chris, over 20,000 people in San Francisco Bay Area share your first name" "Thinking about a raise? $60,000 is the median salary for the title Chief Of Security in United States."
2
2
71
@scarybeasts
Chris Evans
8 years
Google Project Zero is really kicking ass. Read a full Android privesc exploit from new team member @laginimaineb :
1
36
68
@scarybeasts
Chris Evans
28 days
Hackers, I think this one's important. You deserve transparency as a matter of fairness and platform integrity. It is now mandatory for programs to always show time-to-bounty related statistics. (Example is from a leading program.)
7
3
69
@scarybeasts
Chris Evans
7 years
If North Korea nails our power grid, it'll be because we were all busy waging the disclosure holy wars (episode: 17) on Twitter.
2
9
68
@scarybeasts
Chris Evans
9 years
Project Zero blog: part 1 of 4 on 100% reliable exploitation. Many interesting bugs referenced. http://t.co/FQk7ddyqMm (part 2 gets real)
3
65
67
@scarybeasts
Chris Evans
10 years
Project Zero blog: _tons_ of details on the recent iOS / OS X sandbox escapes / kernel bugs: http://t.co/hBS9AQXgah -- enjoy!
3
77
66
@scarybeasts
Chris Evans
4 years
[blog] [release] Clocking a 6502 to 15GHz (!):
2
24
64
@scarybeasts
Chris Evans
1 month
Every Bug Bounty Program has areas for improvement. IMHO, the mark of a Gold Standard BBP is accepting feedback with humility and making updates. In this instance, we had a bounty table inconsistency. I approved $60,000 in retroactive payouts and we straightened out the table.
@pxmme1337
Pomme
1 month
HackerOne just gave me $5,000 out of the blue on a report I had forgotten. Today is a good day.
6
1
224
3
4
64
@scarybeasts
Chris Evans
8 years
[0day] [PoC] Risky design decisions in Google Chrome and Fedora desktop enable drive-by downloads:
2
73
61
@scarybeasts
Chris Evans
7 years
Nice article on Google Project Zero: (@taviso, hands off @headhntr's sunnies!)
0
27
59