A Technical Manager’s View of Imposter Syndrome

A Technical Manager’s View of Imposter Syndrome

“Hey [boss] — am I fired?” This is one of the those “ha ha, only serious” jokes; one of those places that we all use humor to broach a topic that’s hard to just come right out and ask. I remember using this (admittedly hamfisted) line with various managers over ... Read More

Lastpass, Risk, and Security Expectations

Last week was a rough week for LastPass. In his continuing work of scrutinizing security products in general, and recently password managers in particular, Tavis Ormandy has released a series of critical bugs against LastPass (Tweet, Writeups). They’re exactly the sort of nightmare scenario that scares the crap out of ... Read More

Netgear r7000 Command Injection Temporary Workaround

| | Exploits, Uncategorized
On Friday CERT issued a warning about the Netgear r7000 and R6400 lines of routers. They are vulnerable to a trivial, unauthenticated command injection via the internal-facing HTTP administrative interface. There’s plenty of other reporting for confirmation, exploit info, and further details. However, CERT’s official guidance is, well, not all ... Read More

Sort()ing out a Nerdsnipe

First, a disclaimer: this is really stupid stuff, and basically the opposite of work worth doing. But still, I got nerdsniped and the resulting rabbit hole went somewhere interesting, so I figured I’d write it up. Update 10/2: Someone else got bit by the same bug. @swisshttp took a deeper ... Read More
Fight Club Vibrating Luggage

On Pentesting, Professionalism, & “Chill”

After a recent penetration test report-out call with a client, I asked my interns if anything from the call surprised them. One of them noted that he was surprised how “chill” the call was. That was interesting to me because it reminded me that I had thought the exact same ... Read More