MonkeHacks #71

Privacy, Proton and Pentesting

Very warm weather this week in Edinburgh, about 23 degrees Celsius or 73 degrees Fahrenheit. By Scottish standards, that’s pretty warm.

Last week, I watched Pewdiepie’s video on de-Googling his life, and it made me wonder; I’ve always seen the proponents of Privacy First advocating it as a way of life, but why? I have enormous respect for Pewdiepie as a human being, so I thought that clearly, if he thought this was something worth doing, I should at least do some research and investigate it.

I read about it a bit, and that made me think more. Why is everything so… free? And yes, I am aware that “I am the product”. But I never really thought about the implications of that. My entire being is the product. I’ve always taken it for granted, and thought “hey, I have nothing to hide”. But I certainly have a right to hide things, even if I have nothing to hide. And right now, I can’t really do that. The surveillance age removes that right from each one of us.

In the modern age, this should be a right, but now it’s unfortunately more like an individual responsibility. In the Resources section, I’ve linked a site that gives you some resources to take back ownership of your data.

If you’re still not convinced, let me frame it this way. Google, Meta, Microsoft, etc. all have pretty good security. But they’re all going to hand over your data to a government (not any specific one) if asked.

Now, if you’re reading this, then you’re probably fortunate enough to live in a democracy that gives you a good number of rights as a person. But the world is currently moving in a more… authoritarian, and perhaps dystopian, direction. Do you really want to be caught with your pants down? What if your government turns dictatorial and starts asking for your data? What if you’re in a targeted minority, as seen in history, or a particular religious or ethnic group that the new government does not like?

We take our freedom for granted. It’s better to pay the price of convenience and take back ownership of your data. And this is a sliding scale. You can start with your email, for example, and gradually take back more things. The level of privacy you tolerate is the level of privacy you’ll get.

A forest stream in Hermitage of Braid, Edinburgh. A really nice nature walk.

Weekly Ideas / Notes 

  • I read an interesting line, or rather sentiment, in Solenoid, a book initially recommended to me by the great bendtheory. Whose dream are you living in? Or, whose goals and ambitions are you being consumed in? Your own, or someone else’s? Who are you lighting the way for? Yourself, or someone else?

  • I’ve started taking steps to take back control of my data!

    • I’ve been a longtime user of Proton’s offerings - I use Proton Mail as my main email provider. I have a pretty nice discount on the Unlimited Plan from being a paying user back in 2021, so it’s costing me about $60 a year for quite a lot of features now. Without the discount, it’s about $100.

    • I bought a Pixel 9a and I’m using GrapheneOS with it. Honestly, I don’t really see many usage problems with it. I don’t do very much with my phone anyway except the same few apps, and I’ve been looking for an excuse to trim down on the apps I use to stop wasting time on social media and such. And being more free from Big Tech feels… liberating. It’s a good feeling. Next, I need to organise and centralise my storage into Proton Drive, and I need to find an offline solution for my photos, maybe. Something like that. I’ll continue writing about it. GrapheneOS doesn’t have Google Pay so I’ve been spending less impulsively too.

  • I tried using a weighted blanket to sleep, and it made my sleep so much worse that I’ve put it away already. Trial and error, sometimes with more error.

  • In the interest of privacy, I wasn’t satisfied with needing to provide Caido backup files for the Bugcrowd pentesting QA process (I only want to provide in-scope requests! not all of them!), so I wrote a CLI utility to import exported requests back into Caido. It’s still a bit broken but it generally works. Why is this necessary? Because you can set the scope in Caido’s export system when you export CSVs. By importing these back into a fresh project, the QA folks can review the requests more easily without getting all of the other data I’d prefer not to hand over (such as my Gmail session cookies from OOS traffic).

  • Soon I’ll write a blog post on my travel gear. Stay tuned.

Reading List

  • Currently:

    • Fiction: Solenoid by Mircea Cărtărescu (75/600 pages)

    • Non-Fiction: A Random Walk Down Wall Street by Burton Malkiel (150/300 pages)

  • Next on the list:

    • Fiction: TBD

    • Non-Fiction: Day Zero to Zero Day by Eugene Lim (SpaceRaccoon)

Resources

There were a lot of articles this week.