MonkeHacks #94

Finally, I’ve returned to Scotland - 14.5 hours from Tokyo to Paris, and then 2 hours to Edinburgh. I had a fantastic (albeit exhausting) trip. The LHE (live hacking event) venue was out in Chiba near Tokyo Disneyland, which was isolated from the rest of Tokyo, so there wasn’t actually a whole pile of stuff to do there if you don’t care about Disney. The event itself was fantastic. I caught up with some hacker bros, made some new friends, and had a great time.

I’m back in Scotland for about 10 days before I fly off to Japan again, this time with my best friend from Ireland, for 3 weeks. My cats are also going on holiday, to a luxury cat hotel in Edinburgh. I hope they’ll be comfortable there while I’m away.

36 Monke Views of Mt. Fuji. But seriously, this was a photo I took from Haneda airport the day before I left Japan. You need a windy day to blow the haze away to see the volcano.

Weekly Ideas / Notes

  • The LHE went well - I had a few good findings with my team, so I’m satisfied with how it went overall. The onsite days were intense; we’d wake up, have breakfast in the hotel cafeteria, then settle in for a day of hacking in the ballroom that was the main venue on both days. The coffee they served was weaker than usual, so we went back to the machine for multiple helpings throughout the day. That was nice, too, in that it provided some breaks to walk around a bit and think about the scope. The scope was great, really enjoyable and had quite a bit of depth to it.

    • It’s hard to describe what being in an LHE is actually like. I’m a bit desensitised to it (this was LHE number… 11 for me? I think?) but it’s no less fun every time. Sometimes bug bounty comes across as a bit of a soulless endeavour, but at LHEs you meet the staff and the program managers and such that are behind the scenes, and they add a level of depth to everything that’s hard to describe. The stakes are different for both you and them when you submit a bug. The staff (usually) do appreciate elegant bugs, which, considering the spam they usually receive, I can hardly blame them for.

  • I got tickets for Bsides Dublin (which is happening in May). Last year I gave a workshop there; this year I didn’t feel like giving a talk, so I’m going as a simple attendee. I know the folks at Bsides Dublin by now, so it’s a nice annual ritual of mine to go and chat with them.

  • These days I’ve been thinking more about bug bounty, and which parts of it actually have an impact on a company’s security posture. The reality is that it’s highs and crits. Things that can affect the company’s stock price, or customers. Being more involved on the business side has forced me to think more businesslike about other things too, including bug bounty.

  • I published VolumeLeak on the Starstrike blog. It’s a really interesting vulnerability that I found with Busfactor, where I created a classifier system to exfiltrate data out of a limited set of circumstances. I think we’ll see more usage of classifier systems in data exfiltration in the future. There are often tool calls with limited write capabilities, after all.

  • I’m optimistic about AI security in general. I really do think that guardrails will be a good enough deterrent to prevent prompt injections, if they’re developed in the right way.

Reading List

Title                              Pages (read/total)   Author
The Night Circus                   130/512              Erin Morgenstern
Solenoid                           130/600              Mircea Cărtărescu
A Random Walk Down Wall Street     150/300              Burton Malkiel
How The World Made The West        265/400              Josephine Crawley Quinn
Founders At Work                   221/472              Jessica Livingston
