Rockwell

314 posts


@hanysfa

Pentester @SeclabId | OSCP | OSEP | OSWE | Into Telecom and RE | tweet in EN/INA | opinion = mine

Joined October 2017
328 Following · 100 Followers
Pinned Tweet
Rockwell@hanysfa·
I'll be speaking at Black Hat MEA 2024. Feel free to come up and say hi if you meet me there. I'm going to be around briefing room 3 on day 1 and strolling around on days 2 and 3. P.S. I bring some stickers for your gadget 💻
Rockwell retweeted
8kSec@8kSec·
🎄 XMAS GIVEAWAY ALERT! 🎅✨ 🎉🔥 To celebrate the holiday season, we’re giving away TWO 12-month FREE vouchers for any of our premium courses: ▪️ Practical Mobile Application Exploitation ▪️ Offensive Mobile Reversing and Exploitation ▪️ Offensive iOS Internals ▪️ Offensive Android Internals ▪️ Practical AI Security: Attacks, Defenses, and Applications How to participate: ➊ Like 👍 this post ➋ Comment which course you’d like to win and tag one friend. If you win, both of you get FREE access! ➌ Repost 🔁 ➍ Follow @8kSec so we can DM you if you win 🎁 Two random winners will be selected and announced on December 24, 2025, on our socials. Both the winner and their tagged friend will receive FREE access to the selected course. 🔗 Learn more about our courses: academy.8ksec.io
Rockwell retweeted
Peter Girnus 🦅@gothburz·
Last week our CISO asked me to present on “zero trust architecture.” I don’t know what that means. I make $340,000 a year. I haven’t touched a firewall since Obama’s first term. But I have a CISSP. I passed by memorizing acronyms. I still don’t know what half of them stand for. I opened my presentation with “assume breach.” Everyone nodded gravely. I said “defense in depth” three times. The board was captivated. Then a junior analyst raised her hand. She asked how we’d implement microsegmentation. I felt a cold sweat. I said, “Great question. Let’s take that offline.” She persisted. I said we should “leverage AI-driven solutions.” She asked which ones. I said, “The cloud-native ones.” She looked confused. I told her confusion was natural. I said, “Security is a journey, not a destination.” The CEO started clapping. I don’t know why. But others joined in. The analyst stopped asking questions. I ended with “security is everyone’s responsibility.” This meant it was no one’s responsibility. Especially not mine. We got breached two weeks later. I blamed the analyst for “creating a culture of doubt.” She got put on a PIP. I got promoted to VP. Resilience isn’t about preventing failure. It’s about surviving it. Preferably while others don’t.
Rockwell retweeted
s1r1us (mohan)@S1r1u5_·
the word pentest has been so tainted by checklist audits and shallow work that it disgusts me to even say it. there are only a handful of firms that still do it right. you can tell if a company actually cares about security by who they hire to audit them. If it’s not one of the few firms that do real work, it’s probably just compliance optics.
Rockwell@hanysfa·
@polygonben not ethical. way too skid. I have to make sure that our hiring team doesn't reach out to him/her 😅
Ben@polygonben·
Some interesting findings at Huntress today after a skid exploited a web server. We initially detected based on httpd.exe spawning sus processes. The TA created a user account 'DataAdmin' with the password 'AlexGangteng' for persistence and added this user to the Administrators group
Rockwell retweeted
TrendAI Zero Day Initiative
Nicely done! Billy (@st424204) and Ramdhan (@n0psledbyte) of STAR Labs used a UAF to perform their Docker Desktop escape and execute code on the underlying OS. They earn $60,000 and 6 Master of Pwn Points.
Rockwell@hanysfa·
@goosewin can I use that pic for personal tee design? 😂
goosewin@Goosewin·
i mean it's a great therapeutic experience
Rockwell@hanysfa·
@0x_hackerfren Good luck on your exam. As an htb player myself, my exam set was quite "easy". I believe that you've nailed it at this exact time
Jacob Krell@hackerfren·
OSEP exam is tomorrow. Wish me luck, I look forward to sharing I passed!
Rockwell retweeted
yohanes@yohanes·
I recently helped a company recover their data from the Akira ransomware without paying the ransom. I’m sharing how I did it, along with the full source code. tinyhack.com/2025/03/13/dec…
Rockwell retweeted
Iceman@herrmann1001·
Official comment from Espressif. Everyone is now agreeing it's not a backdoor. The researchers' "back door" approach for attention backfired. Shame on you. espressif.com/en/news/Respon…
saw_your_packet@saw_your_packet·
I'm spending half of the CFP submission time on this question haha. Can someone clarify, please? So, they essentially want to make sure that you will not withdraw the CFP from DEF CON if you are rejected at Black Hat?
Calle Svensson@ZetaTwo·
Anyone want to provide some feedback on a reverse engineering article I wrote?
Rockwell retweeted
zhero;@zhero___·
very pleased to announce the release of my new article based on my research that led to CVE-2024-46982 titled: Next.js, cache, and chains: the stale elixir zhero-web-sec.github.io/research-and-t… note: does not cover the latest findings shared in my recent posts enjoy reading;
Rockwell retweeted
Mick Douglas 🇺🇦🌻@bettersafetynet·
pen test report readout client: wow. We've had so many pen tests and nobody's found this stuff. me: aw shucks C: nah, we're kinda mad tbh at other firms m: can I see their reports? We have NDAs w/ ya C: sure Hands over Nessus_scan_with_nice_cover_sheet.pdf
Rockwell retweeted
Graham Helton (too much for zblock)
also, petition to move the root user's home folder to /home/root instead of /root
Rockwell retweeted
Mehdi@MehdiHacks·
🧵 How to build a small and portable RF lab with USB-based instruments? In the previous thread, my main goal was to show you how to build a budget RF lab. What if budget is not the main concern, but rather space and portability? I have this problem myself: I can spend a bit above the hobbyist budget, but I don't have space for 30KG test & measurement devices which require large workshop space (and then can't be moved easily for field operations) This problem used to be solved by having portable field devices that are relatively small and light and battery operated, but still have built-in display and can work standalone (I showed an example in the previous thread, of a GenComm) However, in the past decade we saw the rise of many great USB-based devices, both from the giants (like Tektronix and Keysight) and also smaller companies. I will divide the serious test and measurement tools to 3 size categories: 1. Classic benchtop: heaviest and biggest, best performance, usually very expensive unless you buy old used devices. 2. Field devices: portable, built-in display, still could be expensive. 3. USB based devices: need a laptop to work, powered by USB, relatively more affordable. Fourth category would be small hobbyist grade tools, some of which I covered in the previous thread (like tinySA and NanoVNA) Let's look at 4 devices in this thread: spectrum analyzer, RF signal generator, VNA, and RF power meter. P.S I don't have a big benchtop device to show, so the 2nd picture is from Keysight, comparing field to traditional devices. 1/6
Mehdi@MehdiHacks

🧵 How to build an RF lab on a budget? A hacker's guide to the most important tools for signal hacking/analysis. Let's first introduce a few concepts and tools before actually jumping into the specific brands and models. Depending on what you want to do, there are a few tools you need in your lab for frequency analysis, antenna testing, and RF measurements: 1. spectrum analyzer: one of the most important tools in an RF lab. A device that lets you "see" signals. Mostly come in 2 shapes: either standalone (benchtop or portable, but with its display, and works independent of a computer), or USB-based that needs a computer. It's like a receiver, receiving signals from its input port (e.g. from an antenna) and showing them to you. 2. signal generator: as the name says, a device to generate signals. Like a transmitter. Important for many use cases (testing antennas, receivers, and many other RF accessories) 1/7

Rockwell@hanysfa·
@0x_rood nope, you only need to get used to it from hacking platforms like goad, htb, or certification programs