John Dunlap

3.5K posts

@JohnDunlap2

Security Researcher, demoscene fan, hardcore Tetris enthusiast former GDS / former ToB / Leviathan Security / Trellix these days. Opinions are entirely my own.

New York, NY · Joined January 2012
1.3K Following · 348 Followers

John Dunlap reposted
Brad Spengler @spendergrsec
FreeBSD, the kernel nobody thinks about until it's time to demonstrate what it looks like to attack something that skipped out on the last 20 years of modern defenses.

John Dunlap reposted
thaidn @XorNinja
Someone fed our Linux kernel exploitation blog post into Claude, and it casually coughed up another vulnerability. On one hand, this is the beauty of open research and sharing. On the other hand, Claude scares me. Send help! linkedin.com/posts/yochai-e… git.kernel.org/pub/scm/linux/…

John Dunlap reposted
vx-underground @vxunderground
The past couple of months I've personally witnessed a few changes in malware that are so significant that it blatantly sticks out.
1. Malware written in more esoteric languages. I've witnessed a shift away from languages like C/C++ to languages that are heavily abstracted, most notably NodeJS with Electron.
2. A MASSIVE shift toward targeting open source solutions. While this isn't new, the past couple of months it's been every single day someone is targeting a supply chain via masquerading or directly targeting the open source provider.
3. AI has assisted with the shift in the malware landscape ... toward higher level languages. I've witnessed a spike in multi-staged malware using a lot of LOLBIN-like methods. Again, this isn't anything new, but I've witnessed such a dramatic spike I believe it is the result of AI making it much easier to create and use high level languages.
4. The introduction of new threat landscapes: Clawdbot (or whatever it's called now). This has resulted in a shift toward MacOS malware, which is referencing bullet point 3. Heavy usage of ClickFix with high level multi-staged languages (bash script to Js).
5. AI being used for social engineering. Historically I've seen really crappy malware lures and phishing pages. I suspect AI is helping polish pages and making them look more realistic, possess no typos, use good grammar, etc.

John Dunlap @JohnDunlap2
Sometimes I keep a fuzzer running locally on my MacBook in the winter to keep my hands warm.

John Dunlap reposted
NYSEC @nysecsec
NYSEC is tomorrow! Tuesday, March 17th @ 6PM. d.b.a. 41 1st Ave. New York, NY 10003

John Dunlap reposted
Jonny Johnson @JonnyJohnson_
I recently came across the need to obtain logging into WSL2 and was forced to look into function hooking. However, this was my first time dealing with a COM server that didn't have symbols, so I had to learn about a C++ feature - RTTI. I decided to write a blog on this in case anyone else runs into or has run into this: jonny-johnson.medium.com/wsl-com-hookin… POC: github.com/jonny-jhnson/R…

John Dunlap reposted
Calif @calif_io
A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets. A step-by-step guide to exploiting a 20-year-old bug in the Linux kernel to achieve full privilege escalation and container escape, plus a cool bug-hunting heuristic. open.substack.com/pub/calif/p/a-…

John Dunlap reposted
ali @endingwithali
You don’t need a big closet filled with clothes to look put together and have good taste. With the right set of basics, you can be ready for any situation. Software engineering / start ups / working in tech is super casual. This allows for a great deal of flexibility in what you can wear, which is great for building a basic capsule wardrobe. But sometimes that flexibility means there are gaps in your wardrobe. When I work with my styling clients, I always like to ask what they would wear to certain events or social situations. This helps me understand where the most work needs to be done.

John Dunlap reposted
Gynvael Coldwind @gynvael
One more trend I've noticed: Task creators getting burned out. "Why should I create CTF competitions/tasks just so people can test their AI setups?" From a task creator perspective it was always fun & exciting to see how players approach your task. Is future VeryHard||AI meta?
LiveOverflow 🔴 @LiveOverflow

What I’ve always found amazing about CTFs is that "flag is flag". Whether you found an unintentional solve or pwned the browser with n-day for a XSS challenge, it didn't matter. I totally get the frustration of AI, but there is no solution other than accepting the change.


John Dunlap reposted
Myrtus @Myrtus0x0
All this “AI is replacing reverse engineering” is absolutely ridiculous. Get head out of ass please

John Dunlap reposted
kqx @kqx_io
Exploiting latest v8ctf instance with a 0day? ✅ Beating try-hards who stalk commits and exploit it as an N-day? ❌ In any case keep an eye out for the CVE release and stay tuned for a crazy post on kqx.io once the issue goes public

John Dunlap @JohnDunlap2
Most cybercrime is of the smash-and-grab variety - people being loud and dumb from positions where they are unlikely to be caught.
vx-underground @vxunderground

First, the term "Blackhat" is some old school shit. Every time I see someone use that word I check the calendar, I make sure I haven't been transported back in time to 1996. I can't tell if it's because they're unfamiliar with modern nomenclature (Threat Actor) or if they're glamorizing the past and trying to look cool and badass (no disrespect intended, it just catches me off guard). Second, Threat Actors do not learn differently, they are financially motivated and (historically) are unironically less technically savvy than defenders or "whitehats". Threat Actors often aim for low-hanging fruit, they don't really care about being sophisticated as long as they achieve their objective. The exception to this is Threat Actors who sell something (malware-as-a-service, for example) or state-sponsored Threat Actors who are assigned high-profile targets where low-hanging fruit isn't really accessible or ideal. I recommend people review some malware analysis write-ups or DFIR reports. A vast majority of "Blackhats" rarely demonstrate high technical skill (they're below average, or mediocre). This is usually eclipsed however when a seriously talented Threat Actor does something profoundly impressive and people say, "OMGZ DA BLACKHAT!!11". They're looking at the top 1% of "Blackhats" and missing the giant dumpster of shit to the left. I could also make an argument on the psychological make-up of Threat Actors (disliking authority, indifferent to others' emotions, indifferent to how their behavior impacts others, glamorization of crime or money, etc), but that's a different story for a different time. I also could make an argument about how the giant dumpster of shit to the left is so successful, despite being less tech savvy and aiming for low-hanging fruit, but as is tradition, different story for a different day.
