Matt Jones


@dave_au @ChangeAus "... and if they don't, we'll do it for them!"
🚔🚔🚔

Alfred's owners: Alfred's Pizzeria should be open for lunch on Fridays - Sign the Petition! chng.it/7SwFCLHp via @ChangeAUS
Matt Jones retweeted

New blog release "Accessing Access Token for UIAccess" on restoring some small part of the older token stealing attack which was killed in Windows 10 RS5. Contains an example PS script to script an admin command prompt 😄 tyranidslair.blogspot.com/2019/02/access…
Matt Jones retweeted

Here's the video recording for my presentation at #bluehatil last week on "Trends, Challenges, and Strategic Shifts in the Software Vulnerability Mitigation Landscape" youtube.com/watch?v=PjbGoj…

Matt Jones retweeted

Check out our blog post about research @adam_iwaniuk and I did that led to CVE-2019-5736!
blog.dragonsector.pl/2019/02/cve-20…
Matt Jones retweeted

Android: binder use-after-free via fdget() optimization bugs.chromium.org/p/project-zero…

@S9k His work is incredibly valuable, let's not lose that fact.
It's common for orgs to underinvest on internal staff & prevention, missing common bug classes in implementation. I'm certain adding to their internal staff would help them more efficiently than him doing it at his $ rate

Incredibly great ROI for one top #bugbounty hunter.
Incredibly terrible ROI for the org paying this much for 4 hours of his professional time.
For those paying attention, he's one of about 100/350,000 on the platform who has made over $100k, 1 of 2 who cleared over $1M last year
dawgyg - WoH@thedawgyg
The first 6 figure pay day of 2019. $119,650 Thanks Oath and @Hacker0x01
Matt Jones retweeted

For those interested in coverage-guided fuzzing, I've just released CmpCov - an instrumentation module for clang/SanitizerCoverage, which breaks down CMP/strcmp()/etc. into bytes and writes the extra coverage data to standard .sancov files. Get it here: github.com/googleprojectz…
Matt Jones retweeted

The always erudite @timoreilly on why the SV “blitzscaling” mantra causes more harm than good.
I feel that part of the reason so many security products are so user-hostile (& mostly suck) is because currently, VCs pick winners instead of customers.
qz.com/1540608/the-pr…

Matt Jones retweeted

8 years and 27K bugs later, ClusterFuzz is now available for anyone to use - opensource.googleblog.com/2019/02/open-s…
Matt Jones retweeted

Posted the slides from my #bluehatil talk covering trends, challenges, and strategic shifts in the software vulnerability landscape. Questions, comments, and alternative perspectives welcome 🙂 github.com/Microsoft/MSRC…
Matt Jones retweeted

Also we have to say, while @lady_nerd has spoken at many conferences such as #Kiwicon+#Blackhat, co-authored Agile Application Security and is paid to facilitate training. Laura has generously decided to volunteer her time as well as pay her own way to Australia to teach! 😍💕

We promised a 4th course and we're excited to announce that we're balancing out our offensive heavy theme of courses with @lady_nerd 's Secure development course complete with threat assessment and code review!
To find out more about the course: 0xcc.sh/secure-develop…

pls RT: who are the 3-5 best, most natural Threat Modeling minds? Esp for NonSecurity people. @adamshostack is a given
Matt Jones retweeted

Project Zero blog: "The Curious Case of Convexity Confusion" by Ivan Fratric (@ifsecure) - googleprojectzero.blogspot.com/2019/02/the-cu…
Matt Jones retweeted

To go with a release of NtObjectManager v1.1.19 I've written a brief history of BaseNamedObjects and the "new" BNO isolation feature sneaked into Windows 10. tyranidslair.blogspot.com/2019/02/a-brie…
Matt Jones retweeted

Project Zero blog: "Examining Pointer Authentication on the iPhone XS" by Brandon Azad (@_bazad) - googleprojectzero.blogspot.com/2019/02/examin…

@damienmiller @mdowd Yeah in high school for me it was quite heavy, esp. with stolen generation