Jonathan Lalou's Blog

Archive for the ‘en-US’ Category

Cory Doctorow, a renowned author and digital rights advocate, delivered a passionate keynote at DEF CON 32, dissecting the decline of the internet and rallying hackers to reclaim its potential. Introducing the concept of “enshittification”—the degradation of online platforms due to unchecked corporate greed—Cory argued that restoring competition, regulation, interoperability, and tech worker power is essential for a new, user-centric internet. His call to action, rooted in decades of activism, inspired attendees to fight for technological self-determination.

Understanding Enshittification’s Roots

Cory began by lamenting the loss of the “old, good internet,” where Google delivered reliable search results, and platforms like Facebook prioritized user preferences. He attributed the rise of the “enshitternet” to corporate decisions prioritizing growth over security, such as data sharing with agencies like the NSA. Drawing on his work with the Electronic Frontier Foundation, Cory explained how the absence of competitive pressures, regulatory oversight, and worker advocacy allowed executives to degrade services, locking users into walled gardens that prioritize profits over functionality.

The Mechanics of Platform Decay

Delving deeper, Cory outlined the enshittification process: platforms initially attract users with quality services, then exploit them through data harvesting and degraded experiences, as seen in Amazon’s proliferation of low-quality drop-shipped products or Uber’s shift to higher fares and lower driver pay. He highlighted how tech giants leverage monopolistic control to stifle innovation, citing Apple’s pivot from privacy advocacy to surveillance-friendly practices. Cory’s analysis underscored the systemic nature of these changes, driven by executives exploiting unchecked power within corporate structures.

Empowering Hackers for Change

Cory urged the DEF CON community to lead the charge against enshittification by leveraging their technical expertise. He advocated for interoperability—enabling users to move seamlessly between platforms—and supported regulatory measures to curb monopolistic practices. Referencing his blog, Cory encouraged hackers to develop open-source alternatives and challenge proprietary systems. He emphasized the role of tech workers, citing the Tech Workers Coalition as a model for organizing to restore user-focused innovation.

Building a New Digital Future

Concluding, Cory envisioned a revitalized internet combining the simplicity of Web 2.0 with the decentralized ethos of the early web. He called for a “digital nervous system” to address global challenges like fascism, climate change, and inequality, urging hackers to reject the narrative that user experience and enshittification are inseparable. His post-talk book signing at the vendor area invited attendees to engage directly, fostering a collaborative push for a freer, more equitable digital landscape.

Links:

• Cory Doctorow’s blog
• Electronic Frontier Foundation website
• Tech Workers Coalition website

The DEF CON 32 Hacker Jeopardy Night 2, hosted by the spirited duo Lint and Miss Kitty, delivered an electrifying conclusion to the iconic contest, blending technical prowess with raucous entertainment. With a dedicated crew and enthusiastic audience, the event showcased cybersecurity-themed challenges, culminating in a dramatic finale where team Stepmoms clinched victory. Lint’s dynamic hosting and Kitty’s birthday celebration added a personal touch, reinforcing the community spirit that defines DEF CON’s beloved game show.

Crafting a Cybersecurity Spectacle

Lint kicked off the evening with gratitude for the 14-person crew’s tireless efforts, emphasizing the complexity behind the seamless show. The introduction of the “Lentil Lookalikes,” replacing past crew roles, brought fresh energy to the stage. The contest featured teams like Pandemonium and OnlyFans, competing in categories testing hacking knowledge, from network protocols to historical exploits. Lint’s humor and Kitty’s candid revelation of her “30 [expletive] years” birthday infused the event with camaraderie, making it a memorable celebration of hacker culture.

The Thrill of the Final Jeopardy

The competition intensified in the final round, where a question about OSI model layers—application, presentation, session, transport, network, data link, physical—tested the teams’ precision. Pandemonium’s correct answer, marred by failing to phrase it as a question, led to a catastrophic point loss, while OnlyFans’ alphabetical misordering cost them their lead. Stepmoms’ strategic zero wager secured their win, earning them a coveted Black Badge. Lint’s animated commentary amplified the drama, cementing Hacker Jeopardy’s reputation as a high-stakes, community-driven spectacle.

Fostering Community and Legacy

Reflecting on Hacker Jeopardy’s evolution, Lint highlighted its role in uniting the DEF CON community, encouraging attendees to “be [expletive] excellent to each other.” The event’s blend of technical rigor and playful chaos, supported by the crew’s dedication, showcased the hacker ethos of collaboration and creativity. Kitty’s personal touch, sharing her birthday with the audience, deepened the sense of connection, ensuring Hacker Jeopardy remains a cornerstone of DEF CON’s cultural legacy.

Links:

• None available

Adnan Khan and John Stawinski, security researchers, delivered a riveting presentation at DEF CON 32, exposing systemic vulnerabilities in GitHub Actions’ self-hosted runners. Their research revealed how misconfigurations enable attackers to compromise major open-source projects like PyTorch, leading to supply chain attacks. Earning over $250,000 in bug bounties, Adnan and John shared tactics, techniques, and procedures (TTPs) to elevate trivial compromises into critical breaches, urging organizations to bolster CI/CD security.

Exploiting Self-Hosted Runner Misconfigurations

Adnan and John opened by explaining GitHub Actions’ role as a leading CI/CD platform and its reliance on self-hosted runners—machines executing workflow jobs. They detailed how insecure defaults allow attackers to compromise runners, gaining access to sensitive repositories. Their attack on PyTorch demonstrated how a runner compromise enabled code contributions to the main branch, malicious release uploads, and backdooring related projects, highlighting the catastrophic potential of such flaws.

Escalating Privileges in GitHub Actions

Delving deeper, the duo showcased techniques to escalate privileges within GitHub Actions workflows, leveraging GitHub’s permissive features. Their research campaign uncovered vulnerabilities in organizations like Microsoft, TensorFlow, and ByteDance, exploiting misconfigured runners to achieve critical impacts. Adnan’s live demo illustrated how attackers could manipulate workflows to gain unauthorized access, emphasizing the need for robust access controls and monitoring in CI/CD pipelines.

Real-World Impact and Bug Bounty Success

Adnan and John shared war stories from their extensive bug bounty submissions, noting that internal CI/CD systems are often more vulnerable than public ones. Their work, yielding significant bounties, exposed a lack of awareness around CI/CD security. They highlighted successful mitigations by triage teams, urging organizations to learn from their findings. The duo’s research on platforms like HackerOne provides a blueprint for identifying similar vulnerabilities in other systems.

Strengthening CI/CD Security

Concluding, Adnan and John emphasized the need for heightened awareness among developers, architects, and executives to prevent supply chain attacks. They recommended isolating privileged runners, auditing configurations, and educating teams on CI/CD risks. Their call to action inspired attendees to explore these attacks and implement controls, ensuring organizations are better equipped to thwart the next critical breach in their CI/CD pipelines.

Links:

• HackerOne website
• Adnan Khan on LinkedIn
• John Stawinski on LinkedIn

In an engaging and humorous presentation at NDC Melbourne 2025, Lee Dunkley explores how Domain-Driven Design (DDD) can prevent software projects from spiraling into chaotic, unmaintainable codebases—likening such failures to Australia’s infamous Emu War. By drawing parallels between historical missteps and common software development pitfalls, Lee illustrates how DDD practices, such as event storming and ubiquitous language, can steer teams toward solving the right problems, thereby enhancing maintainability and extensibility.

The Emu War: A Cautionary Tale for Coders

Lee begins with a whimsical analogy, recounting Australia’s 1930s Emu War, where soldiers armed with machine guns failed to curb an overwhelming emu population devastating crops. The emus’ agility and sheer numbers outmatched the military’s efforts, leading to a humbling defeat. Lee cleverly translates this to software development, where throwing endless code at a problem—akin to deploying infinite soldiers—often results in a complex, bug-ridden system. This sets the stage for his argument: without proper problem definition, developers risk creating their own unmanageable “emu wars.”

He illustrates this with a hypothetical coding scenario where a client demands a solution to “kill all the pesky emus.” Developers might churn out classes and methods, only to face mounting complexity and bugs, such as emus “upgrading to T-Rexes.” The lesson? Simply writing more code doesn’t address the root issue, much like the Emu War’s flawed strategy failed to protect farmers’ crops.

Modeling Smells in E-Commerce

Transitioning to a more practical domain, Lee applies the Emu War analogy to an e-commerce platform tasked with implementing an “update order” feature. Initially, the solution seems straightforward: create an endpoint to modify orders. However, as Lee demonstrates, this leads to bugs like customers receiving too many items, being undercharged, or getting empty boxes. These issues arise because the vague “update order” requirement invites a cascade of edge cases and race conditions.

By examining the system’s event timeline, Lee highlights how an “order updated” event disrupts critical processes like payment capture and stock reservation. This modeling smell—where a generic action undermines system integrity—mirrors the Emu War’s misaligned objectives. The real problem, Lee argues, lies in failing to define the business’s true needs, resulting in a codebase that’s hard to test and extend.

Refining with Domain-Driven Design

Here, Lee introduces DDD as a remedy, emphasizing techniques like event storming and the five whys to uncover the true problem space. Revisiting the Emu War, he applies the five whys to reveal that the goal wasn’t to kill emus but to secure employment for returning soldiers. Similarly, in the e-commerce case, the “update order” request masks specific needs: ensuring shoppers receive only desired items, adding forgotten items, and canceling orders.

By reframing these needs, Lee proposes targeted solutions, such as a “supplementary order” endpoint for adding items and a time-bound “order received” event to allow cancellations without disrupting the system. These solutions, rooted in DDD’s ubiquitous language, reduce complexity by aligning the code with business intent, avoiding the pitfalls of generic actions like “update.”

Simplicity Through Abstraction

Lee challenges the notion that complex problems demand complex solutions. Through DDD, he shows how elevating the level of abstraction—by focusing on precise business goals—eliminates unnecessary complexity. In the e-commerce example, replacing the problematic “update order” endpoint with simpler, purpose-specific endpoints demonstrates how DDD fosters maintainable, extensible code.

He acknowledges the challenges of implementing such changes in live systems, where breaking changes can be daunting. However, Lee argues that aligning solutions with the problem space is worth the effort, as it prevents the codebase from becoming a “Frankenstein’s monster” burdened by accidental complexity.

Conclusion: Avoiding Your Own Emu War

Lee wraps up by urging developers to wield their coding “superpower” wisely. Instead of burying problems under an avalanche of code, he advocates for DDD practices to ensure solutions reflect the business’s true needs. By employing event storming, refining ubiquitous language, and questioning requirements with the five whys, developers can avoid fighting futile, unmaintainable battles.

This talk serves as a compelling reminder that thoughtful problem definition is the cornerstone of effective software development. Lee’s blend of humor and practical insights makes a strong case for embracing DDD to create robust, adaptable systems.

Dawn a horizon where authentication dissolves into biometric whispers and cryptographic confidences, banishing the tyranny of forgotten passphrases. Maud Nalpas, a fervent advocate for web security at Google, charted this trajectory at dotJS 2024, escorting audiences through passkeys’ ascent—a paradigm supplanting passwords with phishing-proof, breach-resistant elegance. With a lens honed on Chrome’s privacy vanguard, Maud dissected the relic’s frailties, from 81% breach culpability to mnemonic mayhem, before unveiling passkeys as the seamless salve.

Maud’s reverie evoked 1999’s innocence: Solitaire sessions interrupted by innocuous files, now echoed in 2024’s tax-season tedium—yet passwords persist, unyielding. Their design flaws—reusability, server-side secrets—fuel epidemics, mitigated marginally by managers yet unsolved at root. Enter passkeys: cryptographic duos, private halves cradled in device enclaves, publics enshrined server-side. Creation’s choreography: a GitHub prompt summons Google’s credential vault, fingerprint affirms, yielding a named token. Login? A tap unlocks biometrics, end-to-end encryption syncing across ecosystems—iCloud, 1Password—sans exposure.

This ballet boasts trifecta virtues. Usability gleams: no rote recall, mere device nudge. Economics entice: dual-role as MFA slashes SMS tolls. Security soars: no server secrets—biometrics localize, publics inert—phishing foiled by domain-binding; faux sites summon voids. Adoption surges—Amazon, PayPal vanguard—spanning web and native, browsers from Chrome to Safari, platforms Android to macOS. Caveats linger: Linux/Firefox lags, cross-ecosystem QR fallbacks bridge. Maud heralded 2024’s synchrony strides, Google’s Password Manager poised for ubiquity.

Implementation beckons via passkeys.directory: libraries like @simplewebauthn streamline, UX paramount—progressive prompts easing novices. Maud’s missive: trial as user, embed as architect; this future, phishing-free and frictionless, awaits invocation.

Passkeys’ Cryptographic Core

Maud illuminated the duo: private keys, hardware-harbored, sign challenges; publics verify, metadata minimal. Sync veils in E2EE—Google’s vault, Apple’s chain—device recovery via QR or recreation. Phishing’s nemesis: origin-tied, spoofed realms elicit absences, thwarting lures.

Adoption Accelerants and Horizons

Cross-platform chorus—Windows Edge, iOS Safari—minus Linux/Firefox snags, soon salved. Costs dwindle via MFA fusion; UX evolves prompts contextually. Maud’s clarion: libraries scaffold, inspiration abounds—forge passwordless realms resilient and radiant.

Links:

• Maud Nalpas on LinkedIn
• Google

Jim Rush and Tomais Williamson, security researchers from Wellington, New Zealand, electrified DEF CON 32 with a deep dive into exploiting NTLM authentication before its planned phase-out in Windows 11 and beyond. Representing CyberCX, they unveiled new vulnerabilities, bypassed existing fixes, and exposed insecure defaults in Microsoft’s NTLM-related controls. Their fast-paced presentation, infused with humor and technical depth, offered a final hurrah for NTLM hacking, urging attendees to turn off NTLM where possible.

Revisiting NTLM’s Persistent Flaws

Jim and Tomais began by contextualizing NTLM, a 25-year-old authentication protocol still prevalent despite its known weaknesses. They highlighted Microsoft’s plan to deprecate NTLM, yet emphasized its lingering presence in legacy systems. Their research uncovered new bugs, including a bypass of a previously patched CVE, allowing attackers to coerce NTLM hashes from various applications. By exposing these flaws, Jim and Tomais underscored the urgency of transitioning to more secure protocols like Kerberos.

Novel Exploitation Techniques

The duo detailed their innovative approaches, combining multiple bug classes to extract NTLM hashes from unexpected sources, such as document processors and build servers. Their live demonstrations showcased “cooked” bugs—exploits leveraging URL inputs to trigger hash leaks. Jim’s anecdotes about their discoveries, including a nod to their CyberCX colleague’s assistance, highlighted the collaborative nature of their work. These techniques revealed NTLM’s fragility, especially in environments with permissive defaults.

Insecure Defaults and Systemic Gaps

Focusing on Microsoft’s NTLM security controls, Jim and Tomais exposed glaring gaps, such as libraries allowing unauthenticated hash extraction. They demonstrated how attackers could exploit these defaults in applications like Microsoft Teams or PDF generators, turning innocuous features into attack vectors. Their findings, supported by CyberCX’s research efforts, emphasized the need for organizations to audit NTLM usage and disable it wherever feasible to prevent hash coercion.

Community Collaboration and Future Steps

Concluding, Jim and Tomais called for community engagement, inviting attendees to share ideas for extracting hashes from novel sources like video games. They praised Microsoft’s MSRC team for their responsiveness and urged continued disclosure to advance research. Their advice to “turn off NTLM, then turn it back on when someone screams” humorously captured the challenge of legacy system dependencies, encouraging proactive steps toward more secure authentication frameworks.

Links:

• CyberCX company website

At Riviera DEV 2025, Stanley Servical and Louis Fredice Njako Molom presented an immersive workshop titled “Really Inaccessible,” designed as an escape game to spotlight the challenges of digital accessibility. Through a hands-on, interactive experience, Stanley and Louis guided participants into the perspectives of users with visual, auditory, motor, and cognitive disabilities. Their session not only highlighted the barriers faced by these users but also provided practical strategies for building inclusive digital solutions. This engaging format, combined with a focus on actionable improvements, underscores the critical role of accessibility in modern software development.

Immersive Learning Through an Escape Game

Stanley and Louis kicked off their workshop with an innovative escape game, inviting participants to navigate a digital environment deliberately designed with accessibility flaws. The game, accessible via a provided URL, immersed attendees in scenarios mimicking real-world challenges faced by individuals with disabilities. Participants were encouraged to use headphones for a fully immersive experience, engaging with tasks that highlighted issues like poor color contrast, missing link styles, and inaccessible form elements. The open-source nature of the game, as Stanley emphasized, allows developers to adapt and reuse it, fostering broader awareness within teams and organizations.

The escape game served as a powerful tool to simulate the frustrations of inaccessible interfaces, such as navigating without a mouse or interpreting low-contrast text. Feedback from participants underscored the game’s impact, with one developer noting how it deepened their understanding of motor and auditory challenges, reinforcing the need for inclusive design. Louis highlighted that the game’s public availability enables it to be shared with colleagues or even non-technical audiences, amplifying its educational reach.

The State of Digital Accessibility

Following the escape game, Stanley and Louis transitioned to a debrief, offering a comprehensive overview of digital accessibility’s current landscape. They emphasized that accessibility extends beyond screen readers, encompassing motor, cognitive, and visual impairments. The European Accessibility Act, effective since June 28, 2025, was cited as a pivotal legal driver, mandating inclusive digital services across public and private sectors. However, they framed this not as a mere compliance obligation but as an opportunity to enhance user experience and reach broader audiences.

The speakers identified common accessibility pitfalls, such as unstyled links or insufficient color contrast, which disrupt user navigation. They stressed that accessibility challenges are highly individualized, requiring flexible solutions that adapt to diverse needs. Tools like screen readers and keyboard navigation aids were discussed, with Stanley noting their limitations when applications lack proper semantic structure. This segment underscored the necessity of integrating accessibility from the earliest stages of design and development to avoid retrofitting costs.

User-Centric Testing for Inclusive Design

A core theme of the workshop was the adoption of a user-centric testing approach to ensure accessibility. Louis introduced tools like Playwright and Cypress, which integrate accessibility checks into end-to-end testing workflows. By simulating user interactions—such as keyboard navigation or form completion—these tools help developers identify and address issues like focus traps in pop-ups or inaccessible form inputs. For instance, Louis demonstrated a test scenario where a form’s number input required specific accessibility roles to ensure compatibility with assistive technologies.

The speakers emphasized that user-centric testing aligns accessibility with functional requirements, enhancing overall application quality. They showcased how tools like Axe-core can be embedded in testing pipelines to scan single-page applications (SPAs) for accessibility violations on a per-use-case basis, rather than just page-level checks. This approach, as Stanley noted, ensures that tests remain relevant to real-world user interactions, making accessibility a seamless part of the development process.

Practical Strategies for Improvement

Stanley and Louis concluded with actionable strategies for improving accessibility, drawing from real-world case studies. They advocated for simple yet impactful practices, such as ensuring proper focus management in pop-ups, using semantic HTML, and maintaining high contrast ratios. For example, they highlighted the importance of updating page titles dynamically in SPAs to aid screen reader users, a practice often overlooked in dynamic web applications.

They also addressed the integration of accessibility into existing workflows, recommending manual testing for critical user journeys and automated checks for scalability. The open-source ecosystem around their escape game, including plugins and VS Code extensions, was presented as a resource for developers to streamline accessibility testing. Louis emphasized collaboration between developers and manual testers to avoid redundant efforts, ensuring that accessibility enhancements align with business goals.

Leveraging Open-Source and Community Feedback

The workshop’s open-source ethos was a recurring theme, with Stanley and Louis encouraging participants to contribute to the escape game’s evolution. They highlighted its flexibility, noting that developers can tailor scenarios to specific accessibility challenges, such as color blindness or motor impairments. The inclusion of a “glitch code” to bypass bugs in the game demonstrated their commitment to practical usability, even in an educational tool.

Participant feedback was actively solicited, with suggestions like adding a menu to navigate specific game sections directly. Stanley acknowledged this as a valuable enhancement, noting that relative URLs for individual challenges are already available in the game’s repository. This collaborative approach, paired with the workshop’s emphasis on community-driven improvement, positions the escape game as a living project that evolves with user input.

Legal and Ethical Imperatives

Beyond technical solutions, Stanley and Louis underscored the ethical and legal imperatives of accessibility. The European Accessibility Act, alongside frameworks like the RGAA (Référentiel Général d’Amélioration de l’Accessibilité), provides a structured guide for compliance. However, they framed accessibility as more than a regulatory checkbox—it’s a commitment to inclusivity that enhances user trust and broadens market reach. By designing for the most marginalized users, developers can create applications that are more robust and user-friendly for all.

The speakers also addressed emerging trends, such as voice-activated navigation, referencing tools like Dragon NaturallySpeaking. While not yet fully integrated into their framework, they expressed openness to exploring such technologies, inviting community contributions to tackle these challenges. This forward-looking perspective ensures that accessibility remains dynamic, adapting to new user needs and technological advancements.

Empowering Developers for Change

The workshop closed with a call to action, urging developers to apply their learnings immediately. Stanley and Louis encouraged attendees to share the escape game, integrate accessibility testing into their workflows, and advocate for inclusive design within their organizations. They emphasized that small, consistent efforts—such as verifying keyboard navigation or ensuring proper ARIA roles—can yield significant improvements. By fostering a culture of accessibility, developers can drive meaningful change, aligning technical innovation with social responsibility.

Links:

• None available

At DevoxxUK2025, Daniel Garnier-Moiroux, a Spring Security team member at VMware, delivered an engaging talk on implementing passwordless authentication using passkeys and the WebAuthn specification. Highlighting the security risks of traditional passwords, Daniel demonstrated how passkeys leverage cryptographic keys stored on devices like YubiKeys, Macs, or smartphones to provide secure, user-friendly login flows. Using Spring Boot 3.4’s new WebAuthn support, he showcased practical steps to integrate passkeys into an existing application, emphasizing phishing resistance and simplified user experiences. His live coding demo and insights into Spring Security’s configuration made this a compelling session for developers seeking modern authentication solutions.

The Problem with Passwords

Daniel opened by underscoring the vulnerabilities of passwords, often reused or poorly secured, leading to frequent breaches. He introduced passwordless alternatives, starting with one-time tokens (OTTs), which Spring Security supports for temporary login links sent via email. While effective, OTTs require cumbersome steps like copying tokens across devices. Passkeys, based on the WebAuthn standard, offer a superior solution by using cryptographic keys tied to specific domains, eliminating password-related risks. Supported by major browsers and platforms like Apple, Google, and Microsoft, passkeys enable seamless authentication via biometrics, PINs, or physical devices, combining convenience with robust security.

Understanding WebAuthn and Passkeys

Passkeys utilize asymmetric cryptography, where a private key remains on the user’s device (e.g., a YubiKey or iPhone) and a public key is shared with the server. Daniel explained the two-phase process: registration, where a key pair is generated and the public key is stored on the server, and authentication, where the server sends a challenge, the device signs it with the private key, and the server verifies it. This ensures phishing resistance, as keys are domain-specific and cannot be used on fraudulent sites. WebAuthn, a W3C standard backed by the FIDO Alliance, simplifies this process for developers by abstracting complex cryptography through browser APIs like navigator.credentials.create() and navigator.credentials.get().

Integrating Passkeys with Spring Security

Using a live demo, Daniel showed how to integrate passkeys into a Spring Boot 3.4 application. He added the spring-security-webauthn dependency and configured a security setup with the application name, relying party (RP) ID (e.g., localhost), and allowed origins. This minimal configuration enables a default passkey login page. For persistence, Spring Security 6.5 (releasing soon after the talk) offers JDBC support, requiring two tables: one for user credentials (storing public keys and metadata) and another linking passkeys to users. Daniel emphasized that Spring Security handles cryptographic validation, sparing developers from implementing complex WebAuthn logic manually.

Customizing the Passkey Experience

To enhance user experience, Daniel demonstrated creating a custom login page with a branded “Sign in with Passkey” button, styled with CSS (featuring a comic sans font for humor). He highlighted the need for JavaScript to interact with WebAuthn APIs, copying Spring Security’s Apache-licensed sample code for authentication flows. This involves handling CSRF tokens and redirecting users post-authentication. While minimal Java code is needed, developers must write some JavaScript to trigger browser APIs. Daniel advised using Spring Security’s defaults for simplicity but encouraged customization for production apps, ensuring alignment with brand aesthetics.

Practical Considerations and Feedback

Daniel stressed that passkeys are not biometric data but cryptographic credentials, synced across devices via password managers or iCloud Keychain without server involvement. For organizations using identity providers like Keycloak or Azure Entra ID, passkey support is often a checkbox configuration, reducing implementation effort. He encouraged developers to provide feedback on Spring Security’s passkey support via GitHub issues, emphasizing community contributions to refine features. For those interested in deeper WebAuthn mechanics, he recommended Ubico’s developer guide over the dense W3C specification, offering practical insights for implementation.

Links:

• Spring Security website
• WebAuthn website
• FIDO Alliance website
• Ubico Passkeys Guide

J. Hoffman and Colby Morgan, offensive security engineers at Robinhood, delivered a compelling presentation at DEF CON 32, exploring vulnerabilities in the 1Password macOS desktop application. Focusing on the risks posed by compromised endpoints, they unveiled multiple attack vectors to dump local vaults, exposing weaknesses in 1Password’s software architecture and IPC mechanisms. Their research, blending technical rigor with practical demonstrations, offered critical insights into securing password managers against local threats.

Probing 1Password’s Security Assumptions

J. and Colby opened by highlighting the immense trust users place in password managers like 1Password, which safeguard sensitive credentials. They posed a critical question: how secure are these credentials if a device is compromised? Their research targeted the macOS application, uncovering vulnerabilities that could allow attackers to access vaults. By examining 1Password’s reliance on inter-process communication (IPC) and open-source components, they revealed how seemingly robust encryption fails under local attacks, setting the stage for their detailed findings.

Exploiting Application Vulnerabilities

The duo detailed several vulnerabilities, including an XPC validation bypass that enabled unauthorized access to 1Password’s processes. Their live demonstrations showcased how attackers could exploit these flaws to extract vault data, even on locked systems. They also identified novel bugs in Google Chrome’s interaction with 1Password’s browser extension, amplifying the attack surface. J. and Colby’s meticulous approach, including proof-of-concept scripts released at Morgan’s GitHub, underscored the need for robust validation in password manager software.

Mitigating Local Threats

Addressing mitigation, J. and Colby recommended upgrading to the latest 1Password versions, noting fixes in versions 8.10.18 and 8.10.36 for their disclosed issues. They urged organizations to enhance endpoint security, emphasizing that password managers are prime targets for red teamers seeking cloud credentials or API keys. Their findings, developed over a month of intensive research, highlighted the importance of proactive patching and monitoring to safeguard sensitive data on compromised devices.

Engaging the Security Community

Concluding, J. and Colby encouraged the DEF CON community to extend their research to other password managers, noting that similar vulnerabilities likely exist. They shared their code to inspire further exploration and emphasized responsible disclosure, having worked with 1Password to address the issues. Their call to action invited attendees to collaborate on improving password manager security, reinforcing the collective effort needed to protect critical credentials in an era of sophisticated local attacks.

Links:

• Colby Morgan’s GitHub
• Robinhood company website

Overcoming Barriers to Adoption

The promise of memory-safe programming has positioned Rust as a leading candidate for industrial applications, yet its adoption in traditional sectors faces significant hurdles. At OxidizeConf2024, a panel moderated by Florian Gilcher from Ferrous Systems, featuring Michał Fita, James Munns from OneVariable UG, and Steve Klabnik from Oxide Computer Company, explored strategies to enhance Rust’s uptake in industrial companies. The discussion, enriched by audience questions, addressed cultural, technical, and managerial barriers, offering actionable insights for developers and organizations.

Michał highlighted the managerial perspective, noting that industrial companies often prioritize stability and cost over innovation. The challenge lies in convincing decision-makers of Rust’s benefits, particularly when hiring skilled Rust developers is difficult. James added that industrial users, rooted in mechanical and electrical engineering, are less likely to share challenges publicly, complicating efforts to gauge their needs. Florian emphasized the role of initiatives like Ferrocene, a safety-compliant Rust compiler, in opening doors to regulated industries like automotive.

Technical and Cultural Shifts

Steve underscored Rust’s technical advantages, such as memory safety and concurrency guarantees, which align with regulatory pressures from organizations like the NSA advocating for memory-safe languages. However, he cautioned against framing Rust as a direct replacement for C++, which risks alienating skilled C++ developers. Instead, the panel advocated for a collaborative approach, highlighting Rust’s total cost of ownership benefits—fewer bugs, faster debugging, and improved maintainability. James noted that tools like cargo-deny and cargo-tree enhance security and dependency management, addressing industrial concerns about reliability.

Cultural resistance also plays a role, particularly in companies reliant on trade secrets. Michał pointed out that Rust’s open-source ethos can clash with proprietary mindsets, requiring tailored strategies to demonstrate value. The panel suggested focusing on high-impact areas, such as safety-critical components, where Rust’s guarantees provide immediate benefits. By integrating Rust incrementally, companies can leverage existing C++ codebases while transitioning to safer, more modern practices.

Engaging Stakeholders and Building Community

Convincing stakeholders requires a nuanced approach, avoiding dismissive rhetoric about legacy languages. Florian stressed the importance of meeting developers where they are, respecting the expertise of C++ practitioners while showcasing Rust’s practical advantages. Steve highlighted successful adoptions, such as Oxide’s server stack, as case studies to inspire confidence. The panel also discussed the role of community efforts, such as the Rust Foundation, in providing resources and certifications to ease adoption.

Audience input reinforced the need for positive messaging. A C++ developer cautioned against framing Rust as a mandate driven by external pressures, advocating for dialogue that emphasizes mutual benefits. The panel agreed, suggesting that events like OxidizeConf and open-source contributions can bridge gaps between communities, fostering collaboration. By addressing technical, cultural, and managerial challenges, Rust can gain traction in industrial settings, driving innovation without discarding legacy expertise.

Links:

• Ferrous Systems company website
• Oxide Computer Company website
• OneVariable UG company website