Dustin Webber

Open Source, Security & Design.


Web Security Negligence and the JetButt Vulnerability


A few weeks ago my internet service provider decided to take a vacation for the day, which left me up a creek without a paddle (Who? Take a wild guess). I had a lot of work to complete and decided to just go buy a 4G hotspot (Verizon Ellipsis Jetpack, latest firmware as of this post). I liked the idea of having a backup for future fails, and it’s for the most part quick and easy to set up.


What should have been a somewhat productive day of work turned into an investigation of the device and its firmware. It didn’t take long to find some pretty hilarious problems. I decided to report the vulnerabilities to Verizon and left a very respectful time period of silence (1 month) before writing this post. Anyway, the takeaways from this post are as follows:

  • JavaScript developers should understand web security.
  • Always audit a device before going to market.

There are a lot of companies and



Envdb: Ask your environment questions.

I recently released an open source project called EnvDB. Envdb allows you to deploy osquery to your assets and ask them questions in an ad-hoc fashion. Think of each osquery install as a node in a database cluster. Envdb adds the glue to make this happen with next-to-no effort.

 osquery

Osquery is an open source project by Facebook. They describe their project as follows:

osquery allows you to easily ask questions about your Linux and OSX infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company.

Using osquery box-by-box wasn’t working for me, but I was impressed by the amount of information I could gather from it. What was even cooler was the ability to join on other relevant information it collects, just like I’m used to in SQL. The idea



Vimstack

 Why?

I want a good quality Vim setup that does not depend on Ruby, Perl or Python. Just pure old Vimscript for
easy deployment to whatever box I am currently using (i.e. it will fall back gracefully).

VimStack by default is mostly set up for work in Ruby, JavaScript, HTML, CSS, Go and C. However, adding plugins to extend
it for whatever tools you need is trivial.

Vimstack comes with two color schemes: epix (gvim) and threatstack (terminal vim). Both color schemes were created by me, modified from
ir_black (https://github.com/wesgibbs/vim-irblack). The default color scheme is threatstack.

 The stuff I use with Vim

  • ctrl + p - fuzzy file finder via ctrlp (https://github.com/kien/ctrlp.vim)
  • <Leader>b - ctrlp buffer search
  • <Leader>f - ctrlp function search
  • <Leader>r - ctrlp register search
  • <c-f> - search via Ack (https://github.com/mileszs/ack.vim - brew install ack or sudo



Let’s Take Back The Certificate Authority

 A free browser-driven Certificate Authority playing by our rules.

 TL;DR

Let’s get Mozilla and Google to team up on an automated Certificate Authority (CA) process and include the root certs in both browsers. Keep the process 100% free and transparent, with a public listing of certs generated daily, forcing regular renewal, and accepting feedback and reports from the community.

 In The Beginning there was ignorance.

Recently there has been a lot of nonsense about removing self-signed certificate (cert) warnings from the world’s popular browsers. Now, this is a horrible idea for many reasons, and this ill-thought-out solution completely glides over the root problem. People tend to jump on bandwagons without exploring the repercussions of such actions. There is a lot to lose and not much to gain from this. This will never fix the failures that CAs have continued to fall into year after
