I found my first Linux kernel vulnerability in 2006, but it wasn't a particularly good one. At the time I was just copying everything that my colleague Ilja van Sprundel was doing, and that was good enough to find something. If you watch Ilja's video from| Isosceles Blog
Fuzzing for security vulnerabilities is a strange thing. Throwing randomly generated or mutated data at an application until it crashes sounds like an extremely primitive way to find vulnerabilities, and yet the last decade is full of fuzzing success stories. In many respects, it's still poorly understood why| Isosceles Blog
Earlier this year I was invited to give a talk at University of California San Diego (UCSD) for Nadia Heninger's CSE 127 ("Intro to Computer Security"). I chose to talk about modern exploit development, stepping through the process of finding and exploiting some of the memory| Isosceles Blog
Introduction Every so often a piece of security research will generate a level of excitement and buzz that's palpable. Dan Kaminsky's DNS bug, Barnaby Jack's ATM Jackpotting, Chris Valasek and Charlie Miller's Jeep hacking escapades. There's something special about the| Isosceles Blog
Today I'm very excited to announce the launch of my new security consulting company, Isosceles. I created Isosceles to help companies build secure products, and to share my insights about hacking, security research, and application security. Isosceles will focus on high-end technical services including security reviews, automation, and research for| Isosceles Blog
Imagine this: an OpenSSH backdoor is discovered, maintainers rush to push out a fixed release package, security researchers trade technical details on mailing lists to analyze the backdoor code. Speculation abounds on the attribution and motives of the attacker, and the tech media pounces on the story. A near miss| Isosceles Blog
It's been an incredible year for AI. Back in the early 2000s, there were AI posters up all over my local computer science department, and it was all genetic algorithms, genetic programming, and particle swarm optimization as far as you could see. They could figure out if a circle was| Isosceles Blog
Early last week, Google released a new stable update for Chrome. The update included a single security fix that was reported by Apple's Security Engineering and Architecture (SEAR) team. The issue, CVE-2023-4863, was a heap buffer overflow in the WebP image library, and it had a familiar warning attached: "Google| Isosceles Blog
It's said that a good magician never reveals their secrets. Computer hacking is a particularly good type of magic trick, and for the most part, hackers don't reveal their secrets either. It's sometimes hard to reconcile this, because we read about hacking all the time -- in newspapers, at conferences,| Isosceles Blog
A long time ago I went to a small university in New Zealand to get a math degree. It was one of those things that happened mostly through inertia -- like most kids I knew, I wasn't super interested in studying. I signed up for a bunch of classes, but| Isosceles Blog