All posts in category Blog

Attacking the Keypad

As electronics have become cheaper, and thereby more prolific, machinery which used to be strictly mechanical is being replaced with electronic equivalents. Locks are no different. Electronic locks are both simpler to manufacture and offer features which are very hard to achieve with mechanical systems. One of the major benefits of electronic locks is the ability to […]

August Lock Firmware Keys

David Wang, the guy who has done some absolutely amazing research on Apple’s secure enclave technology, recently reached out to me on Twitter, asking if August had stopped leaking the firmware keys for their locks. Unfortunately, this is not a question I can answer in 140 characters. I will provide a more detailed writeup on […]

Microsoft MVC’s Doggy Door

TLDR: Microsoft MVC has a ‘secret’ backdoor which is not very useful for developers or hackers. Recently I was poking around in the Microsoft MVC codebase trying to figure out how to make my own bundler. While there I came across the following rather peculiar looking code:

The August Smart Lock’s not so smart password reset (Part 2)

If you have read my earlier article on the August Smart Lock, you know it does not have a two-factor authentication system in spite of the claims of its creators. This article will be about an exploitable vulnerability in August’s authentication system. August was first notified of this weakness on December 19, 2014. As of writing this […]

The August Smart Lock’s not so 2-Factor Authentication (Part 1)

TLDR: August really doesn’t have two-factor authentication, but what they have may be good enough. I recently got my hands on the new August Smart Lock, but not to put on my door (well, at least not yet). Instead I was interested in the security of a product which is claimed to be “completely secure”. No joke […]

The case of Sparkfun ‘security’

Sparkfun is an online store which sells electronics for hobbyists. They are also my go-to store when I need any small electronics (Arduino, Raspberry Pi, etc.). Unfortunately, while their store and service are great, the security of their site leaves something to be desired. I am writing this article prior to disclosure, but by the […]

Web browser security model

Working in software development, I am always surprised by how often developers don’t understand the security model of the platforms they work on. In this article I would like to share with you some of the basics of browser security. The topic has a lot of depth, but I believe if one understands several fundamental principle […]

How to remotely crash Lotus Notes

Here is a fun little vulnerability that lets you remotely crash Lotus Notes on demand. Set your Sametime status to a REALLY, REALLY long value without any white space in it (this should work). Message the person whose Lotus Notes instance you would like to crash. DONE! Now this does not really crash Lotus Notes, […]

Site Security

One of the major disadvantages to using a popular CMS like Joomla or WordPress is that the popularity of the platform means that it is also a popular target for black hat hackers. Until recently I was using Joomla to manage all the content on my website. During this 5+ year time period my site […]

Bruce Schneier Quotes

A couple of good quotes from a great article from Bruce Schneier. “Security is a mindset, and looking for vulnerabilities nurtures that mindset. Deny practitioners this vital learning tool, and security suffers accordingly.” … “Anyone can design a security system that he cannot break. So when someone announces, “Here’s my security system, and I can’t break […]