American Fuzzy Lop, a remarkably nice guided fuzzing tool.
The Tangled Web, a lovingly-crafted book on web security.
Guerrilla Guide to CNC and its electronics-related counterpart.
Passive OS fingerprinter, better known as p0f.
Doomsday preparedness, a guide for less crazy folk.
My blog and
my Twitter feed, for semi-frequent updates on
American Fuzzy Lop, a fuzzer with an impressive track record of finding bugs.
P0f, a popular tool for passively detecting operating systems on remote machines.
Skipfish, a web security testing tool is now a cog in the Google Cloud Security Scanner.
Ratproxy, a neat but non-maintained passive web vulnerability detection tool.
Memfetch, a simple utility to take non-destructive snapshots of process address space.
Stompy, a fairly sophisticated token randomness evaluation tool.
Assorted purpose-built fuzzers: too many to list, but some of the most successful examples are
Tools of historical interest:
World's best exploit:
ld-expl. It still works - amaze your friends!
The Tangled Web, a holistic treatment of the web security model.
A write-up on web tracking, a pretty thorough and balanced overview of where we are.
Notes from the post-XSS world, on the limitations of anti-XSS mechanisms such as CSP.
Doing algebra with CSS colors to steal your browsing history.
Silence on the Wire, my much earlier, 2005 book on reconnaissance and info leaks.
My 2001 ISN research and a
2002 followup, dealing with weaknesses in TCP/IP.
IP fragmentation flaw, an irreparable glitch affecting fragmented TCP packets.
Delivering signals for fun and profit, an early note about an interesting class of security bugs.
Cracking safes with thermal imaging, a whimsical experiment from 2005.
Lack of fdunlink() and its implications for local privilege escalation bugs.
Mostly of historical interest:
strike that out,
rise of the robots,
My blog is a good way to stay in the loop on my security work and on individual vulns.
Guerrilla guide to CNC, an epic 60,000-word summary of my adventures making stuff.
Perpetual robot works, a behind-the-scenes story of how it all started.
My Make articles on
part design part I,
and part II.
Concise electronics for geeks, a quick primer on basic concepts in circuit design.
omnibot mk II,
tinybot mk III,
Shannon's ultimate machine,
misc woodworking, and
assorted build process pics.
Silicon Valley radiation levels,
snapping droplets of water,
Geiger-Mueller mood lamp,
DHS tribute threat indicator,
LED light surfaces,
figuring out Intel Edison,
My photo gallery. Photography is my long-time hobby, going back to the 90s.
Assorted essays about Poland, Europe, and the United States.
What to do when the zombies come, a guide to level-headed disaster preparedness.
My LinkedIn profile. I work at Google, running a good chunk of product security work.
People you may want to know:
Stefano, and many more.
Ancient or pointless non-security stuff:
and other assorted stuff in this directory.
If you want to contact me,
simply drop a mail to firstname.lastname@example.org.
That's all. You are a visitor number 19302569.