Lessons from password policy science

Password expiration and complexity rules are dead. We have had proper password policy guidelines for over three years now. Stop trying to fix users and start fixing your infrastructure.

- password policy, science, research, essay


A widespread piece of .NET code allowing code execution

ViewState deserialization has been 'fixed' in .NET since 2012, but a vulnerable code snippet for creating a custom compressed ViewState is being passed around on the internet to this day.

- .NET ViewState, ViewState compression, Widespread vulnerability


Spot The Bug - An Open End

A new Spot The Bug challenge based on a vulnerability I found during an assignment.

- STB, code, hacking


Temporary intercom hack

The lock of the front door was broken, so I hacked together a way for housemates to open the door via their phones.

- Lego Mindstorm, Hacks, Fun, Free time


OSCP - Fun and challenging but overrated

An article about my experiences with the OSCP course.

- OSCP, exam, culture


Viewing MSSQL backup files and extracting hashes

How to extract the sa password hash and view the content of the master database from an MSSQL database backup (.bak).

- MSSQL, bak, mdf, master, hash


Owning Building Management Systems

When working for Applied Risk I got to contribute to research on hacking Building Management Systems. We found bugs and created exploits for owning buildings over the internet.

- BMS, hacking, exploits, reverse engineering


To set currents in motion

Some blog articles I wanted to write on information security.

- information security, writing, ideas


Secure Diffie-Hellman parameters for Lighttpd with SNI

A proper configuration of Diffie-Hellman parameters for lighttpd when SNI is in use.

- DH, lighttpd, configuration, SNI


Staying Positive About False Negatives

How and why I failed a couple of times during a code review / pentest.

- failing, pentest, code review, work


Fixing this "couldn't get 'max filedescriptors'" error

How I fixed the "couldn't get 'max filedescriptors'" error from Lighttpd.

- lighttpd, error, code fix


Spot The Bug challenge 2018 warm-up

Warm-up for the Spot The Bug challenge 2018 from Securify.

- challenge, code review


Hoe begin je 2018 veilig op internet? (How do you start 2018 safely on the internet?)

After I reported some vulnerabilities I found during SOP to a newspaper, they asked me to give some general internet safety tips for 2017-2018. The published article contains a few of my practical tips. Here is the complete (Dutch) text I sent in regarding internet safety for the public.

- volkskrant, security advice


Compiling a Monero miner on OSX

Tutorial on compiling a Monero miner on OSX.

- monero, mining, osx, cryptocurrency


Meta

Background information about the website.

- meta, about, creator, website


Fixing the critical software update OSX install message

A short article about fixing the critical software update error message when re-installing a Macbook Pro with a touch bar.

- OSX, Macbook, touch bar


A journey into cracking RSA moduli with a common GCD

In this article I share some experiences from cracking RSA moduli in bulk by exploiting keys that share a prime factor, which a GCD computation across the moduli reveals.

- RSA, GCD, crypto, cracking, global
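
The bulk technique behind that article, as an added example that is not the article's own code: Bernstein's batch GCD over a product tree, which finds every modulus sharing a prime with any other modulus in quasi-linear time instead of testing all pairs. It runs here on five constructed toy moduli built from Mersenne primes and small well-known primes (not real key material), and includes the fallback a practitioner needs when both primes of one key turn up in other keys, since the batch result then collapses to the modulus itself.

```python
from math import gcd

# Constructed sample primes: Mersenne primes and well-known small primes.
# These are toy values for illustration, not real key material.
M61 = 2**61 - 1
M89 = 2**89 - 1
M107 = 2**107 - 1
M127 = 2**127 - 1
P1 = 1000000007
P2 = 1000000009
P3 = 998244353

E = 65537  # common RSA public exponent

# Five constructed moduli. Three of them reuse a prime from another key,
# which is exactly the weakness a batch GCD scan looks for.
SAMPLE_MODULI = [
    M61 * M89,   # N0: both of its primes also appear in other moduli
    M61 * M107,  # N1: shares M61 with N0
    P1 * P3,     # N2: shares P1 with N4
    M127 * P2,   # N3: shares nothing, should come out clean
    M89 * P1,    # N4: shares M89 with N0 and P1 with N2
]


def product_tree(moduli):
    """Levels of pairwise products, from the leaves up to the single root Z."""
    tree = [list(moduli)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([level[i] * (level[i + 1] if i + 1 < len(level) else 1)
                     for i in range(0, len(level), 2)])
    return tree


def batch_gcd(moduli):
    """Bernstein's batch GCD: for every N_i return gcd(N_i, Z / N_i), with
    Z the product of all moduli, without computing n^2 pairwise GCDs."""
    tree = product_tree(moduli)
    rems = tree.pop()  # the root, Z itself
    while tree:
        level = tree.pop()
        # Reduce each parent remainder modulo the square of its children.
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    # Z mod N^2 == N * (Z/N mod N), so dividing by N leaves Z/N mod N.
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def factor_shared(moduli, e=E):
    """Map index -> (p, q, d) for every modulus with a shared prime factor."""
    results = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == 1:
            continue  # no prime in common with any other key
        if g == n:
            # Both primes of n are reused elsewhere, so the batch result
            # collapses to n itself. Fall back to pairwise GCDs for this one.
            g = next((gcd(n, m) for j, m in enumerate(moduli)
                      if j != i and 1 < gcd(n, m) < n), 1)
            if g == 1:
                continue
        p, q = g, n // g
        d = pow(e, -1, (p - 1) * (q - 1))  # private exponent, Python 3.8+
        results[i] = (p, q, d)
    return results


if __name__ == "__main__":
    for i, (p, q, d) in factor_shared(SAMPLE_MODULI).items():
        n = SAMPLE_MODULI[i]
        # Round-trip a message through the recovered private key as a check.
        ok = pow(pow(42, E, n), d, n) == 42
        print(f"N{i}: p={p} q={q} private key recovered={ok}")
```

On real 2048-bit moduli from a large scan the same tree works unchanged, but Python's built-in integers become the bottleneck at the root product; gmpy2 or a C implementation is the usual step up. The pairwise fallback is only reached for moduli whose two primes are both reused, so it does not reintroduce quadratic cost for the common case.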


Helpdesk - Stupid things people say

About seven years ago I worked at a helpdesk. At that time, I created a document to record what people say (in Dutch). Don't get me wrong; people are not stupid. They are just end users.

- helpdesk, psychology, people


Kobo Aura H2O hacking

Bypassing registration for the Kobo Aura H2O so you can use it like the actual product you paid for.

- Kobo Aura, hacking, no registration


Added RSS feed

I've added a Really Simple method for generating an RSS feed. Most information I got from w3schools. There was a hiccup with XML escaping; luckily the neat xmlescape method from the Python package xml.sax.saxutils was perfect for this. Also, it turns out that the 'guid' element can just be the URL to an article.

- meta, RSS, graa.nl


Spot The Bug challenge 2016 write-up

Write-up for the Spot The Bug challenge 2016 from Securify.

- challenge, write-up, php, code review


Spot The Bug challenge December 2016

Briefing for the Spot The Bug challenge 2016 from Securify.

- challenge, php, code review


Spot The Bug challenge 2015 write-up

Write-up for the Spot The Bug challenge 2015 from Securify.

- code review, challenge, securify, write-up


Spot The Bug challenge 2015 briefing

Briefing for the Spot The Bug challenge 2015 from Securify.

- code review, challenge, securify


Trainpooling

Back in 2014 I thought of a hack for the Dutch train system I call trainpooling.

- ov-chipcard, trains, hacks