Blog Posts

USENIX Security Symposium 2019

Thinkst in Santa Clara Last week Haroon and I found ourselves at the 28th USENIX Security Symposium in balmy Santa Clara. We made the trip from Vegas for Haroon’s invited talk at the main event, and I took the opportunity to present at one of the side workshops (HotSec). This is a short recap of our USENEX experience. Neither Haroon nor I have attended USENIX events previously, despite over 20 Black Hat USAs between the two of us. What’s worse, we

Continue Reading

One Month with Thinkst

Recently, I was faced with a career dilemma. Go back to the enterprise and be a CISO Take a gig that would be part research, part bizdev A research and writing gig Consulting/Advisory work Join another vendor SPOILER: I chose the last one… but why? Why Thinkst? Thinkst Applied Research is the company behind the popular Canary product. Though they started off as more of a research firm that would build various products, the Canary product took off and has

Continue Reading

When document.domain is not equal to document.domain

Background One of our most popular Canarytokens is one we call the “Cloned-Site Token”. Essentially, we give you a tiny piece of JavaScript to add to your public webpage. If this JS is ever loaded on a server that doesn’t belong to you, it fires an alert. You can be alerted at an email address or webhook in the free version, or to your SIEM, slack channel or a bunch of other alternatives in the paid version. The Cloned-Site Token

Continue Reading

Developing a full stack… of Skyballs

We like solving problems. Sometimes, we make up new ones so we can solve them. Skyball Pyramids are one such case! Last year we discovered these amazing Skyballs and decided to make them a regular feature at our conference booths.  Canary Skyballs They have just the right amount of heft and weight to make them genuinely fun to play with. Of course, this leaves us with the devilish problem of how to display them… At Infosec Europe 2018, some of

Continue Reading

When you can’t do awesome things, because of crushing bureaucracy

I’ve sometimes bumped into people who bemoan their broken company cultures with varying degrees of self-awareness. Around 2007, a then-customer heard we were heading to Vegas to speak at BlackHat and said: You guys are so lucky.. my company won’t let us go to anything like that At the time I bristled. We worked for months on that research, dedicating many nights and burnt family time before we could stand up and talk. For sure our company celebrated those wins,

Continue Reading

Save My Vid

SaveMyVid was created during our 2018 HackWeek. It’s goals are simple. I want to be able to tag/submit videos for watching, and then want them reliably stored somewhere (ideally on my iPad) Usage: Once you have an account on savemyvid.net, you are given an email address (like savemyvid+d1cf..@savemyvid.net) and a URL which is your personal podcast (like: http://d1cfc…savemyvid.net/podcast/output.rss) When you see a tweet with a video you want, or come across some video you are interested in, simply forward the

Continue Reading

HackWeek 2018

Two weeks ago we ran the second edition of our internal HackWeek, and it was fantastic. Last year’s event was great fun and produced projects we still use; going into this year’s HackWeek we anticipated a leveling up, and weren’t disappointed. We figured we’d talk a little bit about the week, and discuss some of the “hacks”. Our HackWeek parameters are simple: We downtools on all but the most essential work (primarily anything customer-facing) and instead scope and build something.

Continue Reading

Making NGINX slightly less “surprising”

Dan Geer famously declared that security is “the absence of unmitigatable surprise”. He said it while discussing how dependence is the root source of risk, where increasing system dependencies change the nature of surprises that emanate from composed systems.  Recently, two of our servers “surprised” us due to an unexpected dependence, and we thought this incident was worth talking about. (We also discuss how to mitigate such surprises going forward). Background:Every Canary deployment is made up of at least two

Continue Reading

Good Pain vs. Bad Pain

aka: You know it’s supposed to hurt, you just don’t know which kind of hurt is the good kind One of the common problems when people start lifting weights (or doing CrossFit) is that they inadvertently overdo it. Why don’t they stop when it hurts? Because everyone knows it’s supposed to hurt. Hypertrophy is the goal, so the pain is part of the deal… right? Pain, Guaranteed In an old interview on the rise of Twitter, Ev Williams said something

Continue Reading

They see me rolling (back)

Moving backward is a feature too! We go through a lot of pain to make sure that Canary deployments are quick and painless. It’s worth remembering that even though the deployment happened in minutes, a bunch of stuff has happened in the background. (Your bird created a crypto key-pair, exchanged the public key with your console, and registered itself as one of your birds). From that point on, all communication between your bird and your console is encrypted (with a

Continue Reading

Site Footer

Authored with 💚 by Thinkst