Clever Title Goes Here

Security educator, researcher, and developer


Hackprenticeship Alpha

Read this first: Applications for this trial run of the Hackprenticeship are closed. 365 folks applied and only 1 can get in, so no further applications will be accepted. (Please don’t email/tweet/carrier pigeon at me asking about an exception; I’ve received so many of those already!)

Who Am I

I’m Cody Brocious (@daeken), an experienced hacker, developer, and educator. My work in security ranges from console hacking, to hotel locks, to web apps, and everything in between. A small selection of my work:

  • Hotel lock hack affecting 4-10 million locks
  • Emulator for reverse-engineering the Nintendo Switch
  • Online class in security

I head up hacker education for HackerOne, but this is not a HackerOne initiative. This is just you and I!

Goal and Process

I want to find a hacker who is interested in learning the bug bounty ropes, who will work beside me for 6 months. For the first 3...


Bounty Progress - March 2019

I have a few goals for my bug bounty work in 2019:

  • $50k in total bounties/bonuses
  • At least one $5k bounty (for reference, current best is $4802)
  • At least half my reports rated high/critical (CVSS 7+)
  • Blog about my progress monthly, with a continuously updated entry for each month

Goal Health

Current total earnings for the year: $13179

This is 26.35% of my goal for the year. By the end of March I should be at $12500 to be on track, putting me $679 ahead as of 2019-03-26.

Lifetime Stats

  • 19 bounties paid
  • $24141 total earned
  • $1270 average bounty

Bugs

  • HIGH Discovered 2018-11-29, Paid 2019-03-03 by private – $667 (total $3000 bounty, shared with two other researchers; $1000 paid previously)
  • LOW Discovered 2019-03-06, Paid 2019-03-11 by private – $100
  • HIGH Discovered 2019-03-07, Paid 2019-03-11 by private – $1500
  • CRITICAL Discovered 2019-03-17, Unpaid by private
  • CRITICAL...


Bounty Progress - January/February 2019

I have a few goals for my bug bounty work in 2019:

  • $50k in total bounties/bonuses
  • At least one $5k bounty (for reference, current best is $4802)
  • At least half my reports rated high/critical (CVSS 7+)
  • Blog about my progress monthly, with a continuously updated entry for each month

Obviously on this last point I’ve failed so far, so this first blog will cover the first two months of the year. I’ll update this one with any further bugs I find.

Additionally, I’m going to list bugs that were discovered in 2018 but weren’t paid until this year, because … $50k is a lot of money, and I need the help!

Goal Health

Current total earnings for the year: $9862

This is 19.7% of my goal for the year. By the end of February I should be at $8333 to be on track, putting me $1529 ahead as of 2019-02-25.

Bugs

  • HIGH Discovered 2018-11-24, Paid 2019-01-02 by private – $3362
  • CRITICAL Discovered...


Hacker101 CTF Architecture

Introduction

The Hacker101 CTF has been up for about two and a half months now, with thousands of users finding tens of thousands of flags. It has been working beautifully – after a few rough days at the beginning – with hundreds of simultaneous instances running in parallel. Getting there, though, was an adventure.

Structure

The CTF is built from five notable pieces:

  • Messaging protocol
  • Web frontend
  • Manager
  • Runners
  • Database – This is just Postgres
  • Levels – These are individual Docker images, completely self-contained and having their own web server

One overall note: every part of this system is built in Python, with the exception of some levels. Much <3 for Python.

Messaging protocol

I built a custom messaging protocol for this, as I had really specific goals in mind for it. In all likelihood, there is something off-the-shelf that would do what I wanted, but this was...


Nintendo Switch nvservices Info Leak

In this post I’m going to discuss a Nintendo Switch bug I submitted to the Nintendo bug bounty program a few months ago, which they fixed recently (in 6.0, I believe, though I haven’t tested this myself).

Background

The Switch runs on a custom OS called Horizon. It’s a really sleek, simple microkernel, and because of that, the majority of key functionality that would normally be in the kernel is actually in a userland service. To communicate between services or from an app/game to services, you use IPC: Get a handle to a service (by an <=8 character name, e.g. ‘ssl’), then send messages to it. Each message consists of some amount of data and some number of objects, which are typically kernel objects. Kernel objects are things like transfer memory, shared memory, event handles, etc. The details here aren’t important, with one exception: transfer memory.

Transfer memory is a...


No, Presidential alerts can’t “access […] your phone”

On 2018-10-03, John McAfee tweeted:

This has spread like wildfire, with nearly 30k retweets and 41k likes as of writing. Unfortunately, it’s also completely untrue and does nothing but spread FUD.

While I have issues with the Presidential alert system (something I plan on writing about soon), absolutely none of the claims made in this tweet have even a grain of truth. Let’s break this down.

There is no E911 chip

Simply put, there’s no such thing as an E911 chip in any phone that has ever or will ever exist. This is one of many things that the baseband of...


If I were Bitfi

(Disclaimer: I am with HackerOne’s community team. I don’t want to bury the lede on that in any way, as H1 does come into this story.)

If you’ve been on Twitter in the past two months and live in the security world, chances are good that you’ve seen the fighting around Bitfi. A short summary for those who missed it:

  • Bitfi launched a hardware wallet for cryptocurrency
  • They subsequently launched a $250k reward for it to be hacked, claiming it to be unhackable, the “Bitfi Bounty”
  • Numerous researchers successfully hacked the device, to varying degrees
  • Harassing tweets and threats were made by Bitfi employees against these researchers, when they attempted to claim the reward
  • Bitfi subsequently pulled the reward and rescinded the unhackable claim, as well as signaling their intention to launch a HackerOne bug bounty
  • They also hired a head of security, who subsequently quit the next day...


A Stupidly Simple, Fast Octree Traversal Algorithm for Ray Intersection

I’ve been doing some game dev stuff lately and I needed to intersect a ray with an octree of triangles, for collision detection. I first implemented a naive algorithm that simply checked if the AABB of each octant intersected the ray, then found the closest point. This was devastatingly slow, as you might expect. I then implemented the algorithm described by Revelles et al which is a nice algorithm, but limited (all octants must be half the size of their parents, for instance; this means it can work only on true octrees and not “loose octrees” or k-d trees) and fairly complicated.

Today I had a random thought while doing day-job work: what if I treat the octree divisions as splitting planes and essentially do a binary search? By knowing which plane my ray is closest to at a given step, I know which nodes I need to search. To my surprise – and slight horror, because it’s never a...


Steal This Idea

This blog post will exist as a living document of ideas – some very fleshed out, some barely more than a concept – which I would love to implement if I had 15 of me. Unfortunately, there’s just the one (for now) and I don’t have time to work on any of this. As such, please take these ideas and run with them; if you make them and charge for them, I will throw money at you.

I completely rescind any rights to these ideas. You are free to implement them in any form you wish. I just want to see these happen.

Mario Maker clone

Mario Maker is an awesome game, but by its nature it’s limited to Wii U (and kind of, almost 3ds. But not really) and thus the audience is even more limited. Additionally, I think there’s some really fun stuff that could be done regarding visual scripting to make this powerful and awesome.

I actually started work on something like this a while back but...


Running Project List

I always have a large number of projects, which shuffle between active, inactive, and effectively abandoned. In the interest of self-accountability and maybe letting others take over or get involved in projects, I’ve decided to make an incomplete list (last ~6 months), which I’ll attempt to keep up to date:

  • HypervisorSharp (H) [Active]: This project seeks to allow trivial development of hypervisors and emulators for .NET Core. Currently targets only Hypervisor.framework on MacOS. https://github.com/daeken/PaleFlag/tree/master/HypervisorSharp
  • PaleFlag [Active]: Xbox emulator built on H. https://github.com/daeken/PaleFlag/tree/master/PaleFlag
  • GdbStub [needs real name - Active]: .NET [Core] library to embed a GDB stub trivially in any emulator, hypervisor, or other project. https://github.com/daeken/PaleFlag/tree/master/GdbStub
  • SharpStation [Inactive/Abandoned?]: Playstation...