Software Supply Chain Security: The Case for Minimal Dependencies

In 2016, removing an 11-line npm package called left-pad broke thousands of projects worldwide. Nine years later, attackers compromised packages with 2.6 billion weekly downloads using phishing and self-propagating malware. The Problem: A Decade of Escalating Supply Chain Attacks Timeline March 2016: Left-pad incident - removing an 11-line dependency broke thousands of projects including Babel and React. October 2021: ua-parser-js compromise - library with 7M+ weekly downloads hijacked multiple times, injecting cryptocurrency miners and password stealers. ...

September 23, 2025 · 4 min

Drouter: Dynamic Route Injection for Docker Containers

When working with Docker containers on complex networks, you often need to add static routes so containers can reach networks that aren’t directly connected to their default gateway. This becomes especially important when using macvlan network drivers where containers get their own IP addresses on your physical network. I’ve just released drouter, a lightweight systemd service that solves this problem by automatically injecting routes into Docker containers based on simple labels. The Problem Consider this scenario: you’re using a macvlan network driver so your containers get real IP addresses on your network (say 192.168.1.0/24). Your router is at 192.168.1.1, but you have additional internal subnets like 10.0.0.0/8 that are reachable through a different gateway at 192.168.1.254. ...

September 20, 2025 · 3 min

Creating a Mikrotik BGP.Tools Session

When running a network with its own ASN, you will likely end up spending some time working with BGP. Knowing how your peer networks connect can help with your own network planning. BGP.Tools is a service that maps out different networks and the routes between them by having networks opt to provide bgp.tools with a BGP session sharing their exportable routes. This guide will walk you through setting up a BGP.Tools session with a Mikrotik router running RouterOS 7. ...

February 11, 2024 · 2 min

BygoneSSL - dealing with residual certificates for pre-owned domains

This is the blog version of my DEFCON 26 talk Lost and Found Certificates: dealing with residual certificates for pre-owned domains, which I co-presented with Dylan Ayrey. You can learn more about BygoneSSL and see a demo at insecure.design. The Problem A Certificate can outlive the ownership of a domain. If the domain is then re-registered by someone else, this leaves with the first owner with a valid SSL certificate for the domain now owned by someone else. ...

August 13, 2018 · 8 min

CertGraph

Certgraph is a tool I’ve been developing to scan and graph the network of SSL certificate alternative names. It can be used to find other domains that belong to an organization that may be several orders removed and not always obvious. Background The idea for this project came about after examining the SSL certificate for XKCD.com. If you look closely at the screenshot below you will see that the SSL certificate used on XKCD.com is also valid for many of domains which have no relationship to XKCD or Randall Munroe. ...

April 6, 2018 · 7 min

Ambergris

For those of you not in the know, ambergris is defined as: a wax-like substance that originates as a secretion in the intestines of the sperm whale, found floating in tropical seas and used in perfume manufacture. However, that will not be what this post is about (sorry to disappoint). Instead, I’ll present what happens when building an image on Docker that contains a reverse shell in the Dockerfile. ...

January 19, 2017 · 7 min

Badgy

A while ago I came into possession of a few HID iClass readers. After collecting dust in my project drawer for a few months I decided to find a fun use for them, which ended up in the project I call Badgy. Background The back of the HID readers have 10 colored wires coming out of them. Luckily the readers also had a nice sticker telling me which wire was what. ...

December 24, 2016 · 7 min

TRIPLEX DVRLink DVR468RW Exploit

At an internship I had a while ago one project assigned to me was to regain access to a CCTV security system which we had been locked out of for some years. (The previous manager left without leaving the password.) The DVR system was a TRIPLEX DVRLink DVR468RW, whatever that is. It seemed cheap; a small embedded computer with video in/out, a hard-drive and CD-RW drive for recording storage. The administration interface was accessed either by a web server running on the device or a desktop client you installed on your computer. ...

June 20, 2013 · 3 min

PHP Karaoke Queue

A while ago I decided that I needed some more JavaScript/AJAX experience, and what better way to get it than to use it to solve an existing problem. Every now and then my apartment hosts karaoke nights, we have a lot of songs, enough to fill a 4-inch binder. Searching for songs was a pain. In order to find the song’s ID code to give to the DJ you must search through pages of songs and artists that were in no particular order. I decided to fix this problem with my skill set, so I created DJQueue. DJQueue is a collection of hacked together PHP, JavaScript, and SQL magic. ...

May 25, 2013 · 1 min

SMS DOS: Cellphone Denial Of Service via text messages

A while ago I wondered how well modern cellphones could handle a flood of text messages. So I created a simple python program to test just that. The program works by sending emails to a SMS Gateway which will forward the message to the phone in the form of a text message. I tested my program on two devices, my modern HTC Incredible running Android and my aging LG Chocolate dumb-phone. The results where surprising! After starting the program my HTC Incredible froze after receiving the first 20 messages. A battery pull was required to get it to respond. The second it finished booting it froze again! I was only able to make it respond by stopping my program and rebooting the phone. After it boot it froze again while catching up on all the messages that where sent. ...

March 11, 2012 · 2 min