On a monthly basis I will publish my reading recommendations which mainly focus on Information Security and Outdoor Sports – but you will also find other recommendations from time to time.

All InfoSec Reading Lists can be found here.

Best of Twitterverse

InfoSec

• BlackHat 2017: The Shadow Brokers — Cyber Fear Game Changers – interesting timelines + links to PDFs – link
• “The lack of focus on those more mundane problems came about because often security experts had little interest in or empathy for people, he said.” – Facebook calls for a more people-centric security industry – link
• Algorithms cannot discern good intentions, so they must be secure against everyone. – Going dark: encryption and law enforcement – there is a lot of truth in this article – link
• Ever get remote code execution by fragging a player? – Remote Code Execution In Source Games – link
• LinkedIn reveals your personal email to your connections – the interesting part of this article is the discussion around the contextual integrity (CI) theory by Helen Nissenbaum – link
• Black Hat 20 & DEFCON 25 – summary and recommended talks – link
•  Top 10 Most Obvious Hacks of All Time (v0.9) – growing list – link
• Breaking the Security Model of Subgraph OS – interesting discussion around the sandboxing capabilities of Qubes OS and Subgraph OS – definitively worth a read – link
• “I break things, I don’t fix them” – we all should learn more about defense – link
• Be Prepared: Journalists and Security Researchers – link and related to that – Media Training is an OPSEC skill – link
• Ross Anderson on Compartmentation is hard, but the Big Data playbook makes it harder still – link
• Windows DRM Social Engineering Attacks & TorBrowser – important to consider when using anonymization techniques – link

Layer 7

• How the Twitter App Bypasses Paywalls – relying on referer and user-agent for authentication purposes is bad but obviously a desperate try to hold non-tech-savvy users off the free web offers – link
• How i Hacked into a PayPal’s Server – Unrestricted File Upload to Remote Code Execution – OSINT for vulnerable subdomains, file upload without input validation, bruteforcing folder ID, execute uploaded script, game over – link
• Blind SSRF on Yahoo owned server – link
• $10k host header – High School student gets 10,000 USD bug bounty for changing host header information – nice catch – link

IoT (with S for “Security”)

• Exploiting a weak spot in the power grid – link

Malware/Phishing

• Mitigations: Completeness/Effectiveness vs Performance – link
• Learnings from analysing my compromised server – writeup about what can go wrong in case you pick a weak root password for your sshd – link

Mobile Related

• From Chrysaor to Lipizzan: Blocking a new targeted spyware family – link

Outdoors

• Whitewater Packrafting 101: 10 Things you need to know to paddle safe + strong – link
• Arctic Alaska Packrafting Gear Suggestions: an Annotated Photo-list – very helpful post by Roman Dial on packrafting gear based on 50 years of experience – link
• The Garmin inReach: Merging Navigation & Communication – these are the new devices that merge the traditional Garmin GPS devices and Delorme’s InReach – I’m specifically astonished about the battery: “100 hours in 10-min tracking mode / 30 days in 30-min interval power saving mode” – link
• The man who went on a hike and never stopped walking – link
• Vindelfjällens Traverse, a packrafting lesson – interesting report about how quickly things can go wrong when going packrafting – link
• 400 Miles Jordan Hike – this sounds amazing and I would love to go back to Jordan anytime – I always had amazing times there – link – they even have a nice booklet for thru-hikers – link – now looking forward to being able to download the full GPX

MISC

• Research Shows That Organizations Benefit When Employees Take Sabbaticals – link