Posts

• September 9, 2024 XS-Leaks Summit: Stopping XS-Leaks at Scale (v2)
• July 18, 2024 LocoMocoSec: How blocking third-party cookies can fix the web
• July 1, 2024 Security Signals: Measuring Web Security Posture at Scale
• January 22, 2024 Google Blog: A Recipe for Scaling Security
• October 27, 2023 Truly Paranoid Software Updates
• April 18, 2023 Google Blog: Securely Hosting User Data in Modern Web Applications
• November 3, 2022 hiSHtory: Launching on HN and Reddit
• October 15, 2022 hiSHtory: Cross-device Encrypted Syncing Design
• September 26, 2022 hiSHtory: Your shell history in context, synced, and queryable
• March 9, 2022 The limits of the same-origin policy: cross-origin (but same-site) attacks
• January 3, 2022 Log4j Scanning
• October 10, 2021 Stopping XS-Leaks at Scale
• July 6, 2021 DEF CON 29 Presentation: Worming through IDEs
• August 18, 2020 Three More Google Cloud Shell Bugs Explained
• July 21, 2020 Compiler Fun
• July 19, 2020 Playing with DigitalOcean Kubernetes
• June 8, 2020 Discovering an XXE in Postgres (CVE-2020-13692)
• May 18, 2020 Fuzzing libsignal-protocol-c with libfuzzer and OSS-Fuzz
• May 13, 2020 Rediscovering CVE-2019-18212: RCE in Eclipse Theia
• August 23, 2019 Keybase SSH: An Open Source SSH CA

• 1
• 2
• ›
• »