<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Dan Guido on The Trail of Bits Blog</title><link>https://miscreants.github.io/blog.trailofbits.com/authors/dan-guido/</link><description>Recent content in Dan Guido on The Trail of Bits Blog</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Sat, 09 Aug 2025 00:00:00 -0400</lastBuildDate><atom:link href="https://miscreants.github.io/blog.trailofbits.com/authors/dan-guido/index.xml" rel="self" type="application/rss+xml"/><item><title>Trail of Bits' Buttercup wins 2nd place in AIxCC Challenge</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/08/09/trail-of-bits-buttercup-wins-2nd-place-in-aixcc-challenge/</link><pubDate>Sat, 09 Aug 2025 10:30:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/08/09/trail-of-bits-buttercup-wins-2nd-place-in-aixcc-challenge/</guid><description>Our team won the runner-up prize of $3M at DARPA&amp;rsquo;s AI Cyber Challenge, demonstrating Buttercup&amp;rsquo;s world-class automated vulnerability discovery and patching capabilities with remarkable cost efficiency.</description></item><item><title>The Unconventional Innovator Scholarship</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/08/01/the-unconventional-innovator-scholarship/</link><pubDate>Fri, 01 Aug 2025 07:00:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/08/01/the-unconventional-innovator-scholarship/</guid><description>Trail of Bits founder Dan Guido establishes a $2,500 scholarship at his alma mater, Mineola High School, to recognize students who demonstrate the hacker spirit through self-driven learning, creative problem-solving, and unconventional technological exploration. 
The scholarship celebrates tomorrow&amp;rsquo;s security innovators who push boundaries and think differently about technology.</description></item><item><title>Mitigating ELUSIVE COMET Zoom remote control attacks</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/04/17/mitigating-elusive-comet-zoom-remote-control-attacks/</link><pubDate>Thu, 17 Apr 2025 00:00:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/04/17/mitigating-elusive-comet-zoom-remote-control-attacks/</guid><description>This post describes a sophisticated social engineering campaign using Zoom&amp;rsquo;s remote control feature and provides technical solutions to protect organizations against this attack vector.</description></item><item><title>The $1.5B Bybit Hack: The Era of Operational Security Failures Has Arrived</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/02/21/the-1.5b-bybit-hack-the-era-of-operational-security-failures-has-arrived/</link><pubDate>Fri, 21 Feb 2025 00:00:00 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/02/21/the-1.5b-bybit-hack-the-era-of-operational-security-failures-has-arrived/</guid><description>The $1.5B Bybit Hack demonstrates how the Era of Operational Security Failures has arrived, and most cryptocurrency companies are not prepared for its implications.</description></item><item><title>Trail of Bits Advances to AIxCC Finals</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/08/12/trail-of-bits-advances-to-aixcc-finals/</link><pubDate>Mon, 12 Aug 2024 19:23:13 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/08/12/trail-of-bits-advances-to-aixcc-finals/</guid><description>Trail of Bits has qualified for the final round of DARPA’s AI Cyber Challenge (AIxCC)! Our Cyber Reasoning System, Buttercup, placed in the top 7 out of 39 teams competing in the semifinal round held at DEF CON 2024. 
Competition Overview The AIxCC semifinal featured a series of challenges based on real-world software, including nginx, […]</description></item><item><title>Trail of Bits’ Buttercup heads to DARPA’s AIxCC</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/08/09/trail-of-bits-buttercup-heads-to-darpas-aixcc/</link><pubDate>Fri, 09 Aug 2024 09:10:29 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/08/09/trail-of-bits-buttercup-heads-to-darpas-aixcc/</guid><description>With DARPA’s AI Cyber Challenge (AIxCC) semifinal starting today at DEF CON 2024, we want to introduce Buttercup, our AIxCC submission. Buttercup is a Cyber Reasoning System (CRS) that combines conventional cybersecurity techniques like fuzzing and static analysis with AI and machine learning to find and fix software vulnerabilities. The system is designed to operate […]</description></item><item><title>DARPA’s AI Cyber Challenge: We’re In!</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/12/14/darpas-ai-cyber-challenge-were-in/</link><pubDate>Thu, 14 Dec 2023 09:00:45 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/12/14/darpas-ai-cyber-challenge-were-in/</guid><description>We’re thrilled to announce that Trail of Bits will be competing in DARPA’s upcoming AI Cyber Challenge (AIxCC)! DARPA is challenging competitors to develop novel, fully automated AI-driven systems capable of securing the critical software that underpins the modern world. 
We’ve formed a team of world class software security and AI/ML experts, bringing together researchers, […]</description></item><item><title>iVerify is now an independent company!</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/08/28/iverify-is-now-an-independent-company/</link><pubDate>Mon, 28 Aug 2023 07:00:45 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/08/28/iverify-is-now-an-independent-company/</guid><description>We’re proud to announce that iVerify is now an independent company following its four-year incubation at Trail of Bits. Originally developed in-house to ensure that our personal phones, which store data essential to our work and private lives, were secured to the standards of security professionals, iVerify quickly showed that it could be valuable to […]</description></item><item><title>Can you pass the Rekt test?</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/08/14/can-you-pass-the-rekt-test/</link><pubDate>Mon, 14 Aug 2023 04:00:50 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/08/14/can-you-pass-the-rekt-test/</guid><description>One of the biggest challenges for blockchain developers is objectively assessing their security posture and measuring how it progresses. To address this issue, a working group of Web3 security experts, led by Trail of Bits CEO Dan Guido, met earlier this year to create a simple test for profiling the security of blockchain teams. 
We […]</description></item><item><title>How AI will affect cybersecurity: What we told the CFTC</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/07/31/how-ai-will-affect-cybersecurity-what-we-told-the-cftc/</link><pubDate>Mon, 31 Jul 2023 07:00:32 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/07/31/how-ai-will-affect-cybersecurity-what-we-told-the-cftc/</guid><description>Dan Guido, CEO The second meeting of the Commodity Futures Trading Commission’s Technology Advisory Committee (TAC) on July 18 focused on the effects of AI on the financial sector. During the meeting, I explained that AI has the potential to fundamentally change the balance between cyber offense and defense, and that we need security-focused benchmarks […]</description></item><item><title>What we told the CFTC about blockchain threats</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/07/12/what-we-told-the-cftc-about-crypto-threats/</link><pubDate>Wed, 12 Jul 2023 07:00:13 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/07/12/what-we-told-the-cftc-about-crypto-threats/</guid><description>In March, I joined the Commodity Futures Trading Commission’s Technology Advisory Committee (TAC), helping the regulatory agency navigate the complexities of cybersecurity risks, particularly in emerging technologies like AI and blockchain. 
During the committee’s first meeting, I discussed how the rapidly changing and public nature of blockchain technology makes it uniquely susceptible […]</description></item><item><title>Contract verification made easier</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/07/12/new-manticore-verifier-for-smart-contracts/</link><pubDate>Sun, 12 Jul 2020 15:00:46 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/07/12/new-manticore-verifier-for-smart-contracts/</guid><description>Smart contract authors can now express security properties in the same language they use to write their code (Solidity) and our new tool, manticore-verifier, will automatically verify those invariants. Even better, Echidna and Manticore share the same format for specifying property tests. In other words, smart contract authors can now write one property test and […]</description></item><item><title>Advocating for change</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/06/17/advocating-for-change/</link><pubDate>Wed, 17 Jun 2020 17:33:17 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/06/17/advocating-for-change/</guid><description>As a company, we believe Black lives matter. In the face of continued police brutality, racial disparities in law enforcement, and limited accountability, we demand an end to systemic racism, endorse restrictions on police use of force, and seek greater accountability for police actions. 
We believe police misconduct, militarization of police, and unchecked abuse of […]</description></item><item><title>Emerging Talent: Winternship 2020 Highlights</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/05/22/emerging-talent-winternship-2020-highlights/</link><pubDate>Fri, 22 May 2020 07:50:14 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/05/22/emerging-talent-winternship-2020-highlights/</guid><description>The Trail of Bits Winternship is our winter internship program where we invite 10-15 students to join us over the winter break for a short project that has a meaningful impact on information security. They work remotely with a mentor to create or improve tools that solve a single impactful problem. These paid internships give […]</description></item><item><title>Announcing our first virtual Empire Hacking</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/04/07/announcing-our-first-virtual-empire-hacking/</link><pubDate>Tue, 07 Apr 2020 07:00:06 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/04/07/announcing-our-first-virtual-empire-hacking/</guid><description>At Trail of Bits, we’ve all been working remotely due to COVID-19. But the next Empire Hacking event will go on, via video conference! When: April 14th @ 6PM How: RSVP via this Google Form or on Meetup. We’ll email you an invitation early next week. Come talk shop with us! Every two months, Empire […]</description></item><item><title>Our Full Report on the Voatz Mobile Voting Platform</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/03/13/our-full-report-on-the-voatz-mobile-voting-platform/</link><pubDate>Fri, 13 Mar 2020 07:52:37 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/03/13/our-full-report-on-the-voatz-mobile-voting-platform/</guid><description>Voatz allows voters to cast their ballots from any geographic location on supported mobile devices. 
Its mobile voting platform is under increasing public scrutiny for security vulnerabilities that could potentially invalidate an election. The issues are serious enough to attract inquiries from the Department of Homeland Security and Congress. However, there has been no comprehensive […]</description></item><item><title>Manticore discovers the ENS bug</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/03/03/manticore-discovers-the-ens-bug/</link><pubDate>Tue, 03 Mar 2020 14:21:52 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/03/03/manticore-discovers-the-ens-bug/</guid><description>The Ethereum Name Service (ENS) contract recently suffered from a critical bug that prompted a security advisory and a migration to a new contract (CVE-2020-5232). ENS allows users to associate online resources with human-readable names. As you might expect, it allows you to transfer and sell domain names. Specific details about the bug were in […]</description></item><item><title>$10,000 research fellowships for underrepresented talent</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/12/20/10000-research-fellowships-for-underrepresented-talent/</link><pubDate>Thu, 20 Dec 2018 10:00:32 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/12/20/10000-research-fellowships-for-underrepresented-talent/</guid><description>The Trail of Bits SummerCon Fellowship program is now accepting applications from emerging security researchers with excellent project ideas. Fellows will explore their research topics with our guidance and then present their findings at SummerCon 2019. We will be reserving at least 50% of our funding for marginalized, female-identifying, transgender, and non-binary candidates. 
If you’re […]</description></item><item><title>Return of the Blockchain Security Empire Hacking</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/11/19/return-of-the-blockchain-security-empire-hacking/</link><pubDate>Mon, 19 Nov 2018 11:20:10 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/11/19/return-of-the-blockchain-security-empire-hacking/</guid><description>Remember last December’s Empire Hacking? The one where we dedicated the event to sharing the best information about blockchain and smart contract security? Let’s do that again, and let’s make it a tradition; a half-day mini conference focused exclusively on a single topic every December. On December 12, please join us at Buzzfeed’s NYC offices […]</description></item><item><title>Trail of Bits @ Devcon IV Recap</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/11/16/trail-of-bits-devcon-iv-recap/</link><pubDate>Fri, 16 Nov 2018 06:50:22 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/11/16/trail-of-bits-devcon-iv-recap/</guid><description>We wanted to make up for missing the first three Devcons, so we participated in this year’s event through a number of talks, a panel, and two trainings. For those of you who couldn’t join us, we’ve summarized our contributions below. We hope to see you there next year. Using Manticore and Symbolic Execution to […]</description></item><item><title>Ethereum security guidance for all</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/10/04/ethereum-security-guidance-for-all/</link><pubDate>Thu, 04 Oct 2018 06:50:23 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/10/04/ethereum-security-guidance-for-all/</guid><description>We came away from ETH Berlin with two overarching impressions: first, many developers were hungry for any guidance on security, and second, too few security firms were accessible. 
When we began taking on blockchain security engagements in 2016, there were no tools engineered for the work. Useful documentation was hard to find and hidden among […]</description></item><item><title>Trail of Bits donates $100,000 to support young researchers through SummerCon</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/06/29/trail-of-bits-donates-100000-to-support-young-researchers-through-summercon/</link><pubDate>Fri, 29 Jun 2018 07:50:15 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/06/29/trail-of-bits-donates-100000-to-support-young-researchers-through-summercon/</guid><description>We have a soft spot in our hearts for SummerCon. This event, the longest-running hacker conference in the US, is a great chance to host hacker friends from around the world in NYC, catch up in person, and learn about delightfully weird security topics. It draws a great crowd, ranging from “hackers to feds to […]</description></item><item><title>Use our suite of Ethereum security tools</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/03/23/use-our-suite-of-ethereum-security-tools/</link><pubDate>Fri, 23 Mar 2018 00:28:08 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/03/23/use-our-suite-of-ethereum-security-tools/</guid><description>Two years ago, when we began taking on blockchain security engagements, there were no tools engineered for the work. No static analyzers, fuzzers, or reverse engineering tools for Ethereum. So, we invested significant time and expertise to create what we needed, adapt what we already had, and refine the work continuously over dozens of audits. 
[…]</description></item><item><title>"AMD Flaws" Technical Summary</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/03/15/amd-flaws-technical-summary/</link><pubDate>Thu, 15 Mar 2018 13:58:03 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/03/15/amd-flaws-technical-summary/</guid><description>Two weeks ago, we were engaged by CTS Labs as independent consultants at our standard consulting rates to review and confirm the technical accuracy of their preliminary findings. We participated neither in their research nor in their subsequent disclosure process. Our recommendation to CTS was to disclose the vulnerabilities through a CERT. Our review of [&amp;hellip;]</description></item><item><title>2017 in review</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/03/08/2017-in-review/</link><pubDate>Thu, 08 Mar 2018 07:50:56 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/03/08/2017-in-review/</guid><description>What a roller coaster of a year! Well, outside of our office. Inside, 2017 was excellent. We published novel research that advanced – among others – the practices of automated bug discovery, symbolic execution, and binary translation. In the process, we improved many foundational tools that an increasing number of security researchers will come to […]</description></item><item><title>Parity Technologies engages Trail of Bits</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/02/09/parity-technologies-engages-trail-of-bits/</link><pubDate>Fri, 09 Feb 2018 07:50:46 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/02/09/parity-technologies-engages-trail-of-bits/</guid><description>We’re helping Parity Technologies secure their Ethereum client. We’ll begin by auditing their codebase, and look forward to publishing results and the knowledge we gained in the future. 
Parity Technologies combines cryptography, cellular systems, peer-to-peer technology and decentralized consensus to solve the problems that have gone unaddressed by conventional server-client architecture. Their Ethereum client is designed for […]</description></item><item><title>Videos from Ethereum-focused Empire Hacking</title><link>https://miscreants.github.io/blog.trailofbits.com/2017/12/22/videos-from-ethereum-focused-empire-hacking/</link><pubDate>Fri, 22 Dec 2017 07:50:57 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2017/12/22/videos-from-ethereum-focused-empire-hacking/</guid><description>On December 12, over 150 attendees learned how to write and hack secure smart contracts at the final Empire Hacking meetup of 2017. Thank you to everyone who came, to our superb speakers, and to Datadog for hosting this meetup at their office. Watch the presentations again We believe strongly that the community should share […]</description></item><item><title>Trail of Bits joins the Enterprise Ethereum Alliance</title><link>https://miscreants.github.io/blog.trailofbits.com/2017/10/19/trail-of-bits-joins-the-enterprise-ethereum-alliance/</link><pubDate>Thu, 19 Oct 2017 07:50:38 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2017/10/19/trail-of-bits-joins-the-enterprise-ethereum-alliance/</guid><description>We’re proud to announce that Trail of Bits has joined the Enterprise Ethereum Alliance (EEA), the world’s largest open source blockchain initiative. As the first information security company to join, and currently one of the industry’s top smart contract auditors, we’re excited to contribute our unparalleled expertise to the EEA. 
As companies begin to re-architect […]</description></item><item><title>Our team is growing</title><link>https://miscreants.github.io/blog.trailofbits.com/2017/10/16/our-team-is-growing/</link><pubDate>Mon, 16 Oct 2017 07:50:25 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2017/10/16/our-team-is-growing/</guid><description>We’ve added five more to our ranks in the last two months, bringing our total size to 32 employees. Their resumes feature words and acronyms like ‘CTO,’ ‘Co-founder’ and ‘Editor.’ You might recognize their names from publications and presentations that advance the field. We’re excited to offer them a place where they can dig deeper […]</description></item><item><title>iOS jailbreak detection toolkit now available</title><link>https://miscreants.github.io/blog.trailofbits.com/2017/10/12/ios-jailbreak-detection-toolkit-now-available/</link><pubDate>Thu, 12 Oct 2017 07:50:22 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2017/10/12/ios-jailbreak-detection-toolkit-now-available/</guid><description>We now offer a library for developers to check if their apps are running on jailbroken phones. It includes the most comprehensive checks in the industry and it is App Store compatible. Contact us now to license the iVerify security library for your app. Jailbreaks threaten your work Users like to install jailbreaks on their […]</description></item><item><title>The Smart Fuzzer Revolution</title><link>https://miscreants.github.io/blog.trailofbits.com/2017/02/16/the-smart-fuzzer-revolution/</link><pubDate>Thu, 16 Feb 2017 06:50:08 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2017/02/16/the-smart-fuzzer-revolution/</guid><description>I recently had the privilege of giving a keynote at BSidesLisbon. I had a great time at the conference, and I’d like to thank Bruno Morisson for inviting me. If you’re into port, this is the conference for you! 
I recommend that anyone in the area consider attending next year. I felt there was a […]</description></item><item><title>2016 Year in Review</title><link>https://miscreants.github.io/blog.trailofbits.com/2017/01/09/2016-year-in-review/</link><pubDate>Mon, 09 Jan 2017 08:28:15 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2017/01/09/2016-year-in-review/</guid><description>John Oliver may have written off 2016, but we’re darn proud of all that we accomplished and contributed this year. We released a slew of the security tools that help us -and you- work smarter, and promoted a few more that deserved recognition. We helped the New York City InfoSec community build a foundation for […]</description></item><item><title>Meet Algo, the VPN that works</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/</link><pubDate>Mon, 12 Dec 2016 07:50:41 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/</guid><description>I think you’ll agree when I say: there’s no VPN option on the market designed with equal emphasis on security and ease of use. That changes now. Today we’re introducing Algo, a self-hosted personal VPN server designed for ease of deployment and security. Algo automatically deploys an on-demand VPN service in the cloud that is not […]</description></item><item><title>Come Find Us at O’Reilly Security</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/10/26/come-find-us-at-oreilly-security/</link><pubDate>Wed, 26 Oct 2016 07:50:09 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/10/26/come-find-us-at-oreilly-security/</guid><description>We’re putting our money where our mouth is again. In continued support for New York’s growing infosec community we’re excited to sponsor the upcoming O’Reilly Security Conference. 
We expect to be an outlier there: we’re the only sponsor that offers consulting and custom engineering rather than just off-the-shelf products. We see this conference as an […]</description></item><item><title>Automated Code Audit’s First Customer</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/10/04/first-ever-automated-code-audit/</link><pubDate>Tue, 04 Oct 2016 07:50:46 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/10/04/first-ever-automated-code-audit/</guid><description>Last month our Cyber Reasoning System (CRS) -developed for DARPA’s Cyber Grand Challenge– audited a much larger amount of code in less time, in greater detail, and at a lower cost than a human could. Our CRS audited zlib for the Mozilla Secure Open Source (SOS) Fund. To our knowledge, this is the first instance […]</description></item><item><title>Plug into New York’s Infosec Community</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/09/12/plug-into-new-yorks-infosec-community/</link><pubDate>Mon, 12 Sep 2016 07:00:35 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/09/12/plug-into-new-yorks-infosec-community/</guid><description>Between the city’s size and the wide spectrum of the security industry, it’s easy to feel lost. Where are ‘your people?’ How can you find talks that interest you? You want to spend your time meeting and networking, not researching your options. 
So, we put together a directory of all of the infosec gatherings, companies, and […]</description></item><item><title>Work For Us: Fall and Winter Internship Opportunities</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/08/09/work-for-us-fall-and-winter-internship-opportunities/</link><pubDate>Tue, 09 Aug 2016 07:50:59 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/08/09/work-for-us-fall-and-winter-internship-opportunities/</guid><description>If you’re studying in a degree program, and you thrive at the intersection of software development and cyber security, you should apply to our fall or winter internship programs. It’s a great way to add paid experience -and a publication- to your resume, and get a taste of what it’s like to work in a commercial […]</description></item><item><title>Your tool works better than mine? Prove it.</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/08/01/your-tool-works-better-than-mine-prove-it/</link><pubDate>Mon, 01 Aug 2016 07:50:18 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/08/01/your-tool-works-better-than-mine-prove-it/</guid><description>No doubt, DARPA’s Cyber Grand Challenge (CGC) will go down in history for advancing the state of the art in a variety of fields: symbolic execution, binary translation, and dynamic instrumentation, to name a few. But there is one contribution that we believe has been overlooked so far, and that may prove to be the […]</description></item><item><title>Why I didn’t catch any Pokemon today</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/07/11/why-i-didnt-catch-any-pokemon-today/</link><pubDate>Mon, 11 Jul 2016 23:37:27 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/07/11/why-i-didnt-catch-any-pokemon-today/</guid><description>tl;dr While the internet went crazy today, we went fact finding. 
Here are our notes on Pokemon Go’s permissions to your Google account. Here’s what Jay and I set out to do at around 6pm today: Find what permissions Pokemon Go is actually requesting Investigate what the permissions actually do Replicate the permissions in a test app […]</description></item><item><title>Start using the Secure Enclave Crypto API</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/06/28/start-using-the-secure-enclave-crypto-api/</link><pubDate>Tue, 28 Jun 2016 07:50:42 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/06/28/start-using-the-secure-enclave-crypto-api/</guid><description>tl;dr – Tidas is now open source. Let us know if your company wants help trying it out. When Apple quietly released the Secure Enclave Crypto API in iOS 9 (kSecAttrTokenIDSecureEnclave), it allowed developers to liberate their users from the annoyance of strong passwords or OAuth. That is, if the developers could make do without […]</description></item><item><title>It’s time to take ownership of our image</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/06/23/its-time-to-take-ownership-of-our-image/</link><pubDate>Thu, 23 Jun 2016 07:50:59 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/06/23/its-time-to-take-ownership-of-our-image/</guid><description>Gloves Goggles Checkered body suits The representation of hackers in stock media spans a narrow band of reality between the laughable and the absurd. It overshadows the fact that lots of hackers are security professionals. They may dress differently, but they serve a critical function in the economy. 
It’s easy to satirize the way the […]</description></item><item><title>Empire Hacking Turns One</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/05/19/empire-hacking-turns-one/</link><pubDate>Thu, 19 May 2016 07:50:13 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/05/19/empire-hacking-turns-one/</guid><description>In the year since we started this bi-monthly meetup, we’ve been thrilled by the community that it has attracted. We’ve had some excellent presentations on pragmatic security research, shared our aspirations and annoyances with our work, and made some new friends. It’s a wonderful foundation for an even better year two! To mark the group’s […]</description></item><item><title>The DBIR’s ‘Forest’ of Exploit Signatures</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/05/05/the-dbirs-forest-of-exploit-signatures/</link><pubDate>Thu, 05 May 2016 16:56:12 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/05/05/the-dbirs-forest-of-exploit-signatures/</guid><description>If you follow the recommendations in the 2016 Verizon Data Breach Investigations Report (DBIR), you will expose your organization to more risk, not less. The report’s most glaring flaw is the assertion that the TLS FREAK vulnerability is among the ‘Top 10’ most exploited on the Internet. No experienced security practitioner believes that FREAK is […]</description></item><item><title>Hacker Handle Bounty</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/04/01/hacker-handle-bounty/</link><pubDate>Fri, 01 Apr 2016 07:50:44 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/04/01/hacker-handle-bounty/</guid><description>It’s time to close this chapter of our industry’s past. To distance ourselves from the World Wrestling Federation and comic book superheroes. We’re talking about hacker handles: Dildog, Thomas Dullien, Matt Blaze etc. 
When the Internet was young and fancy-free, hacker handles had their place. They afforded anonymity and supported the curious to explore the […]</description></item><item><title>Apple can comply with the FBI court order</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order/</link><pubDate>Wed, 17 Feb 2016 02:42:34 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order/</guid><description>Earlier today, a federal judge ordered Apple to comply with the FBI’s request for technical assistance in the recovery of the San Bernardino gunmen’s iPhone 5C. Since then, many have argued whether these requests from the FBI are technically feasible given the support for strong encryption on iOS devices. Based on my initial reading of […]</description></item><item><title>Tidas: a new service for building password-less apps</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/02/09/tidas-a-new-service-for-building-password-less-apps/</link><pubDate>Tue, 09 Feb 2016 06:50:54 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/02/09/tidas-a-new-service-for-building-password-less-apps/</guid><description>For most mobile app developers, password management has as much appeal as a visit to the dentist. You do it because you have to, but it is annoying and easy to screw up, even when using standard libraries or protocols like OAUTH. Your users feel the same way. 
Even if they know to use strong […]</description></item><item><title>Join us at Etsy’s Code as Craft</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/02/04/join-us-at-code-as-craft/</link><pubDate>Thu, 04 Feb 2016 07:50:24 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/02/04/join-us-at-code-as-craft/</guid><description>We’re excited to announce that Sophia D’Antoine will be the next featured speaker at Etsy’s Code as Craft series on Wednesday, February 10th from 6:30-8pm in NYC. What is Code as Craft? Etsy Code as Craft events are a semi-monthly series of guest speakers who explore a technical topic or computing trend, sharing both conceptual […]</description></item><item><title>Software Security Ideas Ahead of Their Time</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/02/02/software-security-ideas-ahead-of-their-time/</link><pubDate>Tue, 02 Feb 2016 07:50:18 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/02/02/software-security-ideas-ahead-of-their-time/</guid><description>Every good security researcher has a well-curated list of blogs they subscribe to. At Trail of Bits, given our interest in software security and its intersections with programming languages, one of our favorites is The Programming Language Enthusiast by Michael Hicks. Our primary activity is to describe and discuss research about — and the practical […]</description></item><item><title>2015 In Review</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/01/07/2015-in-review/</link><pubDate>Thu, 07 Jan 2016 07:50:18 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/01/07/2015-in-review/</guid><description>Now that the new year is upon us, we can look back and take assessment of 2015. 
The past year saw Trail of Bits continuing our prior work, such as automated vulnerability discovery and remediation, and branching out into new areas, like secure self-hosted video chat. We also increased our community outreach: we advocated against reactionary regulation, supported security-related non-profits, hosted a bi-monthly security meetup in NYC, and more.</description></item><item><title>Let’s Encrypt the Internet</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/01/05/lets-encrypt-the-internet/</link><pubDate>Tue, 05 Jan 2016 07:50:59 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/01/05/lets-encrypt-the-internet/</guid><description>We’re excited to announce our financial support for Let’s Encrypt, the open, automated and free SSL Certificate Authority (CA) that went into public beta on December 3. With so much room for improvement in the CA space, Let’s Encrypt offers a refreshing, promising vision of encrypting the web. Expensive SSL certificates are holding back Internet […]</description></item><item><title>Self-Hosted Video Chat with Tuber</title><link>https://miscreants.github.io/blog.trailofbits.com/2015/12/15/self-hosted-video-chat-with-tuber/</link><pubDate>Tue, 15 Dec 2015 08:00:24 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2015/12/15/self-hosted-video-chat-with-tuber/</guid><description>Today, we’re releasing the source code to our self-hosted video chat platform, Tuber Time Communications (or just “Tuber”). We’ve been using Tuber for private video calls with up to 15 members of our team over the last year or two. We want you to use it, protect your privacy, and help us make it better. 
[…]</description></item><item><title>Why we give so much to CSAW</title><link>https://miscreants.github.io/blog.trailofbits.com/2015/10/30/why-we-give-so-much-to-csaw/</link><pubDate>Fri, 30 Oct 2015 07:50:52 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2015/10/30/why-we-give-so-much-to-csaw/</guid><description>In just a couple of weeks, tens of thousands of students and professionals from all over the world will tune in to cheer on their favorite teams in six competitions. If you&amp;rsquo;ve been following our blog for some time, you&amp;rsquo;ll know just what we&amp;rsquo;re referring to: Cyber Security Awareness Week (CSAW), the nation&amp;rsquo;s largest student-run cyber security event.</description></item><item><title>How to Harden Your Google Apps</title><link>https://miscreants.github.io/blog.trailofbits.com/2015/07/07/how-to-harden-your-google-apps/</link><pubDate>Tue, 07 Jul 2015 14:52:12 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2015/07/07/how-to-harden-your-google-apps/</guid><description>Never let a good incident go to waste. Today, we’re using the OPM incident as an excuse to share with you our top recommendations for shoring up the security of your Google Apps for Work account. More than 5 million companies rely on Google Apps to run their critical business functions, like email, document storage, calendaring, and […]</description></item><item><title>Introducing the RubySec Field Guide</title><link>https://miscreants.github.io/blog.trailofbits.com/2015/06/08/introducing-the-rubysec-field-guide/</link><pubDate>Mon, 08 Jun 2015 07:50:54 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2015/06/08/introducing-the-rubysec-field-guide/</guid><description>Vulnerabilities have been discovered in Ruby applications with the potential to affect vast swathes of the Internet and attract attackers to lucrative targets online. 
These vulnerabilities take advantage of features and common idioms such as serialization and deserialization of data in the YAML format. Nearly all large, tested and trusted open-source Ruby projects contain some of […]</description></item><item><title>Empire Hacking, a New Meetup in NYC</title><link>https://miscreants.github.io/blog.trailofbits.com/2015/05/05/empire-hacking/</link><pubDate>Tue, 05 May 2015 14:50:58 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2015/05/05/empire-hacking/</guid><description>Today we are launching Empire Hacking, a bi-monthly meetup that focuses on pragmatic security research and new discoveries in attack and defense. Empire Hacking is technical. We aim to bridge the gap between weekend projects and funded research. There won’t be any product pitches here. Come prepared with your best ideas. Empire Hacking is exclusive. […]</description></item><item><title>The Foundation of 2015: 2014 in Review</title><link>https://miscreants.github.io/blog.trailofbits.com/2015/01/05/the-foundation-of-2015-2014-in-review/</link><pubDate>Mon, 05 Jan 2015 07:50:00 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2015/01/05/the-foundation-of-2015-2014-in-review/</guid><description>We need to do more to protect ourselves. 2014 overflowed with front-page proof: Apple, Target, JPMorgan Chase, etc, etc. The current, vulnerable status quo begs for radical change, an influx of talented people, and substantially better tools. 
As we look ahead to driving that change in 2015, we’re proud to highlight a selection of our […]</description></item><item><title>Speaker Lineup for THREADS ’14: Scaling Security</title><link>https://miscreants.github.io/blog.trailofbits.com/2014/10/02/threads-14-scaling-security/</link><pubDate>Thu, 02 Oct 2014 08:00:20 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2014/10/02/threads-14-scaling-security/</guid><description>For every security engineer you train, there are 20 or more developers writing code with potential vulnerabilities. There’s no human way to keep up. We need to be more effective with less resources. It’s time to make security a fully integrated part of modern software development and operations. It’s time to automate. This year’s THREADS […]</description></item><item><title>We’re Sponsoring the NYU-Poly Women’s Cybersecurity Symposium</title><link>https://miscreants.github.io/blog.trailofbits.com/2014/09/29/nyu-womens-cybersecurity-symposium/</link><pubDate>Mon, 29 Sep 2014 08:50:11 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2014/09/29/nyu-womens-cybersecurity-symposium/</guid><description>Cyber security is an increasingly complex and vibrant field that requires brilliant and driven people to work on diverse teams. Unfortunately, women are severely underrepresented and we want to change that. Career Discovery in Cyber Security is an NYU-Poly event, created in a collaboration with influential men and women in the industry. 
This annual symposium […]</description></item><item><title>Education Initiative Spotlight: THREADS Call for Papers</title><link>https://miscreants.github.io/blog.trailofbits.com/2014/08/01/education-initiative-spotlight-threads-call-for-papers/</link><pubDate>Fri, 01 Aug 2014 08:50:49 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2014/08/01/education-initiative-spotlight-threads-call-for-papers/</guid><description>A 2-day conference exploring state-of-the-art advances in security automation. We would like to share the call for papers for THREADS 2014, a research and development conference that is part of NYU-Poly’s Cyber Security Awareness Week (CSAW). Trail of Bits is a founding sponsor of THREADS. The final deadline for submissions is October 6th, but you […]</description></item><item><title>Education Initiative Spotlight: Build it Break it</title><link>https://miscreants.github.io/blog.trailofbits.com/2014/07/30/education-initiative-spotlight-build-it-break-it/</link><pubDate>Wed, 30 Jul 2014 02:10:03 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2014/07/30/education-initiative-spotlight-build-it-break-it/</guid><description>We’re proud to be a sponsor of the first Build it Break it programming contest, run by the University of Maryland (UMD) and supported by one of our own employees and PhD student at the university, Andrew Ruef. 
Build it Break it is a “flipped CTF” where contestants both implement secure software and identify vulnerabilities in […]</description></item><item><title>Education Initiative Spotlight: CSAW Summer Program for Women</title><link>https://miscreants.github.io/blog.trailofbits.com/2014/07/28/education-initiative-spotlight-csaw-summer-program-for-women/</link><pubDate>Mon, 28 Jul 2014 08:50:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2014/07/28/education-initiative-spotlight-csaw-summer-program-for-women/</guid><description>At Trail of Bits we are proud of our roots in academia and research, and we believe it is important to promote cyber security education for students of every academic level. We recently sponsored a High School Capture the Flag (CTF) event, we released a CTF Field Guide, and we are a regular part of […]</description></item><item><title>Trail of Bits Adds Mobile Security Researcher Nicholas DePetrillo to Growing Team</title><link>https://miscreants.github.io/blog.trailofbits.com/2014/07/15/trail-of-bits-adds-mobile-security-researcher-nicholas-depetrillo-to-growing-team/</link><pubDate>Tue, 15 Jul 2014 08:50:09 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2014/07/15/trail-of-bits-adds-mobile-security-researcher-nicholas-depetrillo-to-growing-team/</guid><description>New York, NY (July 15th, 2014)—Veteran computer security researcher Nicholas DePetrillo has joined Trail of Bits, the New York-based security company, as Principal Security Researcher. Trail of Bits Co-founder and CEO Dan Guido announced the hire today. 
DePetrillo brings the headcount of the firm, which was founded by a team of three in 2012, to […]</description></item><item><title>We've Moved!</title><link>https://miscreants.github.io/blog.trailofbits.com/2014/06/04/weve-moved/</link><pubDate>Wed, 04 Jun 2014 14:19:40 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2014/06/04/weve-moved/</guid><description>Trail of Bits headquarters has moved! Located in the heart of the financial district, our new office features a unique design, cool modern decor, and an open layout that makes us feel right at home.</description></item><item><title>Dear DARPA: Challenge Accepted.</title><link>https://miscreants.github.io/blog.trailofbits.com/2014/06/03/dear-darpa-challenge-accepted/</link><pubDate>Tue, 03 Jun 2014 18:45:41 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2014/06/03/dear-darpa-challenge-accepted/</guid><description>We are proud to have one of the only seven accepted funded-track proposals to DARPA’s Cyber Grand Challenge. 
Computer security experts from academia, industry and the larger security community have organized themselves into more than 30 teams to compete in DARPA’s Cyber Grand Challenge — a first-of-its-kind tournament designed to speed the development of automated security […]</description></item><item><title>Trail of Bits Releases Capture the Flag Field Guide</title><link>https://miscreants.github.io/blog.trailofbits.com/2014/05/20/trail-of-bits-releases-capture-the-flag-field-guide/</link><pubDate>Tue, 20 May 2014 09:00:33 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2014/05/20/trail-of-bits-releases-capture-the-flag-field-guide/</guid><description>Free Online Coursework Allows Students, Professionals to Build Essential Offensive Security Skills New York, NY (May 20, 2014)–Security researchers at Trail of Bits today introduced the CTF Field Guide (Capture the Flag), a freely available, self-guided online course designed to help university and high school students hone the skills needed to succeed in the fast-paced, [&amp;hellip;]</description></item><item><title>Introducing Javelin</title><link>https://miscreants.github.io/blog.trailofbits.com/2014/02/24/introducing-javelin/</link><pubDate>Mon, 24 Feb 2014 08:44:38 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2014/02/24/introducing-javelin/</guid><description>Javelin shows you how modern attackers would approach and exploit your enterprise. By simulating real-time, real-world attack techniques, Javelin identifies which employees are most likely to be targets of spearphishing campaigns, uncovers security infrastructure weaknesses, and compares overall vulnerability against industry competitors. 
Javelin benchmarks the efficacy of defensive strategies, and provides customized recommendations for improving […]</description></item><item><title>iVerify is now available on Github</title><link>https://miscreants.github.io/blog.trailofbits.com/2013/07/24/iverify-is-now-available-on-github/</link><pubDate>Wed, 24 Jul 2013 12:53:09 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2013/07/24/iverify-is-now-available-on-github/</guid><description>Today we’re excited to release an open-source version of iVerify! iPhone users now have an easy way to ensure their phones are free of malware. iVerify validates the integrity of supported iOS devices and detects modifications that malware or jailbreaking would make, without the use of signatures. It runs at boot-time and thoroughly inspects the […]</description></item><item><title>Free Ruby Security Workshop</title><link>https://miscreants.github.io/blog.trailofbits.com/2013/06/03/free-ruby-security-workshop/</link><pubDate>Mon, 03 Jun 2013 12:15:50 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2013/06/03/free-ruby-security-workshop/</guid><description>We interrupt our regularly scheduled programming to bring you an important announcement: On Thursday, June 6th, just in time for SummerCon, we will be hosting a free Ruby Security Workshop in NYC! Signups are first-come, first-serve and we only have space for 30 people. 
Sign up here and we will email the selected participants the location […]</description></item><item><title>Writing Exploits with the Elderwood Kit (Part 2)</title><link>https://miscreants.github.io/blog.trailofbits.com/2013/05/20/writing-exploits-with-the-elderwood-kit-part-2/</link><pubDate>Mon, 20 May 2013 11:34:05 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2013/05/20/writing-exploits-with-the-elderwood-kit-part-2/</guid><description>In the final part of our three-part series, we investigate how the toolkit user gained control of program flow and what their strategy means for the reliability of their exploit. Elderwood and the Department of Labor Hack Writing Exploits with the Elderwood Kit (Part 1) Writing Exploits with the Elderwood Kit (Part 2) Last time, […]</description></item><item><title>Writing Exploits with the Elderwood Kit (Part 1)</title><link>https://miscreants.github.io/blog.trailofbits.com/2013/05/14/writing-exploits-with-the-elderwood-kit-part-1/</link><pubDate>Tue, 14 May 2013 12:00:57 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2013/05/14/writing-exploits-with-the-elderwood-kit-part-1/</guid><description>In the second part of our three-part series, we investigate the tools provided by the Elderwood kit for developing exploits from discovered vulnerabilities. 
Elderwood and the Department of Labor Hack Writing Exploits with the Elderwood Kit (Part 1) Writing Exploits with the Elderwood Kit (Part 2) Several mitigations must be avoided or bypassed in order […]</description></item><item><title>Elderwood and the Department of Labor Hack</title><link>https://miscreants.github.io/blog.trailofbits.com/2013/05/13/elderwood-and-the-department-of-labor-hack/</link><pubDate>Mon, 13 May 2013 12:00:10 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2013/05/13/elderwood-and-the-department-of-labor-hack/</guid><description>Recently, the Department of Labor (DoL) and several other websites were compromised to host a new zero-day exploit in Internet Explorer 8 (CVE-2013-1347). Researchers noted similarities between this attack and earlier ones attributed to Elderwood, a distinct set of tools used to develop several past strategic website compromises. We have not, however, identified any evidence […]</description></item></channel></rss>