Skip to content

Instantly share code, notes, and snippets.

Avatar

Lance R. Vick lrvick

View GitHub Profile
View Makefile
mkfile_path := $(abspath $(lastword $(MAKEFILE_LIST)))
current_dir := $(notdir $(patsubst %/,%,$(dir $(mkfile_path))))
userid = $(shell id -u)
groupid = $(shell id -g)
image = "bitgo/$(current_dir):latest"
default: build
lint: helm-lint
fetch: submodule-update
latest: submodule-latest build
View gist:f106d30826eb4680f2e447c5967a11db
[lrvick@qatan crosshatch-PQ3A.190801.002]$ ls -lah crosshatch-avb_pkmd.bin
-rw-r--r-- 1 lrvick lrvick 520 Aug 6 2019 crosshatch-avb_pkmd.bin
[lrvick@qatan crosshatch-PQ3A.190801.002]$ sudo ./fastboot flash avb_custom_key crosshatch-avb_pkmd.bin
target reported max download size of 268435456 bytes
Sending 'avb_custom_key' (0 KB)...
OKAY [ 0.120s]
Writing 'avb_custom_key'...
FAILED (remote: Failed flash avb custom key Device Error)
Finished. Total time: 0.687s
@lrvick
lrvick / physsec_shopping.md
Last active Feb 13, 2020
PhysSec Shopping List
View physsec_shopping.md

PhysSec Shopping List

Need to get into a building? Start a police car? Borrow a bulldozer? Go to a restricted elevator floor? It is pretty easy with the right tools and sometimes a bit of practice.

Knowing what those tools even are is half the battle. This guide attempts to solve that for you for for free.

Actually obtaining these tools is non-trivial but -all- of them can be obtained

@lrvick
lrvick / role.md
Last active Mar 6, 2020
My default canned response to all recruiters. Know what you want out of your career and articulate it specifically if you want to get it either at your current employer, or a different one.
View role.md

I know exactly what I want in a long term role so I can save us some time.

For me to be willing to change jobs at this point I would expect:

  • A high level of autonomy where I am allowed to work weird hours.
  • Have my obsession for auditable everything be humored/tolerated
    • I prefer to work with open platforms like RISC-V and OpenPower and open operating systems like Linux, FreeBSD, OpenBSD, Sel4, etc
    • I am never asked to rely on any software I can't audit on any of my personal or company devices.
  • No need to go find clients myself or worry about the business side of the house
  • Travel/lodging covered for the 2-3 security conferences I try to attend every year.
View xinitrc
#!/bin/bash
# Let GPG know about our current terminal
gpg-connect-agent updatestartuptty /bye
# Start compositor for faster rendering for terminals etc
compton &
# Set wallpaper
nitrogen --set-scaled ~/.wallpaper/yourcoolwallpaper.jpg
@lrvick
lrvick / usbninja.ino
Last active Sep 6, 2019
One size fits all BadUSB attack for Mac/Windows for the USBNinja. Logs all attacks to server. Server can optionally provide a unique payload for each target hostname/user combo.
View usbninja.ino
#include <NinjaKeyboard.h>
void setup(){}
void loop() {}
void payloadA(){
USBninjaOnline();
NinjaKeyboard.begin();
NinjaKeyboard.delay(1000);
@lrvick
lrvick / distributed_trust_git_flow.md
Last active Feb 20, 2019
An opinionated git workflow optimized for a strong resistance to tampering by any single party.
View distributed_trust_git_flow.md

Distributed Trust Git Flow

Goals

  • Remove chance of undetected malicious or accidental mutations of code in VCS
  • The VCS and review tool servers as well as their maintainers must never be trusted.
  • We must be able to cryptographically prove
    • Who authored all commits
    • Who on engineering team signed the release candidate tag on a ref
    • Who on release team signed the release tag for a ref
@lrvick
lrvick / hardening_playbook.md
Created Jan 25, 2019
Hardening Playbook: My dumping ground for my system hardening research, mostly focusing on Linux but paying attention to other systems.
View hardening_playbook.md

Hardening Playbook

Threat profile

  • Attacker has unlimited funding
  • Attacker has decades of patience
  • Attacker knows everything you do and more
  • Attacker has no morals and can break any law
  • Attacker can compromise any single system
  • Attacker can compromise any single individual
View random_red_team.md

Random Red Team

Summary

This document seeks to detail intentionally introducing security vulnerbilties into projects to test code review processes and foster a healthy and expected culture of distrust and higher security scrutiny during code reviews regardless of social standing, or experience level of the author.

Motivation

@lrvick
lrvick / diff-tree.md
Created Oct 2, 2018
Git diff-tree issues
View diff-tree.md

Git 2.11.0

$ git rev-parse HEAD
2e6215c920f384f958dc6dafcbaee5698c965657
$ git diff-tree -p "HEAD^"..HEAD | sha256sum
ae4fc1d2285ab6ac84cdd8ff6235f5534b6ded467dd8f586cbe1bfe885cc1afe  -
$ git diff-tree -p "HEAD^"..HEAD | git patch-id --stable
d9c0bf01265096e69f24b6e10d6c471f92d203c3 0000000000000000000000000000000000000000
You can’t perform that action at this time.