Brad Larsen

@[email protected]
200 Followers
402 Following
846 Posts

Software toolsmith — application security, automated bug finding, secrets detection

I did binary static analysis for a few years, the spent a couple years *using* static analysis tools in anger to find security issues in C++ code. I did a couple years of client-facing appsec engagements. I've written lots of fuzzers and read a lot of code.

The past 4 years I've worked on secrets detection. I authored and maintained Nosey Parker, the fastest regex-based secrets detector out there, frequently used during offensive security engagements.

Currently a Principal Security Researcher at Truffle Security, working on all things secrets-related.

Formerly at Praetorian / Trail of Bits / Ab Initio Software / Veracode.

Websitehttps://bradfordlarsen.com
GitHubhttps://github.com/bradlarsen
Nosey Parkerhttps://github.com/praetorian-inc/noseyparker
Brad Larsen1d ago
Mattias Wadman1d ago
jaq 3.0.0 released 🚀 with multiple format support (YAML, CBOR, TOML, XML, CSV, TSV), new shiny manual, byte strings, speed ups, lots of jq compatibility fixes and a lot more.
Congrats and nice work Michael Färber!
https://github.com/01mf02/jaq/releases/tag/v3.0.0
#jq #jaq
Release 3.0 · 01mf02/jaq

jaq is a jq clone with focus on correctness, speed, and simplicity. The most outstanding change in jaq 3.0 is its multi-format support, allowing you to read and write several data formats such as Y...

GitHub
Show threadBrad Larsen2d ago
@fasterthanlime it's systolic
Brad Larsen4d ago
Per Vognsen4d ago
I've seen several independent, complete misconceptions of the Curry-Howard isomorphism just in the last week. Where are people getting these ideas, I wonder. Today's specimen, courtesy of the Hegel thread on HN: "Given Curry-Howard isomorphism, couldn't we ask AI to directly prove the property of the binary executable under the assumption of the HW model, instead of running PBTs?"
Show threadBrad Larsen4d ago
@pervognsen yes!! I saw that comment too and thought to myself that the commenter should put down the crack pipe. Big words but a completely ridiculous question that belies either trolling or a total misunderstanding of all of it. LLM commentary perhaps? It's an old account though.
Brad LarsenMar 19
if you love claude code so much why don't you marry it
Brad LarsenMar 19

Did you know that Go's 'encoding/json' package, in addition to its inability to express required fields in serialization, also is usually slower than Python's already-slow 'json' library?

I was shocked to discover this, but am seeing Go's json parsing go several times slower than Python's. (And yes, before you ask, this performance is significant in my application.)

Familiarity breeds contempt and all that...

Brad LarsenMar 18

I got a semi-plausible-looking malware email tonight from someone I had interacted with before.

The email was BCCd to who knows how many people.

I haven't looked at email source much before, but in this case, some software along the way ended up adding TLS verification metadata about every recipient in a custom header! I wonder how common this is (where headers leak the recipients / domains in the BCC list).

Brad LarsenMar 16
Adam Shostack  Mar 15

Is there a term of art for usable display of hashes, keys or other crypto material?

I want things that are recognizable to a person "at a glance" and change dramatically on a small change. (thanks for the clarifying q, @jbaggs !)

I'd used the phrase "visual hash" but I'm getting a lot of things about hashing images (eg, https://www.researchgate.net/profile/Xiaofeng-Wang-32/publication/276428507_A_Visual_Model-Based_Perceptual_Image_Hash_for_Content_Authentication/links/5593471908ae5af2b0eb7420/A-Visual-Model-Based-Perceptual-Image-Hash-for-Content-Authentication.pdf)

Think the sorts of swirling dot displays Apple uses something when you migrate between phones.

Show threadBrad LarsenMar 14
@codeslack I switched Nosey Parker to using vectorscan everywhere back in... 2023? I think it is ABI compatible with Hyperscan 5.4-something, but runs on more hardware. It at least has been API-compatible
Brad LarsenMar 13

I just published v0.0.6 of the `vectorscan-rs` crate for Rust. It includes a bugfix and upgrades the vendored version of Vectorscan from 5.4.11 to 5.4.12.

https://crates.io/crates/vectorscan-rs

crates.io: Rust Package Registry