@moyix


Associate Professor @ NYU Tandon. Security, RE, ML. PGP http://keybase.io/moyix/

On leave from NYU, building offsec agents at xbow.com

Founder of the MESS Lab: http://messlab.moyix.net

Homepage: https://moyix.net/
Erdős-Bacon Number: 3+3=6

So... anyone else going to SummerCon today or tomorrow? I should be stopping by both days, for the first time in many years!
XBOW found a critical auth bypass (CVE-2024-50334) in Scoold, a widely-used open-source Q&A site, fully autonomously! @nicowaisman and I wrote up a post walking through the methodology it used – IMO it's a super cool bug and fascinating trace https://xbow.com/blog/xbow-scoold-vuln/
XBOW – How XBOW found a Scoold authentication bypass

As we shift our focus from benchmarks to real world applications, we will be sharing some of the most interesting vulnerabilities XBOW has found in real-world, open-source targets. The first of these is an authentication bypass in Scoold, a popular open-source Q&A platform.

Our AI pentester matched the performance of a human expert with 20 years of experience, while taking 28 minutes to accomplish what took the human 40 hours. For more details, read more about the experiment here: https://xbow.com/blog/xbow-vs-humans/
XBOW – XBOW now matches the capabilities of a top human pentester

Five professional pentesters were asked to find and exploit the vulnerabilities in 104 realistic web security benchmarks. The most senior of them, with over twenty years of experience, solved 85% during 40 hours, while others scored 59% or less. XBOW also scored 85%, doing so in 28 minutes. This illustrates how XBOW can boost offensive security teams, freeing them to focus on the most interesting and challenging parts of their job.

XBOW finds and exploits vulnerabilities in 75% of 647 renowned web benchmarks. Given a short description of the benchmark, it autonomously pursues high-level goals, executing commands and interpreting their output to achieve exploitation. Check it out: https://xbow.com
XBOW

Boosting offensive security with AI

What if an AI’s “brilliant” solution to a problem is just memorized? Modern AI systems have seen the whole web, so there’s only one way to be sure—we created 104 novel benchmarks. Now we can be certain that beautiful solves like this one are real: https://bit.ly/4cIW0NI

Is there, somewhere, a good account of the "full disclosure" debates from the 90s / early 2000s and how the security community landed on the policy of being very open about attack techniques and tools?
Preliminary writeup on my CSAW CTF Finals challenge, NERV Center: an Evangelion-themed Pwn+Crypto challenge that abuses select() to let you factor an RSA key! https://threadreaderapp.com/thread/1723398619313603068.html
Thread by @moyix on Thread Reader App

@moyix: Will still try to do a blog post on my @CSAW_NYUTandon CTF challenge, NERV Center, but for now here's a thread explaining the key mechanics. I put a lot of work into the aesthetics, like this...…

Suppose for a dataset we need to host 12TB of docker images somewhere. Where would be a good place to do that? I assume Docker Hub would be really unhappy with us if we tried it
It's honestly crazy how much pressure there is on kids to get involved in research early these days
Do I know someone on here who's good at number theory / cryptography that I can DM? I'm writing a CTF challenge for CSAW and have a maybe-interesting RSA question.