Daniel Davidson

@tacky1@defcon.social
1 Followers
41 Following
55 Posts
Infrastructure security champion. Zero trust evangelist. Threat modelling leader.
🇨🇦

https://tailscale.com/blog/how-nat-traversal-works

A delightful and thorough explanation of NAT traversal.

h/t @Cirio

How NAT traversal works

Learn how NAT traversal works, how Tailscale can get through and securely connect your devices directly to each other.

“The entire enterprise private network is not considered an implicit trust zone.”

If your VPN rules include “from trust to trust”, it’s not #ZeroTrust.

I had my first #freelance client call yesterday. A solid first performance… except for the part where I referred to the NIST Cybersecurity Framework as the NIST Cloud something something. Fortunately, the client wasn’t fussed about it. 😅

#NetSec

Funniest thing I heard today that’s actually a good idea: “this document should be pinned to every channel in slack and considered required reading” when I shared a link to our Data Taxonomy Management System (DTMS).

I'm pretty stoked on https://github.com/mrwadams/stride-gpt for helping folks produce STRIDE-based threat models. I was pleasantly surprised by the threats identified by pointing it at some public GitHub repos. Looking forward to trying it at work this week.
GitHub - mrwadams/stride-gpt: An AI-powered threat modeling tool that leverages OpenAI's GPT models to generate threat models for a given application based on the STRIDE methodology.

GitHub
#FounderMode vs leading from behind. Looking back at this last project, implementing preliminary ZTNA: we got there in the end, but in almost none of the ways I intended for it to be implemented… I haven’t decided yet if I should have been more hands on and prescriptive, or if I gave folks the appropriate level of autonomy and the process worked as intended. In any case, more #ZeroTrust and less VPN is better.

Unfortunately my first reaction was, of course Microsoft is vulnerable to an ATO scheme… but in theory any provider that supports device code flow is vulnerable. It’s not an OAuth 2 problem, it’s a phishing problem.

This attack method emphasizes the importance of device verification and authorization. An untrusted device shouldn’t be permitted to participate in the device code flow.

https://arstechnica.com/information-technology/2025/02/russian-spies-use-device-code-phishing-to-hijack-microsoft-accounts/

What is device code phishing, and why are Russian spies so successful at it?

Overlooked attack method has been used since last August in a rash of account takeovers.

Ars Technica
whoAMI attacks give hackers code execution on Amazon EC2 instances

Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name.

BleepingComputer

OAuth2 Proxy: the MVP of zero trust network access.

https://oauth2-proxy.github.io/oauth2-proxy/

#ZeroTrust

Welcome | OAuth2 Proxy

OAuth2 Proxy

Cool example of using an LLM for threat modelling that I’m keen to try.
https://xvnpw.github.io/posts/scaling-threat-modeling-with-ai/

h/t @adamshostack

Scaling Threat Modeling with AI: Generating 1000 Threat Models Using Gemini 2.0 and AI Security Analyzer

An in-depth look at how I leveraged Gemini 2.0 to create a massive security documentation repository, complete with practical examples and lessons learned.

xvnpw personal blog