Console Jockey Cypherpunk. Toots occasionally in Swedish.
I work with Secure Development, focusing a lot on #threatmodeling. Occasionally do some red teaming.
| Blog | https://joakim.uddholm.com |
I thought these signs were pretty funny yesterday when taking a walk. Each little footpath bridge I passed had one on each side.
No worries though, I crossed without being harmed.
Had some fun hacking with #networking / #linux today
I was able to set up my laptop to act as an access point and route all clients over a VPN.
Our PS5 has been having network issues. The store often takes a long time to load, and online-required or multiplayer games struggle to connect.
We think it might be related to our ISP, so I set this up to experiment with whether tunneling over a VPN could avoid any potential ISP-fuckery.
Happy to say the experiment worked and we get much better connectivity over my VPN-ed network.
Next step will be to put this on a static device - i.e. a router (or a Raspberry Pi probably works fine too).
An update on Gram, the #threatmodeling diagramming tool, and the main features we have added to it during the past half-year (I'm bad at marketing it, been meaning to post this for a long time)
We extended the stencil of the diagram to now allow for the ability to label and threat model the Data Flows. They now function like normal components and can have threats/controls added to them. In addition they also let the diagram show more context by having labels that can tell you as a viewer more exactly e.g. what protocol is used.
We added an automatic "Quality Check". This allows us to automate many of the typical validation checks we would do as reviewers of a threat model to ensure it's "good enough" quality. It has had a great effect in motivating developers to properly fill out their threat models and set a better baseline for the average threat model we review, and helps us encourage developers to use new stencil features (like previously mentioned labels :)).
We have started adding Resources into Gram. This is to help automatically show any infrastructure resources, assets or external systems connected to the system you are threat modeling. At Klarna we connect this to our "Cloud Inventory" to automatically suggest resources that should be in the threat model. In practice, this means AWS resources for us like S3 buckets, RDS instances, lambdas, but also other systems marked as dependencies in the metadata.
For now, this is just a read-only list of associated resources, but my colleague is working on making it so you can automatically match and add these resources to your threat model. This feature has already helped us spot when resources are missing from the diagram (e.g. forgotten S3 buckets, lambdas).
If you're interested in Gram, you can check out our project here:
https://github.com/klarna-incubator/gram
We ship this software for free, so stars are very much appreciated and help me sell #opensource development to the man in a suit
Any question or feedback? Just ping me here :)
Upgraded my nephew's hard drive today. Poor dude only had 500 GB so he could only ever really keep one or two games installed at a time. So I got him a 2 TB one for his birthday.
His desktop only has a single M.2 slot, so I put both the old and the new drive into my own laptop, which has two slots, then used a live USB to run dd if=<old drive> of=<new drive>. Worked perfectly.
After years of Gram only having three component types for the diagram, there's now a fourth - the Trust Boundary.
Already merged into the main branch and should be tagged for release later this week.
Started working on a tool to create PDFs for printing backups of cryptographic keys. Uses @bcrypt's niceware format/encoding. Meant for use in storing offline copies of yubikey/disk encryption keys.
Not ready for use yet. Please do not use in production and lose your keys.
Just sharing the initial prototype.
Still todo:
These #hetzner prices for storage seem very reasonable - time to do my own DIY Dropbox?
So far loving the service with them. Shame this isn't part of their #terraform provider.
The threat modeling tool I've been posting about for the past year is finally available as a public repo
https://github.com/klarna-incubator/gram
It is currently in a beta state, which it will probably be for some time, but it has the essentials now to get started.