Learn how Google CVR could have potentially exfiltrated Gemini 1.0 Pro before launch last year. We describe the vulnz, the fix, and tips for bughunters. Also, shout-out to @epereiralopez for teaming up to adapt this work to another cloud provider.
https://t.co/65PY5o3mtV
Today our Cloud Vulnerability Research (CVR) team shared this research into LLM security, which is broadly applicable to AI domain security practitioners working in this rapidly evolving space.
Learn more: https://t.co/QtcOoDKgez
Introducing https://t.co/iULfuMrtEd 🕵️‍♀️
Be the first to participate in the first-of-its-kind cloud hacking competition. 🤝
WIN PRIZES from our 4.5M$ prize pool. 💰
Register your exploit > https://t.co/pr7GC5uRqu
@msftsecresponse @awscloud @googlecloud
🕺"Leaving tradition" is one of the best parts of Google's security culture and has led to some of the most interesting attack chains I've gotten to work on. There's nothing quite like starting with a blank slate and ending with a root shell.💃
Celebrating 15 years of password hacking 💻 🔑, Swiss Army knives (and sometimes even chainsaws or swords) included! 😲
Discover how Google's security teams turn employee farewells into security tests.
https://t.co/Mapn7Nrs78
Effective today, Google will issue CVEs for critical vulnerabilities in Google Cloud that are fixed internally and do not require customer action or patching.
https://t.co/obc0Tz9Nv5
Before joining Google, I submitted some Cloud bugs to the Google Vulnerability Rewards Program (VRP). Today, we announced a dedicated Cloud VRP and I'm so excited to be a part of the program that got me into Google in the first place.
Send us vulnz 🙂
https://t.co/9cddeUoYcL
Cloud CISO Perspectives Blog for mid-October ‘24 is up covering:
- Sharing AI vulnerability research
- Virtual red teams
- Advances in DDoS mitigation
- Securing inherited cloud deployments
- Can AI keep a secret?
- and more…
https://t.co/y9CtqKKAIj
Excited to share this blog post about server-side memory corruption that my team exploited in production.
Shout-out to @scannell_simon, @epereiralopez, and @thatjiaozi - this was a very fun project. :-)
https://t.co/63Ho3HvF4w
Very excited to present this with @amlweems! See you in Berlin!
(@epereiralopez and @thatjiaozi) were also working on that project and will also be there :)
@bl4sty @julianor Yes, but I don't yet understand their purpose. My hunch is that command 1 might be for identifying a vulnerable server w/o calling system(). Command 3 looks interesting.
@solardiz This is an excellent point, I had only been considering the simple case where the values were e.g. 2*1+0, but it makes more sense that they'd be large ints to look less suspicious. I'll update the .patch later today.
I've been reverse engineering the xz backdoor this weekend and have documented the payload format and written a proof-of-concept exploit for the RCE. The payloads are signed with an ED448 key, so I patched my own key into the backdoor for testing. :-)
https://t.co/CvKo3xPRkP
@julianor @vx__notduck1e @CodeAsm_ I've tested and signature replay works as expected, allowing modification of the command (except the first 5 chars). But I agree it is unrealistic until we actually capture a real signature (which may never happen).
@therealshodan Did you capture SSH certificates as well? The payload is embedded in the CA signing key in the cert and will always start with 16 bytes that match a specific pattern.
(see https://t.co/CvKo3xPRkP for the payload format)
https://t.co/5MSMjKzqhK
Our research on the deep mines of the JPX standard is now public. I had the pleasure and the privilege to work with @scannell_simon, @amlweems and @epereiralopez on this one.
Pretty interesting client side info leak vector :)