Ian Haken (@ianhaken)'s Twitter Profile

Security Software Engineer @Netflix. I don't tweet much anymore, but I check my DMs if you'd like to reach out.

ID: 2917138398

https://github.com/JackOfMostTrades | 03-12-2014 03:50:51

129 Tweet

639 Followers

58 Following

Black Hat (@blackhatevents):

A new technique for the automated discovery of deserialization gadget chains in Java that offers efficiency for defensive teams and penetration testers alike + a FOSS toolkit which utilizes this methodology. #BHUSA Briefing by Ian Haken ow.ly/sV7H30l16NO

Ian Haken (@ianhaken):

Looking forward to giving my BH talk this afternoon. Look out for some new tricks for developing deserialization exploits!

Ian Haken (@ianhaken):

If you're looking for slides from my talk (including all the links) it's available here: i.blackhat.com/us-18/Thu-Augu… Tool is on github here: github.com/JackOfMostTrad…

Ian Haken (@ianhaken):

I've had quite a few people ask about generalizing my deserialization work to .NET. If that's something you're interested in or might work on, let me know on twitter so I can RT and connect folks together!

Ruben M (@ruboinc):

Brought home a Dell server. Wife: can I see the server? Me: here’s the server. Wife: why do you need that? Me: For testing. Wife: no.... I mean I thought you went #serverless? Me: 😶 Wife: I mean... you have the t-shirts and stuff... Me: 😶 I had no words.

Russell Lewis (@russelltlewis):

Do you use RSA SSH certs (e.g. BLESS)? Pay attention to openssh.com/txt/release-7.8 as it changes how 7.8 clients offer RSA certs to all servers. The result: bugs.launchpad.net/ubuntu/+source… bugzilla.redhat.com/show_bug.cgi?i… bugs.archlinux.org/task/59838?pro…

Aaron P Blohowiak (@aaronblohowiak):

If you want to do your best work, have a clear impact on millions of people, learn from stunning colleagues and push the field forward please reach out to me. Netflix is an amazing place to work. If you want to have an informal chat before applying, that's cool too.

Chris Frohoff (@frohoff):

Come see Ian Haken give his talk "Automated Discovery of Deserialization Gadget Chains" at the OWASP San Diego meeting on Thurs 10/18 meetup.com/Open-Web-Appli…

LF Events (@eventslf):

Attend this panel discussion at #osfintech led by Ken Owens, Louis Ryan, Ian Haken, Torin Sandall & @whenfalse as they will cover how organizations are using open source software tools around identity based access management to get to “zero trust” models. -sched.co/G4N5

Ian Haken (@ianhaken):

I found a new RCE deserialization gadget chain in Clojure. Seriously, don't deserialize untrusted data, y'all! github.com/frohoff/ysoser…

Chris Frohoff (@frohoff):

Worth noting that clojure is the 6th most popular mvn dep per mvnrepository.com/popular. Please don't deserialize untrusted data #javadeser x.com/ianhaken/statu…