On February 11th, 2022, I took my first jog on my new treadmill, a single mile at 5mph. I’d been taking three mile walks for a couple weeks before, but that jog just under a year ago was my first workout over 4mph. Yesterday, I ran the 3M Half Marathon in Austin, crossing the finishContinue reading “Couch to Half Marathon: Closing My First Year of Running”
Author Archives: ericlaw
Defense Techniques: Reporting Phish
While I have a day job, I’ve been moonlighting as a crimefighting superhero for almost twenty years. No, I’m not a billionaire who dons a rubber bat suit to beat up bad guys– I’m instead flagging phishing websites that try to steal money and personal information from the less tech-savvy among us. I have hadContinue reading “Defense Techniques: Reporting Phish”
SlickRun
While I’m best known for creating Fiddler two decades ago, eight years before Fiddler’s debut I started work on what became SlickRun. SlickRun is a floating command line that provides nearly instant access to almost any app or website. Originally written in Visual Basic 3 and released as QuickRun for Windows 3.1, it was soonContinue reading “SlickRun”
2022 EOY Fitness Summary
I spent dramatically more time on physical fitness in 2022 than I have at any other point in my life, in preparation for my planned adventure this June. My 2022 statistics from iFit on my incline trainer/treadmill show that I walked/jogged/ran almost 700 miles after it was set up on January 24th: Perhaps surprisingly (givenContinue reading “2022 EOY Fitness Summary”
Attack Techniques: Priming Attacks on Legitimate Sites
Earlier today, we looked at two techniques for attackers to evade anti-phishing filters by using lures that are not served from http and https urls that are subject to reputation analysis. A third attack technique is to send a lure that entices a user to visit a legitimate site and perform an unsafe operation onContinue reading “Attack Techniques: Priming Attacks on Legitimate Sites”
Attack Techniques: Phishing via Mailto
Earlier today, we looked at a technique where a phisher serves his attack from the user’s own computer so that anti-phishing code like SmartScreen and SafeBrowsing do not have a meaningful URL to block. A similar technique is to encode the attack within a mailto URL, because anti-phishing scanners and email clients rarely apply reputationContinue reading “Attack Techniques: Phishing via Mailto”
Attack Techniques: Phishing via Local Files
One attack technique I’ve seen in use recently involves enticing the victim to enter their password into a locally-downloaded HTML file. The attack begins by the victim receiving an email with a HTML file attachment (for me, often with the .shtml file extension): When the user opens the file, a credential prompt is displayed, withContinue reading “Attack Techniques: Phishing via Local Files”
ProjectK.commit()
Cruising solo across the Gulf of Mexico last Christmas, I had a lot of time to think. Traveling alone, I could do whatever I wanted, whenever I wanted. And this led me to realize that, while I was about to have a lot more flexibility in life, I hadn’t really taken advantage of that flexibilityContinue reading “ProjectK.commit()”
Missed Half
After last month’s races, I decided that I could reduce some of my stress around my first half marathon (Austin 3M at the end of January) by running a slow marathon ahead of time — a Race 0 if you will. So, I signed up for the Decker Challenge, with a goal of finishing aroundContinue reading “Missed Half”
TLS Certificate Verification Changes in Edge
When establishing a secure HTTPS connection with a server, a browser must validate that the certificate sent by the server is valid — that is to say, that: In the past, Chromium running on Windows delegated this validation task to APIs in the operating system, layering a minimal set of additional validation (e.g. this) onContinue reading “TLS Certificate Verification Changes in Edge”