An Improbable Recovery
Way back on May 11th of 2022, I was visiting my team (Edge browser) for the week in Redmond, Washington. On Wednesday night, I left my ThinkPad X1 Extreme laptop in a work area on the 4th floor of the…
AI Injection Attacks
A hot infosec topic these days is “How can we prevent abuse of AI agents?” While AI introduces awesome new capabilities, it also entails an enormous set of risks from the obvious and mundane to the esoteric and elaborate. As…
2025 Summer Vacation
The boys and I went to Maryland for the first half of August to visit family and check out some roller coasters. They hit Kings Dominion, Busch Gardens, Six Flags America (final season), and Hershey Park. We also hiked up…
Security Product Efficacy
I’ve written about security products previously, laying out the framing that security products combine sensors and throttles with threat intelligence to provide protection against threats. As a product engineer, I spend most of my time thinking about how to improve…
Family Safety Content Filtering
Microsoft Family Safety is a feature of Windows that allows parents to control their children’s access to apps and content in Windows. The feature is tied to the user accounts of the parent(s) and child(ren). When I visit https://family.microsoft.com and…
First Look: Apple’s NEURLFilter API
At WWDC 2025, Apple introduced an interesting new API, NEURLFilter, to respond to a key challenge we’ve talked about previously: the inherent conflict between privacy and security when trying to protect users against web threats. That conflict means that security…
Web Category Filtering
Since the first days of the web, users and administrators have sought to control the flow of information from the Internet to the local device. There are many different ways to implement internet filters, and numerous goals that organizations may…
Fiddler in 2025
The Fiddler Web Debugger is now old enough to drink, but I still use it pretty much every day. Fiddler hasn’t aged entirely gracefully as platforms and standards have changed over the decades, but the tool is extensible enough that…
Attack Techniques: Fake Literally Everything! (Escrow Scam)
The team recently got a false-negative report on the SmartScreen phishing filter complaining that we fail to block firstline-trucking.com. I passed it along to our graders but then took a closer look myself. I figured that maybe the legit site…
Vibe-coding for security
Recently, there’s been a surge in the popularity of trojan clipboard attacks whereby the attacker convinces the user to carry their attack payload across a security boundary and compromise the device. Meanwhile, AI hype is all the rage. I recent…
Understanding SmartScreen and Network Protection
The vast majority of cyberthreats arrive via one of two related sources: That means that by combining network-level sensors and throttles with threat intelligence (about attacker sites), security software can block a huge percentage of threats. Protection Implementation On Windows…
A Solid 10K
After last year’s disappointing showing at the Capitol 10K, I wanted to do better this time around. We left the house at 6:47; traffic was light and we pulled into my regular parking spot at 7:09. It was a very…
Defensive Technology: Exploit Protection
September 2025 tl;dr: You probably should not touch Exploit Protection settings. This post explains what the feature does and how it works, but admins and end-users should probably just leave it alone to do what it does by default. Over…
Defensive Technology: Windows Filtering Platform
Last November, I wrote a post about the basics of security software. In that post, I laid out how security software is composed of sensors and throttles controlled by threat intelligence. In today’s post, we’ll look at the Windows Filtering…
Runtime Signature Checking Threat Model
Telerik developers recently changed Fiddler to validate the signature on extension assemblies before they load. If the assembly is unsigned, the user is presented with the following message: In theory, this seems fine/good– signing files is a good thing! However,…
Spring Break
Spring break is one of the best times to be in Texas. The weather’s usually nice, and outdoor fun things to do aren’t miserably hot. This year, the kids are obsessed with roller coasters, so we bought Season Passes to…
Debugging Chromium
A customer recently complained that after changing the Windows Security Zone configuration to Disable launching apps and unsafe files: … trying to right-click and “Save As” on a Text file loaded in Chrome fails in a weird way. Specifically,…
Authenticode in 2025 – Azure Trusted Signing
I’ve written about signing your code using Authenticode a lot over the years, from a post in 2015 about my first hardware token to a 2024 post about signing using a Digicert HSM. Recently, Azure opened their Trusted Signing Service…
Guidelines for Secure Filename Display
Many years ago, I wrote the first drafts of Chromium’s Guidelines for Secure URL Display. These guidelines were designed to help feature teams avoid security bugs whereby a user might misinterpret a URL when making a security decision. From a…
Attack Techniques: “I Already Hacked You” Scams
Scammers often try to convince you that you’ve already been hacked and you must contact them or send them money to prevent something worse from happening. I write about these a bunch: Another common “Bad thing already happened” scam is…
Winter 2025 Races
Austin Half On January 19th, I ran the newly-renamed “Austin International Half Marathon” (formerly 3M). The night before I had spaghetti and meat sauce with the kids, and the morning of, I woke at 5:15 and had a cup of…
Welcome to 2025!
I’d intended to write this post weeks ago, but I’ve been rather unproductive. I ran the Dallas Half Marathon with an out-of-town friend on December 15th. It was a hard and very slow trek, but I managed to get back…
On Mortality
Content Warning: This post is about mortality. This morning, I awoke from a dream. I’d just discovered a ticking time bomb was a fake, and the dream ended as I said to my companion “There’s nothing quite as exhilarating as…
Mark-of-the-Web: Real-World Protection
Two years ago, I wrote up some best practices for developers who want to take a file’s security origin into account when deciding how to handle it. That post was an update of a post I’d written six years prior…
My New Desktop
After a frustrating morning with my troublesome P1 Gen 7 laptop, I decided it was time to bite the bullet and stop working off laptops full-time, a habit that I inexplicably fell into at the start of the pandemic. I…
Fiddler – My Mistakes
On a flight back from Redmond last week, I finally read Linus Torvalds’ 2002 memoir “Just For Fun.” I really enjoyed its picture of Linux (and Torvalds) early in its success, with different chapters varyingly swooning that Linux had 12…
Parallel Downloading
I’ve written about File Downloads quite a bit, and early this year, I delivered a full tech talk on the topic. From my very first days online (a local BBS via 14.4 modem, circa 1994), I spent decades longing for…
Security Software – An Overview
I’ve spent nearly my entire professional career in software security: designing software to prevent abuse by bad actors. I’ve been battling the bad guys for over two decades now, from hunting security bugs in Microsoft Office (I once won an…
Best Practices for SmartScreen AppRep
Last year, I wrote about how Windows integrates SmartScreen Application Reputation to help ensure users have a secure and smooth experience when running downloaded software. tl;dr: When a user runs a downloaded program, a call to SmartScreen’s web-based reputation service…
Defensive Technology: Controlled Folder Access
Most client software’s threat models (e.g. Edge, Chrome) explicitly exclude threats where the local computer was compromised by malware. That’s because, without a trusted computing base, it’s basically impossible to be secure against attackers. This concept was immortalized decades ago…
On Politics
I do not come from an especially political family. One parent has not voted in decades, and the other votes regularly, but is not an enthusiast and values harmony over potentially-divisive political discussions. Politically, I am left of center– the…
Lenovo P1, Gen7: Meh
I’ve been a loyal user of Thinkpads for over twenty-five years now, and I currently own four (with another on loan from Microsoft). In July, the screen on my Lenovo X1 Yoga Gen 6 failed at an inopportune time, and…
Defensive Technology: Antimalware Scan Interface (AMSI)
Endpoint security software faces a tough challenge — it needs to be able to rapidly distinguish between desired and unwanted behavior with few false positives and false negatives, and attackers work hard to obfuscate (or cloak) their malicious code to…
Content-Blocking in Manifest v3
I’ve written about selectively blocking content in browsers several times over the last two decades. In this post, I don’t aim to convince you that ad-blocking is good or bad, instead focusing on one narrow topic. Circa 2006, I was…
Attack Techniques: Encrypted Archives
Tricking a user into downloading and opening malware is a common attack technique, and defenders have introduced security scanners to many layers of the ecosystem in an attempt to combat the technique: With all this scanning in place, attackers have…
Welcome to Fall, I guess?
Two months without a blog post? Sheesh. A lot has happened in two months, although perhaps nothing especially interesting. I splurged on a new laptop, a Lenovo P1 Gen7 (22-core Ultra 9 185H and 64 gigs of memory). It’s big,…
Browser Features: Find in Page
For busy web users, the humble Find-in-Page feature in the browser is one of the most important features available. While Google or Bing can get you to the page you’re looking for faster than ever before, once you get to…
Memento Mori – Farewells
A sad part of getting older is losing friends along the way. But it’s an important reminder that every day is a gift, and no tomorrow has been promised. Last week brought the sad news that David Ross has passed…
Attack Techniques: PayPal Invoice Scams
Today in “Attack techniques so stupid, they can’t possibly succeed… except they do!” — we look at Invoice Scams. PayPal and other sites allow anyone (an attacker) to send anyone (their victims) an invoice containing the text of the attacker’s…
Attack Techniques: Trojaned Clipboard
Today in “Attack techniques so stupid, they can’t possibly succeed… except they do!” — the trojan clipboard technique. In this technique, the attacking website convinces the victim to paste something the site has silently copied to the user’s clipboard into…
Authenticode in 2024
My 2021-2024 Authenticode certificate expired yesterday, so I began the process of getting a replacement last week. As in past years, I again selected a 3 year OV certificate from DigiCert. Validation was straightforward. After placing my order, I got…
Attack Techniques: Remote Control Software
In yesterday’s post, I outlined the two most successful (and stupid simple) attack techniques that you might not expect to work (and you’d be so very wrong): Today, let’s explore number 3: “Please give me control of your computer so…
Attack Techniques: Full-Trust Script Downloads
While it’s common to think of cyberattacks as being conducted by teams of elite cybercriminals leveraging the freshest 0-day attacks against victims’ PCs, the reality is far more mundane. Most attacks start as social engineering attacks: abusing a user’s misplaced…
Spring 2024 Updates
After a slow and painful 2024 Cap10K, I ran the HEB Sunshine Run 10K on May 5th in 1:05:53, just 22 seconds faster, but without pain or surprises. After months without running several hours per week, my fitness has definitely…
ERR_BLOCKED_BY_CLIENT and HTML5 Sandbox
Recently, many Microsoft employees taking training courses have reported problems accessing documents linked to in those courses in Chrome and Edge. In Edge, the screen looks like this: But the problem isn’t limited to Microsoft’s internal training platform, and can…
Mouse Gestures in Edge
Over twenty years ago, the Opera browser got me hooked on mouse gestures, a way for you to perform common browser actions quickly. After I joined the IE team in 2004, I fell in love with a browser extension written…
Going Electric – Solar 1 Year Later
In March of 2023, I had an 8kw solar array installed and I was finally permitted to turn it on starting April 21, 2023. My pessimistic/optimistic assumption that my buying an expensive solar array was going to be the trigger…
Browser Security Bugs that Aren’t: JavaScript in PDF
A fairly common security bug report is of the form: “I can put JavaScript inside a PDF file and it runs!” For example, open this PDF file with Chrome, and you can see the alert(1) message displayed: Support for JavaScript…
A Slow 10K
I “ran” the Capitol 10K for a third time on Sunday. It did not go well, but not for any of the reasons I worried about. The rain stopped hours before the race, and the course wasn’t wet. My knees…
Attacker Techniques: Gesture Jacking
A few years back, I wrote a short explainer about User Gestures, a web platform concept whereby certain sensitive operations (e.g. opening a popup window) will first attempt to confirm whether the user intentionally requested the action. As noted in…
pushState and URL Blocking
The Web Platform offers a handy API called pushState that allows a website’s JavaScript to change the URL displayed in the address bar to another URL within the same origin without sending a network request and loading a new page.…
Browser Extensions: Powerful and Potentially Dangerous
Regular readers of my blogs know that I love browser extensions. Extensions can make using your browser more convenient, fun, and secure. Unfortunately, extensions can also break web apps in bizarre or amusing ways, dramatically slow your browser performance, leak…
Second Seaside Half
I ran my second Galveston Half Marathon on Sunday, February 25th. The course was identical to last year’s race, starting at Stewart beach heading north before looping back down to the Pleasure Pier before returning to the start/finish line on…
The Importance of Feedback Loops
This morning, I found myself once again thinking about the critical importance of feedback loops. I thought about obvious examples where small bad things can so easily grow into large bad things: – A minor breach can lead to complete…
Cloaking, Detonation, and Client-side Phishing Detection
Today, most browsers integrate security services that attempt to protect users from phishing attacks: for Microsoft’s Edge, the service is Defender SmartScreen, and for Chrome, Firefox, and many derivatives, it’s Google’s Safe Browsing. URL Reputation services do what you’d expect…
x22i Treadmill Review
I love my treadmill, but two years in, I cannot recommend it. On New Year’s Day 2022 I bought a NordicTrack x22i Incline Trainer (a treadmill that supports 40% incline and 6% decline) with the aim of getting in shape…
How Downloads Work
I delivered a one hour session on the internals of file downloads in web browsers at THAT Conference 2024. The slides are here and a MP3 of the talk is available. If you’d prefer to read, much of the content…
A Cold and Slow 3M Half
My second run of the 3M Half Marathon was Sunday January 21, 2024. My first half-marathon last year was cold (starting at 38F), but this year’s was slated to be even colder (33F) and I was nervous. For dinner on…
The Blind Doorkeeper Problem, or, Why Enclaves are Tricky
When trying to protect a secret on a client device, there are many strategies, but most of them are doomed. However, as a long-standing problem, many security experts have tried to chip away at its edges over the years. Over…
Coding at Google
I wrote this a few years back, but I’ve had occasion to cite it yet again when explaining why engineering at Google was awesome. To avoid it getting eaten by the bitbucket, I’m publishing it here. Background: From January 2016…
Fall 2023 Races
While I’ve been running less, I haven’t completely fallen out of the habit, and I still find spending an hour on the treadmill to be the simplest way to feel better for the rest of the day. Real-world racing remains…
Defense Techniques: Blocking Protocol Handlers
Application Protocols represent a compelling attack vector because they’re the most reliable and cross-browser compatible way to escape a browser’s sandbox, and they work in many contexts (Office apps, some PDFs handlers, some chat/messaging clients, etc). Some protocol handlers are…
Attack Techniques: Steganography
Attackers are incentivized to cloak their attacks to avoid detection, keep attack chains alive longer, and make investigations more complicated. One type of cloaking involves steganography, whereby an attacker embeds hidden data inside an otherwise innocuous file. For instance, an…
Troubleshooting Edge (or Chrome) Broken UI
Last time, we looked at how to troubleshoot browser crashes. However, not all browser problems result in the tab or browser crashing entirely. In some cases, the problem is that some part of the browser UI doesn’t render correctly. This most…
Troubleshooting Edge (or Chrome) Browser Crashes
In the modern browser world, there are two types of crashes: browser crashes and renderer crashes. In a browser crash, the entire browser window with all of its tabs simply vanishes, either on startup, or at some point afterward. The…
Driving Electric – One Year In
One year ago, I brought home a new 2023 Nissan Leaf. I didn’t really need a car, but changing rules around tax credits meant that I pretty much had to buy the Leaf last fall if I wanted to save…
Protecting Auth Tokens
Authenticating to websites in browsers is complicated. There are numerous different approaches: Each of these authentication mechanisms has different user-experience effects and security properties. Sometimes, multiple systems are used at once, with, for example, a Web Forms login being bolstered…
ServiceWorkers vs. Network Filtering
In a recent post, I explored how the design of network security features impact the tradeoffs of the system. In that post, I noted that integrating a URL check directly into the browser provides the security check with the best…
Security: The Impact of Time
Two years ago, I wrote a long post about the importance of time, and how practical time machines can help reduce emergencies into more mundane workitems. Today, we revisit the same topic, with a focus on the Security impact of…
Beware: URLs are Pointers to Mutable Entities
Folks often like to think of URLs as an entity that can be evaluated: “Is it harmless, or is it malicious?” In particular, vendors of security products tend to lump URLs in with other IoCs (indicators of compromise) like the…
Email Etiquette: Avoid BCC’ing large distribution lists
While Microsoft corporate culture has evolved over the years, and the last twenty years have seen the introduction of new mass communication mechanisms like Yammer and Teams, we remain an email heavy company. Many product teams have related “Selfhost” or…
Fiddler Web Debugger Turns 20
Twenty years ago (!!?!) was the first official release of Fiddler. I still run Fiddler for some task or another almost every working day. I still run my version (Fiddler Classic) although some of the newer tools in the Fiddler…
Security Tradeoffs: Privacy
In a recent post, I explored some of the tradeoffs engineers must make when evaluating the security properties of a given design. In this post, we explore an interesting tradeoff between Security and Privacy in the analysis of web traffic.…
Security: Tradeoffs
Absolute security is simple– put your PC in a well-guarded vault, and never power it on. But that’s not what PCs are built for, and good luck finding a job that would pay you for such advice. Security Engineering (like…
Web Platform Weirdness: Babies and Bathwater
When moving from other development platforms to the web, developers often have a hard time understanding why the web platform seems so … clunky. In part, that’s because the platform is pretty old at this point (>25 years as an…
Web Weirdness: Probing Localhost
If you closely watch the Network tab in the Chromium Developer Tools when you try to log into Fidelity Investments, you might notice something that looks a bit weird. JavaScript on the page attempts to create WebSocket connections to a…
Attack Techniques: Fullscreen Abuse
It’s extremely difficult to prevent attacks when there are no trustworthy pixels on the screen, especially if a user doesn’t realize that none of what they’re seeing should be trusted. Unfortunately for the browsing public, the HTML5 Fullscreen API can…
The Challenge of IP Reputation
When protecting clients and servers against network-based threats, it’s tempting to consider the peer’s network address when deciding whether that peer is trustworthy. Unfortunately, while IP addresses can be a valuable signal, attempts to treat traffic as trustworthy or untrustworthy…
Defensive Techniques: Application Guard
Earlier this year, I mentioned that I load every phishing URL I’m sent to see what it does and whether it tries to use any interesting new techniques. While Edge’s “Enhanced Security Mode” reduces the risks of 0-day attacks against…
Kilimanjaro – To Exit Gate & Home
Saturday, July 8, 2023; Day 9 and Sunday, July 9, 2023; Home After another night of decent sleep, we turn on the light at 4:45am. It’s a cozy 50F in the tent. Our coffee should arrive in 15 minutes, and…
Kilimanjaro – Descent to Mweka
Friday, July 7, 2023; Day 8 Last night’s sleep was the best to date, even with high winds and noisy groups traipsing by after 1am. Exhaustion is the best sleep aid, I suppose. :) The tent is again just under…
Kilimanjaro – To Summit
Thursday, July 6, 2023; Day 7 It’s been noisy throughout the night as teams of hikers from Barafu pass through after midnight. They seem to make no effort toward keeping quiet, and there’s singing and shouts as they pass. Our…
Kilimanjaro – To Kosovo/Respicius Camp
Wednesday, July 5, 2023; Day 6 I slept okay last night with long periods awake, turning a story over in my mind, the details of which I’ve since forgotten. At 5:50am I sat up when I heard the coffee crew…
Kilimanjaro – Up Barranco Wall to Karanga Camp
Tuesday, July 4, 2023; Day 5 I slept okay last night, with no real nasal congestion unlike the night before, and the camp quieted down eventually. I had a few 1+ hour stretches of sleep. I jotted in my journal…
Kilimanjaro – To Lava Tower and Barranco Camp
Monday, July 3, 2023; Day 4 I didn’t feel quite as cold last night, and I got a solid amount of sleep. I had two mild-but-elaborate nightmares though, both featuring my ex. Ugh. I was a little congested, which is…
Kilimanjaro – To Shira 2 Camp
Sunday, July 2, 2023; Day 3 I slept somewhat more comfortably in the night — my sleeping pad, inflated by our porters before we got to Shira 1, was not overfilled and provided a bit more comfort than it had…
Kilimanjaro – To Shira 1 Camp
Saturday, July 1, 2023; Day 2 It was an uncomfortable night– the sleeping bag and my body temperature were comfy, but the ground was so, so hard. I felt like I didn’t sleep much at all. More than the body…
Kilimanjaro – Trailhead to Forest Camp
Friday, June 30, 2023; Day 1 Ndarakwai provided the best night’s sleep of the trip yet, with the combination of the cool breeze through the hut pairing beautifully with the cozy blanket on the comfy bunk. After sleeping at 9p,…
Kilimanjaro – Meet the Team; To Ndarakwai Lodge
Thursday, June 29, 2023; Day 0 Another night of rough sleep, but I got two solid blocks from 10:30p-1a and 4a-7:45a. I took a quick shower before heading to our last breakfast at the hotel. There was no omelette chef…
Kilimanjaro – Mini Safari
Wednesday June 28, 2023; Day -1 I again spent long periods awake overnight, this time starting around 2am. When we got up somewhere around 8 in the morning, we had another nice breakfast on the hotel’s patio dining room, again…
SmartScreen Application Reputation, with Pictures
Last Update: Sept 3, 2025 I’ve previously explained how Chromium-based browsers assign a “danger level” based on the type of the file, as determined from its extension. Depending on the Danger Level, the browser may warn the user before a…
Divorce – 18 Months In
I got separated in March 2020 and finally divorced in January 2022. It was a long time in coming, but it wasn’t awesome. In hindsight, I disassociated a bit, spreading the pain out over time rather than feeling it all…
Kilimanjaro – Coffee Tour
I woke up at 8am after a rough night’s sleep, awake for at least an hour around 3:30am, full of worries and nostalgia. Eight seemed a bit too early so I reset my watch’s alarm for 8:15, but either I…
Attack Techniques: QR Codes
As outlined in earlier posts in this series, attackers know that security software can detect their phishing lures and block users from even seeing the lure if it contains a known-phishing URL. For example, both Windows Live and Gmail block…
Enforcing SmartScreen with Policy
Microsoft Defender SmartScreen provides protection against the most common forms of attack: phishing and malware. SmartScreen support is built-in to Microsoft Edge and the Windows 8+ shell. The SmartScreen web service also powers the Microsoft Defender Browser Protection extension for…
Attack Techniques: SMS Gift Card Scams
Last week, I had the chance to fly to Redmond to meet my new teammates on the Protection team in Microsoft Defender. I also had the chance to catch up with a few old friends from the Edge team, one…
Kilimanjaro – Getting There
My kids and I flew from Austin to Maryland on Friday, June 23rd, and spent a day getting them settled in with their grandparents as I finished collecting a few last-minute essentials for the adventure. My brother and I had…
Kilimanjaro – Journal
Following two previously-posted entries: …this is an index post with links to the day-by-day journal of my Kilimanjaro trip. I’ve split the posts up by day because the idea of summarizing the entire trip in a single post feels like…
Kilimanjaro – Gear
This is the second post in my Kilimanjaro series. The index is here. When I was initially thinking about signing up for a trek up Kilimanjaro, I had two major areas to think about: my fitness, and all of the…
Kilimanjaro – Overview
Writing about my Kilimanjaro trek will not be easy: How can I do justice in describing what was: … all at the same time? Nevertheless, I’ve been back for a few weeks now and I’m compelled to put fingers to…