Welcome, Joe FitzPatrick! (@securelyfitz)
Joe got started working at a CPU vendor, analyzing verilog and hardware for vulnerabilities. He moved on to training people in the company to look for these as well.Afterwards, he moved to a private company doing trainings with his company SecuringHardware.comJoe worked on a part of the NSAplayset, specifically the Slot Screamer, which works over PCI express. Ulf Frisk later built a software suite for it that auto ran a bunch of commands.A recent snafu with software behind the mirror...https://twitter.com/securelyfitz/status/870348354022133762
With USB-C, every device needs to be smart. If you want to watch traffic you need to do so with a tool like USB Proxy (Dominic Spill). The other Great Scott Gadget being used for USB analyisis is the Daisho (Jared Boone)Thunderbolt3 converged with USB C.We had previously talked about USB C when Jason Cerundulo was on talking about his EZ Bake Oven.Joe talks about "hardware implants"JTAG, SVF filesOregon professional engineer who was getting suedBug bounty companies like Bug CrowdThere is an ISO standard about security disclosuresJoe will be at Recon helping with former guest Dmitry Nedospasov's training about using programmable hardware devices to test vulnerabilities.There is a new joint group of trainings happening Nov 6-9 in San Francisco. More info can be found here: HardwareSecurity.trainingdevtty0 on TwitterJoe's talk about compromising a yubikey and an RSA Token. Slides can be found here.Joe's final words: Trust, but verify
Chris is still frightened.