Don't think of it as a place where you tell the world how amazing you are, but as a place where you keep a log of your past ideas and achievements.
In fact, your GitHub account is the place where your skills will be displayed in their purest form, so make sure you have a nice, active and healthy presence.
Below you will find the contents of an email I just sent after I was asked 'So ... what is your C++ experience?', and note the difference between the period before and after I started blogging (i.e. links vs no-links)
And the worst part is that not only did I not share those ideas with you (blog reader), I am also left out of it! (since those ideas and docs are now lost in old memories and laptops/VMs long gone)
See Blogging is like speaking to my 'Future Self' for more on the idea that blogging is more about allowing you in the future to have access to your ideas today
Here are some links about my dev and C++ experience:
- LinkedIn: https://www.linkedin.com/in/diniscruz
- GitHub: https://github.com/DinisCruz
- Blog: http://blog.diniscruz.com
- DefCon/RSA presentation and research
- Updated presentation of 'RESTing On Your Laurels will Get You Pwned' (RSA version)
- XStream "Remote Code Execution" exploit on code from "Standard way to serialize and deserialize Objects with XStream" article
- Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution)
- Some C++ related blog posts
- Injecting a .NET REPL into an Unmanaged/C++ application (Notepad)
- Using a .Net/CLR, a Java/JVM and a C++ Window in another process (to show consolidated security findings)
- IBM AppScan Standard, Source and VisualStudio (in the same GUI/App)
- Opening up a native Chrome Browser window inside Eclipse (raw version)
- Generating Fuzzing Images and trying them on WebBrowser (IE)
- Dynamically patching ASP.NET code in real-time? (Why don't WAF vendors do it?)
- Making Java, .Net and C++ apps work together
- My comments on the SATEC document (Static Analysis Tool Evaluation Criteria)
I was also involved in a number of C++ research projects which were done before I started my blog:
- Rooting the CLR, where I was modifying the .NET CLR in real time to remove security features
- Use tools like OllyDbg and IDA Pro to reverse engineer C++ applications (and find vulns)
- Exploit all sorts of buffer overflows (stack, heap, off-by-one), including bypassing ASLR using Heap Spraying techniques
- Use Microsoft Detours API to hook specific functions and write tools to introduce payloads via the hijacked functions
- Broke multiple copy protection solutions (for a customer of those solutions who wanted to know how good they were). The last one was done by using a kernel driver which was a variation of Rr0d, The Rasta Ring0 Debugger (code, slides). Yes, I wrote a kernel driver to attack another kernel driver and bypass its copy protection actions
- Developed Security Training courses based on the Writing Secure Code book, which included tons of C++ material and examples
- Delivered training at BlackHat and OWASP conferences on advanced hacking techniques
One of my focuses is on making developers understand the security implications of the code they are writing, and nothing shows that better than this PoC: Real-Time Vulnerability Feedback in VisualStudio