Posts on plygrnd

Credit card number hyperfixation notes

Mon, 25 Nov 2024 00:00:00 +0000

Why are AmEx card numbers shorter?

Amex is its own payment network. Most card numbers are 16 digits because they’re issued either by Visa or Mastercard — both of which decided on 16 digit numbers for most cards.

Amex has far fewer customers than Visa and Mastercard, so they can get away with shorter numbers; changing the number format would also be a HUGE, complicated operation.

Want more info? Read on!

On Departure

Sat, 20 May 2023 00:00:00 +0000

This is a personal update.

What’s going on?

On May 11, 2023, I unexpectedly left my job at AWS. I didn’t have a say in the matter; I have negative feelings about the event and will leave it at that. This post will run a bit long — it’s a way to get my feelings out and clarify where I am right now.

Leaving AWS felt like a bad, unexpected breakup, where your partner says, “Look — it’s not working out. You have to leave. And we’re keeping the couch.” I stayed with Amazon for almost 11 years and built a significant fraction of my identity around my job — I was proud to tell people about my work in AWS’s Security Outreach team, work with some of the best security researchers in the world, and build New Shinies to help my team be excellent. That part of me has been yanked away without warning, and filling the gap has been challenging. I’m now without income and work authorization in the USA, and the last three weeks have been the most anxiety-provoking of my life.

The 9 Commandments of Coordinated Vulnerability Disclosure

Thu, 03 Feb 2022 00:00:00 +0000

This was originally a Twitter thread. In case Twitter goes the way of the dodo, I’ll preserve the content here (with some edits now that I’m no longer limited to 280 characters per point).

The nine points below capture, at a high level, most of what I know about responsible disclosure / CVD / the ins and outs of reporting security issues in other people’s software.

Operate with good intentions in mind. You’re hacking on other people’s stuff (and presumably doing so for the common good). Treat other people’s infrastructure like you treat your phone, wallet, car, or favorite plushie — respect it and try not to break it. If your targets publish rules of engagement, follow them to the letter.
Be verbose — more info is better. Don’t assume that anyone will know what you’re reporting from context. Include as many details and as much background as possible in your report.
Produce — and provide — a proof of concept which bears out your assertions. Decent incident responders won’t balk at reading a 10-page description of your findings. If they can’t reproduce them, though, they can’t help you.
Be prepared for disappointment. Bug hunting is hard, painful, irritating work which may be thrown away as known issue or won’t fix or accepted risk. It happens — and it’s not personal.
People are fallible. Everyone’s wrong sometimes. If you disagree with a decision not to accept a report or fix an issue, and you have compelling evidence to indicate that your findings are valid, fight for yourself. Escalate if you need to. But — be nice about it.
Be prepared to go unrewarded — it’ll make the first bounty feel that much better. Rewards are nice, but not mandatory. Bounties are at the vendor’s discretion.
Act with integrity. Badgering or threatening vendors to extract a reward isn’t responsible disclosure. It’s extortion. Such behavior might result in your report being downplayed. It can also get you removed from bug bounty programs or banned from using the service you researched.
If you’re confident in your findings, include a disclosure date in your report and be upfront about your disclosure plan (blog, tweet, other). This keeps everyone on the same page and helps the responding party determine the scope and pace of their work.
Above all, have some fun. Get to know the teams you report stuff to — we love making new friends. :)