Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Recent Blog Posts

  • On Art, Heritage, Nazis, & 3D Scanners

    or: How an 18th century painter saved Warsaw from the Nazis, and how 3D scanners may save Ukraine While researching applications that use the iPhone’s LiDAR scanner or perform more pure photogrammetry, I came across an effort by Polycam - likely the largest player in this space - to help protect the heritage of Ukraine and its people: Backup Ukraine. This is an effort to recruit people in Ukraine to leverage Polycam (provided a no cost as part of this program), to create detailed scans of artwork, buildings, and other items of cultural significance.

    Read more…

  • Logseq: My External Brain

    Over the years I’ve used most of the major note taking tools around, I’ve been a paying customer of Evernote for over a decade, I’ve used Standard Notes, Good Notes, pen & paper, and a bunch of others I can’t recall now. They were never quite right for my needs — some were close, but none were what I was after. One of the major challenges was that I didn’t know what I needed, and it’s hard to find something when you don’t know what you’re looking for.

    Read more…

  • On Productivity

    Productivity and efficiency have been passions of mine from a young age, I’m not sure why, but achieving as much as possible, as quickly and efficiently as possible has always driven much of my thoughts, actions, and plans. I was around 10 years old when I learned that there were people that specialised in worker productivity, which led me to researching process design, why restaurants are setup the way they are, the psychology of work and motivation, and a variety of other related topics.

    Read more…

  • Death, Cancer, and Missed Chances

    In early December, about a month ago, I had the to perform one of the hardest tasks I’ve ever faced as a leader, letting my team know that a colleague had passed away. She was a friend to us all, and the glue that held the team together; telling them that she was gone was, without question, the hardest thing I’ve had to do in a work setting. What made this so hard was not just what I was telling them, but my own feelings for her as a friend, and the opportunity I had missed.

    Read more…

  • Trojan Source and Why It Matters

    Yesterday the news hit of a new vulnerability that threatens the security of all code; dubbed Trojan Source by the researchers from the University of Cambridge. From an initial analysis, it does seem to impact just about everything, and the status of fixes is very hit or miss at this point. But the real question is, does this even matter? Is this issue worth spending your time on? Let’s look closer.

    Read more…

All Blog Posts | Archive

Recent Security Research

  • Exploiting the Jackson RCE: CVE-2017-7525

    Earlier this year, a vulnerability was discovered in the Jackson data-binding library, a library for Java that allows developers to easily serialize Java objects to JSON and vice versa, that allowed an attacker to exploit deserialization to achieve Remote Code Execution on the server. This vulnerability didn’t seem to get much attention, and even less documentation. Given that this is an easily exploited Remote Code Execution vulnerability with little documentation, I’m sharing my notes on it.

    Read more…

  • Breaking the NemucodAES Ransomware

    The Nemucod ransomware has been around, in various incarnations, for some time. Recently a new variant started spreading via email claiming to be from UPS. This new version changed how files are encrypted, clearly in an attempt to fix its prior issue of being able to decrypt files without paying the ransom, and as this is a new version, no decryptor was available1. My friends at Savage Security contacted me to help save the data of one of their clients; I immediately began studying the cryptography related portions of the software, while the Savage Security team was busy looking at other portions.

    Read more…

  • PL/SQL Developer: HTTP to Command Execution

    While looking into PL/SQL Developer – a very popular tool for working with Oracle databases, to see how it encrypts passwords I noticed something interesting. When testing Windows applications, I make it a habit to have Fiddler running, to see if there is any interesting traffic – and in this case, there certainly was. PL/SQL Developer has an update mechanism which retrieves a file containing information about available updates to PL/SQL Developer and other components; this file is retrieved via HTTP, meaning that an attacker in a privileged network position could modify this file.

    Read more…

Insane Ideas

The Insane Ideas series is a group of blog posts the detail various ideas that I found interesting, but didn't pursue due to time restrictions or other factors. The goal of publishing these ideas is to make the concept available to others, in hopes that they will pursue the idea - or at least find amusement in it.

  • Insane Ideas: NFT the Stars

    This is part of the Insane Ideas series. A group of blog posts that detail ideas, possible projects, or concepts that may be of interest. These are ideas that I don’t plan to pursue, and are thus available to any and all that would like to do something with them. I hope you find some inspiration – or at least some amusement in this. NFTs are drawing in vast amounts of money; the cryptocurrency community couldn’t be more excited unless Elon sold himself as an NFT.

    Read more…

  • Insane Ideas: Stock in People

    This is part of the Insane Ideas series. A group of blog posts that detail ideas, possible projects, or concepts that may be of interest. These are ideas that I don’t plan to pursue, and are thus available to any and all that would like to do something with them. I hope you find some inspiration – or at least some amusement in this. There are many ways to invest in a variety of things, though there is one hugely promising front that has barely begun to emerge, that could have massive potential for profit, and incredible ramifications: the ability to invest in individuals.

    Read more…

  • Insane Ideas: Blockchain-Based Automated Investment System

    This is part of the Insane Ideas series. A group of blog posts that detail ideas, possible projects, or concepts that may be of interest. These are ideas that I don’t plan to pursue, and are thus available to any and all that would like to do something with them. I hope you find some inspiration – or at least some amusement in this. A few months ago I was reading about high-frequency trading (HFT) – algorithms that allow investors to make money essentially out of nothing by executing trades at high speed, and leveraging the natural (and artificial) volatility of the market.

    Read more…

Fine Art Photography

About my Photography. | Buy Limited Edition Prints | My Portfolio | My Photo Blog

Projects

  • YAWAST - The YAWAST Antecedent Web Application Security Toolkit.
  • libsodium-net - The .NET library for libsodium; a modern and easy-to-use crypto library.
  • ccsrch - Cross-platform credit card (PAN) search tool for security assessments.
  • Underhanded Crypto Contest - A competition to write or modify crypto code that appears to be secure, but actually does something evil.

About Adam Caudill

Adam Caudill is a security leader with over 20 years of experience in security and software development; with a focus on application security, secure communications, and cryptography. Active blogger, open source contributor, writer, photographer, and advocate for user privacy and protection. His work has been cited by many media outlets and publications around the world, from CNN to Wired and countless others.