Mick Grove
@micksmix.bsky.social
Interested in computer security. 🐕 friendly. Security at MongoDB. Formerly at Apple, AWS, other places.
Billion dollar idea…Splunk, but fast 🫠
November 14, 2025 at 1:04 AM
Reposted by Mick Grove
📚 The 2nd edition of 🔒Container Security 🔒 is out now! 📚
bookshop.org/p/books/cont...
Container Security: Fundamental Technology Concepts That Protect Cloud Native Applications
Fundamental Technology Concepts That Protect Cloud Native Applications
bookshop.org
October 12, 2025 at 5:31 PM
Reposted by Mick Grove
Very late on getting this video out the door, but a teeny weeny showcase of the recent Docker for Desktop on Windows & MacOS container escape, CVE-2025-9074 -- proof of concept was included so a simple demo of arbitrary file write & file read on the host: youtu.be/dTqxNc1MVLE
September 3, 2025 at 1:05 PM
Reposted by Mick Grove
the recording of my talk on the Black Hat show floor is up on yout00b :) youtu.be/whhOYRWd_rs
August 22, 2025 at 1:15 PM
Reposted by Mick Grove
I’ve been exploring what it means to be an AI-native PM. Marily Nika’s workflow feels like the state of the art.

Perplexity for user research filtered to Reddit, custom GPTs for specs in her voice, and v0 for UI mockups. Prototypes in hours, not weeks.

Hardest part is getting the tools approved.
The Future of Product Management Is AI-Native
Takeaways from My Conversation with Marily Nika
www.oreilly.com
August 9, 2025 at 1:16 PM
Reposted by Mick Grove
anyone working in security knows
that tools can be used for good or for evil
but don't forget they are often used for stupid
August 8, 2025 at 11:10 PM
Reposted by Mick Grove
OpenAI released their long-promised open weight models today under clean Apache 2 licenses and with benchmarks that put them shockingly close to o3-mini and o4-mini

I've run the smaller (20B) model on my Mac and it's very impressive, despite only using ~15GB of RAM simonwillison.net/2025/Aug/5/g...
OpenAI’s new open weight (Apache 2) models are really good
The long promised OpenAI open weight models are here, and they are very impressive. They’re available under proper open source licenses—Apache 2.0—and come in two sizes, 120B and 20B. OpenAI’s …
simonwillison.net
August 5, 2025 at 8:39 PM
Reposted by Mick Grove
The second challenge in our monthly CTF series is out! This time focused on a container escape.
🏆 Can you escape a container & become THE ULTIMATE CLOUD SECURITY CHAMPION?

This month's scenario was crafted by Sagi Tzadik to explore container escape techniques, the same kinds of risks we'll be diving into at #BlackHat next week!

Challenge #2 👉
cloudsecuritychampionship.com/challenge/2
July 31, 2025 at 2:20 PM
The crazy fast secret discovery program I wrote in Rust has been open-sourced. Check it out!
Introducing Kingfisher: Real-Time Secret Detection and Validation | MongoDB Blog
Discover Kingfisher, MongoDB’s open-source tool for security and DevOps engineers to detect and validate exposed secrets in code and repositories.
www.mongodb.com
June 17, 2025 at 12:39 AM
Reposted by Mick Grove
If you never used the Piper extension, I recommend watching the 4-minute demo I gave last year during my talk at NorthSec 🛠️
NSEC2023 - Burp Suite Pro tips and tricks, the sequel
Based on my in-depth knowledge of both Burp Suite and its extensions, this talk aims to provide bug hunters and pentesters with a set of useful strategies. T...
www.youtube.com
April 10, 2024 at 7:18 AM
Reposted by Mick Grove
Nice clear explanation of how GitHub rolls out new implementations of features that get 2,000 queries a second - including dark-shipping to 1% of users where the new implementation is invisibly compared with the production one via a background job
GitHub @github.com · May 25
We rebuilt GitHub Issues search to make it faster, more flexible, and now powerful with nested queries and boolean operators! 🔎

Take a look at the engineering behind this revamp and then try out the advanced search syntax for yourself to find exactly what you need. ⬇️
GitHub Issues search now supports nested queries and boolean operators: Here's how we (re)built it
Building this feature presented significant challenges. We're excited to take you behind the scenes.
github.blog
May 25, 2025 at 10:04 PM
Reposted by Mick Grove
Double-Clickjacking, or "press buttons on other sites without preconditions". After seeing and experimenting with this technique for a while, I cooked up a variation that combines many small tricks and ends up being quite convincing.
Here's a flexible PoC:
jorianwoltjer.com/blog/p/hacki...
The Ultimate Double-Clickjacking PoC | Jorian Woltjer
Combining a lot of browser tricks to create a realistic Proof of Concept for the Double-Clickjacking attack. Moving a real popunder with your mouse cursor and triggering it right as you're trying to bea...
jorianwoltjer.com
May 25, 2025 at 5:30 PM
Reposted by Mick Grove
In case you've a hard time intercepting Firefox traffic to the loopback interface, open the about:config page and set "network.proxy.allow_hijacking_localhost" to True 🎁

Thanks @onemask.bsky.social for the tip 🙏
May 16, 2025 at 4:35 PM
Reposted by Mick Grove
Pink Draconian (who apparently isn't on Bluesky 😢) published a walk-through of the "Damn Vulnerable RESTaurant" app

The video contains some pretty good tips related to Burp Suite, give it a look!

youtu.be/CdVTG3aWTew?...
Damn Vulnerable RESTaurant - API hacking
YouTube video by PinkDraconian
youtu.be
April 6, 2025 at 1:56 PM
Reposted by Mick Grove
As LLMs and AI-powered IDEs like Cursor are transforming how we code, security tools haven’t kept up. That's why we built our MCP server, which gives LLMs the ability to use Semgrep (kind of like how ChatGPT uses Python for math).

🔗 semgrep.dev/blog/2025/gi...
April 4, 2025 at 7:10 PM
Reposted by Mick Grove
My interactive AWS NAT Gateway blog post is now published. Check it out at malithr.com/aws/natgatew....
Interactive AWS NAT Gateway - Malith R
An interactive blog post exploring AWS NAT Gateway
malithr.com
March 20, 2025 at 8:56 AM
Reposted by Mick Grove
Just dropped another completely free API security lesson on JustHacking, this time we’re looking at WebSocket APIs. In this 30min lesson you’ll learn what a WebSocket is and the types of apps that use them, how to communicate to WebSockets and some of the security issues in them!
March 20, 2025 at 9:18 PM
Reposted by Mick Grove
This is my entire life
March 17, 2025 at 1:53 AM
Reposted by Mick Grove
Generated a few fuzz harnesses using new local models, OlympicCoder was best, fixing own bugs zero-shot & few hallucinations

Open R1 OlympicCoder 32B
DeepSeek R1 Distill Qwen 32B
QwQ 32B
Gemma-3-27b-it

All 4bit quant. Coder was by bartowski, the rest were Unsloth dynamic quant
March 13, 2025 at 4:19 AM
Reposted by Mick Grove
I'm taking requests for my BSides Reykjavik k8s talk.
* Do you want a demo of something?
* Talk about something specific?
* A new tool that could use a boost?
Serious and/or sarcastic accepted.

Please reshare because the algorithm still needs tuning

cfp.bsidesreykjavik.com/2025/talk/KP...
Command and KubeCTL: Kubernetes Security for Pentesters and Defenders 2025
Kubernetes is a security challenge that many organizations need to take on, and we as pentesters, developers, security practitioners, and the technically curious need to adapt to these challenges. In ...
cfp.bsidesreykjavik.com
March 2, 2025 at 6:02 PM
Reposted by Mick Grove
My closing keynote from Rust Nation UK last week is now online: "Microsoft is Getting Rusty: A Review of Successes and Challenges"
Microsoft is Getting Rusty: A Review of Successes and Challenges - Mark Russinovich
YouTube video by Rust Nation UK
www.youtube.com
February 26, 2025 at 10:18 PM
Reposted by Mick Grove
Microsoft is getting #rustlang -y: a review of successes and challenges www.youtube.com/watch?v=1Vgp...
Microsoft is Getting Rusty: A Review of Successes and Challenges - Mark Russinovich
YouTube video by Rust Nation UK
www.youtube.com
February 26, 2025 at 9:22 PM
Reposted by Mick Grove
gopls v0.18.0 quietly released a new "modernize" tool which automatically adjusts your #golang code to use newer std APIs and language features!

modernize -fix ./...

For example: range over int, min and max, slices APIs like Contains or Delete.

github.com/golang/tools...
Release gopls/v0.18.0 · golang/tools
This release contains some small changes to gopls behavior, bug fixes, and new features. Notably, the new modernize analyzer reports hint diagnostics suggesting ways that Go code could be updated t...
github.com
February 23, 2025 at 12:32 PM