Hello! My name is Matt Suiche. I am an independent researcher, advisor, and investor. I previously served as the Head of Detection Engineering at Magnet Forensics. Our organization was passionately dedicated to justice and protecting the innocent, a mission we embarked on more intensely after the 2022 acquisition of my cybersecurity start-up, Comae Technologies.
My life-long fascination with learning and understanding complex systems first led me to cybersecurity. My teenage years were spent immersed in reverse engineering, which ignited a profound curiosity about technology that continues to this day. I’ve since explored various fields including operating systems architecture, programming languages, virtualization, modern web application development, and generative art. Furthermore, I’ve delved into numerous domains such as privacy, surveillance, forensics, blockchain, and community development among others.
The Genesis: When Signatures Aren’t Enough
In the world of mobile security research, there’s a recurring frustration that keeps many of us up at night: the most sophisticated exploits - the ones that really matter - are rarely shared. When Citizen Lab and Google TAG discover NSO Group’s latest 0-click exploits targeting journalists and activists, we get brilliant technical writeups, CVE numbers, and patches. What we don’t get? The actual samples.
The Discovery
CVE-2025-43300 represents one of those subtle yet devastating vulnerabilities that security researchers dream (or have nightmares) about. According to Apple’s official advisory, this out-of-bounds write issue was discovered in their implementation of JPEG Lossless Decompression code within the RawCamera.bundle, which processes Adobe’s DNG (Digital Negative) files.
What elevates this from a typical vulnerability to a critical threat is Apple’s chilling acknowledgment: “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”
This is the last part of a 3-part series on Bob and Alice in Kernel-land. You can find Part 1 here and Part 2 here.
CrowdStrike’s “Adversary Universe Podcast” just released a new episode entitled “The Kernel’s Essential Role in Cybersecurity Defense”, featuring Adam Meyers with Alex Ionescu, the original architect of the CrowdStrike Falcon kernel agent, co-author of the “Windows Internals” book, and one of the most knowledgeable people when it comes to understanding how the Windows kernel (or any other OS kernel, to be honest) works.
It’s been a month since I wrote Part 1 of “Bob and Alice in Kernel-land”. As expected, we saw minimal constructive feedback from vendors, with a few notable exceptions. Sophos provided the most detailed information about their drivers, while CrowdStrike offered valuable insights into their kernel architecture, including the use of Microsoft’s Winsock kernel file transfer. This feature, introduced in Windows Vista+, was designed to replace the outdated Transport Driver Interface (TDI).
Over the past decade, several cyber incidents have shed light on how SWIFT operates between institutions. In 2017, I covered the vulnerabilities with PASSFREELY and the JEEPLEA SIGINT operations revealed in TheShadowBrokers leaks. Additionally, the 2016 Bangladesh Central Bank Heist, orchestrated by North Korea, offered valuable insights into the workings of international inter-bank SWIFT messaging. Since then, financial messaging standards have undergone significant changes. Legacy standards like ISO 15022 and
As the U.S. presidential elections draw closer, the topic of election security is gaining increasing attention. This issue took on added significance yesterday when the current U.S. Vice President and new Democratic candidate, Kamala Harris, tweeted the following:
Paper ballots are the smartest, safest way to ensure your vote is secure against attacks by foreign actors. Russia can’t hack a piece of paper like they can a computer.
Already dubbed “The Largest IT Outage In History”, the CrowdStrike update from July 18, 2024, has affected at least 8.5 million Windows devices, according to Microsoft. Several of these devices are critical assets and run multiple essential services. For instance, I was unable to pay for my coffee in Dubai because the payment systems used by the coffee shop were down, and a friend lost her passport while stranded in Barcelona due to flight disruptions.
As part of the attack chain, the initial infection starts with attackers dispatching a malicious PDF as an iMessage attachment. This particular attachment is crafted to stealthily leverage a remote code execution vulnerability in the FontParser, identified as CVE-2023-41990 and reported by Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky to Apple.
As someone who worked at the NSA, I always think it's hilarious when people feel like real APTs can be minimized to the MITRE matrix.
More than 14 weeks have passed since the Apple Product Security team reported the issue affecting the WebP open source project to Google, following the BLASTPASS iOS exploit that was discovered in the wild by Citizen Lab and discussed in September. This means that the email chain is now public as of December 14, 2023.
We also learn that the Brotli compression algorithm was almost affected by the same issue (cf. BrotliBuildHuffmanTable), but the shape of the Huffman tree is checked before the actual lookup table is built, so it was not vulnerable.
Introduction
Once again, compression algorithms are showing us that they rule the internet. My initial encounter with compression algorithms was in 2007, while reversing the Windows hibernation file to reimplement the now well-known Microsoft LZXpress, which, I later discovered, is still used in most Microsoft products today. This journey continues today with the scrutiny of the vulnerability CVE-2023-4863 located within the open-source Libwebp library, affecting Chromium-based browsers such as Mozilla, Chrome, and Edge, but also messaging applications such as iMessage.