<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Bobo T. Jones</title><link>https://bobotjones.com/</link><description>Recent content on Bobo T. Jones</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Mon, 22 Jun 2026 09:39:17 -0500</lastBuildDate><atom:link href="https://bobotjones.com/index.xml" rel="self" type="application/rss+xml"/><item><title>Breather</title><link>https://bobotjones.com/2026/06/breather/</link><pubDate>Mon, 22 Jun 2026 09:39:17 -0500</pubDate><guid>https://bobotjones.com/2026/06/breather/</guid><description>&lt;p>I am publishing an incomplete post on proxies along with this one. Not exactly sure what happened but as I tried to compose that post, I found myself getting uncomfortably frustrated. Angry, even. In the grand scheme of things (and in hindsight), it was always likely that web application penetration testing was a stopgap discipline. The shittiness of most web pentesting tools makes that abundantly clear. There was no point to finishing the post because I learned what I needed to learn: the reason I hated doing that work is because while I was good at it, the value of it was obviously decreasing over time. The only people who respect that line of work are other web pentesters. Everyone else shat on us. Even though the sexier hacking was less likely to be exploited in the wild; that will also change in the near future.&lt;/p></description></item><item><title>Proxies</title><link>https://bobotjones.com/2026/03/proxies/</link><pubDate>Mon, 09 Mar 2026 09:59:05 -0500</pubDate><guid>https://bobotjones.com/2026/03/proxies/</guid><description>&lt;p>No surprise, it has not taken long for me to hit something of a productivity sandbar. The post I started writing for today is about proxies&amp;hellip; specifically, web proxies for web application assessment work. The goto standard for this tool is &lt;a href="https://portswigger.net/burp/communitydownload" target="_blank" rel="noopener noreferrer">Burp Suite from PortSwigger&lt;/a>. I have linked to the Community Edition, which is the free version. I&amp;rsquo;ve never been a fan of Burp, even though PortSwigger has made a fair number of positive changes to the tool over the past maybe 15 years. But I still remember the version that would hang on large server responses or freeze entirely, which was problematic because it did not automatically save any logs or state. I lost a lot of work over those years and I am naturally wired to hold a grudge for a long time.&lt;/p></description></item><item><title>Secrets Scanning</title><link>https://bobotjones.com/2026/02/secrets-scanning/</link><pubDate>Wed, 25 Feb 2026 16:27:19 -0600</pubDate><guid>https://bobotjones.com/2026/02/secrets-scanning/</guid><description>&lt;p>Secrets scanning is a checkbox for a pentest but it should also be part of a healthy security operations practice. Before I get to the review of the secrets scanning tools, I want to take a wee detour and share a useful Unix (yes, Unix) tool: &lt;a href="https://www.nevis.columbia.edu/cgi-bin/man.sh?man=1&amp;#43;script" target="_blank" rel="noopener noreferrer">script(1)&lt;/a>. The &lt;code>script&lt;/code> command logs everything in a terminal session. Most of the tools I am reviewing are run on the command line in a shell and sometimes it is the case that not all of the work I am doing gets saved in a way that is useful for later. It is very useful at the start of a day to run the &lt;code>script&lt;/code> command:&lt;/p></description></item><item><title>ProjectDiscovery Part 2: nuclei</title><link>https://bobotjones.com/2026/02/projectdiscovery-part-2-nuclei/</link><pubDate>Mon, 23 Feb 2026 14:42:25 -0600</pubDate><guid>https://bobotjones.com/2026/02/projectdiscovery-part-2-nuclei/</guid><description>&lt;p>Continuing with the theme of running a pentest, &lt;a href="https://github.com/projectdiscovery/nuclei" target="_blank" rel="noopener noreferrer">nuclei&lt;/a> is a logical next step in the discovery phase after &lt;a href="https://docs.projectdiscovery.io/opensource/subfinder/overview" target="_blank" rel="noopener noreferrer">subfinder&lt;/a>, in that you have a bunch of targets and you&amp;rsquo;re going to scan them for known vulnerabilities.&lt;/p>
&lt;p>The gist of vulnerability scanning is that there are databases of vulnerabilities scattered around the internet. My goto is the &lt;a href="https://www.cve.org/" target="_blank" rel="noopener noreferrer">Common Vulnerabilities and Exposures (CVEs)&lt;/a> database. These databases are not exhaustive; I&amp;rsquo;ve personally found and facilitated the remediation of dozens of exploitable oopsies and there are no CVEs (or really anything) with my name on them. Occasionally someone I worked with on an assessment will send me a CVE for something I found and we&amp;rsquo;ll share a sensible chuckle. See also,&lt;/p></description></item><item><title>ProjectDiscovery Part 1: subfinder</title><link>https://bobotjones.com/2026/02/projectdiscovery-part-1-subfinder/</link><pubDate>Mon, 16 Feb 2026 13:25:40 -0600</pubDate><guid>https://bobotjones.com/2026/02/projectdiscovery-part-1-subfinder/</guid><description>&lt;p>The first phase of a penetration test is almost always discovery. Up until the middle of 2025, I was still using older versions of &lt;a href="https://owasp.org/www-project-amass/" target="_blank" rel="noopener noreferrer">OWASP amass&lt;/a> and &lt;a href="https://github.com/shaheeryasirofficial/Sublist3r" target="_blank" rel="noopener noreferrer">Sublist3r&lt;/a> for discovery&amp;hellip; until a coworker gently mocked me and told me to use &lt;a href="https://docs.projectdiscovery.io/opensource/subfinder/overview" target="_blank" rel="noopener noreferrer">subfinder&lt;/a> instead.&lt;/p>
&lt;p>It was &lt;span class="fleur-de-leah-regular">A Moment&lt;/span> for me. I realized just how stale my skills had gotten over the last 4 years. An elephant has never sat on me but I’m pretty sure that’s what it feels like when one does. It hurt. That was the inspiration for this sabbatical project, to catch up on all of the training I was promised over the decades but never seem to get. Meanwhile, the &amp;ldquo;bills for skills&amp;rdquo; problem in security is a clusterfuck&amp;hellip; we&amp;rsquo;re all expected to know how to hack into anything and everything, even as tech stacks get more bloated and convoluted, to learn on our own AND pay for the 999 services necessary to, you know, practice? Let&amp;rsquo;s learn together. My treat.&lt;/p></description></item><item><title>Starting Line</title><link>https://bobotjones.com/2026/02/starting-line/</link><pubDate>Fri, 13 Feb 2026 10:37:04 -0600</pubDate><guid>https://bobotjones.com/2026/02/starting-line/</guid><description>&lt;h2 id="reluctantly-crouched">Reluctantly crouched&amp;hellip;&lt;/h2>
&lt;p>This morning, I created a GitHub repo: &lt;a href="https://github.com/boboTjones/bigbookofcyber" target="_blank" rel="noopener noreferrer">bigbookofcyber&lt;/a>. The inspiration for this work comes from the &lt;a href="https://github.com/search?q=awesome&amp;amp;type=repositories" target="_blank" rel="noopener noreferrer">awesome repos&lt;/a>. I started with &lt;a href="https://github.com/enaqx/awesome-pentest" target="_blank" rel="noopener noreferrer">enaqx/awesome-pentest&lt;/a>. While I have shared this repo with many people who are new to the cybersecurity industry, I have not had much time in the past to download, build and use these tools. Because I was busy working. One of my goals for my current sabbatical is to evaluate as much security tooling as I can grind through, starting with the stuff that is most popular and currently maintained. As I work my way through the top 100 of the nearly 2000 repos I have found so far, I will write at least one post for each. This should keep me occupied for a while.&lt;/p></description></item><item><title>Hello World</title><link>https://bobotjones.com/2026/02/hello-world/</link><pubDate>Thu, 12 Feb 2026 00:00:00 +0000</pubDate><guid>https://bobotjones.com/2026/02/hello-world/</guid><description>&lt;p>Look! I have a blog! For funsies, here are some survivers from when I tried this before:&lt;/p>
&lt;ul>
&lt;li>&lt;a href="https://sockpuppet.org/blog/2015/07/13/starfighter/" target="_blank" rel="noopener noreferrer">Starfighter, Summer 2015&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://sockpuppet.org/blog/2015/08/21/be-coachable/" target="_blank" rel="noopener noreferrer">Be Coachable&lt;/a>&lt;/li>
&lt;/ul>
&lt;p>After that&amp;hellip; yes I know the font looks weird. I am visually impaired. Deal. XD&lt;/p></description></item><item><title>About Me</title><link>https://bobotjones.com/about/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://bobotjones.com/about/</guid><description>&lt;p>Hello&lt;/p>
&lt;p>My name is Erin L. Ptacek. I do security stuff, primarily application or product and offensive security stuff. I have also been a systems administrator, a startup founder and a full stack developer when necessary. This nonsense has consumed over three decades of my life. I have opinions.&lt;/p>
&lt;p>The T is for Tiberius.&lt;/p></description></item><item><title>Read This First</title><link>https://bobotjones.com/read-this-first/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://bobotjones.com/read-this-first/</guid><description>&lt;p>My career started in the early 1990s; back then, security was barely a thing. Because of the nature of the work I have done for the last 3 decades, I want to be very clear:&lt;/p>
&lt;p>&lt;strong>I cannot and will NEVER share specifics about any former clients or employers.&lt;/strong>&lt;/p>
&lt;p>Occasionally I may make observations on the software industry, the cybersecurity industry or the types of people I have encountered in my career. I might write something like &amp;ldquo;I did the Y2K audit for Charles Schwab&amp;rdquo; or &amp;ldquo;I did the first pentest of Twitter,&amp;rdquo; but I will never provide any details that could be risky.&lt;/p></description></item></channel></rss>