The Good, The Bad, The Ugly: Projects, Tracking, and Rust in Web Security

Gabriele Biondo

It’s been a while since I last posted here — or on the other blog, for that matter. My fault.
Adulthood, personal affairs, and a few darker things kept me away from the keyboard. I suspect many of you can relate.

Still, none of that ever really stopped me from writing. So it’s only fair I share what’s been brewing on my side.


The Good

Over the past months, I’ve been deep into a few major projects. The first — and the one I’m most excited about — is a new way of thinking about web security. The moment I saw it, I fell in love.

It’s not a library. It’s not a WAF. It’s not a rule engine. It’s a SaaS, but a strange one. And although I’m under NDA, I can still give you a glimpse into what makes it different.

Traditional WAFs — even the more advanced ones — share some fundamental problems:

  • They’re prone to false positives. Lots of them.

  • They’re also prone to false negatives. And that should scare you.

  • A skilled penetration tester can detect them and, although it takes effort, craft payloads that bypass their protections.

  • The effectiveness of the solution depends heavily on who configures it.

No matter how well you tune them, these issues persist.

Lately, there’s a new wave of ITSec tools trying to inject AI into the mix — promising smarter detection, automated defenses, and adaptive behavior.

But here’s the thing: deterministic algorithms are still more efficient and trustworthy than these early attempts at AI-driven controls.

The solution I’ve been working on flips the script.

It’s not about dropping a gateway that blocks regex matches. It’s about dissecting the input, understanding its intent, and giving the asset owner a clean answer: YES, it’s an attack. NO, it’s not.

But the part I’m truly obsessed with — the one eating most of my dev time and that I genuinely love building — is the deceptive security module.

That’s where the fun begins.

The startup behind it is called a-maze. They’re currently incorporating, and I can already say it’s one of the most enjoyable teams I’ve worked with in a long time.


The Bad

A few weeks ago, I was contacted by this funny guy — I can mention his name, he has no problem — Mr. Dave Null.

The name immediately reminded me of the /dev/null device in Unix: the bottomless pit where unwanted things go. Turns out, that’s no coincidence. It’s a nickname — and that explains why he doesn’t care if I write about him. In fact, he encouraged it.

These guys commissioned me to run a research project on how the average Internet user is tracked.

Now — I already knew we’re all tracked. We all do.

But I hadn’t fully realised the depth and pervasiveness of the practice. It’s not “surveillance capitalism.” That’s a euphemism. It’s more like digital embezzlement — and the worst part? The victim (that’s us) doesn’t even know it’s happening.

We all know about spam. The word itself has entered most natural languages.
But tracking is worse. Much worse.
It impacts all of us, invisibly, constantly — and only benefits a handful of actors.

So I wrote a lengthy document that reverse-engineers the entire process — from techniques to technologies, from cookies to pixels to browser fingerprinting. I might also publish a follow-up with practical containment measures.

Nickname or not, real person or not — it’s good to know that the Internet still produces people (or collectives) willing to fight back. To learn. To understand what’s being done to them.

And hopefully, to take action.


The Ugly

Other projects are spinning up on my side, and I barely have time to write things down.

I’ve written a good chunk of code in Rust — which, to be clear, is not ugly as a language. Quite the opposite. But learning it hasn’t been (and still isn’t) the easiest journey I’ve ever embarked on.

Some components of that SaaS beast will eventually be written in other languages.
(No — not Python, not JavaScript. That would be ugly.)
Which means: more tech stacks, more brain friction, more context switching.

We’re also developing a cross-platform desktop app for another tool. So yeah...

...spare time will only shrink from now on.

But I’ll keep writing here. Maybe even more regularly — I’ll try, at least.

Thanks for reading through this long — yet overdue — rant. See you in the next post.

Have fun, dudes.


Written by Gabriele Biondo

Math guy who's into Cryptography, into iOS/MacOS development, and obviously into hacking/pentesting. Writing stuff in C/C++/ObjectiveC/Swift/Python/Assembly.