Gonçalo Valério @dethos@s.ovalerio.net
Admin
Full-stack developer, advocate of a free, secure and safe Internet. Nature lover and sports enthusiast.
Joined Apr 2017
"How containers work: overlayfs"
https://jvns.ca/blog/2019/11/18/how-containers-work--overlayfs/
"The Service Mesh: What Every Software Engineer Needs to Know about the World's Most Over-Hyped Technology"
Hmmm : thinking:
"The case of the $20000 cookie"
> The outsider ... had been communicating late last month with one of the company’s security analysts. In one message, the HackerOne analyst sent the community member parts of a cURL command that mistakenly included a valid session cookie that gave anyone with possession of it the ability to read and partially modify data the analyst had access to.
"Authentication vulnerabilities in OpenBSD"
https://seclists.org/oss-sec/2019/q4/120
(A patch that fixes the issue has already been released)
Gonçalo Valério
boosted
Malicious Python libraries stealing OpenPGP and SSH keys:
https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/
– Look for python3-dateutil, and jeIlyfish.
– Both modules try to exfiltrate SSH/OpenPGP keys and send them to an IP address.
– This is the third time the PyPI team intervenes to remove typo-squatted malicious Python libraries from the official repository.
"Spot the security problem" advent.
(Java edition)
"Visualizing the distribution of trusted CA’s"
https://michaelhendrickx.com/201911-certgraph-visualizing-the-distribution-of-trusted-cas.html
"Learn two languages"
https://letterstoanewdeveloper.com/2019/01/28/learn-two-languages/
Solid advise! Not just 2 but at least 2.
Gonçalo Valério
boosted
Mozilla ranks products from "not creepy" to "super creepy" in terms of privacy, explaining the reasons behind every score.
https://foundation.mozilla.org/en/privacynotincluded/
hmmm, might be useful to have a very quick look on how a given tool or programming language works.
"Help stop the sale of Public Interest Registry to a Private Equity Firm"
"Internet world despairs as non-profit .org sold for $$$$ to private equity firm, price caps axed"
https://www.theregister.co.uk/2019/11/20/org_registry_sale_shambles/
🤦♂️
"We can't send email more than 500 miles"
https://web.mit.edu/jemorris/humor/500-miles
Entertaining story :)
"New NextCry Ransomware Encrypts Data on NextCloud Linux Servers"
Nice summary about how JWTs work and how they can be exploited.
Gonçalo Valério
boosted
TPM-FAIL – security vulnerabilities in Trusted Platform Modules:
http://tpm.fail/tpmfail.pdf (PDF file)
– Affected are Platform Trust Technology (Intel), and ST33 TPM chip (STMicroelectronics). TPMs from Nuvoton/Infineon aren't affected.
– A remote attacker could retrieve certain private keys (e.g., as used by ECDSA).
– Intel provides a firmware update; vulnerable ST33 chips can't be patched.
#tpm #tpmfail #sidechannel #attack #vulnerability #infosec #security #cybersecurity
"TL;DR: an attacker can mount a RIDL attack despite the in-silicon mitigations/microcode patches published in May 2019 being in place."
"Keylogging users via Slack themes "
Admin
Full-stack developer, advocate of a free, secure and safe Internet. Nature lover and sports enthusiast.
Joined Apr 2017
