Gonçalo Valério @dethos@s.ovalerio.net
Admin
Full-stack developer, advocate of a free, secure and safe Internet. Nature lover and sports enthusiast.
[Header photo by Colin Watts, source Unsplash]
Joined Apr 2017
"Internet Archive Infrastructure"
https://archive.org/details/jonah-edwards-presentation
Super interesting 👍
"Are Xiaomi browsers spyware? Yes, they are…"
https://palant.info/2020/05/04/are-xiaomi-browsers-spyware-yes-they-are.../
"An Exploration of JSON Interoperability Vulnerabilities"
https://labs.bishopfox.com/tech-blog/an-exploration-of-json-interoperability-vulnerabilities
👍
"Avoiding npm substitution attacks"
https://github.blog/2021-02-12-avoiding-npm-substitution-attacks/
"Common Nginx misconfigurations"
https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/
"Total Cookie Protection, works by maintaining a separate “cookie jar” for each website you visit."
https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/
"Traitor packages up a bunch of methods to exploit local misconfigurations and vulnerabilities (including most of GTFOBins) in order to pop a root shell."
"... ByteDance's censorship machine"
https://www.protocol.com/china/i-built-bytedance-censorship-machine
"Malware in open-source web extensions"
"The "P" in Telegram stands for Privacy"
https://www.inputzero.io/2020/12/telegram-privacy-fails-again.html
And like others have said, the "s" stands for security.
"What happens if malicious code is uploaded to npm under these names? Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones?"
"For instance, the main culprit of Python dependency confusion appears to be the incorrect usage of an “insecure by design” command line argument called --extra-index-url."
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
"Intercept SSM Agent Communications"
"Supercookie uses favicons to assign a unique identifier to website visitors."
"Why npm lockfiles can be a security blindspot for injecting malicious modules"
https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/
I would say this also applies to other languages and package managers.
"As an interim solution to help people in Iran get connected again, we’ve added support in Signal for a simple TLS proxy that is easy to set up, can be used to bypass the network block, and will securely route traffic to the Signal service."
"Growth, where it no longer serves a purpose beyond the accumulation of more growth — in the form of investors’ returns, company coffers and the personal wealth of founders — is worshipped. And the cost is astronomical."
Gonçalo Valério
boosted
They were so busy asking “will it scale?” they forgot to ask “does it need to scale?”
Gonçalo Valério
boosted
Element on Google Play Store - https://element.io/blog/element-on-google-play-store/
> We submitted an appeal asking for clarification at 23:18, and at 05:31 received an update from the Google Play Policy team citing that the app has been removed due to content which contravenes their terms of use, and asking us to “make the necessary changes to [our] app” and “upload a new app using a new package name and a new app name”
🤦♂️
"Heap-based buffer overflow in Sudo (CVE-2021-3156)"
https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Admin
Full-stack developer, advocate of a free, secure and safe Internet. Nature lover and sports enthusiast.
[Header photo by Colin Watts, source Unsplash]
Joined Apr 2017
