Gonçalo Valério @dethos@s.ovalerio.net
Admin
Full-stack developer, advocate of a free, secure and safe Internet. Nature lover and sports enthusiast.
Joined Apr 2017
Gonçalo Valério
boosted
"Roads" by Max Böck https://mxb.dev/blog/roads/
Brilliant satire on modern web development.
https://darkport.co.uk/blog/ahh-shhgit!/
:thumbsup: tldr: Do not commit secrets to your code repo. There are some tools available to help detect and avoid when it happens accidentally.
"Samsung: Anyone's thumbprint can unlock Galaxy S10 phone"
https://www.bbc.com/news/technology-50080586
"biometrics" 🤷♂️
> When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.
Gonçalo Valério
boosted
ECSM 2019 – Tips for your cyber hygiene:
https://infosec-handbook.eu/blog/ecsm2019-cyber-hygiene/
We present about 20 quick actions to keep or improve your level of information security in day-to-day life. Feel free to share your tips.
#ecsm2019 #ecsm #cyberhygiene #security #infosec #cybersecurity
Several years too late, but built in PGP support is coming to Thunderbird.
https://blog.mozilla.org/thunderbird/2019/10/thunderbird-enigmail-and-openpgp/
Gonçalo Valério
boosted
Google, Xiaomi, and Huawei devices affected by zero-day flaw that unlocks root access https://thenextweb.com/security/2019/10/04/google-xiaomi-and-huawei-devices-affected-by-zero-day-flaw-that-unlocks-root-access/
Security theater and security superstition
"There *was* a logic error in Signal that can cause an incoming call to be answered even if the callee does not pick it up."
https://bugs.chromium.org/p/project-zero/issues/detail?id=1943
"In summary, usage of the package key to rename dependencies in Cargo.toml is ignored in Rust 1.25.0 and prior. When Rust 1.25.0 and prior is used Cargo will ignore package and download the wrong dependency"
https://blog.rust-lang.org/2019/09/30/Security-advisory-for-cargo.html
Disclosure of a Lightning network bug/vulnerability (already fixed in recent versions):
https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002174.html
"Software Security Field Guide for the Bewildered"
https://zwischenzugs.com/2019/09/22/software-security-field-guide-for-the-bewildered/
Simple explanations of how websites can track user activity:
* https://kevq.uk/how-online-tracking-works
* https://kevq.uk/how-browser-fingerprinting-works
Tool to search for security weaknesses in your Kubernetes clusters.
Gonçalo Valério
boosted
LastPass releases update for security vulnerability:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1930
– The vulnerability allowed extracting credentials of previously-visited websites.
– Tavis Ormandy: "I think it's fair to call this 'High' severity, even if it won't work for *all* URLs."
– fixed in v4.33.0/v4.33.
#lastpass #security #vulnerability #tavisormandy #projectzero #infosec #cybersecurity
"Basic Electron Framework Exploitation"
https://www.contextis.com/en/blog/basic-electron-framework-exploitation
On using certificate authentication with SSH:
https://smallstep.com/blog/use-ssh-certificates/
An good and open source tool to help you with this is Hashicorps Vault.
Gonçalo Valério
boosted
ProtonMail adds support for Web Key Directory (WKD), DANE, and MTA-STS:
https://protonmail.com/blog/security-updates-2019/
– WKD is also available for external keys now
– DANE is also available for custom domains
– Besides, they added HTTP headers (Expect-CT, Public-Key-Pins-Report-Only), DNS CAA, and monitoring (e.g., TLSRPT)
– There will be an independent security audit of all Proton apps
#protonmail #gpg #infosec #security #cybersecurity #openpgp #wkd #wks #dane #mtasts
> A lot of Chromebook and Chromebox users don't realize this, but all ChromeOS devices have an expiration date.
🤦♂️ put linux on it or don't buy this kind of stuff.
Admin
Full-stack developer, advocate of a free, secure and safe Internet. Nature lover and sports enthusiast.
Joined Apr 2017
