Revealed: Microsoft Contractors Are Listening to Some Skype Calls https://www.vice.com/en_us/article/xweqbq/microsoft-contractors-listen-to-skype-calls
"Detecting incognito mode in Chrome 76 with a timing attack"
WPA3 – two new vulnerabilities were discovered:
– CVE-2019-13377: Brainpool curves introduce a second class of side-channel leaks in the Dragonfly handshake of WPA3
– CVE-2019-13456: information leak in FreeRADIUS' EAP-pwd due to aborting when needing more than 10 iterations
– according to @vanhoefm (Twitter), "Wi-Fi standard is now being updated with proper defenses, which might lead to WPA3.1"
3 reasons for a false sense of security:
– reason 1: Legacy configuration and outdated security tips
– reason 2: No threat model
– reason 3: No checks and no monitoring
Don’t just assume security; actually check it.
Nice overview of Docker container capabilities.
So the government of Kazakhstan is MITM'ing all SSL'ed traffic https://lobste.rs/s/uqj8nq/mitm_on_all_https_traffic_kazakhstan#c_0boxyk
The way they are doing this is by adding a Certificate Authority (CA) to users' trust stores, which allows them to snoop on all traffic.
This is, by the way, why SSL is criticized as being "only as secure as the weakest CA in your system". Here it's deliberate, but that's a problem in general.
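Since the interception only works if the extra CA is trusted on the endpoint, a practical defensive check is to enumerate the roots a system trusts and flag any not on an allowlist. The script below is an added example, not code from the linked thread; it assumes the allowlist is keyed on the root's Organization name, and the sample store entries are constructed in the shape returned by Python's `ssl.SSLContext.get_ca_certs()`.

```python
"""Audit a trusted root CA store for roots that are not on an allowlist."""
import ssl

def subject_field(cert, key):
    """Return the first value for `key` (e.g. 'organizationName') from a
    get_ca_certs()-style subject tuple, or None if the field is absent."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None

def unexpected_roots(ca_certs, allowed_orgs):
    """Return (commonName, organizationName) for every root whose
    organizationName is not in allowed_orgs. Roots with no organization are
    always flagged, since an injected CA need not carry one."""
    flagged = []
    for cert in ca_certs:
        org = subject_field(cert, "organizationName")
        if org not in allowed_orgs:
            flagged.append((subject_field(cert, "commonName"), org))
    return flagged

# Constructed sample store: two allowlisted roots plus one that was pushed
# onto the machine by a third party (names are placeholders, not real CAs).
SAMPLE_CA_CERTS = [
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Example Trust Inc"),),
                 (("commonName", "Example Trust Root CA"),)),
     "notAfter": "Jan  1 00:00:00 2038 GMT"},
    {"subject": ((("organizationName", "Another Trust LLC"),),
                 (("commonName", "Another Trust Root"),)),
     "notAfter": "Jan  1 00:00:00 2035 GMT"},
    {"subject": ((("countryName", "XX"),),
                 (("commonName", "Example Injected Root"),)),
     "notAfter": "Jan  1 00:00:00 2030 GMT"},
]
ALLOWED_ORGS = {"Example Trust Inc", "Another Trust LLC"}

def audit_system_store(allowed_orgs=ALLOWED_ORGS):
    """Run the same check against the roots the local OpenSSL build trusts.
    Note: roots in a capath directory only appear once they have been used."""
    ctx = ssl.create_default_context()
    return unexpected_roots(ctx.get_ca_certs(), allowed_orgs)

if __name__ == "__main__":
    for cn, org in unexpected_roots(SAMPLE_CA_CERTS, ALLOWED_ORGS):
        print(f"unexpected root: CN={cn!r} O={org!r}")
```

Replace `SAMPLE_CA_CERTS` with `audit_system_store()` to run the check against the machine's own trust store; the allowlist should be built from a known-good baseline image rather than typed by hand.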
NEWS: A New Stable Version of FreedomBox
We are pleased to announce that a new stable version of the #FreedomBox software system has been released! 🎉 🎉 🎉
The new stable version of FreedomBox is a big improvement over the previous stable version. It features a redesigned user interface, many more applications and features, and a streamlined user experience.
Please download and test it out!
"Bluetooth LE’s anti-tracking technology beaten"
In fact that justification for the "commands based on image size" was a little strange.
Super Small Summary:
* Zoom for Mac lets any website force your client to join a call
* With the camera turned on
* Installs a web-server that is not deleted when you remove the app
* That web-server can be used to remotely reinstall the Zoom app and to DoS your machine.
(Not patched yet)
"strong_password v0.0.7 rubygem hijacked"
"Learnings from modern app sec teams"
Small and useful intro to threat modeling 👌