What's that sound? AAAH, Zombies!
Sin and co are live on Twitch for some #7daystodie: https://www.twitch.tv/GamingOnLinux
"Urgent security issue in NGINX/php-fpm"
https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/
PHP issue: https://bugs.php.net/bug.php?id=78599
XXE to RCE in XML plugins for VS Code, Eclipse and other software based on LSP4XML.
https://www.shielder.it/blog/dont-open-that-xml-xxe-to-rce-in-xml-plugins-for-vs-code-eclipse-theia/
https://twitter.com/0xInfection/status/1148267196306427904
Be careful with those blacklists.
"Roads" by Max Böck https://mxb.dev/blog/roads/
Brilliant satire on modern web development.
https://darkport.co.uk/blog/ahh-shhgit!/
:thumbsup: tldr: Do not commit secrets to your code repo. There are some tools available to help detect and avoid it when it happens accidentally.
"Samsung: Anyone's thumbprint can unlock Galaxy S10 phone"
https://www.bbc.com/news/technology-50080586
"biometrics" 🤷♂️
> When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.
ECSM 2019 – Tips for your cyber hygiene:
https://infosec-handbook.eu/blog/ecsm2019-cyber-hygiene/
We present about 20 quick actions to keep or improve your level of information security in day-to-day life. Feel free to share your tips.
#ecsm2019 #ecsm #cyberhygiene #security #infosec #cybersecurity
"Projects vs Tasks"
Several years too late, but built-in PGP support is coming to Thunderbird.
https://blog.mozilla.org/thunderbird/2019/10/thunderbird-enigmail-and-openpgp/
Google, Xiaomi, and Huawei devices affected by zero-day flaw that unlocks root access https://thenextweb.com/security/2019/10/04/google-xiaomi-and-huawei-devices-affected-by-zero-day-flaw-that-unlocks-root-access/
Security theater and security superstition
"There *was* a logic error in Signal that can cause an incoming call to be answered even if the callee does not pick it up."
https://bugs.chromium.org/p/project-zero/issues/detail?id=1943
"In summary, usage of the package key to rename dependencies in Cargo.toml is ignored in Rust 1.25.0 and prior. When Rust 1.25.0 and prior is used Cargo will ignore package and download the wrong dependency"
https://blog.rust-lang.org/2019/09/30/Security-advisory-for-cargo.html
Disclosure of a Lightning network bug/vulnerability (already fixed in recent versions):
https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002174.html
"Software Security Field Guide for the Bewildered"
https://zwischenzugs.com/2019/09/22/software-security-field-guide-for-the-bewildered/
Simple explanations of how websites can track user activity:
* https://kevq.uk/how-online-tracking-works
* https://kevq.uk/how-browser-fingerprinting-works
Tool to search for security weaknesses in your Kubernetes clusters.
LastPass releases update for security vulnerability:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1930
– The vulnerability allowed extracting credentials of previously-visited websites.
– Tavis Ormandy: "I think it's fair to call this 'High' severity, even if it won't work for *all* URLs."
– fixed in v4.33.0/v4.33.
#lastpass #security #vulnerability #tavisormandy #projectzero #infosec #cybersecurity
Full-stack developer, advocate of a free, secure and safe Internet. Nature lover and sports enthusiast.