Gonçalo Valério @dethos@s.ovalerio.net
Admin
Full-stack developer, advocate of a free, secure and safe Internet. Nature lover and sports enthusiast.
Joined Apr 2017
Gonçalo Valério
boosted
What's that sound? AAAH, Zombies!
Sin and co are live on Twitch for some #7daystodie: https://www.twitch.tv/GamingOnLinux
"Urgent security issue in NGINX/php-fpm"
https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/
PHP issue: https://bugs.php.net/bug.php?id=78599
XXE to RCE in XML plugins for VS Code, Eclipse and other software based on LSP4XML.
https://www.shielder.it/blog/dont-open-that-xml-xxe-to-rce-in-xml-plugins-for-vs-code-eclipse-theia/
https://twitter.com/0xInfection/status/1148267196306427904
Be careful with those blacklists.
Gonçalo Valério
boosted
"Roads" by Max Böck https://mxb.dev/blog/roads/
Brilliant satire on modern web development.
https://darkport.co.uk/blog/ahh-shhgit!/
:thumbsup: tldr: Do not commit secrets to your code repo. There are some tools available to help detect and avoid when it happens accidentally.
"Samsung: Anyone's thumbprint can unlock Galaxy S10 phone"
https://www.bbc.com/news/technology-50080586
"biometrics" 🤷♂️
> When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.
Several years too late, but built in PGP support is coming to Thunderbird.
https://blog.mozilla.org/thunderbird/2019/10/thunderbird-enigmail-and-openpgp/
Gonçalo Valério
boosted
Google, Xiaomi, and Huawei devices affected by zero-day flaw that unlocks root access https://thenextweb.com/security/2019/10/04/google-xiaomi-and-huawei-devices-affected-by-zero-day-flaw-that-unlocks-root-access/
Security theater and security superstition
"There *was* a logic error in Signal that can cause an incoming call to be answered even if the callee does not pick it up."
https://bugs.chromium.org/p/project-zero/issues/detail?id=1943
"In summary, usage of the package key to rename dependencies in Cargo.toml is ignored in Rust 1.25.0 and prior. When Rust 1.25.0 and prior is used Cargo will ignore package and download the wrong dependency"
https://blog.rust-lang.org/2019/09/30/Security-advisory-for-cargo.html
Disclosure of a Lightning network bug/vulnerability (already fixed in recent versions):
https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002174.html
"Software Security Field Guide for the Bewildered"
https://zwischenzugs.com/2019/09/22/software-security-field-guide-for-the-bewildered/
Simple explanations of how websites can track user activity:
* https://kevq.uk/how-online-tracking-works
* https://kevq.uk/how-browser-fingerprinting-works
Tool to search for security weaknesses in your Kubernetes clusters.
"Basic Electron Framework Exploitation"
https://www.contextis.com/en/blog/basic-electron-framework-exploitation
On using certificate authentication with SSH:
https://smallstep.com/blog/use-ssh-certificates/
An good and open source tool to help you with this is Hashicorps Vault.
Admin
Full-stack developer, advocate of a free, secure and safe Internet. Nature lover and sports enthusiast.
Joined Apr 2017
