Christian Folini ⛑️ :verified:

Author of the #ModSecurity Handbook 2ed, #OWASP #CoreRuleSet project co-lead and trainer. Program chair #SwissCyberStorm. Helmet wearer from 🇨🇭.

Christian Folini ⛑️ :verified:Folini@infosec.exchange
2023-09-05

I predicted that sooner or later a 🇨🇭 association for the disabled would sue for #EVoting. We're not yet there, but the strong Schweizerische Blindenverband is raising the pressure.
Also: Clear call for #ECollecting
inside-it.ch/blindenverband-fo

Christian Folini ⛑️ :verified:Folini@infosec.exchange
2023-04-28

@michelamarie Ah, and before I forget: Shodan is blocked at PL2, but we might want to consider it per default.

Christian Folini ⛑️ :verified:Folini@infosec.exchange
2023-04-28

@michelamarie We're doing a multi-level approach here. Via the CRS paranoia levels if you are familiar with the concept. So the list above are the worst, then a myriad of other bad UAs on PL2 and then finally some stuff you usually welcome on a server like search engine bots. They will also be blocked at PL4 and you need to allow them specifically if you want to have them on that security level.

Christian Folini ⛑️ :verified:Folini@infosec.exchange
2023-04-28

@michelamarie @Edent As it happens I pushed a pull request to CRS (the OWASP ModSecurity Core Rule Set project) lately. It's about almost 2K bad user agents.

github.com/coreruleset/corerul

Headless Chrome is on the list.

Christian Folini ⛑️ :verified:Folini@infosec.exchange
2023-04-19

I've consolidated a list of security scanner user agents. Many modern ones send a fake UA. But some don't. Here is the list - minus public security services such as ssllabs; all lowercase and abbreviated to the essential keyword:

betabot
bewica-security-scan
dirbuster
fimap
gobuster
havij
hexometer
jbrofuzz
jorgee
libwhisker
masscan
massscan
morfeus fucking scanner
nessus
netlab360
netsparker
nikto
nmap
nuclei
openvas
sitelockspider
sqlmap
sysscan
w3af.org
webbandit
webshag
wfuzz
whatweb
wprecon
wpscan
zgrab
zmeu

I've gone through many, many different sources. Did I miss anything?
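An added example (not from the post and not CRS code) that puts the list above to work as detection logic over access log lines. It assumes Apache/Nginx "combined" log format, matches the keywords the way ModSecurity's @pm / @pmFromFile operator would (case-insensitive substring), and renders the list into the one-keyword-per-line data file that such a rule reads. The sample log lines are constructed, and the rule id in EXAMPLE_RULE is a placeholder, not a CRS id.

```python
import re

# Keywords from the post above (lowercase, abbreviated to the essential token).
SCANNER_UA_KEYWORDS = [
    "betabot", "bewica-security-scan", "dirbuster", "fimap", "gobuster",
    "havij", "hexometer", "jbrofuzz", "jorgee", "libwhisker", "masscan",
    "massscan", "morfeus fucking scanner", "nessus", "netlab360",
    "netsparker", "nikto", "nmap", "nuclei", "openvas", "sitelockspider",
    "sqlmap", "sysscan", "w3af.org", "webbandit", "webshag", "wfuzz",
    "whatweb", "wprecon", "wpscan", "zgrab", "zmeu",
]

# Apache/Nginx "combined" log line; the User-Agent is the final quoted field.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def match_scanner(user_agent):
    """Return the first keyword contained in the UA, or None.
    Case-insensitive substring matching mirrors what ModSecurity's
    @pm / @pmFromFile operator does with a keyword file."""
    ua = user_agent.lower()
    for keyword in SCANNER_UA_KEYWORDS:
        if keyword in ua:
            return keyword
    return None

def scan_log(lines):
    """Return (client ip, request line, keyword) for every line whose UA matches."""
    hits = []
    for line in lines:
        m = COMBINED_LOG.match(line.rstrip("\n"))
        if m is None:
            continue  # not a combined-format line: skip rather than guess
        keyword = match_scanner(m["ua"])
        if keyword is not None:
            hits.append((m["ip"], m["req"], keyword))
    return hits

# The CRS way to deploy such a list: one rule plus a keyword-per-line data file.
def modsecurity_data_file(keywords):
    return "".join(k + "\n" for k in keywords)

# Placeholder rule id 9001000; file name and message are assumptions for the example.
EXAMPLE_RULE = (
    'SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" '
    '"id:9001000,phase:1,deny,status:403,log,msg:\'Security scanner user agent\'"'
)

# Constructed sample log lines (not real traffic). The last one shows the
# false-positive risk of very short keywords: "unmapped" contains "nmap".
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Apr/2023:10:00:01 +0200] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"',
    '203.0.113.8 - - [19/Apr/2023:10:00:02 +0200] "GET /?id=1%27 HTTP/1.1" 403 199 "-" '
    '"sqlmap/1.7.4#stable (https://sqlmap.org)"',
    '198.51.100.3 - - [19/Apr/2023:10:00:03 +0200] "GET /index.html HTTP/1.1" 200 4096 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"',
    '203.0.113.9 - - [19/Apr/2023:10:00:04 +0200] "GET /.git/config HTTP/1.1" 404 196 "-" '
    '"Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"',
    '198.51.100.4 - - [19/Apr/2023:10:00:05 +0200] "GET /api HTTP/1.1" 200 88 "-" '
    '"SomeApp/1.0 (unmapped build)"',
]

if __name__ == "__main__":
    for ip, req, kw in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {kw:10} {req}")
```

Two caveats the sample makes visible: substring matching on tokens as short as "nmap" or "zmeu" will fire on unrelated strings, so a keyword list like this belongs behind a rule you can tune, and, as the post says, it only catches scanners that do not bother to fake their UA.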

Christian Folini ⛑️ :verified:Folini@infosec.exchange
2023-04-19

@MirkoDziadzka Yes, I've seen it before. Isn't there a PHP library too? I thought about making this a ModSecurity rule set but never got going. With the CRS plugin functionality, I think it would be possible to run this in Lua, cache the results (key: hash of the UA) and then display the consolidated identifier of the browser in the access log. I think that would be really, really useful.

Christian Folini ⛑️ :verified:Folini@infosec.exchange
2023-04-17

1st real use case for chatgpt where it allows me to perform something I would not attempt without assistance:

Qualify a list of ~2K user agents I grabbed from github. Chatgpt tells me if they are popular at all and what their use case is.

Working with the CLI by @mmabrouk_.

Christian Folini ⛑️ :verified:Folini@infosec.exchange
2023-04-12

The video of my @1ns0mn1h4ck keynote

"Crazy Incentives And How They Drive Security Into No Man's Land"

is now online.

Watch this if you believe in Bug Bounties, pie charts or if you think the shepherd got bad press when he cried wolf too often.

youtube.com/watch?v=612Pi_yk3s

Christian Folini ⛑️ :verified:Folini@infosec.exchange
2023-04-06

Ah, interesting twist. I'll investigate this option, thanks.

Christian Folini ⛑️ :verified:Folini@infosec.exchange
2023-04-06

ACK

Christian Folini ⛑️ :verified:Folini@infosec.exchange
2023-04-06

Thanks @occirol

Data retention regulation is priced in, no worries. But I see separate backups as the way to go (see different thread). Complex, but doable.

Christian Folini ⛑️ :verified:Folini@infosec.exchange
2023-04-06

That's already quite a lot @lpwaterhouse

I had this in mind, but was not sure: So every batch gets a separate backup and when the data needs to be erased, the series of backups for a given batch gets kicked.

The number of batches is likely below 1 dozen for any given moment, so this is tedious but doable.
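An added example (not the author's design or code) that models the batch approach described in this post: every backup object belongs to exactly one batch, erasure on day X drops the batch's whole backup series, and a content check afterwards confirms nothing of the batch survived. Batch ids, backup dates and the record payloads are constructed; dates are ISO strings so plain string comparison orders them correctly.

```python
from dataclasses import dataclass, field

# Toy model of the thread's design: user data arrives in batches whose
# boundaries and erasure day ("day X") are known in advance, every backup
# object holds data of one batch only, and erasing a batch means dropping
# its entire backup series. All ids, dates and payloads below are constructed.

@dataclass
class Batch:
    batch_id: str
    erase_on: str           # ISO date of day X for this batch

@dataclass
class BackupObject:
    batch_id: str
    taken: str              # ISO date the backup was taken
    records: list           # (batch_id, payload) pairs as they sit in the dump

@dataclass
class BackupStore:
    batches: dict = field(default_factory=dict)   # batch_id -> Batch
    objects: list = field(default_factory=list)   # every backup object we hold

    def register_batch(self, batch):
        self.batches[batch.batch_id] = batch

    def add_backup(self, batch_id, taken, records):
        """Store one backup of one batch. A dump that mixes batches (for
        instance a full database dump) is refused, because it could never
        be erased batch by batch later on."""
        if batch_id not in self.batches:
            raise KeyError(f"unknown batch {batch_id}")
        foreign = {b for b, _ in records if b != batch_id}
        if foreign:
            raise ValueError(f"backup for {batch_id} also holds {sorted(foreign)}")
        self.objects.append(BackupObject(batch_id, taken, list(records)))

    def due_for_erasure(self, today):
        return sorted(b.batch_id for b in self.batches.values() if b.erase_on <= today)

    def erase_batch(self, batch_id):
        """Drop the entire backup series of one batch; return how many objects went."""
        before = len(self.objects)
        self.objects = [o for o in self.objects if o.batch_id != batch_id]
        self.batches.pop(batch_id, None)
        return before - len(self.objects)

    def leftovers(self, batch_id):
        """Post-erasure check that looks at contents, not labels: any remaining
        object still carrying a record of the batch is a leak."""
        return [o for o in self.objects if any(b == batch_id for b, _ in o.records)]


def run_erasure(store, today):
    """Erase every batch whose day X has come; report (removed, leftover) per batch."""
    report = {}
    for batch_id in store.due_for_erasure(today):
        removed = store.erase_batch(batch_id)
        report[batch_id] = (removed, len(store.leftovers(batch_id)))
    return report


def build_sample_store():
    """Constructed sample: two weekly order batches with three backups each."""
    store = BackupStore()
    store.register_batch(Batch("2023-W14", "2023-06-01"))
    store.register_batch(Batch("2023-W15", "2023-06-08"))
    for day in ("2023-04-08", "2023-04-15", "2023-04-22"):
        store.add_backup("2023-W14", day, [("2023-W14", "order-1"), ("2023-W14", "order-2")])
    for day in ("2023-04-15", "2023-04-22", "2023-04-29"):
        store.add_backup("2023-W15", day, [("2023-W15", "order-3")])
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(run_erasure(store, "2023-06-01"))   # the W14 series goes, W15 stays
```

The part worth keeping from the toy is the invariant, not the data structure: the moment any backup object mixes batches (a nightly full dump is the usual culprit), batch-wise erasure stops being possible, so the store refuses such objects up front and the leftovers check inspects contents rather than trusting labels.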

Christian Folini ⛑️ :verified:Folini@infosec.exchange
2023-04-06

Thanks @lpwaterhouse

I'm sorry but I can not reveal more than I did (I know it's very little). The project is about the user data and the jurisdiction will trigger a removal of the user data on day X. On the plus side, it will be in batches and definition of the batches is known beforehand. Think online-shop orders for week X (the example fits, even if the project is not about an online shop).

I agree that cloning the VM is a poor approach in this situation. :)

Christian Folini ⛑️ :verified:Folini@infosec.exchange
2023-04-06

Difficult question:

I'm facing a situation where I need to prepare an architecture, including backup, that will allow removing user data in the future, also from the backups.

What design options do I have?
Where can I read about this?
Who do I need to talk to?

Christian Folini ⛑️ :verified:Folini@infosec.exchange
2023-04-05

Sorry, but it's not my site @adorkable. It's an online magazine.

Online voting is a wide field and you are touching on very important questions. Some of them are solved to a certain extent, some of them remain unaddressed.

Here is a 60-page summary of an expert dialogue I moderated in 2020 for the Swiss government. It's a relatively good overview of the status of the problems and their solutions.
bk.admin.ch/dam/bk/en/dokument

And finally a few Swiss key items to put things in perspective: 90+% of voters vote by mail in Switzerland (and the security guarantees of mail in ballots are really quite weak). We vote at least 4 times a year (semi-direct democracy), we regularly have 5-10% invalid ballots in elections due to the complex things you are allowed to do on the paper ballots (or not allowed to do) and there is no technique in sight that guarantees blind people and quadriplegics a secret ballot outside of online voting.

I am not really a pro-Online-Voting person. But outside of the well known risks connected to the technology, there are also a few valid arguments in favor of EVoting.

Christian Folini ⛑️ :verified:Folini@infosec.exchange
2023-04-05

In a recent interview I explained that building trust in #EVoting will take many years - if ever.
And that it can only grow through successful management of failures and crisis.

The interview is part of a series in 🇨🇭 @inside_it magazine. Thanks Thomas Schwendener for the great questions!

inside-it.ch/e-voting-report-v

Christian Folini ⛑️ :verified:Folini@infosec.exchange
2023-04-03

@hac_overflow It's been a pleasure to work with you John and I hope to read more journalism from you in the future!

Christian Folini ⛑️ :verified: boosted:
2023-04-03

PortSwigger has closed The Daily Swig and I've been made redundant, so I'm looking for freelance tech journalism work #journojobs

Christian Folini ⛑️ :verified:Folini@infosec.exchange
2023-03-31

Switzerland is in the middle of a real storm. Last week, it was a bank, today it was a train ...

Christian Folini ⛑️ :verified:Folini@infosec.exchange
2023-03-27

The Swiss Cyber Storm conference has been running for many years and we regularly have exceptionally positive feedback from the audience.

Here is my take on how to deliver a great IT security conference. 10 points in the blog post. Here is a brief summary.

swisscyberstorm.com/2023/03/20

#1: Know who you are and what you want
#2: A great program is essential (but not for the reasons you expect)
#3: Creating a great program based on a CfP often fails
#4: Creating a curated program is much easier
#5: Create a speaker flyer (you did not see this coming, did you?)
#6: Pay your speakers (at least all their expenses)
#7: Keep the sponsors away from the main track
#8: Treat your speakers like stars
#9: Coach your speakers
#10: Don’t underestimate the catering

As the program chair, I seem to be somewhat fixated on the program. :)

And I will defend the need for great sponsors very much. It's just that handing the main stage over to them undermines the value of the conf - and that's ultimately what they are paying for. So you kind of need to protect the conference from the individual sponsors for all the other sponsors, since the main stage is a limited resource.
