Daniel Cuthbert

Documentary photographer, old creaky hacker. Co-author of the @OWASP ASVS standard. Blackhat/Brucon Review Board.

2025-04-09

By far the best episode of “between two nerds”: podcasts.apple.com/gb/podcast/

I couldn’t agree with both of them any more. The forced scarcity of bugs and misconception that so many in this industry have about the use of ohdayz is baffling. Both Tom and The Grugq really do spell it out

2025-04-09

@wirepair thanks. Lesson learned. These things go missing too easily if you don’t tie them to a block of wood like a petrol station toilet key

2025-04-08

Aaaand found that missing yubikey so I could finally auth to this.

2024-11-08

@kurtseifried I do agree and seeing the impact ECH has on those trying to subvert and control, it makes me wonder why more don't enable it.

I'm now making it my mission to get it into the ASVS so we can push this more, that's for sure

Daniel Cuthbert boosted:
2024-11-08

You can bypass path-based WAF restrictions by appending raw/unencoded non-printable and extended-ASCII characters like \x09 (Spring), \xA0 (Express), and \x1C-1F (Flask):

2024-11-08

I guess we now know that Encrypted Client Hello (ECH) technology works, especially when it pisses off the FSB and other Russians who like controlling the narrative

Roskomnadzor took the decision after Cloudflare enabled ECH by default for customer accounts in October.

The agency said ECH was being used by Russian citizens to bypass its censorship measures and access restricted resources.

So if it's annoying the russkis that much, I know it's good and as such now have added it as a PR for 5.0

github.com/OWASP/ASVS/pull/235

If it annoys them, I like it and think this is mosdef an addition we need to enable all to help push privacy.

2024-11-07

PR merged after 72 hours of mega work, if anyone fancies seeing/commenting, I'd love the insights

github.com/OWASP/ASVS/blob/mas

2024-11-05

For those who have bandwidth, there are a load of issues already present on this new branch, namely:

github.com/OWASP/ASVS/issues

2024-11-05

Soooooo, our PR was merged into 5.0 and there's still a lot of work needed here, but more importantly, there's comments from the community that would help us too.

github.com/OWASP/ASVS/blob/mas

If you see an issue, raise an issue and help us make this usable for all.

Thank you

2024-11-04

@SiteRelEnby the struggle is real. Today is crunch day

2024-11-03

That yearly decision process where I debate profusely if I renew the .io domain I’ve yet to use but costs 50 a year….

2024-11-02

Very interesting issue with Okta here, especially with the use of bcrypt

trust.okta.com/security-adviso

As Yan (@bcrypt) said

“reminder that the bcrypt hash function ignores input above a certain length! so if you do bcrypt(username || password) for some reason, a sufficiently long username will make it accept any password. to fix this you can sha256 the input first”
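The point in Yan's quote can be checked in a few lines. bcrypt only hashes the first 72 bytes of its input and silently ignores the rest, so a 72-byte username followed by any password always produces the same bcrypt input. The example below is added here and is not code from the post, from Okta or from any bcrypt library: it models the 72-byte limit by slicing (so it runs without the bcrypt package; real bcrypt behaves the same way), and the function names and the constructed usernames are my own. It shows the risky `bcrypt(username || password)` shape beside the pre-hash fix, with one extra caveat a practitioner wants: the SHA-256 digest is base64-encoded before it goes into bcrypt, because a raw digest can contain a 0x00 byte that several bcrypt implementations treat as end of string.

```python
import base64
import hashlib

# bcrypt hashes at most the first 72 bytes of its input; everything after
# that is ignored. This constant models that limit for the example.
BCRYPT_MAX_INPUT_BYTES = 72


def bcrypt_effective_input(data: bytes) -> bytes:
    """Return the bytes bcrypt would actually hash.

    Stand-in for the truncation inside real bcrypt so the example runs
    offline; only the first 72 bytes of `data` survive.
    """
    return data[:BCRYPT_MAX_INPUT_BYTES]


def naive_bcrypt_input(username: str, password: str) -> bytes:
    """The risky pattern from the post: bcrypt(username || password).

    Once the username alone fills 72 bytes, the password never reaches
    the hash, so any password yields the same bcrypt input.
    """
    return bcrypt_effective_input(username.encode() + password.encode())


def prehashed_bcrypt_input(username: str, password: str) -> bytes:
    """The fix from the post: SHA-256 the combined input, then bcrypt it.

    The digest is base64-encoded (44 bytes, well under 72) rather than
    passed raw: a raw digest may contain 0x00, which some bcrypt
    implementations treat as a string terminator, another truncation.
    """
    digest = hashlib.sha256(username.encode() + password.encode()).digest()
    return bcrypt_effective_input(base64.b64encode(digest))


def naive_accepts_any_password(username: str) -> bool:
    """True if two different passwords collide under the naive scheme."""
    return naive_bcrypt_input(username, "correct horse") == naive_bcrypt_input(
        username, "wrong"
    )


def prehashed_accepts_any_password(username: str) -> bool:
    """Same check against the pre-hashed scheme; should always be False."""
    return prehashed_bcrypt_input(username, "correct horse") == prehashed_bcrypt_input(
        username, "wrong"
    )


if __name__ == "__main__":
    # Constructed usernames: one byte under the limit, and exactly at it.
    for name in ("alice", "a" * 71, "a" * 72):
        print(
            f"username length {len(name):>2}: "
            f"naive collides={naive_accepts_any_password(name)} "
            f"prehashed collides={prehashed_accepts_any_password(name)}"
        )
```

Run it and the 71-byte username still distinguishes the two passwords (one byte of the password survives), while the 72-byte username collides under the naive scheme and never under the pre-hashed one. The same reasoning applies to any scheme that puts attacker-controlled bytes in front of the secret before bcrypt: keep the total under 72 bytes or pre-hash.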

2024-11-01

It has taken a while but Mark Carney and I have just done a pull request to the OWASP ASVS 5.0 branch introducing major changes to V6 Cryptography

github.com/OWASP/ASVS/pull/221

It builds upon the work we’ve done to hopefully make apps more secure from a cryptographic perspective & we are sure will see a lot of good discourse from all involved

We’d love to hear your thoughts and comments, as it’s a community-driven standard and always has been

github.com/OWASP/ASVS/pull/221

2024-10-23

@cynicalsecurity @marasawr please anonymise and share

2024-10-22

Err, hmmm, I, just….

“It works by taking static screenshots that are constantly sent back to the API in real-time”

Said most malware writers who use multi-stage payloads to exfiltrate data out or an AI giant announcing their new feature

It’s hard to tell these days

2024-10-18

If you are going to own a high-profile target, maybe OPSEC should be a level above "skid"

#justsayin

2024-10-10

@Viss hell yes!!!! Not far but I’ll make the trip

2024-10-10

A benefit of country living is an amazing red aurora in the skies with hardly any light pollution

2024-09-30

@vfxsup I’ve tried to stay away from drones for this exact reason

2024-09-30

Africa, as a continent, has truly epic talent; it’s just that you rarely hear about it.

Peter is a Kenyan hacker of note, adding a custom ECU he designed to classic cars and doing a bloody good job at the same time. All designed around the @arduino with custom maps too. Make no mistake, what he’s done is off the scale, and that’s coming from someone with classic Mercedes-Benzes who likes to tinker

youtu.be/TMDtOC3X2o4?si=-cLsoo

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst