Cloudflare now supports security.txt! It's off by default, but this should really help adoption. This is a very good thing.
HT @troyhunt, who posted this to X but not here.
I posted some notes on API keys. Bearer API keys, JWTs as API keys (🤮), and signature based API keys. Considerations around storing hashed vs plaintext API keys, using unique key prefixes, and how we can make signature-based API keys more common.
On some level I think people become stronger engineers by running their own databases for a time. Pulling back the cover and seeing the hidden complexity can breed an understanding that serves folks well.
Obviously not a requirement--but something to consider.
I started working on a modern #cryptography tutorial as a single Python file, for some reason. It all got a bit out of hand. It's not finished, so probably just gets you to the point of blowing your foot off. Err... enjoy?
https://gist.github.com/NeilMadden/985711ded95ab4b2235faac69af45f30
A couple notes about the Infineon timing side channel affecting most YubiKeys.
1. yubikey-agent is unaffected in the evil maid threat model as the attacker needs physical access *and PIN*
2. lol, Infineon
3. Go mitigates timing side-channels in ECDSA nonce inversion by not being clever and just using Fermat's little theorem, which is as simple as a constant time exponentiation by p - 2 (which can be optimized with @mbmcloughlin's addchain)
https://ninjalab.io/eucleak/
https://www.yubico.com/support/security-advisories/ysa-2024-03/
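Point 3 above is the technique Go's ECDSA uses for the nonce inverse; the block below is an added illustration of it in Python, not code from the post, from Go, or from addchain. It computes k^-1 as k^(n-2) mod n with a square-and-multiply ladder that does identical work on every bit and selects results with a mask, then shows where that inverse sits in the ECDSA s computation. It assumes the P-256 group order as the modulus and uses constructed sample values; CPython big ints are not themselves constant-time, so this demonstrates the data-independent control flow, not a timing guarantee.

```python
# Added example (not code from the post, Go, or addchain): modular inversion
# by Fermat's little theorem, k^-1 = k^(n-2) mod n, with a fixed-shape ladder.
# Assumption: the scalar field is the P-256 group order N, which is prime.

# secp256r1 (P-256) group order; ECDSA nonces k lie in [1, N-1].
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def ct_select(flag: int, a: int, b: int) -> int:
    """Return a when flag == 1 and b when flag == 0, via a mask, not a branch."""
    mask = -flag            # 1 -> all ones, 0 -> 0
    return (a & mask) | (b & ~mask)


def ladder_modexp(base: int, exp: int, mod: int, bits: int) -> int:
    """Left-to-right square-and-multiply over a fixed number of bits.

    Every iteration performs the same square and multiply and picks the
    result with a mask, so the sequence of operations does not depend on
    the exponent bits. (CPython integers are not constant-time; this shows
    the control-flow shape a real implementation needs, not a guarantee.)
    """
    result = 1
    for i in range(bits - 1, -1, -1):
        result = (result * result) % mod
        multiplied = (result * base) % mod
        result = ct_select((exp >> i) & 1, multiplied, result)
    return result


def fermat_inverse(k: int, n: int = N) -> int:
    """k^-1 mod n computed as k^(n-2) mod n.

    The exponent n-2 is a public constant, so unlike the extended Euclidean
    algorithm, whose loop count depends on k, the work here is independent
    of the secret nonce.
    """
    if not 1 <= k < n:
        raise ValueError("k must be in [1, n-1]")
    return ladder_modexp(k, n - 2, n, n.bit_length())


def ecdsa_s(k: int, z: int, r: int, d: int, n: int = N) -> int:
    """The ECDSA step s = k^-1 (z + r*d) mod n, where a variable-time
    inversion would leak bits of k. r is assumed already derived from k*G."""
    return (fermat_inverse(k, n) * ((z + r * d) % n)) % n


if __name__ == "__main__":
    # Constructed sample values, not a real key or signature.
    k, z, r, d = 0x1234567890ABCDEF, 0xCAFEBABE, 0xDEADBEEF, 0xFEEDFACE
    inv = fermat_inverse(k)
    assert inv * k % N == 1
    assert inv == pow(k, -1, N)   # cross-check against CPython's own inverse
    print(hex(ecdsa_s(k, z, r, d)))
```

The cross-check against `pow(k, -1, N)` is only there to show the ladder is arithmetically right; in a production library the comparison point would be the addchain-generated exponentiation the post mentions, which replaces the generic ladder with a shorter fixed sequence of squarings and multiplications.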
preparing to make friends at https://www.p99conf.io
Founder Mode is essentially "It's easier for me to make every decision than hire competent people I can trust, set up the right incentive structure and then hold them accountable".
It's a way to cope with not having certain leadership skills which is OK if that gap exists.
@rbidou Agree with the overall message of the post. What I like doing when coding with an LLM is saying something like "Now critique your code and fix it" or "What security considerations apply here"? It works surprisingly well, but of course it's not perfect and you still better understand well what you're doing.
Regex isn't hard enough, so I present you with a crossword where all hints are regular expressions!
I confess at first it looked like the hints don't contain enough information to solve the puzzle but after some slow but steady progress I can confirm that they do 🤣
The original puzzle is from https://puzzles.mit.edu/2013/coinheist.com/rubik/a_regular_crossword/
I shared this on my blog: https://mathspp.com/blog/problems/regex-crossword
The Seattle-Tacoma International Airport has confirmed that a cyberattack is likely behind the ongoing IT systems outage that disrupted reservation check-in systems and delayed flights over the weekend.
With the new Nextcloud OCS API it's possible to develop Apps in all kinds of languages. Here is a nice webinar to show you how to build a Nextcloud App using Python. https://nextcloud.com/blog/event/build-nextcloud-app-python/
The initial news of a vulnerability in Google Pixel phones was very alarming: it seemed like hackers could easily take over any Pixel phone. A closer look by @GrapheneOS revealed that to be exploited, an attacker would need both physical access to the phone and the user's password.
So nothing to fret about, but as usual, keep your phone updated!
It's here! #Phrack officially released online, and with it my article! http://phrack.org/issues/71/9.html#article It's about writing a good virus, using oldschool techniques to show you how effective old stuff can still be! #infosec #malware
Are "MIFARE-compatible" contactless cards not playing fair? That's what you may wonder after @doegox spotted some odd behavior.
Curiosity led to experiments that resulted in devising a new attack technique that uncovered some backdoors, and here we are.
The RFID hacking spirit lives on!
https://blog.quarkslab.com/mifare-classic-static-encrypted-nonce-and-backdoors.html
A new attack on web browsers is exploited in the wild on Linux and MacOS systems.
For some reason, 0.0.0.0 and 255.255.255.255 can be abused by a rogue website to connect to local ports; this bypasses CSRF. Sandboxing is not effective because it relies on the network.
A bug was opened on mozilla bug tracker in 2006 about this https://bugzilla.mozilla.org/show_bug.cgi?id=354493
OpenBSD mitigated this in 1998 https://marc.info/?l=openbsd-ports&m=172318365826454&w=2
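The post's point is that a browser may let a page reach local ports through 0.0.0.0 and 255.255.255.255, addresses that naive "is this internal?" checks often miss. The block below is an added example, not code from the post or from any browser: a destination classifier that a server-side fetcher, local proxy or SSRF filter can run before opening a connection, which treats those two addresses as local alongside loopback, RFC 1918, link-local and IPv4-mapped IPv6 forms. The hostnames and addresses in it are constructed samples.

```python
# Added example (not from the post or any browser): classify a URL's host as
# local before connecting, so 0.0.0.0 and 255.255.255.255 are refused just
# like 127.0.0.1. Assumption: callers pass the host part of a URL.
import ipaddress

LOCAL_HOSTNAMES = {"localhost", "localhost.localdomain"}
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def _is_local_ip(ip) -> bool:
    if ip.version == 6:
        mapped = ip.ipv4_mapped            # ::ffff:a.b.c.d wraps an IPv4 address
        if mapped is not None:
            return _is_local_ip(mapped)
        return (ip.is_unspecified or ip.is_loopback or ip.is_private
                or ip.is_link_local or ip.is_site_local)
    return (ip.is_unspecified              # 0.0.0.0: reaches the local host
            or ip == LIMITED_BROADCAST     # 255.255.255.255
            or ip.is_loopback              # 127.0.0.0/8
            or ip.is_private               # RFC 1918 and similar ranges
            or ip.is_link_local)           # 169.254.0.0/16


def is_local_destination(host: str) -> bool:
    """True when `host` names the local machine or an internal network.

    Returns False for DNS names: those must be resolved and every resulting
    address re-checked with _is_local_ip right before connecting, or a
    rebinding name can sidestep this check.
    """
    h = host.strip().lower().strip("[]")
    if h in LOCAL_HOSTNAMES or h.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return False
    return _is_local_ip(ip)


def check_fetch_target(host: str) -> str:
    """Policy decision for an outbound fetch: 'deny' for local targets."""
    return "deny" if is_local_destination(host) else "allow"


if __name__ == "__main__":
    # Constructed sample hosts.
    for h in ["0.0.0.0", "255.255.255.255", "127.0.0.1", "[::1]", "::",
              "::ffff:127.0.0.1", "10.1.2.3", "93.184.216.34", "example.com"]:
        print(f"{h:20} -> {check_fetch_target(h)}")
```

The explicit comparison against 255.255.255.255 and the `is_unspecified` test are the two cases the post is about; relying on `is_private` alone is version-dependent in the `ipaddress` module, so the check names them directly.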
This reminds me of the SSH vulnerability of last month, whose exploit was mitigated back in 2001.
This is clearly not the first time software running on OpenBSD remains unaffected by serious vulnerabilities; it is cool to see its pro-activity paying off :flan_thumbs:
OpenBSD 7.6 performance should be top-notch and hardware accelerated video encoding/decoding should work; it will be a great release :flan_cool:
Linux may have a lot of security mechanisms, but many of them are disabled because software crashes or system performance suffers. OpenBSD chose to go through the pain, fix software and accept the performance loss.
Don't get me wrong, I also enjoy using Linux as it is my main system for work and I am really happy with it, but security is often a second class citizen although I think it is balanced by the amount of people reviewing the code and the fast responses provided by major distributions :flan_thumbs:
Anyway, the best security oriented operating system I found at the moment is Qubes OS, by far :flan_shrug: too bad it sucks for some workflows
CrowdStrike attempts takedown of parody site: https://clownstrike.lol/crowdmad/
(cue references to https://en.wikipedia.org/wiki/Streisand_effect)
Our greatly improved web installer is now available through our official site:
https://grapheneos.org/install/web
For everything other than legacy extended support releases for 4th generation Pixels, it uses a new installation process. The main benefit is higher tolerance for bad USB support.
Microsoft 365 goes down - again https://www.zdnet.com/article/microsoft-365-is-down-again/ by @sjvn
If it's not one #Microsoft thing, it's another.