Encrypted sounds like it fixes a long-standing weakness in SNI. This is really interesting. ,

I once asked a candidate if they knew what SNI was. He replied that it was the thing that let him know what web sites people were going to even though they were using https. Correct answer I suppose.

blog.mozilla.org/security/2018

Paco Hope boosted

Firefox Nightly now supports encrypting the TLS Server Name Indication (SNI) extension, which helps prevent attackers on your network from learning your browsing history. You can enable encrypted SNI today and it will automatically work with any site blog.mozilla.org/security/2018

Paco Hope boosted

"Detecting the use of "curl | bash" server side" (as opposed to curl & save to a file).
Now this is some very clever, and scary, stuff. It's possible to detect if a #HTTPS request is being piped directly into #bash or just saved to a file. You can use this to send a different file (& commands!) only when it's going straight into bash.

idontplaydarts.com/2016/04/det

Off to for a few days. Then . Busy week. all next week (home) and the week after.

I hate the birdsite’s algorithmic timeline. Someone posts “here’s a great keynote.” Original tweet of keynote is 3 days old. I watch the keynote. It is good. Now I have like 5 more tweets in my timeline saying “here’s a great keynote” all linking to exactly the same tweet. Ugh.

logs show the impact on my server of taking the blog off . Most of the network traffic had been blog traffic. But the blog changes so rarely, that's really pointless traffic.

Wanna tell what you think of them? They're actually surveying. They want to know how the business is perceived by people. If you wanted a chance to be heard, this is that chance.
amazon1.qualtrics.com/jfe/form

Paco Hope boosted

I finally did it. I moved my blog off of self-hosted WordPress and onto static HTML on S3, CloudFront, etc. using Hugo. I brought all my WP content across, converted to markdown. There are plenty of glitches, but this is faster, cheaper, and more secure.
blog.paco.to/

I make various -themed parody songs. Taking famous songs and rewriting the lyrics to be funny stuff. They’re on my YouTube channel. Here’s “Thank God I’m a Hacker Boy”, to the tune of John Denver’s “Thank God I’m a County Boy”. youtu.be/qCdRoTHwrtg

Spent the whole day teaching cloud security to AWS partners. Fun but exhausting.

If, your job title, department, and company name combine to use the word MORE than 3 times, I can't even.

And if you "Cyber Security" as well as "Blockchain Evangelism" on your CV, I think we can safely pass...

People with "knowledge of the cyber domain" are also low on my list. What the fuck is ? Can you name me two things? One that everyone would agree is cyber and one that everyone would agree is totally not cyber? I mean, I'm gonna assume a horse isn't cyber. But maybe it is. A chair? A door? Obviously everything that has electricity is cyber. An electric toothbrush, a kettle, an analog wristwatch. I just want to cyberstab myself in the cybereye.

It is hard to take someone seriously whose CV talks about the "challenges of Cyber" including the gratuitous capitalisation...

I don't want to fly to Toulouse unless I can fly to TLS1.2.

While a hilarious news story, it also shows how—for outsiders—Dublin is Ireland. London is the UK. Edinburgh is Scotland. Paris is France. When you're acquainted with these countries, you lose this association. But the fact that they use "Ireland" in the headline shows how implicit this association is. newsbots.eu/@boingbot/10083819

Reading about the alleged hardware supply chain attack. This is a hilarious quote.

my personal politics Show more

I have been a user for a very long time. But I have rarely been prouder of them than when i read their Code of Conduct. Wow. Just Wow. So thorough. Impressive. I hope they live up to it in practice.
freebsd.org/internal/code-of-c

I'm sick and tired of people framing the speed disparity between security and development as "development going to fast" instead of "security going too slow". A blog post from ThreatStack (typical survey-backed marketing spew) got me going this morning. I rewrote it from the "your security team can't keep up" point of view. Makes it a really different read.
peerlyst.com/posts/what-happen

Show more
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.