X_Cli boosted

As such, when should a security advisory be published?

HTTP/2 Denial of Service Advisory

Netflix found a series of DoS on H2 implementations.
Honestly, none are very surprising or particularly tricky, when you have studied the protocol.

I am just sad they had to report them, because that means that many people did not think much about this kind of issue while developing their H2 stack.

It also means that the H2 protocol is really too complex for its own sake. But I already said that back in 2016 *grumble*

X_Cli boosted

Pleroma Releases 1.0!

Pleroma, the Elixir-based fediverse communication platform, has finally pushed out a stable 1.0 release! wedistribute.org/2019/06/plero

You might then understand why using Celery in security-sensitive contexts is currently impossible.

X_Cli boosted

The contribution to @mobilizon is amazing! They need 8k€ for the last step and 25 days remain. I do trust this project and thanks to @Framasoft for moving edges for our privacy!

If you want to contribute:

X_Cli boosted

"How many TOTP secrets can be stored on YubiKeys and Nitrokeys?":

– Nitrokeys: up to 16
– YubiKeys: up to 32

(Values may differ due to different firmware, or hardware variants.)

In both cases, you need additional software to use TOTP since these tokens don't come with their own internal clock. A clock would require an energy source, but these tokens don't contain batteries.

#securitytoken #yubikey #nitrokey #gpg #pgp

X_Cli boosted

Just to remind my IT-affine bubble:

Plan for your death: which passwords should be accessible after your death, and which mustn't?
Share a database with the current ones, and maybe a split password, with the right people.

Make contact lists, if your phone is locked

X_Cli boosted

[Call to the community]
We need help spreading the word about our #Mobilizon project. Basically, if you think it is not great to use Facebook or Meetup to gather, organize and mobilize, help us make this project known.

Do you know people who might be interested (protesters, campaigners, activists, etc.)??? Share this information with them! Thank you very, very much ❤️

➡️ joinmobilizon.org/fr/

De Raadt: "It is such an amazing business-friendly but risk-ignorant pattern to simply restart software that has failed."

When infosec people fail to get that running software is the only satisfying type of software. It is not risk-ignorant. It is called risk management.

In what world is this answer acceptable: "Oh yeah, the website has been down for 3 weeks because we/they are searching for the root cause of a crash of the web server."?

X_Cli boosted

So npm Inc is a private entity in control of our commons, and we are not. Does that make it evil? No. It doesn’t. It doesn’t make it good, either.

The question of its benevolence is the wrong question to ask.

npm is not a benevolent institution. It CANNOT be one.

The possibility of it being that ended the day its owner took VC funding instead of putting it into a foundation or some other form of community ownership. That decision turned npm into a financial instrument.

I think Daniel is trying to make a point: 9 email threads titled "Multiple vulnerabilities in [plugins]" in 4 months, on -security. Each time something new.

Eleven effing years after RFC 5280, it will require a PKI specialist spending many hours with the OpenSSL CLI to make some indirect CRLs. WTF! X.509

Excellent article. A must read, I would say.

Errata Security: Your threat model is wrong

The only nitpicking I can do is that most 2FA mechanisms won't save you from phishing.

X_Cli boosted

Employees Abused Data Access to Spy on Users.
Multiple sources and emails also describe , an internal tool used by various departments to access Snapchat user data.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.