Google Engineer Leaks Nearly 1,000 Internal Documents, Alleging Bias, Censorship https://www.theepochtimes.com/google-engineer-leaks-nearly-1000-internal-documents-alleging-bias-censorship_3042234.html by @EpochTimes@twitter.com
HTTP/2 Denial of Service Advisory
Netflix found a series of DoS on H2 implementations.
Honestly, none are very surprising or particularly tricky, when you have studied the protocol.
I am just sad they had to report them, because that means that many people did not think much about this kind of issue while developing their H2 stack.
It also means that the H2 protocol is really too complex for its own sake. But I already said that back in 2016 *grumble*
More on Backdooring (or Not) WhatsApp https://www.schneier.com/blog/archives/2019/08/more_on_backdoo.html
The #PGP Problem. I agree with most of the points in this article. Well-done writeup.
China Is Forcing Tourists to Install Text-Stealing Malware at its Border - VICE
Pleroma Releases 1.0!
Pleroma, the Elixir-based fediverse communication platform, has finally pushed out a stable 1.0 release! https://wedistribute.org/2019/06/pleroma-releases-1-0/
You might then understand why using Celery in security sensitive contexts is currently impossible
"How many TOTP secrets can be stored on YubiKeys and Nitrokeys?":
– Nitrokeys: up to 16
– YubiKeys: up to 32
(Values may differ due to different firmware, or hardware variants.)
In both cases, you need additional software to use TOTP since these tokens don't come with their own internal clock. A clock would require an energy source, but these tokens don't contain batteries.
[Call to the community]
We need help spreading the word about our #Mobilizon project. In short, if you think it is not great to use Facebook or Meetup to gather, organize and mobilize, help us make this project known.
Do you know people who might be interested (protesters, campaigners, activists, etc.)??? Share this information with them! Thank you very, very much ❤️
De Raadt: "It is such an amazing business-friendly but risk-ignorant pattern to simply restart software that has failed."
When infosec people fail to get that running software is the only satisfying type of software. It is not risk-ignorant. It is called risk management.
In what world is this answer acceptable: "Oh yeah, the website has been down for 3 weeks because we/they are searching the root cause of a crash of the web server."?
So npm Inc is a private entity in control of our commons, and we are not. Does that make it evil? No. It doesn’t. It doesn’t make it good, either.
The question of its benevolence is the wrong question to ask.
npm is not a benevolent institution. It CANNOT be one.
The possibility of it being that ended the day its owner took VC funding instead of putting it into a foundation or some other form of community ownership. That decision turned npm into a financial instrument.
Eleven effing years after RFC5280, it will require a PKI specialist spending many hours with the OpenSSL CLI to make some indirect CRLs. WTF! #DeathByX.509
Excellent article. A must read, I would say.
Errata Security: Your threat model is wrong
The only nitpick I can make is that most 2FA mechanisms won't save you from phishing.
#Snapchat Employees Abused Data Access to Spy on Users.
Multiple sources and emails also describe #SnapLion, an internal tool used by various departments to access Snapchat user data.
"WhatsApp was hacked and attackers installed spyware on people’s phones" - https://www.businessinsider.com/whatsapp-hacked-attackers-installed-spyware-2019-5 #Privacy #Security #WhatsApp