X_Cli @x_cli@infosec.exchange

Things that we don't realize until it's too late in most cases: we can lose everything we write in Facebook, Twitter, or in any other corporation's run social network from night to day because of corporate decisions.

The OpenPGP format was designed in the 90' and never really changed since then. It was documented in RFC4880 in 2008. Unfortunately, in the 90', people had really no good understanding of crypto yet, and the choices made were poor. Envelope design is poor. Some crypto algorithms are clearly outdated. Some default options are plain wrong.

Have you ever noticed that so many crypto attacks target OpenPGP and GnuPG? That's not a surprise: it's a popular crypto solution and it's a relatively easy target, comparatively to some other mainstream crypto implementations. The Go langage maintainer even deprecated the OpenPGP implementation in their crypto standard library because they think OpenPGP is dangerous

Basically, I would say that the only thing that OpenPGP has for itself is the deployed infrastructure. Or has it? Web of trust is mostly dead, since keyservers are out-of-service. And OpenPGP adoption was never really that high to begin with.

SSH keys are much more widely deployed and used that OpenPGP keys. The format is dead simple, and the crypto implementation from OpenSSH is up-to-date.

I am very happy that git made SSH signing possible; it means I can delete my OpenPGP keys for good. I just hope linux distros will make the switch soon, to a more modern crypto approach: ssh signing or minisign.

If you're wondering about the status of the project, it hasn't gone anywhere!

We're having a little discussion about it here, if you're at all interested in helping out: https://github.com/writefreely/writefreely/discussions/550

I'm a computer guy, but I'm very much over fast computers. Most of your computer's resources are wasted loading ads and trackers on webpages. Video games require more and more power to deliver less interesting experiences. Don't get me started on cryptocurrency. Computers are getting increasingly complex, therefore less reliable, nearly impossible to repair, wasteful, and devastating to the environment. We need #slowcomputers and more #retrocomputing

📰 Against #chatcontrol

https://blog.cryptpad.org/2022/05/19/against-chatcontrol/

A feature of email is that my inbox is an immutable copy of everything I received no-one can change.

With email, I can prove I've been harassed, sent malware, wrong links, illegal orders by my employers, the date of an event I've missed because it was wrong and I'm innocent, etc.

With Google AMP, the sender will be able to "update" those emails and deny his mistake, hide proofs, fake the history.

This technology put people at risk.

#SaveEmailFromGoogleAMP

Quand les antivirus vous mettent en danger: https://sebsauvage.net/links/?XGvMPg

Can we fix bearer tokens? - Matthew Garrett

https://mjg59.dreamwidth.org/59704.html

Super-excited to announce the highly anticipated independent audit by @LeastAuthority@twitter.com of vodozemac - our next generation native Rust reference implementation for Matrix E2EE (part funded by @gematik1@twitter.com). Read all about it: https://matrix.org/blog/2022/05/16/independent-public-audit-of-vodozemac-a-native-rust-reference-implementation-of-matrix-end-to-end-encryption

Very good question. Thank you for asking.

To sign documents, I would recommend using signify or minisign.

To encrypt files, I guess one could use age

If you need a cryptolibrary, I would recommand nacl or sodium. In Go, I use nacl a lot. If you need to encrypt or sign very large files, I wrote a small library based on nacl.

Emails are the tricky part. It really depends on your workflow. When I was working for a gov infosec agency, we learned to never use any integrated email crypto solution. Save the blob, decrypt the blob in a secure environment. This helps significantly against leaks and against creating an oracle to the attacker's benefit.

For data containers, I would use dm-crypt and dm-verity + a signed root. But that's just me and I would probably not recommend this to other people :)

OpenPGP is rarely used in messaging protocols, but if it was I would probably advise leveraging a double ratchet library.

I just noticed "foreach" on npm is controlled by a single maintainer.

I also noticed they let their personal email domain expire, so I bought it before someone else did.

I now control "foreach" on NPM, and the 36826 projects that depend on it.

Your Phone May Soon Replace Many of Your Passwords

https://krebsonsecurity.com/2022/05/your-phone-may-soon-replace-many-of-your-passwords/

GitHub will require all code contributors to use two-factor authentication

https://www.theverge.com/2022/5/4/23056799/github-contributors-2fa-two-factor-authentication-2023

~Open Source Security Tool of the Day~

#osstotd

A new standard for signing, verifying and protecting software

https://sigstore.dev