902 Matching Annotations
  1. Dec 2022
  2. Nov 2022
    1. Refresh tokens are bearer tokens. It's impossible for the authorization server to know who is legitimate or malicious when receiving a new access token request. We could then treat all users as potentially malicious.
    2. How could we handle a situation where there is a race condition between a legitimate user and a malicious one?
    1. But what about a Refresh Token flow? When using a refresh token, confidential clients also have to authenticate. Public clients, such as browser-based applications, do not authenticate during the Refresh Token flow. So in a typical frontend application, refresh tokens issued to frontend web applications are bearer tokens.   In practice, this means that if an attacker manages to steal a refresh token from a frontend application, they can use that token in a Refresh Token flow. To counter such attacks, the OAuth 2.0 specifications mandate that browser-based applications apply a security measure known as refresh token rotation.
    1. When public clients (e.g., native and single-page applications) request access tokens, some additional security concerns are posed that are not mitigated by the Authorization Code Flow alone.
    1. Please note - any callback URL that you use with the POST oauth/request_token endpoint will have to be configured within your developer App's settings in the app details page of developer portal.
    1. It would be nice if we could get some official word on whether this repository is affect by the catastrophic CVE-2021-44228 that is currently affecting a considerable percentage of softwares around the globe. From my limited understanding and looking at the refreshingly concise list of dependencies in the pom.xml, I would think this project is not affected, but I and probably others who are not familiar with the projects internals would appreciate an official word.
    2. I understand that typically, it wouldn't make much sense to comment on every CVE that doesn't affect a product, but considering the severity and pervasiveness of this particular issue, maybe an exception is warranted.
    1. As the British prime minister WilliamGladstone put it at the time in the Edinburgh Review, speaking of the remarkablePrussian success in the Franco-Prussian War: ‘Undoubtedly, the conduct of thecampaign, on the German side, has given a marked triumph to the cause ofsystematic popular education.’
    2. it was clear that the European and US competitors werebenefiting from these changes to the curriculum in advances in commerce, inindustry, and even on the battlefield.

      Compulsory education and changes in curriculum in the United States and some of it's competitors in the late 19th century clearly benefitted advances in commerce, industry, and became a factor in national security.

    1. DHS’s mission to fight disinformation, stemming from concerns around Russian influence in the 2016 presidential election, began taking shape during the 2020 election and over efforts to shape discussions around vaccine policy during the coronavirus pandemic. Documents collected by The Intercept from a variety of sources, including current officials and publicly available reports, reveal the evolution of more active measures by DHS. According to a draft copy of DHS’s Quadrennial Homeland Security Review, DHS’s capstone report outlining the department’s strategy and priorities in the coming years, the department plans to target “inaccurate information” on a wide range of topics, including “the origins of the COVID-19 pandemic and the efficacy of COVID-19 vaccines, racial justice, U.S. withdrawal from Afghanistan, and the nature of U.S. support to Ukraine.”

      DHS pivots as "war on terror" winds down

      The U.S. Department of Homeland Security pivots from externally-focused terrorism to domestic social media monitoring.

  3. Oct 2022
    1. How safe are investors’ assets on the KuCoin exchange? At KuCoin, we’re very much vigilant of security and cyber threats, and we ensure that our exchange is safe for trading. KuCoin allows you to trade with confidence, knowing that your digital assets are safe on the exchange. Micro-withdrawal wallets, industry-level multilayer encryption, and dynamic multi-factor authentication are a few of the levels of protection that we employ. KuCoin offers 24/7 customer support via live chat and online ticket on its help center. The supporting staff are very responsive and patient. Also, KuCoin has established about 23 local communities in Europe, SEA and other regions, providing users with highly localized service and support.
    1. BTCM: User funds security has been the Achilles heel of the digital asset industry since its inception. Can you share how KuCoin handles its security infrastructure? Johnny Lyu: As a global exchange, security is one of our top priorities. We developed all the infrastructure and systems on our own to ensure its stability and security. We have plenty of security mechanisms to protect the crypto assets of our users and we are working with many third parties like Chainalysis and white-hats to improve the level of security. It is worth mentioning that we recently reached a strategic cooperation with Onchain Custodian, Singapore’s crypto asset custody platform. Onchain Custodian offers a custody service for the safekeeping of KuCoin crypto assets. The custodial funds are backed by Lockton, the world’s largest private insurance brokerage company, which means users’ assets on KuCoin will be double secured.
    1. Web applications are diverse in functionality today. So, are threats against them. Therefore, you need to be ready to detect and prevent them from the start of development through testing and support.

    1. "I thought WSL ran as root in Windows" ... ABSOLUTELY NOT! Do you think we're crazy? ;) When opened normally, your Bash instances are launched with standard Windows user rights. If you want to edit your Windows hosts file, you must do so from an elevated Bash instance ... though only do this with enormous care - any other script you run in the same elevated Bash Console will also get admin rights to the rest of your machine!!
  4. Sep 2022
    1. To truly alleviate poverty on a large scale, we must fix a system in which normallife experiences such as childbirth can translate into economic insecurity. Mostof the poor are not unexplainable anomalies in an otherwise well-functioningsociety. Instead, they are the normal consequence of structural arrangementsguaranteed to produce economic insecurity.

      This sort of institutionalized economic insecurity seems bound up in institutionalized racism and may have a relationship with recent abortion bans. Can we tease out the ways these ideas are tied together or compounded?

      How can alleviating the perceptions of these effects help create societal changes and greater flexibility and more resiliency?

      These are potential national security issues were the country to come to war with other major powers.

  5. Aug 2022
    1. let's start giving a bit of a recap of all these vulnerabilities that I talked about and be basically aligned to what we defined as intercept for example

      5 areas of vulnerabilities

      1. Intercept calls and texts
      2. Impersonate user identity
      3. Track users
      4. Conduct fraud
      5. DoS users or network

      For each of these types of attacks, vulnerabilities were found in RCS to exploit them.

    1. How do I turn off the requirement to have a lock screen?Today, I'm suddenly unable to use any Google related apps on my phone, because I am now REQUIRED to set up a lock screen on my phone. I get that you want to be super-secure for businesses using enterprise devices. I am not a business. I'm some guy who just happens to have a domain name. My only "employee" is me. I have a two email addresses: My real first name, and the shorter version that most people call me. I do NOT want a lock screen on my phone. I don't want to be forced to give myself permission to use apps on my phone. Why am I now required to add all this bull$%^? Nobody is hacking my interwebs. Give me a f#$%^& break! I don't need a lock screen. I've been using this account for everything (gmail, youtube, etc) for over five years now. I'm not interested in deleting it and going back to my gmail.com account. I'm also not interested in being forced to click multiple times just to use my phone. Let me disable it.So, how do I turn this garbage off?
    1. In a clickjacking attack, the attacker creates a malicious website in which it loads the authorization server URL in a transparent iframe above the attacker’s web page. The attacker’s web page is stacked below the iframe, and has some innocuous-looking buttons or links, placed very carefully to be directly under the authorization server’s confirmation button. When the user clicks the misleading visible button, they are actually clicking the invisible button on the authorization page, thereby granting access to the attacker’s application. This allows the attacker to trick the user into granting access without their knowledge.

      Maybe browsers should prevent transparent iframes?! Most people would never suspect this is even possible.

    1. It was first unveiled during a multimillion dollar heist which led to a hard fork of Ethereum. Reentrancy occurs when external contract calls are allowed to make new calls to the calling contract before the initial execution is complete.

      Reenter attack - The DAO. Basically withdrawal calls before the end of initial execution.

    1. The more community members are free to gain governance power and influence the protocol, the easier it is for attackers to use that same mechanism to make malicious changes. 

      indistinguishability problem and premissionless voting

  6. Jul 2022
    1. Something has shifted online: We’ve arrived at a new era of anonymity, in which it feels natural to be inscrutable and confusing—forget the burden of crafting a coherent, persistent personal brand. There just isn’t any good reason to use your real name anymore. “In the mid 2010s, ambiguity died online—not of natural causes, it was hunted and killed,” the writer and podcast host Biz Sherbert observed recently. Now young people are trying to bring it back. I find this sort of exciting, but also unnerving. What are they going to do with their newfound freedom?
    1. If your security locks you out of your own home just because you changed your trousers, that would be shockingly bad security.If your security permanently locks you out of your accounts because you restored your Chrome settings from backup, how is that any better?
  7. Jun 2022
    1. The goal is to gain “digital sovereignty.”

      the age of borderless data is ending. What we're seeing is a move to digital sovereignty

    1. DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG
  8. May 2022
    1. It detects bots/spiders and serves them a clean page

      Seems like a vulnerability of some sort, though I'm not sure what sort...security/liability?

      A user could just set their user agent to be like a bot, and then it would skip the "protections" provided by the cookie consent code?

    1. An Introduction to PLAN E Grand Strategy for the Twenty-First-Century Era of Entangled Security and Hyperthreats

      Planetary Boundary / Doughnut Economic Main Category: SOCIO-ECONOMIC: Culture, Education

      Although culture and education are chosen as the main categories, Plan E applies to all planetary boundaries and all socio-economic categories as it is dealing with whole system change.

      Visit Stop Reset Go on Indyweb for detailed context graph and to begin or engage in discussion on this topic. (Coming soon)

    2. The HRF design intends to operationalize entangled security (figure 8). It provides orchestration logic at ecoregional, nation-state, and local levels and is expected to vary  according to context. It comprises four main task groups: HRF support; planetary security; human security; and state security.

      These are umbrella categories that can allow for the classification of vast numbers of existing transition projects. With the use of disaggregated planetary boundaries, doughnut economics framework, Inner and Outer transformation, and Bend-the-Curve gamification, the impacts of each type of operation can be measured.

    3. The hyperthreat can be outmaneuvered by humans reconfiguring their activities in two ways: security by design and security by dispersal. National security in the Anthropocene is increasingly achieved by designing systems and settlements so that enhanced security is incorporated from the start. For example, it can be imagined that each time a person refuels a car with petrol, this action empowers the hyperthreat. This leads to global warming, which creates ocean acidification and in turn reduced fish stocks, while also creating pressures for resource wars, thereby influencing whether a soldier or civilian dies and how much taxpayer resources are required for material security missions. In contrast, zero-emission transportation technologies can “design out” the slow violence and threats associated with a fossil-fuel-intensive lifestyle. This is similar for plastic use, in which case the “threat” is embodied in the high polluting design of consumable products and lifestyle activities. Likewise, other health threats and longer-term costs are embodied in hidden toxins or sugars in food products. Accordingly, peace, health, and a different form of national prosperity can be created through design, which requires a longer-term and mesh-intervention viewpoint. OP VAK has a role to play in achieving security and safety by design by linking apparently benign activities with their devastating impacts.    

      Linking these many fragmented and long causal chains and tracing them back to the hyperthreat can be a polwerful visualization that brings the hyperthreat to life.

    1. Crop harvests for direct food use insufficient to meet the UN’s food security goal

      Planetary Boundary / Doughnut Economic Main Main Category: SOCIO-ECONOMIC: Food

      Visit Stop Reset Go on Indyweb for detailed context graph and to begin or engage in discussion on this topic. (Coming soon)

    1. Many companies send our passwords via email. Whether these emails come from our IT department, a colleague, a SaaS solution or elsewhere, it's not a good idea to send and receive passwords via email.

      Send passwords via email? A bad idea!

      Many companies send our passwords via email. Whether these emails come from our IT department, a colleague, a SaaS solution or elsewhere, it's not a good idea to send and receive passwords via email.

  9. Apr 2022
    1. You cannot override defaults via query parameters - this is for security reasons. The only defaults that can be overridden are dynamic segments via substitution in the URL path.
    1. > So disabling JS completly via about:config is not a solution. It is. Works for me (yes, no NoScript, the real thing). My main Firefox profile is like that, then I have a secondary profile for the cases I really need it for — that gets used less than once a month. Oh, and no cookies either. Luckily, hackaday works fine like that (even cookieless commenting: big kudos and thanks! That’s why I keep returning here). And LWN (I temporarily enable cookies to post), and more than 95% of the sites I care about. As it turns out, I care less and less for the other 5%: so this number is actually shrinking.
    2. I fully agree the best solution for security is “javascript.enabled = false”
    3. Lets go back to the original “browser as a document” instead of “browser as OS”.

      .

    4. As I said up-thread, it was promised from Day 1 that browsers would always execute client-side Javascript safely. That was central to its acceptance.
    5. You don’t need microsecond timing on a freaking website – except maybe in graphics and sound, and such functionality could be wrapped and secured in an API. So think that browser makers deserve a bigger slice of blame for making their users so vulnerable. User safety needs to become important again.
  10. Mar 2022
  11. Feb 2022
    1. he transitionary approach is advisable when datasecurity plays a vital role.

    Tags

    Annotators

    1. gives the man and his kinship group certain rights of control over the woman
  12. Jan 2022
    1. an accident in which there is a collision with terrain, water, or obstacle during the course of a flight, without indication of loss of control.

      Controlled Flight into Terrain CFIT

    1. For example, suppose your API returns a 401 Unauthorized status code with an error description like The access token is expired. In this case, it gives information about the token itself to a potential attacker. The same happens when your API responds with a 403 Forbidden status code and reports the missing scope or privilege.
    2. Now, assume your client attempts to access a resource that it MUST NOT access at all, for example, because it belongs to another user. What status code should your API return? Should it return a 403 or a 401 status code?You may be tempted to return a 403 status code anyway. But, actually, you can't suggest any missing permission because that client has no way to access that resource. So, the 403 status code gives no actual helpful information. You may think that returning a 401 status code makes sense in this case. After all, the resource belongs to another user, so the request should come from a different user.However, since that resource shouldn't be reached by the current client, the best option is to hide it.
    1. Special case: Can be used instead of 404 to avoid revealing presence or non-presence of resource

      eh? instead of 404? I would actually say that:

      • 404 is as good or better at avoiding revealing presence or non-presence of resource; probably better because 401 implies that we found the resource but that they needed to be signed in in order to access
      • normally one would use a 404 instead of a 401/403 (usually instead of a 403) to avoid revealing presence or non-presence of resource.

      I think they know which is the correct, as evidenced by how they said about 404 below: "User/agent known but server will not reveal anything about the resource, does as if it does not exist." — I think this must have just been a typo.

    1. Mabry says if you own a Hyundia or Kia, you better add extra security so you don't become the next target.

      Apparently, there is an issue with key fob security on 2020 Kia Sportage and Hyundai models.

      Also, Columbus Police and 10TV don't know how to spell Hyundai or use spell check.

  13. Dec 2021
    1. Edge computing is an emerging new trend in cloud data storage that improves how we access and process data online. Businesses dealing with high-frequency transactions like banks, social media companies, and online gaming operators may benefit from edge computing.

      Edge Computing: What It Is and Why It Matters0 https://en.itpedia.nl/2021/12/29/edge-computing-what-it-is-and-why-it-matters/ Edge computing is an emerging new trend in cloud data storage that improves how we access and process data online. Businesses dealing with high-frequency transactions like banks, social media companies, and online gaming operators may benefit from edge computing.

    1. ‘Security’ takes manyforms. There is the security of knowing one has a statistically smallerchance of getting shot with an arrow. And then there’s the security ofknowing that there are people in the world who will care deeply if oneis.
  14. Nov 2021
    1. When the embedded document has the same origin as the embedding page, it is strongly discouraged to use both allow-scripts and allow-same-origin, as that lets the embedded document remove the sandbox attribute — making it no more secure than not using the sandbox attribute at all.
    1. Before we prove this lemma, we explain why such a lemma is useful for proofs in the quantumrandom oracle model.

      one-way-to-hiding lemma

    1. Pretty much anything that can be remembered can be cracked. There’s still one scheme that works. Back in 2008, I described the “Schneier scheme”: So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.

      Good advice on creating secure passwords.

    1. A full-featured software TPM is a large and complicated software stack

      To the point of being a security risk. Some TPM had vulnerabilities due to the number of functions and their complexity to implement.

    1. It's all too complex for our little brains to handle. And like any situation of excess complexity, we collapse dimensions until we have a structure we can comprehend. The problem, in this case, is that our simplifications create tunnels large enough for the trucks of hacker to drive through—with ease.
    2. As many have observed, login is a broken system. Until we can be identified by factors that are unique to our personhood (biometrics, etc.) that we don't have to remember or store somewhere, these problems will persist. People have too many passwords for too many accounts.
    1. That's not how flatpack works; the executable is hidden in a container and you need to set up the whole environment to be able to call it. Delivering a well-isolated, not-to-be-run-from-outside environment is the whole point.
    1. Continuous threat and system behaviormonitoring• Management of access rights and privileges• Use of testbeds for assessing new threats in fielded systems• Supply-chain diligence• Certification and accreditation standards • Formal methods for identification of vulnerabilities
  15. Oct 2021
    1. A combination of good cross-site scripting hygiene, a secure HTTP only cookie for authentication and a CSRF token is a good combination for building a secure ecosystem for your PWA and web API.
    1. And at the end of the day, Gates is not accountable to governments or to communities. He was not elected, and there is no mechanism for him to be recalled, challenged, or held responsible for faulty policies. He could suddenly decide that he was no longer interested in supporting agriculture in Africa. In that case, the new food system Gates is importing to the African continent would collapse. Political and economic systems are being drastically altered, all at the whim of one person, one foundation.In fact, the differences between this situation — powerful individuals and institutions deciding to mess with the social, political, and economic realities of countries — and the earlier form of colonialism are thin. It’s still advertised as “good intent” and the desire to “civilize” an “uncivilized” people. The only difference is that neocolonialism is quieter and more covert. By design, it provokes less outrage. But the essential power structures remain the same.

      Concentrating power to one individual is dangerous. Large portions of the food security of African nations should not be so vulnerable to corporatism.

  16. Sep 2021
    1. t's also why it is so annoying to people who actually know what they are doing, when randomly the browser decides to take over a function provided for decades by the OS network stack, and with no notice start bypassing all the infrastructure they set up to their liking (like your hosts file) and funelling all their browsing habits to some shady company (Cloudflare).
    1. This is more secure than simply opening up your server’s firewall to allow connections to port 5901, as that would allow anyone to access your server over VNC. By connecting over an SSH tunnel, you’re limiting VNC access to machines that already have SSH access to the server.
    1. Remote Access is something that we are really excited about because it will allow our support team to give you a seamless and high level of support that is truly unmatched. When you need extra help, you can enable the Remote Access toggle with a single click. This will send a secure token to the Elegant Themes support staff that they can use to log in to your WordPress Dashboard. No passwords are shared and there is no need to send the token to our team yourself. It all works seamlessly in the background. While remote access is enabled, our team will be able to log in to your website and help explore whatever problems you are experiencing. You can even enable it preemptively before chatting with our support team so that we can jump right in if necessary. By default, our support staff will have limited access to your website using a custom WordPress support role. You can also enable full admin access if requested. Remote access is automatically disabled after 4 days, or when you disable Divi. You can also turn it off manually after an issue has been resolved, and of course, Remote Access can only be enabled by you, the website owner, and not by Elegant Themes or anyone else. The Remote Access system is wonderful because it saves tons of time during support chat, and it saves you the hassle of having to debug certain complicated issues yourself. It allows us to take a hands on approach to solving problems quickly, instead of wasting hours or days chatting back and forth.
    1. a class of attacks that were enabled by Privacy Badger’s learning. Essentially, since Privacy Badger adapts its behavior based on the way that sites you visit behave, a dedicated attacker could manipulate the way Privacy Badger acts: what it blocks and what it allows. In theory, this can be used to identify users (a form of fingerprinting) or to extract some kinds of information from the pages they visit
  17. Aug 2021
    1. You cannot break security if you do not understand a system better than the people who made the system, and you cannot defend your organization if you do not understand how those systems work to the same degree.
    2. "Highly complex memorized secrets introduce a new potential vulnerability: They are less likely to be memorable, and it is more likely that they will be written down or stored electronically in an unsafe manner. While these practices are not necessarily vulnerable, statistically some methods of recording such secrets will be. This is an additional motivation not to require excessively long or complex memorized secrets."
    3. Forcing employees to use a complex password with special characters in it means everyone is just going to add an exclamation point at the end of their existing password. This is why your accounts payable clerk has a yellow sticky note on their cubicle wall with their password on it. They just want to get their job done, and you're making it harder for them with no discernible improvement to security.
    1. Zoom told its users that their video calls were end-to-end encrypted when actually they were protected by TLS encryption. Zoom generated and stored the keys to its users’ encrypted information on its servers rather than on its users’ devices, meaning anyone with access to those servers could monitor the unencrypted video and audio content of Zoom meetings. These servers are located around the world, often in countries where companies can be forced to share user data with law enforcement organizations. What’s worse is that, according to the most recent lawsuit, Zoom’s response made it clear that it “knew that it did not use the industry-accepted definition of E2E encryption and had made a conscious decision to use the term ‘end-to-end’ anyway”.
    1. The confession-book, I suppose, has disappeared. It is twenty years since I have seen one. As a boy I told some inquisitive owner what was my favourite food (porridge, I fancy), my favourite hero in real life and in fiction, my favourite virtue in woman, and so forth.

      The form of some of these questions in confession albums is similar to modern day security questions asked by banks and personal accounts as a sort of personal password or shibboleth.

    1. An interesting directory of personal blogs on software and security.

      While it aggregates from various sources and allows people to submit directly to it, it also calculates a quality score/metric by using a total number of Hacker News points earned by the raw URL

      Apparently uses a query like: https://news.ycombinator.com/from?site=example.com to view all posts from HN.

    1. U.S. Senate Subcommittee on Communications, Technology, Innovation, and the Internet, "Optimizing for Engagement: Understanding the Use of Persuasive Technology on Internet Platforms," 25 June 2019, www.commerce.senate.gov/2019/6/optimizing-for-engagement-understanding-the-use-of-persuasive-technology-on-internet-platforms.

      Perhaps we need plurality in the areas for which social data are aggregated?

      What if we didn't optimize for engagement, but optimized for privacy, security, or other axes in the space?

  18. Jul 2021
  19. datatracker.ietf.org datatracker.ietf.org
    1. It is similarly intended to fail to establish a connection when data from other protocols, especially HTTP, is sent to a WebSocket server, for example, as might happen if an HTML "form" were submitted to a WebSocket server. This is primarily achieved by requiring that the server prove that it read the handshake, which it can only do if the handshake contains the appropriate parts, which can only be sent by a WebSocket client. In particular, at the time of writing of this specification, fields starting with |Sec-| cannot be set by an attacker from a web browser using only HTML and JavaScript APIs such as XMLHttpRequest [XMLHttpRequest].
    1. Rodolfo: I'm a victim of sexual abuse in the United States and there was a police report made and everything. And I've also been a victim of gang violence. I was never, you can check my background and everything. I was never into gangs or anything, but around the area I lived in there was a bunch of gangs and... I was beat up two or three times bad just by walking home. And it was all documented, I had police reports and everything. And because of that I was in therapy for while. My mother sought out a help from a psychiatrist because of the sexual abuse I had as a child in California, as a matter of fact.Rodolfo: I took Risperdal and a Ritalin, Risperdal for the anxiety and the Ritalin and for the ADHD. So, we tried everything. The mental health side, the mental health asylum, everything. But it was just going to take longer and longer and longer and I was tired of it. I didn't want to be locked up anymore. So, finally I just told my mom, “You know what man, that's it, I'm done. I don't want to do this anymore.” She asked me, “Is this what you want to do?” And I told her, “Yeah.”Rodolfo: She told me, “You know what? I'd much rather see you over there and be free then not being able to see you here at all.” Because there was a lot of people that went to go visit their loved ones and they used to get picked up. Sometimes they wouldn't even let you see your loved ones and right away ask you for your identification, your social security card, your nationality and everything and they would get picked up.Rodolfo: And I always told my mom, “Don't ever come visit me. Don't ever come visit me because if you do, chances are they're going to take you too.” And you know, that would always break my heart because I would want to see my mom. I'd want to see my dad and everything, but I wasn't able to. So, that experience was just horrible.Sergio: When you were in the detention center what were the conditions? Did you have access the medicine you needed? Did you have access to food and water?Rodolfo: The company that made the jail was called GEO Corp and they were actually, I'm not going to lie to you, they actually were pretty good, health-wise, not so much security-wise. A lot of things would happen in there that definitely shouldn't have ever happened. But with the food and everything, it was good. In my opinion it was because of the company. I feel as though if it was up to the government... Thank God it was an independent company that was hired by DHS as opposed to if DHS were to make their own jail, I feel they would be completely different.Rodolfo: It was [Pause] a pleasantly... there's no way to describe it, it was bad. It was bad, but for what it was I guess it was okay. I don't see there being an in-between or any pretty way to paint that picture as to how good or bad it was in there. Because at the end of the day you're deprived of your freedom. You can't just pick up the phone whenever you want and call your loved ones because you've got to pay for that too. You got pay for that. And if you want to take a shower, you have to buy your soap, right? You've got to buy it yourself, you've got to buy everything. And now you're becoming a liability for your family, you're becoming another bill.Rodolfo: You're becoming another bill and that's what I didn't want. So, that's why I started working. And now, older, I'm becoming another bill. So, I don't get it. You're taking us away from the jobs that we have and everything. You know? So, take us back to our country. And I'm not sure if it this is a fact or not, but I was reading when I first got in here, there was a time where there wasn't enough field workers for, I think, avocado—or, not avocado, I think it was oranges or something like that.Rodolfo: And I remember me saying, “Well, there goes all the deportees. There goes all the people you guys deported. Where are the people that were so outraged because we took your jobs? Go ahead, there you go. There are a lot of vacancies, making these open for those jobs, go ahead, man. All yours buddy, knock yourself out.”Rodolfo: But nobody wants to work those jobs, right? You see what I'm saying though, right?

      Leaving the US, Reason for Return, Deportation, Voluntary departure, Family decision, No hope for a future in the US, Detention, Treatment by; Time in the US, Violence, Sexual Abuse, Gangs, Bullying, Fear of, Jobs/employment/work

    2. Sergio: After your mom told you couldn't go on that trip, how did that affect the way you were involved in school, the things you wanted to do, did that change? Is there anything that you...?Rodolfo: I didn't put as much effort as I did anymore. I knew, at the end of the day, I'm not eligible for scholarships. I don't get any aid, I don't get anything. In my mind I thought, “Man, what's the point of really working hard in school if at the end of the day, I'm not gonna get any help?” My mom is having to work to put me through college. No, I don't want this, so I just thought, you know what, I'm just gonna give her what she wants, my diploma, my high school diploma. From then on, if I want to do something, it'll be by my own hand, out of my own pocket. I didn't want her to... Not that I was a burden or anything, my objective was for her not to work that much. That's it.Rodolfo: After she told me that, I'm like, "Well, okay, what's the point of really working hard and putting your best effort into school if, in my position, I won't be able to surpass US citizens." Then the aspect of financial aid, or any aid at all, I'm not gonna have any of that. I tried it with the fake social, but obviously it didn't go through. Nothing happened. Yeah, it changed a lot. It changed the way I viewed everything around me. Like, spring break all my friends would go certain places out of the country, and I used to get invited and, "No, I can't go man, my family doesn't think..." It would always have to be lie after lie after lie. I didn't want to... for one, I always had that idea of like my mom and my family always told me, "Don't ever tell anybody you're an immigrant. If somebody has that knowledge they can do you harm. They can take you away from here, they can take us away from each other."Rodolfo: I'm seeing it now, with the families going across the border, and them being separated. I didn't understand it at the time, and man, now I do understand it. I didn't know how it really was until I finally got put in handcuffs and got shipped to an immigration facility.Sergio: What do you think you would have wanted or end up being before you found out? What kind of things... Like you were on debate team that was—Rodolfo: I wanted to be a lawyer, man, that's what I wanted to be. That's what I wanted to be, a lawyer. It's funny, because when I was younger I wanted to be a lawyer. Then after that I'm like, "I want to be an immigration lawyer, that's what I want to be now. I want to be an immigration lawyer.” I was already on the right track to being a lawyer, but then when that happened, it really opened my eyes more to, "Okay, let's help my people." I didn't realize... I know individuals over there who are citizens, and they're panhandling because they want to. They're on their own addiction or for whatever reason right? Or people who are just living off the government, but then I see some of my family members, or my friends’ family members and they're not citizens but they have businesses.Rodolfo: They have a business, they have trucks, they have houses, they're great. They're not living off the Government, they're not asking for a handout. They're living better than what a citizen is living. It's all about how much work you put in, right? If you hang around people who don't want to do anything, then you're not gonna do anything. I remember Gerald Ford always told me that. He was like, "If you want to be a millionaire, hang around millionaires. If you want to be successful, hang around people who do successful things, but if you want to keep doing what you're doing, and just be a little caddie or whatever, stay here. Stay here and maybe one day you'll do something else."Rodolfo: He was very blunt in that aspect like, "Always do a good job. I don't care if you're a shit-shoveler, you're gonna be the best shit shoveler there is.” That always stuck to me, that's why whatever I do, it's always been 100%.Sergio: That's good.Anita: Can I speak? I'm Anita, I'm the director of this project.Rodolfo: Okay.Anita: I'm really pleased to meet you—Sergio: Likewise.Anita: I'm amazed at your incredible story. When you talked about the trip to DC, the debate club, and you got very sad—Rodolfo: Yeah.Anita: ... what made you sad, and did it make you feeling... Do you remember what your feelings were as you sort of found that all these options were gone to you?Rodolfo: Well, it was just mixed emotions. I felt sad because I contributed to the team a lot. I wasn't just there, and it made me sad because I wasn't going to be able be with my friends, my teammates. It also made me mad because all my life, all my short period, my whole time here in Chicago or whatever, I don't think I've done anything bad. Why shouldn't I have the privilege to go if I put in the same work as they did? Only because I don't have a social security number or a document that lets me buy a plane ticket and go over there? I think about it in a different—at the same time, I was a little kid too—I just cried a lot. That night I just cried a lot because I knew I wasn't gonna go. My mom spoke to the, I'm not sure what my mom told her, but see, I don't think she told her that we're undocumented, and I can't fly.Rodolfo: Yeah, I just remember that night feeling very sad, very sad, but then it turned into anger. It was like, "Man, why can't I?" It was always just that, "Why can't I? I put in the same work, and just because I wasn't born here, I can't fly?" I even looked into bus routes and everything to DC and stuff like that, but my mom was like, "No, you're crazy, you can't go alone." She worked and everything, I just felt sad, mostly sad.

      Time in the US, Immigration Status, Being secretive, Hiding/lying, In the shadows, lost opportunities; Reflections, The United States, Worst parts of the US, US government and immigration, Growing up undocumented, Dreams; Feelings, Choicelessness, Despair, Legal Status, Disappointment, Discouragement, Frustration, Sadness, Jaded

    3. Anita: Did Gerald Ford know you were undocumented?Rodolfo: No, Gerald Ford didn't know I was undocumented, no. I was still very young at that point. My mother and my family always told me, "Don't let anybody know you're undocumented.” If somebody finds out, for whatever reason, there's some people who just are plain out racist or don't want people like me in the States. Sometimes they just do things to... I don't know. That's what I understood and that's what I took in and that's what I applied to my life. It's like living a secret, it was like living a second life or whatever. It’s like, "Oh shit, why do I have to lie, why?" I guess it's neither here nor there now, right? I'm here in Mexico.Anita: That must have been incredibly difficult. I know personally, because I've had to keep secrets.Rodolfo: Yeah, I guess it's one of those things where you think it's never really gonna affect you, until you're in the back of the DHS, the Department of Homeland Security, van. You're next to a whole bunch of people you never met, and they're also in the same position. Some don't even speak English. You don't really understand how immediately it can affect you until it affects you. I never thought it would affect me. Okay, well I mean, I'm working, I'm going to school—I'm in high school—I'm doing this, this and that. Some of my friends who are students already dropped out. Did everything, they’ve already gone to prison and back and everything, and they haven't even hit their 21st birthday.Rodolfo: And I'm still good, I'm still good. I may not be a straight A student or anything, but hey man, I'm still here! Why can't I have the same privilege as you all do? Why can't I get my license? You know how happy I was when I got my license here, damn. I love to drive, that's one of my passions. Always, always, always I love to drive. I couldn't get my license over there. I remember even in high school in drivers ed, I knew what the answer was, but I asked my mom, “Hey mom, can I apply for drivers ed, so I can get my license? “She was like, "You know you can't get your license." Again, one of the primary things, I’m like damn, I'm just not gonna be able to drive all my life? Or if I do drive and I get pulled over—as a matter of fact, that's the reason why I got deported, driving without a valid drivers license.Rodolfo: I never got why the paper said, "Driving on a suspended license." I would always ask them, "If I don't have a license, why is it suspended?" They just told me, "Because you have a drivers license number, but you don't have a drivers license? I'm like, "Okay, so if I have a drivers license number, why can't I get my drivers license?" "You don't have the proper documentation." I'm like, "But I have my..."Rodolfo: One day I thought, “Well why don't I just grab the driver license number and have somebody make me a fake drivers license, and put the drivers license on there?” But see, if I get caught with it, now I'm in more trouble, and now I'm seen as a real criminal, because now I'm going around the system once again. That's why we don't want you here, because you're gonna do things like that. [Exhale] I haven't talked about this in a while. It just makes me want to…I don’t know.

      Time in the US, Immigration Status, Being secretive, Hiding/lying, In the shadows, Living undocumented; Reflections, The United States, US government and immigration; Feelings, Frustration; Time in the US, Jobs/employment/work, Documents, Driver's license, Social security card/ID

    4. Sergio: Did you ever work in the US?Rodolfo: Yeah, I worked all the time, I never stopped. One of the first jobs I had…My uncle worked at a restaurant called, Baker's Square in Chicago. It was on the corner of Tui and Pratt. I really, really, really wanted—I think I was in fifth or sixth grade—a phone. I wanted a phone, it’s called the Psychic Slide. Phones used to flip, but this one slides. I wasn't gonna ask my mom for it, so I asked my uncle. "Hey man, I know you work at Baker's Square and I know around the holiday season it gets really busy. Can I help you? Can I go?" He's like, "Well, yeah, if you want." I used to wake up like 3:00 in the morning, and I used to go and help him out. After that, I really liked making money and I really liked dressing nice, I liked having my nice haircut or whatever. My very, very first job was in Wilmette, Illinois. I was a caddie. Yeah, and then—Sergio: On the golf course?Rodolfo: On the golf course, yeah. Wilmette Golf Course actually. I remember I was always the first one there. They used to choose us, when everybody got there, "Okay, you come with me, you come with me." I used to always go there and there was a gentleman by the name of... Man, I forgot his name. Like the President, Gerald Ford, that was his name Gerald Ford! The only reason I remembered was because of the President. He used to always get there around the same time I got there. He finally asked me, "Do you want to be my personal caddie? I don't want you working anymore with all these other kids, because nobody wants to work. Do you want to be my personal caddie?" I'm like, "Yeah, absolutely." It was going really, really well and everything.Rodolfo: I got to high school, I had a number of jobs. I worked at Subway, I worked at Chili's, I worked at... What was it? Outback Steak House, but then I finally just got to the Cheesecake Factory, and that's where I stayed the remainder of my time. The remainder of my time I stayed there, and I started from the busboy and I finally ended up being a bartender. One of the head bartenders, one of the head servers, they used to pay-out people and everything. Obviously, I didn't have my social or anything, but I was a little bit older than what I really was. When I first got there, when I first, first started working I think I was like 14. Obviously you can't work that young, I think actually, I was 18, at 14.Rodolfo: I didn't see it as anything bad. I knew that if I got caught with my fake ID and my fake social security card I'd get in trouble, but that's why we're there, that's why we worked. I didn't get a fake ID to go party or go get into clubs or bars or anything. The main purpose of it was for me to be able to get a job, and so my mom wouldn't have to work all those hours that she used to work. She used to work at a Burger King, overnight. I used to barely see her, and I didn't want that anymore. I told her, "You don't have to work that much if I start working. We can help each other out, we can, we're a team.” It was only my mother and I until I turned 14, when she met my stepdad. All throughout that, it was just my mother and I.

      Time in the US, Jobs/employment/work, Documents, Careers, Food services, Athletics

    1. Assuming that people trust your site, abusing redirections like this can help avoid spam filters or other automated filtering on forums/comment forms/etc. by appearing to link to pages on your site. Very few people will click on a link to https://evilphishingsite.example.com, but they might click on https://catphotos.example.com?redirect=https://evilphishingsite.example.com, especially if it was formatted as https://catphotos.example.com to hide the redirection from casual inspection - even if you look in the status bar while hovering over that, it starts with a reasonable looking string.
  20. datatracker.ietf.org datatracker.ietf.org
    1. To meet this goal, the path validation process verifies, among other things, that a prospective certification path (a sequence of n certificates) satisfies the following conditions

      how to validate certificate by trust anchor

  21. Jun 2021
    1. Note that you could skip the https:// if you want a shorter command and you’re feeling adventurous with your HTTP MITM concerns, plus you can use the direct GitHub link as well if you don’t trust my redirect pointing there.
    1. If you want, you can try out what the script would do first, without changing anything. $ sh -c "$(curl -fsSL https://r.viktoradam.net/githooks)" -- --dry-run
    2. To try and make things a little bit more secure, Githooks checks if any new hooks were added we haven't run before, or if any of the existing ones have changed
    1. And from a security standpoint, that'd be really kind of scary - no one should have the ability to force me to execute certain scripts whenever I run certain git commands
    2. Luckily there is not a way to force hooks to people upon clone. If there was, you could write a post-receive hook with rm -rf / in it and wipe people's hard disk on pull
    1. A seeming security advantage of MPLS is that it provides a secured and managed link between branch offices and the data center through the service provider’s internal backbone. Public internet connections do not natively provide that same level of protection. But this comparison is deceptive. MPLS does not provide any sort of analysis of the data that it delivers. That is still the responsibility of the MPLS client. Even when traversing an MPLS connection, traffic still needs to be inspected for malware or other exploits, which requires deploying a firewall and any additional security functions at one end of the connection or the other at a minimum. To be fair, many SD-WAN solutions, however, have the same issue. Other than some basic security functionality, most SD-WAN solutions still require security to be added as an overlay solution. And for those organizations that try to add security to their complex SD-WAN connections as an afterthought, the challenge is often more than they bargained for. Fortinet’s Secure SD-WAN solution is different because connectivity is deployed as an integrated function within an NGFW appliance, so every connection automatically includes dynamic meshed VPN capabilities to secure data in transit, combined with deep inspection of that traffic using the wide array of security tools – including IPS, firewall, WAF, web filtering, anti-virus, and anti-malware – that are already part of every FortiGate NGFW solution that supports SD-WAN. This includes the high-speed inspection of SSL and IPsec VPN connections – a function especially important today as nearly 70% of all internet traffic today is encrypted, with many countries encrypting as much as 85% of all webpages visited.
    1. In short: storing the token in HttpOnly cookies mitigates XSS being used to get the token, but opens you up to CSRF, while the reverse is true for storing the token in localStorage.
    2. Therefore, since each method had both an attack vector they opened up to and shut down, I perceived either choice as being equal.
    1. That means if an attacker can inject some JavaScript code that runs on the web app’s domain, they can steal all the data in localStorage. The same is true for any third-party JavaScript libraries used by the web app. Indeed, any sensitive data stored in localStorage can be compromised by JavaScript. In particular, if an attacker is able to snag an API token, then they can access the API masquerading as an authenticated user.
    2. But there’s a drawback that I didn’t like about this option: localStorage is vulnerable to Cross-site Scripting (XSS) attacks.
    1. DigiNotar was a Dutch certificate authority owned by VASCO Data Security International, Inc.[1][2] On September 3, 2011, after it had become clear that a security breach had resulted in the fraudulent issuing of certificates, the Dutch government took over operational management of DigiNotar's systems.[3]

      Dutch Certificate Authority gets hacked.

    1. The main security property of personal chattel was often not other TTPs as protectors but rather its portability and intimacy.

      The security properties of personal chattel was not a Trusted Third Party (TTP), but their portability and intimacy.

  22. May 2021
    1. the majority of XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HttpOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client.
    1. iOS itself is a monopoly that should be opened up to third-party stores and side-loaded apps

      Which would be a security issue - for me it would be a bad decision to force opening iOS.

  23. Apr 2021
    1. Separate Clusters. It is probably most common to see multiple clusters being deployed. This is due to different reasons, with security focused network segmentation being only one of them. Security focused. Application workloads with different security protection levels can be separated by Kubernetes clusters. This makes isolating traffic easier by using traditional firewalls or VPCs to prevent cross-cluster communication. If connections between clusters are required then it can be manually allowed but management can become cumbersome and error prone. For example, one cluster runs the application workloads and a separate one running databases, file storage (such as S3/minio) and other persistent storage for the same project because different security profiles are required for each cluster.
    1. Note: Building a container image using docker build on-cluster is very unsafe and is shown here only as a demonstration. Use kaniko instead.

      Why?

    1. highly

      This should be much more clearly defined IMHO. At the moment if there are no formal requirements in place, it is possible for an admin of an authorized lab to start using labs private key to issue "validity certificates on the side e.g. for profit"... Much more specifics should be defined about how the private keys are stored / protected (e.g. HSM requirements or other similar requirements which are defined by standards) and also limitations as to if e.g. cloud based HSMs are allowed. Also the security requirement should be strictly defined in the arrangements between WHO and national level authorities as well as between national level authorities and healthcare providers. For smaller countries or countries with centralized EHR with lab results the issuance of keys might end within national authority (as it would be signing the SVCs with its keys and no keys shall be handed over to labs/healthcare providers)

  24. Mar 2021
    1. It is critical you put better_errors only in the development section of your Gemfile. Do NOT run better_errors in production, or on Internet-facing hosts.
    1. here is my set of best practices.I review libraries before adding them to my project. This involves skimming the code or reading it in its entirety if short, skimming the list of its dependencies, and making some quality judgements on liveliness, reliability, and maintainability in case I need to fix things myself. Note that length isn't a factor on its own, but may figure into some of these other estimates. I have on occasion pasted short modules directly into my code because I didn't think their recursive dependencies were justified.I then pin the library version and all of its dependencies with npm-shrinkwrap.Periodically, or when I need specific changes, I use npm-check to review updates. Here, I actually do look at all the changes since my pinned version, through a combination of change and commit logs. I make the call on whether the fixes and improvements outweigh the risk of updating; usually the changes are trivial and the answer is yes, so I update, shrinkwrap, skim the diff, done.I prefer not to pull in dependencies at deploy time, since I don't need the headache of github or npm being down when I need to deploy, and production machines may not have external internet access, let alone toolchains for compiling binary modules. Npm-pack followed by npm-install of the tarball is your friend here, and gets you pretty close to 100% reproducible deploys and rollbacks.This list intentionally has lots of judgement calls and few absolute rules. I don't follow all of them for all of my projects, but it is what I would consider a reasonable process for things that matter.
  25. Feb 2021
    1. By default, hashes remove any keys that aren't given as nested filters. To allow all hash keys, set strip: false. In general we don't recommend doing this, but it's sometimes necessary.
    1. Using an implicit intent to start a service is a security hazard because you can't be certain what service will respond to the intent, and the user can't see which service starts. Beginning with Android 5.0 (API level 21), the system throws an exception if you call bindService() with an implicit intent.
    1. that's a point, but I would say the opposite, when entering credit card data I would rathre prefer to be entirely in the Verified By Visa (Paypal) webpage (with the url easily visible in the address bar) rather that entring my credit card data in an iframe of someone's website.
    1. hilarious sarcasm

    2. My goal (as it turns out) is simply to point out that any site that includes third party code is alarmingly vulnerable, in a completely undetectable way.
    3. I have a Content Security Policy!Oh, do you now.And did somebody tell you that this would prevent malicious code from sending data off to some dastardly domain? I hate to be the bearer of bad news, but the following four lines of code will glide right through even the strictest content security policy.
    4. it is very difficult to spot shenanigans in obfuscated code, you’ve got no chance.
    5. But I’m afraid it’s perfectly possible to ship one version of your code to GitHub and a different version to npm.
    6. The point is, just because you don’t see it, doesn’t mean it’s not happening. It’s been more than two years and as far as I know, no one has ever noticed one of my requests. Maybe it’s been in your site this whole time
    7. Also the URL looks a lot like the 300 other requests to ad networks your site makes.
    8. I’d notice the network requests going out!Where would you notice them? My code won’t send anything when the DevTools are open (yes even if un-docked).I call this the Heisenberg Manoeuvre: by trying to observe the behaviour of my code, you change the behaviour of my code.
  26. Jan 2021
    1. When Snap was introduced Canonical promised it would never replace APT. This promise was broken. Some APT packages in the Ubuntu repositories not only install snap as a dependency but also run snap commands as root without your knowledge or consent and connect your computer to the remote proprietary store operated by Canonical.
    1. Some users download the DEB package and install it manually and manage upgrades completely manually. This is useful in situations such as installing Docker on air-gapped systems with no access to the internet.
    2. The scripts require root or sudo privileges to run. Therefore, you should carefully examine and audit the scripts before running them.
    1. Automatic firmware updates can be accessed from your software settings on System76 hardware. These updates help to promptly quash any threat of security risk to your computer.
    1. Why did I put the kdb in the snap file system? Because the app is sandboxed, so I had no choice.
    2. I run a fairly ancient RedHat Enterprise 6 on my 32-bit test machine and if I need something requiring Gtk3 (such as a latest Firefox or Chrome), I just make a chroot and use debootstrap (from EPEL) to get me a Debian 9 userland for that program. Easy. No bizarre "app stores", no conflicting packages. Do people use Snap app-stores because they don't know how to use the chroot command? Or are they just lazy? If it is because they want the added security of a container, substitute chroot with lxc... Shouldn't be necessary though; if you avoid non-ethical software (i.e App-stores), you are very unlikely to need the added security.
    3. By design, snap apps have no access to /etc. They live in their own little world, but instead of a normal chroot, they are splatted all over the standard Linux filesystem layout. With other bits mounted hither and thither. Its a mess, and subject to change with each release.