902 Matching Annotations
  1. Apr 2020
    1. Q. I would like a copy of my data from a breach, can you please send it to me? A. No, I cannot Q. I have a breach I would like to give you in exchange for “your” breach, can you please send it to me? A. No, I cannot Q. I’m a security researcher who wants to do some analysis on the breach, can you please send it to me? A. No, I cannot Q. I’m making a searchable database of breaches; can you please send it to me? A. No, I cannot Q. I have another reason for wanting the data not already covered above, can you please send it to me? A. No, I cannot
    1. This is pretty old now, but it should absolutely be mentioned that you can NOT always fall back to html - I suspect that MOST places that support markdown don't support html.

      Not sure if this is true, though. GitHub and GitLab support HTML, for example.

      Maybe comments on websites wouldn't normally allow it; I don't know. But they should. One can use this filter, for example, to make it safer.

    1. Identity-based policies are attached to an IAM user, group, or role. These policies let you specify what that identity can do (its permissions). For example, you can attach the policy to the IAM user named John, stating that he is allowed to perform the Amazon EC2 RunInstances action. The policy could further state that John is allowed to get items from an Amazon DynamoDB table named MyCompany. You can also allow John to manage his own IAM security credentials. Identity-based policies can be managed or inline. Resource-based policies are attached to a resource. For example, you can attach resource-based policies to Amazon S3 buckets, Amazon SQS queues, and AWS Key Management Service encryption keys. For a list of services that support resource-based policies, see AWS Services That Work with IAM.

      Identity-Based Policies and Resource-Based Policies

    1. But recent events have made me question the prudence of releasing this information, even for research purposes. The arrest and aggressive prosecution of Barrett Brown had a marked chilling effect on both journalists and security researchers.
    2. The fact is that it doesn’t matter if you can see the threat or not, and it doesn’t matter if the flaw ever leads to a vulnerability. You just always follow the core rules and everything else seems to fall into place.
    1. Credential stuffing is a serious attack vector that is underrated because of its unintuitive nature
    2. Download the billions of breached passwords and blacklist them all. Attackers have a copy; so should you.
    3. If you force people to frequently change their passwords, they will use bad passwords.
    4. Stop forcing users to change their passwords every 30, 60, or 90 days, and stop forcing users to include a mixture of uppercase, lowercase, and special charactersForcing users to change their passwords should only happen if there is reason to believe an organization has been breached, or if a new third-party data breach affects employees or users.
    5. Defending against credential stuffing attacks
    1. you could even provide an incentive if the user proactively opts to change a Pwned Password after being prompted, for example the way MailChimp provide an incentive to enabled 2FA:
    2. Perhaps, for example, a Pwned Password is only allowed if multi-step verification is enabled. Maybe there are certain features of the service that are not available if the password has a hit on the pwned list.
    3. A middle ground would be to recommend the user create a new password without necessarily enforcing this action. The obvious risk is that the user clicks through the warning and proceeds with using a compromised password, but at least you've given them the opportunity to improve their security profile.
    1. While KeeFarce is specifically designed to target KeePass password manager, it is possible that developers can create a similar tool that takes advantage of a compromised machine to target virtually every other password manager available today.
    2. KeeFarce obtains passwords by leveraging a technique called DLL (Dynamic Link Library) injection, which allows third-party apps to tamper with the processes of another app by injecting an external DLL code.
    1. Timed clipboard clearing: KeePass can clear the clipboard automatically some time after you've copied one of your passwords into it.
    2. Open Source prevents backdoors. You can have a look at its source code and compile it yourself.
    1. By default: no. The Auto-Type method in KeePass 2.x works the same as the one in 1.x and consequently is not keylogger-safe. However, KeePass features an alternative method called Two-Channel Auto-Type Obfuscation (TCATO), which renders keyloggers useless. This is an opt-in feature (because it doesn't work with all windows) and must be enabled for entries manually. See the TCATO documentation for details.
    1. The time in which the first string part remains in the clipboard is minimal. It is copied to the clipboard, pasted into the target application and immediately cleared. This process usually takes only a few milliseconds at maximum.

      Seems like all a keylogger would need to do is poll/check the clipboard more frequently than that, and (only if it detected a change in value from the last cached clipboard value), save the clipboard contents with a timestamp that can be easily correlated and combined with the keylogger recording.

    1. Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts.
    1. One suggestion is to check user's passwords when they log in and you have the plain text password to hand. That way you can also take them through a reset password flow as they log in if their password has been pwned.
    1. In 2017 NIST (National Institute of Standards and Technology) as part of their digital identity guidelines recommended that user passwords are checked against existing public breaches of data. The idea is that if a password has appeared in a data breach before then it is deemed compromised and should not be used. Of course, the recommendations include the use of two factor authentication to protect user accounts too.
    1. When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.
    2. trim off a bunch of excessive headers such as the content security policy HIBP uses (that's of no use to a lone API endpoint).
    1. This isn't asking about which of the person's 500 doors was left unlocked, rather it's asking me to put the actual keys for over a billion doors up into a publicly accessible location with nothing other than my own personal best efforts to keep them safe.
    2. So I'd have to encrypt them and the problem with encryption is decryption. If HIBP got comprehensively pwned itself - and that is always a possibility - to the extent where the encryption key was also exposed, it's game over.
    3. So I'd have to encrypt them and the problem with encryption is decryption. If HIBP got comprehensively pwned itself - and that is always a possibility - to the extent where the encryption key was also exposed, it's game over. Or alternatively, if there's a flaw in the process that retrieves and displays the password such that it becomes visible to an unauthorised person, that's also a very serious issue.
    4. Once common practice, websites emailing you your password is now severely frowned upon. You'd often see this happen if you'd forgotten your password: you go to the "forgot password page", plug in your email address and get it delivered to your inbox. In fact, this is such a bad practice that there's even a website dedicated to shaming others that do this.
    5. Email is not considered a secure communications channel. You have no idea if your email is encrypted when it's sent between mail providers nor is it a suitable secure storage facility
    1. So there's a lot of stuff getting hacked and a lot of credentials floating around the place, but then what? I mean what do evil-minded people do with all those email addresses and passwords? Among other things, they attempt to break into accounts on totally unrelated websites
    1. An emerging way to bypass the need for passwords is to use magic links. A magic link is a temporary URL that expires after use, or after a specific interval of time. Magic links can be sent to your email address, an app, or a security device. Clicking the link authorizes you to sign in.

      Magic Links to replace passwords?

    2. Hashing passwords won’t save you or your users. Once a database of passwords has been stolen, hackers aim immense distributed computing power at those password databases. They use parallel GPUs or giant botnets with hundreds of thousands of nodes to try hundreds of billions of password combinations per second in hopes of recovering plaintext username/password pairs.

      What happens when the database is in hacker's hands

    1. Validating CloudTrail Log File Integrity PDF Kindle RSS To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. You can use the AWS CLI to validate the files in the location where CloudTrail delivered them.

      use this help you to detect a potential secuirty issue, some one modify the logs.

      avoid tampering

    1. Unfortunately no - it cannot be done without Trusted security devices. There are several reasons for this. All of the below is working on the assumption you have no TPM or other trusted security device in place and are working in a "password only" environment.

      Devices without a TPM module will be always asked for a password (e.g. by BitLocker) on every boot

  2. Mar 2020
  3. www.graphitedocs.com www.graphitedocs.com
    1. Own Your Encryption KeysYou would never trust a company to keep a record of your password for use anytime they want. Why would you do that with your encryption keys? With Graphite, you don't have to. You own and manage your keys so only YOU can decrypt your content.
    1. This is acceptable because the standard security levels are primarily driven by much simpler, symmetric primitives where the security level naturally falls on a power of two. For asymmetric primitives, rigidly adhering to a power-of-two security level would require compromises in other parts of the design, which we reject.
    1. Enligt Polismyndighetens riktlinjer ska en konsekvensbedömning göras innan nya polisiära verktyg införs, om de innebär en känslig personuppgiftbehandling. Någon sådan har inte gjorts för det aktuella verktyget.

      Swedish police have used Clearview AI without any 'consequence judgement' having been performed.

      In other words, Swedish police have used a facial-recognition system without being allowed to do so.

      This is a clear breach of human rights.

      Swedish police has lied about this, as reported by Dagens Nyheter.

    1. The payment provider told MarketWatch that everyone has a unique walk, and it is investigating innovative behavioral biometrics such as gait, face, heartbeat and veins for cutting edge payment systems of the future.

      This is a true invasion into people's lives.

      Remember: this is a credit-card company. We use them to pay for stuff. They shouldn't know what we look like, how we walk, how our hearts beat, nor how our 'vein technology' works.

    1. startup focused on creating transparency in data. All that stuff you keep reading about the shenanigans with companies mishandling people's data? That's what we are working on fixing.
  4. Feb 2020
    1. To add insult to injury I learn that when Cloudflare automatically detects an anomaly with your domain they permanently delete all DNS records. Mine won't be difficult to restore, but I'm not sure why this is necessary. Surely it would be possible for Cloudflare to mark a domain as disabled without irrevocably deleting it? Combined with the hacky audit log, I'm left with the opinion that for some reason Cloudflare decided to completely half-ass the part of their system that is responsible for deleting everything that matters to a user.

      ...and this is why some companies should not grow to become too big for the good of their customers.

    1. When our analysts discovered six vulnerabilities in PayPal – ranging from dangerous exploits that can allow anyone to bypass their two-factor authentication (2FA), to being able to send malicious code through their SmartChat system – we were met with non-stop delays, unresponsive staff, and lack of appreciation. Below, we go over each vulnerability in detail and why we believe they’re so dangerous. When we pushed the HackerOne staff for clarification on these issues, they removed points from our Reputation scores, relegating our profiles to a suspicious, spammy level. This happened even when the issue was eventually patched, although we received no bounty, credit, or even a thanks. Instead, we got our Reputation scores (which start out at 100) negatively impacted, leaving us worse off than if we’d reported nothing at all.

      Paypal is a bad company in many ways. This is one of them.

    1. Last year, Facebook said it would stop listening to voice notes in messenger to improve its speech recognition technology. Now, the company is starting a new program where it will explicitly ask you to submit your recordings, and earn money in return.

      Given Facebook's history with things like breaking laws that end up with them paying billions of USD in damages (even though it's a joke), sold ads to people who explicitly want to target people who hate jews, and have spent millions of USD every year solely on lobbyism, don't sell your personal experiences and behaviours to them.

      Facebook is nefarious and psychopathic.

    1. The most popular modern secure messaging tool is Signal, which won the Levchin Prize at Real World Cryptography for its cryptographic privacy design. Signal currently requires phone numbers for all its users. It does this not because Signal wants to collect contact information for its users, but rather because Signal is allergic to it: using phone numbers means Signal can piggyback on the contact lists users already have, rather than storing those lists on its servers. A core design goal of the most important secure messenger is to avoid keeping a record of who’s talking to whom. Not every modern secure messenger is as conscientious as Signal. But they’re all better than Internet email, which doesn’t just collect metadata, but actively broadcasts it. Email on the Internet is a collaboration between many different providers; and each hop on its store-and-forward is another point at which metadata is logged. .
  5. Jan 2020
    1. Now, Google has to change its practices and prompt users to choose their own default search engine when setting up a European Android device that has the Google Search app built in. Not all countries will have the same options, however, as the choices included in Google’s new prompt all went to the highest bidders.As it turns out, DuckDuckGo must have bid more aggressively than other Google competitors, as it’s being offered as a choice across all countries in the EU.
    1. A Microsoft programme to transcribe and vet audio from Skype and Cortana, its voice assistant, ran for years with “no security measures”, according to a former contractor who says he reviewed thousands of potentially sensitive recordings on his personal laptop from his home in Beijing over the two years he worked for the company.

      Wonderful. This, combined with the fact that Skype users can—fairly easily—find out which contacts another person has, is horrifying.

      Then again, most people know that Microsoft have colluded with American authorities to divulge chat/phone history for a long time, right?

    1. maybe the server is getting brute-forced some way. so the ssh connections are in use this way. In this case MaxStartups would only lead to more bandwith usage and higher server load. You should think about a non default port in high port range and something like fail2ban
  6. Dec 2019
    1. greater integration of data, data security, and data sharing through the establishment of a searchable database.

      Would be great to connect these efforts with others who work on this from the data end, e.g. RDA as mentioned above.

      Also, the presentation at http://www.gfbr.global/wp-content/uploads/2018/12/PG4-Alpha-Ahmadou-Diallo.pptx states

      This data will be made available to the public and to scientific and humanitarian health communities to disseminate knowledge about the disease, support the expansion of research in West Africa, and improve patient care and future response to an outbreak.

      but the notion of public access is not clearly articulated in the present article.

    1. I understand that GitHub uses "Not Found" where it means "Forbidden" in some circumstances to prevent inadvertently reveling the existence of a private repository. Requests that require authentication will return 404 Not Found, instead of 403 Forbidden, in some places. This is to prevent the accidental leakage of private repositories to unauthorized users. --GitHub This is a fairly common practice around the web, indeed it is defined: The 404 (Not Found) status code indicates that the origin server did not find a current representation for the target resource or is not willing to disclose that one exists. --6.5.4. 404 Not Found, RFC 7231 HTTP/1.1 Semantics and Content (emphasis mine)
    1. Now using sudo to work around the root account is not only pointless, it's also dangerous: at first glance rsyncuser looks like an ordinary unprivileged account. But as I've already explained, it would be very easy for an attacker to gain full root access if he had already gained rsyncuser access. So essentially, you now have an additional root account that doesn't look like a root account at all, which is not a good thing.
    2. My exploit was to set the setuid bit on the dash binary; it causes Linux to always run that binary with the permissions of the owner, in this case root.
    1. In actuality, most people choose words from a set of 10,000 or more words, bringing the complexity of a 5 word passphrase to 16,405 or more times greater than that of a 8 character password.
    1. Google found 1,494 device identifiers in SensorVault, sending them to the ATF to comb through. In terms of numbers, that’s unprecedented for this form of search. It illustrates how Google can pinpoint a large number of mobile phones in a brief period of time and hand over that information to the government
    2. Google found 1,494 device identifiers in SensorVault, sending them to the ATF to comb through. In terms of numbers, that’s unprecedented for this form of search. It illustrates how Google can pinpoint a large number of mobile phones in a brief period of time and hand over that information to the government
    1. Use a USB-condom. This is a device that plugs in between your normal cable and the computer and blocks the data lines
    2. Use a USB cable with a "data switch". This cable is normally power-only, which is what you want 90% of the time. However there is a button ("Data Transfer Protection On/Off Switch") you can press that will enable data. An LED indicates the mode. This kind of cable is much safer and secure, plus more convenient for the users. It follows the security principle that if you make the defaults what you want users to do, they're more likely to follow your security policy.
    1. As important as it is, we know that worrying about data security and password hygiene is about as much fun as doing your taxes.
    1. В 2017 году количество устройств, подключенных к «интернету вещей», выросло до 8,4 миллиарда. Консалтинговое агентство Forrester прогнозирует, что к концу года более полумиллиона из них взломают. В Университете Иннополис уточняют, что в третьем квартале 2017 года в городской инфраструктуре стали фиксировать на 30 % больше случаев угрозы информационной безопасности. При этом каждый пятый из них оказался критичным. 
  7. Nov 2019
    1. Blocking BEC AttacksAs technology evolves and deep fake AI grows popular, business email compromise (BEC) attacks are growing more common and sophisticated. Payton gave the audience a piece of advice: Do not use your public-facing domain name for moving money. Cybercriminals do their open source intelligence. They know your CEO. They know your CFO. They can figure out who your vendors are and your marketing campaigns. With knowledge gleaned from an Internet search, they have enough to send a social engineering email and transfer money. "Get a domain name that is not your public-facing domain name," Payton said. Get a set of email credentials only for people who are allowed to move money. Tell your bank you're no longer using the public-facing domain name for anything to do with wire transfers and money movement. From there, create a template to be used among employees sending and fulfilling financial requests. Decide on a code word you text to each other that isn't a term shared on social media, Payton advised. This way, a request that doesn't come with a code word will appear suspicious. A large healthcare provider adopted the method, she said – and it has already worked. The same strategy can be used for transferring intellectual property.

      prevention strategies

    1. you probably referred to the positive case where no one overrides anything and so the property returns true, so no need to process further because it is really an automation. Yes, this is true. I just hope that it does not make websites skip the checks if this returns false.
    1. Why can't I keep using script whitelists in CSP? The traditional approach of whitelisting domains from which scripts can be loaded is based on the assumption that all responses coming from a trusted domain are safe, and can be executed as scripts. However, this assumption does not hold for modern applications; some common, benign patterns such exposing JSONP interfaces and hosting copies of the AngularJS library allow attackers to escape the confines of CSP.
    1. However, a broader problem is that your script-src whitelist includes domains that host Javascript which can be used by an attacker who finds a markup injection bug in your application to bypass your CSP. For example, https://cdnjs.cloudflare.com hosts Angular (https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.7.2/angular.min.js) which can be used by an attacker to convert an HTML injection into arbitrary script execution (here is a paper about this).
  8. Oct 2019
    1. An API key is a simple encrypted string that identifies a Google Cloud Platform (GCP) project for quota, billing, and monitoring purposes. A developer generates an API key in a project in the GCP Console and embeds that key in every call to your API as a query parameter
    1. This is useful if just a subset of the operations need the API key

      can we do wildcard paths at all?

    2. PI keys are supposed to be a secret that only the client and server know. Like Basic authentication, API key-based authentication is only considered secure if used together with other security mechanisms such as HTTPS/SSL
    1. API keys are generally not considered secure; they are typically accessible to clients, making it easy for someone to steal an API key. Once the key is stolen, it has no expiration, so it may be used indefinitely, unless the project owner revokes or regenerates the key

      hmmm... what about client-API architectures where there are no username/pwd pairs?

    2. Cloud Endpoints handles both API keys and authentication schemes, such as Firebase or Auth0
    1. Access control for GCP APIs encompasses authentication, authorization, and auditing. Authentication determines who you are, authorization determines what you can do, and auditing logs record what you did
    2. Application credentials provide the required information about the caller making a request to a GCP API. Valid credential types include API keys, OAuth 2.0 client credentials, or service account keys.
    1. OAuth can be many things. It is most commonly used to allow an application (the consumer) to access data or services that the user (the resource owner) has with another service (the provider), and this is done in a way that prevents the consumer from knowing the login credentials that the user has with the provider
    1. For each call to your API, user should send token with every API request and you should validate the encoded toke and either deny or send back the response.
    1. Cloud IAP enables you to configure Cloud IAP policies for individual resources in a Google Cloud Platform (GCP) project. Multiple apps within a project can each have different access policies
    1. principle of least privilege states that any process, user or program has only the privileges it needs to do its job

      Principle of least privilege

    2. If you really want to impress your security consultant, then casually mention Kerckhoffs Principle which is a more formal way of saying ‘security through obscurity is not sufficient’

      Kerckhoffs Principle

    3. Hashing is the process of turning one set of data into another through a reproducible algorithm

      Hashing

    4. symmetric key is. It’s a key that is ‘the same’ one used on both sides of the communication

      Symmetric key

    5. asymmetric key is one where access to the key used to encrypt the message does not imply access to decrypt the message

      Asymmetric key

    6. Authorization is the process of determining whether you are allowed to do something or not

      Authorisation

    7. Security through obscurity is security through the design of a system. In other words, if the design of your system were to become public then it would be easy to expose

      Security Through Obscurity

    8. Role-Based Access Control gives permission to a more abstract entity called a role. Rather than giving access to that user directly, you give the user access to the role, and then that role has the access permissions set for it

      Role-Based Access Control (RBAC)

    9. This is why it’s important to ‘salt‘ your hash with a secret key so that knowledge of the hash algorithm isn’t enough to crack a lot of passwords

      Improving hashing algorithms

    10. Encryption vs Encoding

      Encoding - converting some data into some other format

      Encryption - involves needing some secret or secure process to get access to the data, like a private 'key' that you store in your ~/.ssh folder

    1. new data provided by the Department of Human Services showed that almost half of all pension applications received last year were not processed within the timeframe set out in their Key Performance Measure standards

      Key Performance Measure for social security processing

  9. Sep 2019
    1. deploying an App Engine standard or flexible environment application and securing it with Cloud Identity-Aware Proxy (Cloud IAP)

      isn't IAP sufficient to secure apps, then?

    1. Endpoints Frameworks is supported only on the App Engine standard Python 2.7 and Java 8 runtime environments

      seems like endpoints frameworks is different from endpoints itself

    1. it's not that there are new vulnerabilities that have been identified in the implicit flow, just that PKCE offers a more secure alternative that you should use if you have the option

      Use PKCE instead of the implicit flow if you have a chance

    2. PKCE (which stands for "Proof Key for Code Exchange" and is pronounced "pixie") was originally developed to solve a problem specific to native mobile apps using OAuth 2.0

      PKCE (Proof Key for Code Exchange) is an extension to OAuth 2.0

    3. While this has worked and continues to work for a wide range of web applications, security experts had (and continue to have) concerns that it leaves open some potential attack vectors

      Implicit flow is still simple and very secure

    4. click a button that says "Sign in with GitHub." I am then sent to GitHub to sign in and, if this is my first time, grant permissions

      The Implicit flow:

      1. The application requests authorization from the user ➡
      2. The user authorizes the request ➡
      3. The authorization server issues an access token via the redirect URI ⬅
      4. The application uses the token to call the API ➡
  10. Aug 2019
    1. JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation Tool
  11. Jul 2019
    1. If Bluetooth is ON on your Apple device everyone nearby can understand current status of your device, get info about battery, device name, Wi-Fi status, buffer availability, OS version and even get your mobile phone number
    1. Fellow student, since you are reading this, you installed Hypothes.is as the instructor's recommended. However, the extension by default has permissions to read all data on all websites you visit. Technically that means email, banking sites, etc. I for one don't want to give random software that authority. The developer did provide a easy way to limit that, and I'll assume he programmed it to work as promised. If you right click on the "h." extension icon, you can change "This can read and write all site data" to only Coursera - which means you can use the extension for the class, but it shouldn't be reading your emails or bank passwords.

      For the course writers and INSEAD - while Hypothesis looks solid and its nice that its non-profit, encouraging all students to install unrestricted extensions which can read all pages and data is a big responsibility, it could easily go wrong. Have you considered how this could be used as malware with the extensive permissions the extension is granted by default?

    1. Authentication (from Greek: αὐθεντικός authentikos, "real, genuine", from αὐθέντης authentes, "author") is the act of proving an assertion, such as the identity of a computer system user.

      The assertion does not need to be about an actor's identity per se?

  12. Jun 2019
  13. May 2019
  14. Apr 2019
    1. “Being able to feel safe with other people is probably the single most important aspect of mental health; safe connections are fundamental to meaningful and satisfying lives.”
    2. Trauma victims cannot recover until they become familiar with and befriend the sensations in their bodies. Being frightened means that you live in a body that is always on guard. Angry people live in angry bodies. The bodies of child-abuse victims are tense and defensive until they find a way to relax and feel safe. In order to change, people need to become aware of their sensations and the way that their bodies interact with the world around them. Physical self-awareness is the first step in releasing the tyranny of the past.
    1. Oops, I think that one might even be exploitable… I think I’m going to stop here. This needs a structured effort, not spending ten minutes every now and then. As I said, the codebase isn’t bad. But there are obvious issues that shouldn’t have been there. As always, spotting the issues is the easy part – proving that they are exploitable is far harder. I’m not going to spend time on that right now, so let’s just file these under “minor quality issues” rather than “security problems.”
    2. LastPass has always been stressing that they cannot access your passwords, so keeping them on their servers is safe. This statement has been proven wrong several times already, and the improvements so far aren’t substantial enough to make it right. LastPass design offers too many loopholes which could be exploited by a malicious server. So far they didn’t make a serious effort to make the extension’s user interface self-contained, meaning that they keep asking you to trust their web server whenever you use LastPass.
    3. Some of these actions will prompt you to re-enter your master password. That’s merely security theater

      "Security theater". I dig that term.

    4. LastPass is run by LogMeIn, Inc. which is based in United States. So let’s say the NSA knocks on their door: “Hey, we need your data on XYZ so we can check their terrorism connections!” As we know by now, NSA does these things and it happens to random people as well, despite not having any ties to terrorism. LastPass data on the server is worthless on its own, but NSA might be able to pressure the company into sending a breach notification to this user.
    5. Should you be concerned about LastPass uploading your passwords to its server?

      TL;DR: Yes, very much.

  15. Mar 2019
    1. Sharing of user data is routine, yet far from transparent. Clinicians should be conscious of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent. Privacy regulation should emphasise the accountabilities of those who control and process user data. Developers should disclose all data sharing practices and allow users to choose precisely what data are shared and with whom.

      Horrific conclusion, which clearly states that "sharing of user data is routine" where the medical profession is concerned.

    2. To investigate whether and how user data are shared by top rated medicines related mobile applications (apps) and to characterise privacy risks to app users, both clinicians and consumers.

      "24 of 821 apps identified by an app store crawling program. Included apps pertained to medicines information, dispensing, administration, prescribing, or use, and were interactive."

    1. Hashicorp Vault: One-Time Password para SSH

      Está aí um assunto sob o qual quero aprender! Não é explicitamente coberto pelos tópicos de certificação DevOps, mas dá uma olhada nos assuntos cobrindo ssh e security (procura também por vault em https://wiki.lpi.org/wiki/DevOps_Tools_Engineer_Objectives_V1).

  16. Jan 2019
    1. Who would have thought crypto investors would be U.S. securities law experts by the end of 2018

      <big>评:</big><br/><br/>《金瓶梅》第四十八回有曰:「常言:『兵来将挡,水来土掩』。事到其间,道在人为,少不的你我打点礼物,早差人上东京,央及老爷那里去」。人生如戏,每个人顾及的都是如何演好自己的戏份。好在如今已不是投机倒把等同犯罪的年代,嗅觉灵敏的市场玩家们逢场作戏也无可厚非,但是谁来「打点礼物」制造惊喜呢?2018年,玩家们反倒收获了不少惊恐。<br/><br/>专业的投资者和政客总是能在自己的地盘上长袖善舞,但是在这个野蛮生长的年代,恐怕他们也得多向口译员们学习快速熟悉陌生领域的技能——共情、抗压、不服输,或许称之为「人格特质」更加合适。

    1. vorsichtig in öffentlichen WLAN-Netzen sein

      bei unverschlüsselten Netzwerken (Zug, Bus, Cafe etc.) VPN benützen. Bspw. Freedome oder NordVPN. Beide speichern keine Daten.

  17. Oct 2018
    1. The NYCLU found nothing in the documents outlining policies for accessing data collected by the cameras, or what faces would be fed to the system in the first place. And based on emails acquired through the same FOIL request, the NYCLU noted, Lockport administrators appeared to have a poor grasp on how to manage access to internal servers, student files, and passwords for programs and email accounts. “The serious lack of familiarity with cybersecurity displayed in the email correspondence we received and complete absence of common sense redactions of sensitive private information speaks volumes about the district’s lack of preparation to safely store and collect biometric data on the students, parents and teachers who pass through its schools every day,” an editor’s note to the NYCLU’s statement on the Lockport documents reads.
    1. As a recap, Chegg discovered on September 19th a data breach dating back to April that "an unauthorized party" accessed a data base with access to "a Chegg user’s name, email address, shipping address, Chegg username, and hashed Chegg password" but no financial information or social security numbers. The company has not disclosed, or is unsure of, how many of the 40 million users had their personal information stolen.

  18. Sep 2018
    1. politicians looking for issues to drum up with have made a whipping boy out of the social networks

      Here, I think the author is just saying that Facebook and Twitter have taken a lot of heat from politicians about the 2016 election, Russian interference, etc. This year, the tech companies are showing that they are "good citizens" by having better security and helping young people register to vote.

    1. When your page links to another page using target="_blank", the new page runs on the same process as your page. If the new page is executing expensive JavaScript, your page's performance may also suffer. See The Performance Benefits of rel=noopener for more information. On top of this, target="_blank" is also a security vulnerability. The new page has access to your window object via window.opener, and it can navigate your page to a different URL using window.opener.location = newURL. See About rel=noopener for a demo and explanation of the vulnerability. Adding a rel="noopener" attribute prevents the new page from being able to access the window.opener property and will ensure it runs in a separate process. The rel="noreferrer" attribute has the same effect, but will also prevent the Referer header from being sent to the new page.
    1. This document outlines Cross-Origin Read Blocking (CORB), an algorithm by which dubious cross-origin resource loads may be identified and blocked by web browsers before they reach the web page. CORB reduces the risk of leaking sensitive data by keeping it further from cross-origin web pages. In most browsers, it keeps such data out of untrusted script execution contexts. In browsers with Site Isolation, it can keep such data out of untrusted renderer processes entirely, helping even against side channel attacks.
    1. Cross-Origin Read Blocking (CORB) is a new web platform security feature that helps mitigate the threat of side-channel attacks (including Spectre).  It is designed to prevent the browser from delivering certain cross-origin network responses to a web page, when they might contain sensitive information and are not needed for existing web features.  For example, it will block a cross-origin text/html response requested from a <script> or <img> tag, replacing it with an empty response instead.  This is an important part of the protections included with Site Isolation.
    1. I love the voice of their help page. Someone very opinionated (in a good way) is building this product. I particularly like this quote: Your data is a liability to us, not an asset.
  19. Jul 2018
    1. It is clear that the intelligence and law enforcement communities of the United States — adhering to the principles of patriotism enumerated by Deputy Attorney General Rod Rosenstein on Friday — felt that a message needed to be sent to the Russians that we were on to them.

      Typically, the president would deliver such a message, but this president has proven to be the staunchest defender of Putin and the most active advocate of covering up or denying these attacks. He did it again this week even while aware of the indictments.

      ...

      Trump may deny collusion. But given that this the attack continues, denying it is collusion, distracting from it is collusion, obstructing the investigation of it is collusion — because all these things enable it to go on.

  20. Jun 2018
    1. security

      Hi ,<br> All gov websites holding citizens personally identifiable information should hold a valid third party certificate, as I have seen at most of time, government website do not produce a valid certificate or do not produce any certificate at all , a few examples railway recruitment website which collects candidates personal info, apart from that voter id verification website (http://www.nvsp.in/) also not producing any certificate. in such cases lack of secure communication will help hackers to grab the passed data in between.. Certificates should be mandatory in all local/state / national level government websites.

  21. inst-fs-iad-prod.inscloudgate.net inst-fs-iad-prod.inscloudgate.net
    1. we must not place the burden of safety on users in terms of who is responsible and who suffers the consequences
    2. IDEAS FOR TECHNICAL MECHANISMSA technique called differential privacy1 provides a way to measure the likelihood of negative impact and also a way to introduce plausible deniability, which in many cases can dramatically reduce risk exposure for sensitive data.Modern encryption techniques allow a user’s information to be fully encrypted on their device, but using it becomes unwieldy. Balancing the levels of encryption is challenging, but can create strong safety guarantees. Homomorphic encryption2 can allow certain types of processing or aggregation to happen without needing to decrypt the data.Creating falsifiable security claims allows independent analysts to validate those claims, and invalidate them when they are compromised. For example, by using subresource integrity to lock the code on a web page, the browser will refuse to load any compromised code. By then publishing the code’s hash in an immutable location, any compromise of the page is detectable easily (and automatically, with a service worker or external monitor).Taken to their logical conclusion these techniques suggest building our applications in a more decentralized3 way, which not only provides a higher bar for security, but also helps with scaling: if everyone is sharing some of the processing, the servers can do less work. In this model your digital body is no longer spread throughout servers on the internet; instead the applications come to you and you directly control how they interact with your data.
  22. May 2018
  23. Apr 2018
  24. Mar 2018
    1. Introducing Subscribe with Google

      Interesting to see this roll out as Facebook is having some serious data collection problems. This looks a bit like a means for Google to directly link users with content they're consuming online and then leveraging it much the same way that Facebook was with apps and companies like Cambridge Analytica.

  25. Feb 2018
  26. Jan 2018
  27. Dec 2017
    1. Traffic sent to and from Google, Facebook, Apple, and Microsoft was briefly routed through a previously unknown Russian Internet provider Wednesday under circumstances researchers said was suspicious and intentional.

  28. Nov 2017
    1. The draft Plan of Implementation for the World Summit on Sustainable Development,recognizes poverty eradication as the greatest global challenge facing the world today andan indispensable requirement for sustainable development.

      Human rights and poverty reduction

    1. The reason that oil reached $117 a barrel last week was less to do with security of supply… than World shortage."
    2. "While the unresolved conflict with Iraq provides the immediate justification" for the US "to play a more permanent role in Gulf regional security," "the need for a substantial American force presence in the Gulf transcends the issue of the regime of Saddam Hussein."
    1. Oil was not the only goal of the Iraq War, but it was certainly the central one, as top U.S. military and political figures have attested to in the years following the invasion
    1. Saddam Hussein deserved to remain in power. But the security vacuum after his fall and the presence of foreign occupiers led to Iraq becoming a breeding ground for jihad and religious extremism.
    2. Saddam Hussein was a nasty, murderous tyrant who brutalized much of his country and was guilty of war crimes
    1. It is widely agreed upon that Iraqi civilian deaths peak in July. But estimates, which hover between 1,000 and 3,500 for that month, vary greatly
    2. Acting on tips from the dictator's bodyguard and family members, U.S. troops find Saddam Hussein hiding out in a one-man hole near his boyhood home of Tikrit.
    3. L. Paul Bremer III, head of the Coalition Provisional Authority in Iraq, signs an order disbanding the Iraqi army and intelligence services, sending hundreds of thousands of well-armed men into the streets
    4. Lawlessness and some skirmishing in the country are written off as the desperate acts of "dead-enders" by Defense Secretary Donald Rumsfeld
    5. U.S., British, and other coalition forces quickly overwhelm the Iraqi Army, though elements loyal to Saddam Hussein who will form the core of a postwar insurgency fight on
    1. We know that there are few sticky security and implementation issues

      Which is probably why @judell’s tate doesn’t show up in Chrome on my system and there’s weirdness with the scrolling once we accept to load unsafe scripts.

    1. the Iraqi government had a difficult time recruiting and training police officers and soldiers to assume domestic security duties. The death of al-Qaeda in Iraq’s leader, Abu Musab al-Zarqawi, in June 2006 did nothing to reduce the violence.
    2. Responsible for countless killings and sabotage, the insurgents targeted coalition forces, new Iraqi security forces and recruitment centres, electrical installations, oil pipelines, and other civilian institutions
    3. Major fighting ended by late April, but acts of common criminality continued, and, as the months passed, a pattern of concerted guerrilla warfare began to unfold. On December 13, 2003, Ṣaddām surrendered to U.S. troops when he was found hiding near Tikrīt, and other major figures from the regime were tracked down and arrested.
    1. when all people, at all times, have physical, social and economic access to sufficient, safe and nutritious food that meets their dietary needs and food preferences for an active and healthy life.
    1. For the last few years, Intel CPUs have Intel Management Engine, which runs its own OS, the Unix-like MINIX. You have no access to it. But it has complete access to your computer.

    1. EFF recommendations for Congress regarding data security and data breaches like the one at Equifax.

      https://www.ftc.gov/datasecurity<br> FTC guide to data security for businesses.

  29. Oct 2017
    1. oston, Newport, New York, Philadelphia, and Charleston were the five largest cities in British North America. Philadelphia, New York, Boston, and Charleston had populations of appr

      Security