Jonkman Microblog

Notices tagged with security, page 21

  1. Dr. Roy Schestowitz (罗伊) (schestowitz@pleroma.site)'s status on Wednesday, 25-Mar-2020 22:50:57 EDT
    "Like each month, here comes a report about the work of paid contributors to Debian LTS." https://raphaelhertzog.com/2020/03/25/freexians-report-about-debian-long-term-support-february-2020/ #debian #gnu #linux #security
    In conversation Wednesday, 25-Mar-2020 22:50:57 EDT from pleroma.site permalink

    Attachments

    1. Freexian’s report about Debian Long Term Support, February 2020
      By Raphaël Hertzog from apt-get install debian-wizard
  2. Dr. Roy Schestowitz (罗伊) (schestowitz@pleroma.site)'s status on Wednesday, 25-Mar-2020 22:08:08 EDT
    Securing open source through CVE prioritisation
    https://ubuntu.com/blog/securing-open-source-through-cve-prioritisation #freesw #security
    In conversation Wednesday, 25-Mar-2020 22:08:08 EDT from pleroma.site permalink

    Attachments

    1. Securing open source through CVE prioritisation | Ubuntu
      from Ubuntu
      According to a recent study, 96% of applications in the enterprise market use open-source software. As the open-source landscape becomes more and more fragmented, the task to assess the impact of potential security vulnerabilities for an organisation can become overwhelming. Ubuntu is known as one of the most secure operating systems, but […]
  3. Dr. Roy Schestowitz (罗伊) (schestowitz@pleroma.site)'s status on Wednesday, 25-Mar-2020 13:27:01 EDT
    How to Run Penetration Test on Android Phone Camera Using Kali Linux https://www.maketecheasier.com/penetrate-test-android-phone-camera-kali-linux/ those things are designed for spying and back doors, not #security
    In conversation Wednesday, 25-Mar-2020 13:27:01 EDT from pleroma.site permalink

    Attachments

    1. How to Run Penetration Test on Android Phone Camera Using Kali Linux
      By Sayak Boral from Make Tech Easier
  4. Matrix.org (matrix@mastodon.matrix.org)'s status on Wednesday, 25-Mar-2020 07:30:53 EDT

    RT @vivaldibrowser@twitter.com

    Slack and Discord have been the golden chat apps for a while, but neither is free from controversy. In their place, our community recommends @mewe@twitter.com, @signalapp@twitter.com, @matrixdotorg@twitter.com, and @RiotChat@twitter.com. 💯

    #remotework #privacy #security

    🐦🔗: https://twitter.com/vivaldibrowser/status/1242754938670907393

    In conversation Wednesday, 25-Mar-2020 07:30:53 EDT from mastodon.matrix.org permalink
  5. Dr. Roy Schestowitz (罗伊) (schestowitz@pleroma.site)'s status on Tuesday, 24-Mar-2020 23:35:00 EDT
    Security: Updates, Cracking and Application Scanning
    http://www.tuxmachines.org/node/135582 #security
    In conversation Tuesday, 24-Mar-2020 23:35:00 EDT from pleroma.site permalink
  6. Dr. Roy Schestowitz (罗伊) (schestowitz@pleroma.site)'s status on Tuesday, 24-Mar-2020 21:55:38 EDT
    "In this video, we are looking at Parrot OS 4.8 KDE Home." https://www.youtube.com/watch?v=ldfNoaMYtwQ #parrotsec #gnu #linux #debian #security
    In conversation Tuesday, 24-Mar-2020 21:55:38 EDT from pleroma.site permalink

    Attachments

    1. Parrot OS 4.8 KDE Home Run Through
      By linux made simple from YouTube
  7. Dr. Roy Schestowitz (罗伊) (schestowitz@pleroma.site)'s status on Tuesday, 24-Mar-2020 03:02:22 EDT
    ● NEWS ● #henrikwarne #security #programming #goodpractice ☞ Secure by Design https://henrikwarne.com/2020/03/22/secure-by-design/
    In conversation Tuesday, 24-Mar-2020 03:02:22 EDT from pleroma.site permalink

    Attachments

    1. Secure by Design
      By Henrik Warne from Henrik Warne's blog

      I really like Secure by Design. The key idea is that there is a big overlap between secure code and good software design. Code that is strict, clear and focused will be easier to reason about, and will have fewer bugs. This in turn makes it less vulnerable to attacks. This is easy to say, but Secure by Design is full of techniques for how to actually do this. Here are the ideas from the book that I liked the most.

      Domain Primitives

      Domain primitives are similar to value objects in Domain-Driven Design (DDD). They are immutable, defined only by their values, and form a conceptual whole. Any invariants are enforced at the time of creation. This means that if a domain primitive exists, it is valid.

      For example, say that you want to represent the number of books ordered. Instead of using an integer for this, define a class called Quantity. It contains an integer, but also ensures that the value is always between 1 and 240 (if that’s the upper limit). Or for a user name, instead of just using a string, define a class called UserName. It contains a string holding the user name, but also enforces all the domain rules for a valid user name. This can include minimum and maximum lengths, allowed characters etc.

      The goal is that nothing in the domain should be represented by primitive types in the language (int, float, string etc). Every domain value should instead be represented by a domain primitive. There are several advantages to this approach. All the validation for each domain primitive is in one place. No validation is needed in the state handling business logic – if the value exists, it is automatically valid. This makes the business logic a lot cleaner. There is also less risk of mixing up parameters in method calls – Quantity and DeliveryDays is better than int and int. Furthermore, bugs of the type where a negative amount of books is ordered become impossible.

      As they state in a tip in the book: “Any integer between -2 billion and 2 billion is seldom a good representation of anything.”

      Validation

      External input needs to be validated before it is used in the system. To minimize the risk of denial of service attacks, the validation should be done in the following order:

      1. Origin. Where does the data come from? Can check the IP address, or check an access key in the request.
      2. Size. A payload of one million characters should probably be rejected without further analysis. As well as checking the total size, it is good to check the sizes of the parts.
      3. Lexical content. Only the right type of tokens should be allowed.
      4. Syntax. For example, if the format is XML, this checks that there is a closing tag for each opening tag, and that attributes inside tags are well formed.
      5. Semantics. This is often part of the business logic. Is this a valid product number? The format of the number can be correct, but if there is no product in the product catalog with that number, then it is semantically invalid. Often this step requires a database lookup, which is expensive, which is why this check is performed last.

      Entities

      In DDD, the business logic typically resides in entities. An entity has an identity, so it can be distinguished from other entities. It can contain other objects, both entities and value objects. To perform the business logic, it needs to mutate state. The entity is responsible for coordinating the objects it owns, including ensuring internal invariants. The following techniques help with this:

      Consistent at creation. The entity should always be consistent to the outside world. This means that all parameters necessary for consistency should be provided in the constructor. If there are complicated rules when creating the entity, the builder pattern can be used. Also, using private final fields for values that can’t be changed is good, since the compiler will enforce that they are not changed.

      Limited operations. Don’t have methods that can do more than what is allowed by the business logic. For example, if an order entity has a field for whether it is paid or not, it should default to false at creation. Then there should only be a method that is called for example markPaid, that sets the field to true. This is better than a setPaid method that could set the value to either true or false, since that would make it possible to go from paid to not paid, which is not valid (if this is the business rule).

      Not sharing mutable objects. For the entity to be able to uphold its internal constraints, it must not leak references to internal objects. Suppose there is a Customer object, and it has a reference to a CreditScore object. Even if the variable holding the CreditScore reference is final, the CreditScore object can still be modified by anybody holding a reference to it. To be sure the CreditScore is set once and never modified, a copy of it must be stored in the Customer object (and the reference to that must never be exposed outside the Customer object). The same problem exists for collections, like lists. They are mutable by default. If an internal collection needs to be exposed outside the entity, a copy of it (using for example a copy constructor) should be returned.

      Sometimes, if there are complicated consistency rules that must be upheld, it can be good to define a method called e.g. checkInvariants(). This can be called at the end of regular mutating methods, to make sure the entity is still internally consistent.

      The Three R’s

      For applications run in the cloud, with a high degree of automation, it is possible to take advantage of the three R’s to increase security:

      • Rotate secrets automatically every few hours
      • Repave servers and applications every few hours. This means redeploying the same software – if an attacker has compromised a server, the deploy will wipe out the attacker’s foothold there
      • Repair vulnerable software as soon as possible (within a few hours) after a patch is available.

      Other Topics

      There are many other topics covered in the book. Here I will just mention a few of those. There is a chapter on how to include security-focused tests in the automatic test suites. It also has a good discussion on how to detect changes in default behaviors of external components and frameworks. There is also advice on logging, admin processes and how to refactor legacy systems to use more domain primitives.

      Odds and Ends

      Consider that domain rules can be exploited too. For example, booking a lot of rooms at a hotel, then cancelling all bookings at the last minute is a form of denial of service attack.

      Don’t use exceptions for the control flow. Account not found, or insufficient funds when instructing a money transfer are normal results that should not cause exceptions to be thrown.

      I like the way Apache Validate returns the validated object, so you can write code like this: this.name = notNull(name)

      The code examples are all in Java, and do a good job of illustrating the points made in the text. I really like the use of arrows that highlight parts of the code – they are quite helpful, and should be used in other books as well.

      Conclusion

      Secure by Design is quite a practical book, with many ideas that can be used right away. It shows concrete ways of coding that improve security by limiting the ways in which bugs can slip in. There are quite a few code examples that help explain the concepts. Sometimes the book is too wordy, such as the example in chapter 11, where insurance policies were issued without payment. But overall it is a great resource for developers that want to write more secure code.
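The five-step validation order quoted in the review above (origin, size, lexical content, syntax, semantics), worked through as an added example. This is editorial code, not from Henrik Warne's post or from the Secure by Design book; the trusted network prefix, access key, product-number format and catalog contents are all constructed for the example, and the in-memory `Set` stands in for the database lookup the post describes as the expensive last step.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public class ValidationOrderExample {

    enum Step { ORIGIN, SIZE, LEXICAL, SYNTAX, SEMANTICS }

    static final class Rejected extends Exception {
        final Step step;
        Rejected(Step step, String reason) { super(step + ": " + reason); this.step = step; }
    }

    // A request as the validator sees it: where it came from plus the raw payload.
    static final class Request {
        final String sourceIp, accessKey, payload;
        Request(String sourceIp, String accessKey, String payload) {
            this.sourceIp = sourceIp; this.accessKey = accessKey; this.payload = payload;
        }
    }

    // All constants below are constructed for the example.
    private static final String TRUSTED_PREFIX = "10.0.0.";
    private static final byte[] EXPECTED_KEY = "demo-access-key".getBytes(StandardCharsets.UTF_8);
    private static final int MAX_PAYLOAD_CHARS = 16;
    private static final Pattern LEXICAL = Pattern.compile("[A-Z0-9-]+");        // allowed token alphabet
    private static final Pattern SYNTAX  = Pattern.compile("[A-Z]{2}-[0-9]{4}");  // assumed product-number shape
    private static final Set<String> CATALOG = Set.of("AB-1234", "CD-5678");      // stands in for the database
    static int catalogLookups = 0;                                                 // counts the expensive step

    static String validateProductNumber(Request r) throws Rejected {
        // 1. Origin: cheapest check first; constant-time key compare so the check leaks no timing.
        boolean keyOk = r.accessKey != null
                && MessageDigest.isEqual(r.accessKey.getBytes(StandardCharsets.UTF_8), EXPECTED_KEY);
        if (r.sourceIp == null || !r.sourceIp.startsWith(TRUSTED_PREFIX) || !keyOk) {
            throw new Rejected(Step.ORIGIN, "untrusted source or access key");
        }
        // 2. Size: bound the payload before any parsing touches it.
        if (r.payload.length() > MAX_PAYLOAD_CHARS) {
            throw new Rejected(Step.SIZE, r.payload.length() + " chars");
        }
        // 3. Lexical content: only the expected token characters.
        if (!LEXICAL.matcher(r.payload).matches()) {
            throw new Rejected(Step.LEXICAL, "unexpected characters");
        }
        // 4. Syntax: the characters must form a well-shaped product number.
        if (!SYNTAX.matcher(r.payload).matches()) {
            throw new Rejected(Step.SYNTAX, "not of the form XX-9999");
        }
        // 5. Semantics: the expensive lookup is reached only by input that passed every cheaper check.
        catalogLookups++;
        if (!CATALOG.contains(r.payload)) {
            throw new Rejected(Step.SEMANTICS, "no such product in catalog");
        }
        return r.payload;
    }

    public static void main(String[] args) {
        List<Request> samples = List.of(                                       // constructed inputs
            new Request("203.0.113.9", "demo-access-key", "AB-1234"),          // wrong network
            new Request("10.0.0.5", "demo-access-key", "A".repeat(10_000)),    // oversized payload
            new Request("10.0.0.5", "demo-access-key", "ab-1234"),             // lowercase: lexical failure
            new Request("10.0.0.5", "demo-access-key", "ABC-123"),             // right alphabet, wrong shape
            new Request("10.0.0.5", "demo-access-key", "ZZ-9999"),             // well-formed, not in catalog
            new Request("10.0.0.5", "demo-access-key", "AB-1234"));            // accepted
        for (Request r : samples) {
            try {
                System.out.println("accepted " + validateProductNumber(r));
            } catch (Rejected e) {
                System.out.println("rejected at " + e.getMessage());
            }
        }
        // Only the last two requests reached the catalog; the four cheap rejections never did.
        System.out.println("catalog lookups: " + catalogLookups);
    }
}
```

The point of the ordering is visible in the lookup counter: the oversized and malformed requests are turned away before the regex engines or the "database" ever see them, which is what keeps a flood of junk input from becoming a denial-of-service against the expensive step.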
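The domain-primitive and entity techniques from the review above (validated, immutable `Quantity` and `UserName`; an entity that is consistent at creation, offers only `markPaid` rather than `setPaid`, keeps a private copy of a mutable `CreditScore`, hands out copies of its collection, and calls `checkInvariants()` after mutation), combined into one added Java example. This is editorial code, not from the post or the book; the 1..240 quantity limit is the post's, while the user-name character rule, the `Order` entity and its fields are assumptions made for the example. `Objects.requireNonNull` is used in place of Apache Validate's `notNull` so the file has no dependencies; both return their argument, which is the "validate and assign on one line" shape the review praises.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.regex.Pattern;

public class SecureByDesignExample {

    // Domain primitive: immutable and validated once in the constructor, so an
    // instance that exists is valid and business logic never re-checks it.
    static final class Quantity {
        static final int MIN = 1, MAX = 240;   // limits taken from the post's example
        private final int value;
        Quantity(int value) {
            if (value < MIN || value > MAX) {
                throw new IllegalArgumentException("quantity must be in [" + MIN + "," + MAX + "]: " + value);
            }
            this.value = value;
        }
        int value() { return value; }
    }

    // Domain primitive wrapping a String; the allowed-character rule is an assumption.
    static final class UserName {
        private static final Pattern ALLOWED = Pattern.compile("[a-z0-9_]{3,32}");
        private final String value;
        UserName(String value) {
            if (!ALLOWED.matcher(Objects.requireNonNull(value, "user name")).matches()) {
                throw new IllegalArgumentException("user name violates domain rules");
            }
            this.value = value;
        }
        String value() { return value; }
    }

    // A mutable object: the entity below must keep its own copy rather than a shared reference.
    static final class CreditScore {
        private int score;
        CreditScore(int score) { this.score = score; }
        CreditScore(CreditScore other) { this.score = other.score; }   // copy constructor
        int score() { return score; }
        void update(int score) { this.score = score; }
    }

    // Entity: consistent at creation, limited operations, no leaked mutable state.
    static final class Order {
        private final UserName customer;          // final: the compiler forbids reassignment
        private final CreditScore creditScore;    // private copy; the reference is never handed out
        private final List<Quantity> lines = new ArrayList<>();
        private boolean paid = false;             // defaults to "not paid" at creation

        Order(UserName customer, CreditScore creditScore) {
            this.customer = Objects.requireNonNull(customer, "customer");
            this.creditScore = new CreditScore(Objects.requireNonNull(creditScore, "credit score"));
        }

        void addLine(Quantity quantity) {
            if (paid) throw new IllegalStateException("a paid order cannot be changed");
            lines.add(Objects.requireNonNull(quantity, "quantity"));
            checkInvariants();
        }

        // The only transition offered is unpaid -> paid; there is deliberately no setPaid(boolean).
        void markPaid() {
            if (lines.isEmpty()) throw new IllegalStateException("nothing to pay for");
            paid = true;
            checkInvariants();
        }

        boolean isPaid() { return paid; }
        UserName customer() { return customer; }            // immutable, so safe to share
        int creditScore() { return creditScore.score(); }   // expose the value, not the object
        List<Quantity> lines() { return Collections.unmodifiableList(new ArrayList<>(lines)); } // copy out

        private void checkInvariants() {
            if (paid && lines.isEmpty()) throw new IllegalStateException("paid order without lines");
        }
    }

    public static void main(String[] args) {
        CreditScore callerCopy = new CreditScore(700);                 // constructed sample values
        Order order = new Order(new UserName("alice_01"), callerCopy);
        callerCopy.update(300);                                        // the caller mutates its own object...
        System.out.println("entity still sees " + order.creditScore()); // ...the entity's copy is unaffected

        order.addLine(new Quantity(3));
        order.markPaid();
        System.out.println("paid: " + order.isPaid() + ", lines: " + order.lines().size());

        try { new Quantity(-5); }                                      // a negative amount cannot exist
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        try { order.lines().add(new Quantity(1)); }                    // the returned list is a read-only copy
        catch (UnsupportedOperationException e) { System.out.println("rejected: exposed list is read-only"); }
    }
}
```

Note how little the `Order` methods check: because `Quantity` and `UserName` cannot be constructed in an invalid state, the entity only has to guard its own state transitions, which is exactly the cleaner business logic the review describes.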

  8. lnxw48a1 (lnxw48a1@nu.federati.net)'s status on Monday, 23-Mar-2020 18:34:00 EDT
    Oh, wonderful. A #Zero-day with #RCE on #Windows ... currently unpatched.

    See: https://freeradical.zone/@tek/103874683857159931

    #security #infosec
    In conversation Monday, 23-Mar-2020 18:34:00 EDT from nu.federati.net permalink

    Attachments

    1. tek: "Windows code-execut
      By Lord Tek, Esq. from freeradical.zone
  9. Dr. Roy Schestowitz (罗伊) (schestowitz@pleroma.site)'s status on Monday, 23-Mar-2020 12:06:52 EDT
    #Security Leftovers
    http://www.tuxmachines.org/node/135518
    In conversation Monday, 23-Mar-2020 12:06:52 EDT from pleroma.site permalink
  10. Dr. Roy Schestowitz (罗伊) (schestowitz@pleroma.site)'s status on Sunday, 22-Mar-2020 23:53:54 EDT
    #Security 101: Virtual Private Networks (VPNs) https://systemoverlord.com/2020/03/22/security-101-virtual-private-networks-vpns.html #vpn
    In conversation Sunday, 22-Mar-2020 23:53:54 EDT from pleroma.site permalink

    Attachments

    1. Security 101: Virtual Private Networks (VPNs) - System Overlord
      from System Overlord
      I’m trying something new – a “Security 101” series. I hope to make these topics readable for those with no security background. I’m going to pick topics that are either related to my other posts (such as foundational knowledge) or just things that I think are relevant or misunderstood. Today,...
  11. Dr. Roy Schestowitz (罗伊) (schestowitz@pleroma.site)'s status on Sunday, 22-Mar-2020 22:40:33 EDT
    Screencasts/Audiocasts/Shows: #FuryBSD , #OpenSource #Security Podcast and #GNU World Order
    http://www.tuxmachines.org/node/135492
    In conversation Sunday, 22-Mar-2020 22:40:33 EDT from pleroma.site permalink
  12. Dr. Roy Schestowitz (罗伊) (schestowitz@pleroma.site)'s status on Sunday, 22-Mar-2020 12:49:10 EDT
    #microsoft spam disguised as #itproportal 'article'. #github works for ICE and #NSA

    Only a fool would believe these criminals pursue #security https://www.itproportal.com/features/friends-dont-let-friends-accidentally-drop-zero-days-on-the-projects-they-love/ see http://techrights.org/wiki/index.php/Microsoft_and_the_NSA
    In conversation Sunday, 22-Mar-2020 12:49:10 EDT from pleroma.site permalink

    Attachments

    1. Friends don’t let friends accidentally drop zero-days on the projects they love
      from ITProPortal
      GitHub simplifies responsible vulnerability disclosure for open source community.
  13. Dr. Roy Schestowitz (罗伊) (schestowitz@pleroma.site)'s status on Sunday, 22-Mar-2020 08:32:51 EDT
    Hidden Costs of #Microsoft #Windows
    http://www.tuxmachines.org/node/135476 #security #backdoors #ransomware http://techrights.org/wiki/index.php/Microsoft_and_the_NSA
    In conversation Sunday, 22-Mar-2020 08:32:51 EDT from pleroma.site permalink
  14. Dr. Roy Schestowitz (罗伊) (schestowitz@pleroma.site)'s status on Saturday, 21-Mar-2020 08:01:13 EDT
    #Security and #ProprietarySoftware Leftovers
    http://www.tuxmachines.org/node/135438
    In conversation Saturday, 21-Mar-2020 08:01:13 EDT from pleroma.site permalink
  15. Dr. Roy Schestowitz (罗伊) (schestowitz@pleroma.site)'s status on Friday, 20-Mar-2020 23:15:17 EDT
    ● NEWS ● #eff #coronavirus #security ☞ Phishing in the Time of #COVID19 : How to Recognize Malicious #Coronavirus #Phishing Scams https://www.eff.org/deeplinks/2020/03/phishing-time-covid-19-how-recognize-malicious-coronavirus-phishing-scams
    In conversation Friday, 20-Mar-2020 23:15:17 EDT from pleroma.site permalink

    Attachments

    1. Phishing in the Time of COVID-19: How to Recognize Malicious Coronavirus Phishing Scams
      from Electronic Frontier Foundation
      Update 3-26-20: A new prevalent example of Android Spyware that leverages COVID-19 as a way to deliver their malicious product has been reported by researchers at Lookout. This particular malware, called "corona live 1.1.", comes out of Libya and seems to mostly be targeting Libyan citizens. Like...
  16. Dr. Roy Schestowitz (罗伊) (schestowitz@pleroma.site)'s status on Friday, 20-Mar-2020 23:14:41 EDT
    #Librem Hardware and the Intel CSME Vulnerability https://puri.sm/posts/librem-hardware-and-the-intel-csme-vulnerability/ #security #pureos #gnu #linux
    In conversation Friday, 20-Mar-2020 23:14:41 EDT from pleroma.site permalink

    Attachments

    1. Librem Hardware and the Intel CSME Vulnerability – Purism
      from Purism
      Purism — Private and Secure Hardware, Software, and Services
  17. Dr. Roy Schestowitz (罗伊) (schestowitz@pleroma.site)'s status on Friday, 20-Mar-2020 06:44:36 EDT
    ● NEWS ● #joinup ☞ New EC #opensource #security audit poll: Respondents recommend #EC to focus on Linux, OpenSSL and #Firefox http://www.tuxmachines.org/node/135410
    In conversation Friday, 20-Mar-2020 06:44:36 EDT from pleroma.site permalink
  18. Dr. Roy Schestowitz (罗伊) (schestowitz@pleroma.site)'s status on Friday, 20-Mar-2020 06:15:55 EDT
    #Security Leftovers http://www.tuxmachines.org/node/135405
    In conversation Friday, 20-Mar-2020 06:15:55 EDT from pleroma.site permalink
  19. Dr. Roy Schestowitz (罗伊) (schestowitz@pleroma.site)'s status on Wednesday, 18-Mar-2020 15:39:01 EDT
    #Security : Real Cost of #Windows , New #freesw Patches, #NordPass and #GrSecurity
    http://www.tuxmachines.org/node/135345
    In conversation Wednesday, 18-Mar-2020 15:39:01 EDT from pleroma.site permalink
  20. Dr. Roy Schestowitz (罗伊) (schestowitz@pleroma.site)'s status on Tuesday, 17-Mar-2020 01:57:47 EDT
    ● NEWS ● #schneier ☞ #TSA Admits Liquid Ban Is #Security [sic] Theater https://www.schneier.com/blog/archives/2020/03/tsa_admits_liqu.html
    In conversation Tuesday, 17-Mar-2020 01:57:47 EDT from pleroma.site permalink

Jonkman Microblog is a social network, courtesy of SOBAC Microcomputer Services. It runs on GNU social, version 1.2.0-beta5, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All Jonkman Microblog content and data are available under the Creative Commons Attribution 3.0 license.
