InfoSec Handbook introduces experimental P2P support via Dat protocol:


(The URL may change during testing.)

About the Dat Project:

146 Android Firmware Vulnerabilities:

– "found using automatic tools, and it is extremely likely that many of the vulnerabilities are not exploitable"
– "since they're firmware bugs, in many cases there is no ability to patch them"
– Comment by B. Schneier:

The maker of Magic: The Gathering leaks 450,000 data sets of players:

– Source of the leak was a publicly-accessible database backup file.
– The file contains user names, date and time of account creation and last access, e-mail addresses, and hashed+salted passwords.
– This leak again shows that you need more than only some HTTPS and HTTP headers for security.

Some news regarding our blog (

– We now cryptographically sign all Git commits to using a dedicated key that is linked to the account. So the open padlock is now locked and green for people who like this. 😉
– We added information on how to support us: As before, we don't accept financial attributions or sponsoring to remain 100% independent.

TPM-FAIL – security vulnerabilities in Trusted Platform Modules: (PDF file)

– Affected are Platform Trust Technology (Intel), and ST33 TPM chip (STMicroelectronics). TPMs from Nuvoton/Infineon aren't affected.
– A remote attacker could retrieve certain private keys (e.g., as used by ECDSA).
– Intel provides a firmware update; vulnerable ST33 chips can't be patched.

Regarding "IP leaks everywhere" posts:

IP addresses aren't secrets. IP addresses are essential to route network traffic.

Some people/companies write their marketing lingo like you have to hide your IP address from the world. However, there is always another computer/device that learns about your IP address, even if you are using VPNs or Tor.

(The same is true for MAC addresses and ports.)

We sometimes read "My blog is super secure since it uses TLS 1.2+/AEAD/PFS/CSP/OCSP/CAA…". At the same time, such blogs use CMS like WordPress (with a large attack surface), and need database servers, PHP etc.

However, these features don't protect databases – the valuable thing for bad guys. They don't keep software up-to-date, or configure software properly. They only protect data in transit – if supported by clients.

So it is all about self-promotion, not about actual security.

Tor Browser 9.0.1 released, the first bugfix release in the 9.0 series:

– updates for NoScript, and Tor Launcher
– fixes 20 bugs

An example of how not to remove personal data in documents. (We removed the name here.)

You can easily copy the blackened line, and paste it somewhere else with data that shouldn't be there.

If you want to avoid something like this, black out lines, print out the file, and scan it afterwards.
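The failure mode described in this post, illustrated with an added example that is not from InfoSec Handbook or the linked document: it assumes the document is a PDF and that the "blackening" was done by drawing a filled rectangle over the text, so the glyphs are still present in the page's content stream. The script builds two tiny PDFs from constructed content (the name "Jane Doe", the `OVERLAY_REDACTED` and `PROPERLY_REDACTED` streams and the `build_pdf`, `extract_text` and `leaks` helpers are all made up for this example) and runs the kind of pre-publication check a reviewer should apply: extract the text and confirm the sensitive string is gone before releasing the file.

```python
import re
from typing import List

# Constructed sample: a name that must not appear in the published document.
NAME = "Jane Doe"

# "Redacted" by drawing a black box over the text. The text-showing operator
# (Tj) is still in the stream, so copy/paste or text extraction recovers it.
OVERLAY_REDACTED = (
    b"BT /F1 12 Tf 20 50 Td (Name: Jane Doe) Tj ET\n"
    b"0 g 20 40 120 20 re f\n"   # black filled rectangle painted on top
)

# Properly redacted: the sensitive string is removed from the content itself;
# a box is drawn only to show where something was taken out.
PROPERLY_REDACTED = (
    b"BT /F1 12 Tf 20 50 Td (Name: ) Tj ET\n"
    b"0 g 60 40 80 20 re f\n"
)


def build_pdf(content_stream: bytes) -> bytes:
    """Assemble a minimal, structurally valid single-page PDF (uncompressed
    content stream, Helvetica) around the given page content."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 300 100] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(content_stream)
        + content_stream + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n" % (len(objs) + 1)
    out += b"0000000000 65535 f \n"
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return bytes(out)


STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
TJ_RE = re.compile(rb"\(([^)]*)\)\s*Tj")


def extract_text(pdf: bytes) -> List[str]:
    """Return every literal string drawn with the Tj operator in any
    uncompressed content stream. A real pre-publication check must also
    handle FlateDecode streams, TJ arrays, hex strings and custom font
    encodings; this covers only the simplest case."""
    found = []
    for stream in STREAM_RE.findall(pdf):
        for literal in TJ_RE.findall(stream):
            found.append(literal.decode("latin-1"))
    return found


def leaks(pdf: bytes, secret: str) -> bool:
    """True if the secret is still recoverable from the document's text."""
    return any(secret in text for text in extract_text(pdf))


if __name__ == "__main__":
    for label, stream in (("overlay", OVERLAY_REDACTED),
                          ("proper", PROPERLY_REDACTED)):
        pdf = build_pdf(stream)
        print(f"{label:8s} text={extract_text(pdf)!r} leaks={leaks(pdf, NAME)}")
```

Running it reports the overlay version as still leaking the name while the properly redacted one does not; the same extraction-based check works as a last gate on documents produced by the print-and-scan approach the post recommends, since a scanned image carries no text layer at all.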

Falsehoods Computer Science Students (Still) Believe Upon Graduating:

Security-related myths:

– Open Source means it has fewer bugs and is more secure.
– 'Privacy' and 'Confidentiality' are synonymous.
– 'Encryption' and 'Security' are synonymous.

(And no, most CS students neither are good programmers nor security specialists upon graduating.)

Monthly review, October 2019:

– news: Simjacker (again), web browser support for TLS, important security updates
– tool: MinTOTP
– tip: processes/organization as an important part of InfoSec
– 3 questions/answers

ECSM 2019 – Securing emerging technology (IoT) at home:

Nowadays, there are dozens of IoT devices available for private users/consumers. We present several problems with IoT devices, and ways to secure them.

GitLab tracking – GitLab says it "will commit to not implementing telemetry […] that sends usage data to a third-party product analytics service":

– On October 23, GitLab announced to implement product usage tracking.
– On October 29, they apologized and reverted the announced changes.
– Currently, they are collecting feedback from customers (see the linked issue above).

CVE-2019-11043 – vulnerability in PHP-FPM that might also affect nginx web servers in some cases:

– Your nginx web server is only vulnerable if you use PHP-FPM, and certain configuration.
– Our nginx web servers aren't affected since we don't use any PHP (or CMS) at all.
– Update to PHP 7.3.11 or 7.2.24.

Tor-focussed operating system Tails 4.0 released:

– updates for Linux kernel (5.3.2), Tor Browser (9.0), Tor, and many other packages
– KeePassX is replaced by KeePassXC
– Tails 4.0 should be more user-friendly, faster, and require less space
– Thunderbolt devices are supported now
