By the way, thanks to the help of @nathand I was able to reproduce the issue earlier today.
I can officially say that one shouldn't use the OpenPGP implementation of canarymail, because it's unaware of how to select the right key. They are not only unable to select the encryption subkey, but also ignore expiry dates and key revocation, making it an actual danger.
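The key-selection problem described above, as an added example that is not part of the original post and not canarymail's code: a small model of an OpenPGP certificate (primary key plus subkeys with usage flags, expiry and revocation) and a selector that only ever returns a usable encryption-capable key. The key IDs, dates and the data model are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Hypothetical model of an OpenPGP certificate: one primary key plus subkeys,
# each with usage flags (C=certify, S=sign, E=encrypt, A=authenticate),
# a creation time, an optional expiry and a revocation marker.
@dataclass
class Key:
    keyid: str
    usage: frozenset
    created: datetime
    expires: Optional[datetime] = None
    revoked: bool = False

@dataclass
class Certificate:
    primary: Key
    subkeys: List[Key] = field(default_factory=list)

def is_usable(key: Key, now: datetime) -> bool:
    """A key is usable only if it exists yet, is not revoked and is not past its expiry."""
    if key.revoked:
        return False
    if key.created > now:
        return False
    if key.expires is not None and key.expires <= now:
        return False
    return True

def select_encryption_key(cert: Certificate, now: datetime) -> Optional[Key]:
    """Pick the key a client should encrypt to, or None if no valid one exists.

    A revoked or expired primary key invalidates the whole certificate.
    Among the remaining keys only those carrying the E flag qualify, and
    the most recently created one wins (the convention GnuPG follows too).
    """
    if not is_usable(cert.primary, now):
        return None
    candidates = [k for k in (*cert.subkeys, cert.primary)
                  if "E" in k.usage and is_usable(k, now)]
    if not candidates:
        return None
    return max(candidates, key=lambda k: k.created)

def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample certificate (key IDs are placeholders, not real keys):
# a sign/certify-only primary, an expired, a revoked and a good encryption
# subkey, plus an authentication subkey that must never be encrypted to.
SAMPLE = Certificate(
    primary=Key("PRIMARY-CS", frozenset("CS"), _utc(2015, 1, 1)),
    subkeys=[
        Key("SUB-E-EXPIRED", frozenset("E"), _utc(2015, 1, 1), expires=_utc(2017, 1, 1)),
        Key("SUB-E-REVOKED", frozenset("E"), _utc(2017, 1, 1), revoked=True),
        Key("SUB-E-GOOD", frozenset("E"), _utc(2019, 1, 1), expires=_utc(2022, 1, 1)),
        Key("SUB-A-AUTH", frozenset("A"), _utc(2019, 1, 1)),
    ],
)

if __name__ == "__main__":
    chosen = select_encryption_key(SAMPLE, _utc(2020, 6, 1))
    print("encrypt to:", chosen.keyid if chosen else "no usable key")
```

Run at a date after the last subkey expired the selector returns nothing instead of silently falling back to the primary key, which is exactly the refusal a client should present to the user rather than encrypting to a key whose owner can no longer (or should no longer) decrypt.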
Another weekend, another evening project. Today: a simple container firewall that runs in user space and therefore doesn't need CAP_NET_ADMIN.
Is it as effective as iptables? By no means. But it's most likely sufficient for the majority of use cases.
Well, who would have expected that a browser that markets itself with the fact that it sells its users' attention is doing weird stuff like placing affinity links on random people's websites?
If you are running Brave, consider going back to whatever browser you used before, or try out a new one. There are enough browsers out there which display a website as it is and don't randomly replace links.
Hello people, please upgrade your #Riot installations if not already done :)
1.6.3 provides a security fix. Time to run: flatpak update
If you use the #flatpak version.
Enjoy your time, and if you feel bored, maybe check out one of the many channels I founded:
Another blog post sneaked out :X
TL;DR: Using multiple password managers lets you have very convenient integrations for passwords of low importance and an offline password manager for high-value passwords. Sometimes using just one is not enough: no password manager is perfect, and sometimes you need more than one to cover all areas.
If you didn't notice: There is a 1.6.0 release of Riot on its way to Flathub :)
Riot 1.6.0 brings the new and shiny cross-signing features. That means you get TOFU now and can cross-sign your devices and users, which makes it easy to transfer trust between all your Matrix sessions.
Just make sure you use RiotX on Android in order to have all devices compatible :)
Perfectly on time, two minutes before midnight, I managed to publish a new article. Today it's about CSP and how you can use it to prevent unexpected/unwanted leaks of user data.
Maybe not my greatest piece, but it's in the spirit of the situation and therefore 🤷 Enjoy!
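As an added illustration of the CSP angle mentioned above (this is not code from the article or the author), here is a small checker that parses a Content-Security-Policy header and reports the directives through which a page could still send user data to arbitrary hosts: `connect-src` (fetch/XHR), `img-src` (beacon-style image loads) and `form-action` (form submissions). The policies it is run on are constructed examples; the point it demonstrates is that `form-action` does not inherit from `default-src`, so a policy that only sets `default-src 'self'` still lets a form post anywhere.

```python
# Directives through which a page can ship data to another origin.
EXFIL_DIRECTIVES = ("connect-src", "img-src", "form-action")

# Fetch directives fall back to default-src when absent; form-action does not.
FALLS_BACK_TO_DEFAULT = {"connect-src", "img-src"}

# Source expressions that effectively allow any destination.
BROAD_SOURCES = {"*", "http:", "https:", "http://*", "https://*"}

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy: dict, directive: str):
    """Resolve the source list that governs a directive, honouring fallback rules.

    Returns None when nothing governs the directive, i.e. everything is allowed.
    """
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None

def is_open(sources) -> bool:
    """True if the source list allows arbitrary destinations.

    A directive with no sources at all (e.g. a bare "connect-src") means 'none'.
    """
    if sources is None:
        return True
    return any(s.lower() in BROAD_SOURCES for s in sources)

def find_leak_channels(header: str) -> list:
    """Return the exfiltration-relevant directives this policy leaves open."""
    policy = parse_csp(header)
    return sorted(d for d in EXFIL_DIRECTIVES
                  if is_open(effective_sources(policy, d)))

# Constructed policies for the demo.
WEAK_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.invalid"
WIDE_OPEN_POLICY = "default-src *; form-action 'self'"
HARDENED_POLICY = ("default-src 'self'; connect-src 'self'; img-src 'self'; "
                   "form-action 'self'")

if __name__ == "__main__":
    for name, policy in [("weak", WEAK_POLICY), ("wide open", WIDE_OPEN_POLICY),
                         ("hardened", HARDENED_POLICY)]:
        print(f"{name:9}: open channels -> {find_leak_channels(policy) or 'none'}")
```

The checker only flags wildcard-style sources; a policy that lists a specific third-party host is accepted, so reviewing which hosts are listed is still a manual step.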
Caught another one…
Force pushes to master branches seem way more common than one would like:
Having a mirror of all kinds of repositories really helps to find those and verify that they weren't malicious.
I know a lot of people complain about #container images being insecure because they are not signed and I agree. But looking at what goes into them… how about a few thousand lines of code lying around on a 10 year old FTP server transmitted over the internet in plaintext and no signatures and checksums at all?
Sure, "The binary is unsigned!" is our main problem… it's no wonder all these kinds of supply chain attacks happen these days. It seems like no one cares about source integrity.
Firefox is going nuts…
WTF. Just why?
And I caught one!
#Minio was rewriting commits on their master branch. And my mirror bot figured that out when it was refused to force-push to the master branch of the mirror.
You may also notice that the OpenPGP signature for the commit disappeared.
The rewrite is nothing evil, but one could introduce malicious behavior with such a rewrite. It's always a good idea to keep a mirror of your repositories.
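The detection the mirror bot performs, as an added example that is neither the author's bot nor Minio's code: given the mirror's last known head and upstream's current head, decide whether the update is a fast-forward, list the commits that vanished from history, and note whether a signed commit was replaced by an unsigned one (the situation described above). The commit graph and IDs are constructed; a real bot would build them from `git log` and can answer the ancestry question with `git merge-base --is-ancestor <old> <new>`.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Hypothetical minimal commit model: id, parent ids and whether the commit
# carries an OpenPGP signature.
@dataclass
class Commit:
    cid: str
    parents: List[str] = field(default_factory=list)
    signed: bool = False

def ancestors(repo: Dict[str, Commit], head: str) -> Set[str]:
    """All commits reachable from head, head itself included."""
    seen: Set[str] = set()
    stack = [head]
    while stack:
        cid = stack.pop()
        if cid in seen:
            continue
        seen.add(cid)
        stack.extend(repo[cid].parents)
    return seen

def is_fast_forward(repo: Dict[str, Commit], old_head: str, new_head: str) -> bool:
    """True if old_head is an ancestor of new_head, i.e. history was only appended."""
    return old_head in ancestors(repo, new_head)

def check_mirror_update(repo: Dict[str, Commit], old_head: str, new_head: str) -> dict:
    """Compare the mirror's recorded head with upstream's current head."""
    old_set = ancestors(repo, old_head)
    new_set = ancestors(repo, new_head)
    dropped = sorted(old_set - new_set)      # commits that vanished upstream
    added = new_set - old_set                # commits that are new upstream
    return {
        "fast_forward": is_fast_forward(repo, old_head, new_head),
        "dropped_commits": dropped,
        # a signed commit was rewritten and its replacement is unsigned
        "signature_lost": any(repo[c].signed for c in dropped)
                          and any(not repo[c].signed for c in added),
    }

# Constructed history: a1 -> b2 -> c3 (all signed), then upstream replaces c3
# with an unsigned "c3-rewritten" on top of b2. d4 is a normal follow-up commit.
REPO = {
    "a1": Commit("a1", [], signed=True),
    "b2": Commit("b2", ["a1"], signed=True),
    "c3": Commit("c3", ["b2"], signed=True),
    "c3-rewritten": Commit("c3-rewritten", ["b2"], signed=False),
    "d4": Commit("d4", ["c3"], signed=True),
}

if __name__ == "__main__":
    print("normal push :", check_mirror_update(REPO, "c3", "d4"))
    print("rewrite     :", check_mirror_update(REPO, "c3", "c3-rewritten"))
```

A bot that runs this check before pushing to its mirror can refuse the non-fast-forward update and raise an alert with the dropped commit list, instead of only learning about the rewrite from a rejected push.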
Quite good points! Don't consider scan results the truth just because they are created by a computer.
I see it daily that snyk (a security scanner) reports vulnerabilities in dependencies that don't really apply to a project or that deserve a much lower severity because other measures are in place to prevent this from happening.
Check the scan results and understand them properly before going crazy. Those tools are helpers, not decision makers.
I think I wrote here about this quite a while ago, but here we go again:
There is something called a "USB condom". Technically it's a chip that only takes the power from the USB connection, then implements the USB fast-charging protocols and provides a socket for your regular USB cable to plug into. Just in case you wonder why these pieces cost 6-7€ each.
I just blocked qoto.org due to malicious client behaviour. They intentionally circumvent security measures to access content that is not meant for them.
You might want to consider blocking them as well, because they build a Mastodon fork that behaves like malware.
When you run an Android phone with an unlocked bootloader, one of your main security concerns has to be physical device security.
Even though your data is encrypted, on Android your OS is not, and therefore someone with physical access to your device can trivially inject malware that runs with system permissions.
The same is true for the kernel of your notebook or desktop computer when it doesn't run "Secure Boot" or a comparable security measure.
Good commit messages are in most cases longer than the changes they provide.
They should explain how things are changed, why it's done the way it is, and where one can read more about it.
I guess, I have another example for that:
Mastodon and referrer policies…
Thinking about getting pregnant and tracking your cycle with an app, or tracking your pregnancy status with an app? Just don't.
Most of those apps are neither medical nor helpful for you, but sell your and your baby's data to marketing companies and sometimes to everyone else on the same network as you.
I'm a professional relationship therapist for programs and their users.
This is my personal microblog. It's filled with my fun, joy and silliness.