Seems like there is another hardware exploit called "RAMbleed".

TL;DR: By using the error correction of bit flips, it's possible to steal secrets our of a systems memory that are not owned by the process which reads the memory.

Just read another article that tries to make a big deal out of missing root passwords in containers.

Did you know you can get rid of all this by simply running your containers with the security option "no-new-privileges"?

This was contributed by project atomic in 2016 and will forbid processes to get more privileges once they are dropped. Including changing their uid.

Oh and it works for the majority of containers straight away.

The Fedora Magazine provided a new article about using the Fedora Account System (FAS) and how to use the desktop integrated Kerberos Login to have SSO enabled for all Fedora services:

And did you know, that the FAS works with CodiMD when you enabled the OpenID login?

Just sign into: https://<your account name> πŸŽ‰

And yes, you can try it on

When you use Bitwarden as a password manager, enable 2FA.

Pro tip: When you setup 2FA with at least two methods/devices, disable the email 2FA that is enabled by default after setting up 2FA.

If you look for a TOTP app, check AndOTP on f-droid as it allows you encrypted backups of the material.

Otherwise, buy a Yubikey and use the U2F-method. which is the most secure option.

It's known, it's creepy and it's still legal in a majority of countries. Please get rid of those devices as soon as possible. Trust your children, and if you don't think they can manage something alone, go with them. Don't put a surveillance clock on their arm that is more likely to attract weirdos and people who may want to harm them, than help them in any way.

Since Matrix reset all logins recently, you may lost some of your E2EE keys. Those were erased when being forcefully logged out.

Those who used the Key Backup mechanism by can recover quite easily, those who didn't bother to set them up, might have a problem.

In we discussed that today and someone provided a detailed guide on how to recover using BTRFS:!boLskYiwabbCQNNhl

After Matrix has restored its major services, they noticed that the GPG keys used for signing packages where compromised.

The key IDs are:

AD0592FE47F0DF61 (synapse)
E019645248E8F4A1 (Riot/Web)

Please make sure to no longer use those keys.

@matrix Turns out that there was a successful compromise of the Matrix infrastructure happening.

Details from Matrix on Twitter:

You may ask how that could happen, but more important: It didn't stay unnoticed and that's a good sign.

Just a thought, but when Mozilla would provide a DoH server that runs in Intel SGX or similar it should be easy to distribute the DNS requests on 3rd parties.

Intel SGX would take care of running the same code as Mozilla provided, which ensure that no privacy violations appear and at the same time, we can run decentralized with DoH by default.

Oh and for latency, we need to add some response time measuring code in FF to select the fasts DoH server.

Looking for opinions on Flatpak isolation for .

Right now we only allow write access to the Downloads directory, which causes problem with drag and drop and sending files in general. We currently considering to give access to the entire home directory, but the big question is: Allow writing or read-only access?

Discussion can be found here:

If someone is into CPP or electron development, please have a look at:

Looks like I did my good deed for today. Reported a security issue to an institute πŸ™‚

When you find a security problem with an institute/company/organisation, be kind, check if they support OpenPGP-encrypted email, if they do, send one, if they don't, call them and ask talk with them.

It's really bad when you sendi security reports to the wrong people or they might end up in a mailbox that is never checked.

During switching to an own organization CodiMD also switched from Docker Hub to as container registry. Major improvement: Security scanning for all images by default.

Disadvantage: You have to prepend to the image.

If you wonder where to find it:

If you wonder about the change in general:

Looks like 0-RTT in TLS1.3 comes with a quite high price: Vulnerability to replay attacks.

If you are one of the early adopter, check that your application is not affected as this is a fundamental problem on protocol level.

"What Application Developers Need To Know About TLS Early Data (0RTT)" by Paul Kehrer:

So when people use "Flexible" in their TLS config on Cloudflare and have an HTTP-to-HTTPS redirect configured, this causes redirect loops (since Cloduflare will connect to the HTTP endpoint).

But instead of switching to "Full" or "Full (Strict)" which would at also provide TLS from the Cloudflare to the origin, they recommend to disable the redirect πŸ€¦β€β™‚οΈ πŸ€¦β€β™€οΈ πŸ€¦β€β™‚οΈ πŸ€¦β€β™€οΈ

There was recently a lot of news about DNS over HTTPS. Some people say it's bad for privacy because it centralizes the DNS requests on Google, Cloudflare and Quad9.

Time to change that and run your own DNS over HTTPS server. I spend some time today in writing, documenting and arranging a small container setup to allow you to do this:

Putty users, it's time to update! There are some important changes and critical security fixes that came with the latest version 0.71.

Twitter and 2FA nonsense…

Just reviewed my 2FA settings on Twitter. I use TOTP and a hardware/U2F token. Looked fine, so I went to remove my phone number in the mobile section (used SMS 2FA before they supported TOTP). Turns out that by removing your mobile number 2FA is completely turned off without any notification/warning/…. Great Twitter! πŸ€¦β€β™‚οΈ

When you try a different hoster, install CentOS and the first thing you notice is that SELinux is not enabled… πŸ€¦β€β™‚οΈ πŸ€¦β€β™‚οΈ πŸ€¦β€β™‚οΈ πŸ€¦β€β™‚οΈ πŸ€¦β€β™‚οΈ πŸ€¦β€β™‚οΈ

Great, so Signal switched from GCM to FCM. This way Google Analytics code is pulled into the binary, due to Google's design.

The good news: Signal is aware of that and disabled Google Analytics explicitly:

The bad news is: It's up to Google's code if that really matters or not.

Show more
Sheogorath's Microblog

This instance is the microblog to my blog. You'll probably find more recent content here while finding more elaborated content on the blog. Impressum / Datenschutz / Privacy