And I caught one!
#Minio was rewriting commits on their master branch, and my mirror bot figured that out when its push to the master branch of the mirror was refused (it would have required a force-push).
You may also notice that the OpenPGP signature for the commit disappeared.
The rewrite is nothing evil, but one could introduce malicious behaviour with such a rewrite. It's always a good idea to keep a mirror of your repositories.
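The check the mirror bot above performed, written out as an added example (this is not the poster's bot, nor Minio code): fetch the upstream branch into a bare mirror, refuse the update unless the mirrored head is an ancestor of the new head, and report whether the new head still carries a `gpgsig` header. It assumes only that `git` is on PATH; the repositories, branch name and commits in `demo()` are constructed on the spot.

```python
"""Added example: detect history rewrites when mirroring a git branch.
Assumes `git` is on PATH. Repos and commits in demo() are constructed."""
import subprocess
import tempfile
from pathlib import Path


def git(repo, *args):
    """Run git inside `repo`; identity/signing config only matters for demo commits."""
    return subprocess.run(
        ["git", "-C", str(repo), "-c", "user.name=demo",
         "-c", "user.email=demo@example.invalid", "-c", "commit.gpgsign=false", *args],
        check=True, capture_output=True, text=True).stdout.strip()


def is_fast_forward(repo, old, new):
    """True if `old` is an ancestor of `new`, i.e. nothing already mirrored was rewritten."""
    r = subprocess.run(["git", "-C", str(repo), "merge-base", "--is-ancestor", old, new],
                       capture_output=True)
    return r.returncode == 0


def is_signed(repo, sha):
    """True if the commit object carries a gpgsig header (OpenPGP or SSH signature)."""
    raw = git(repo, "cat-file", "commit", sha)
    return any(line.startswith("gpgsig ") for line in raw.splitlines())


def update_mirror(upstream, mirror, branch="main"):
    """Fetch `branch` from `upstream` into the bare `mirror`.

    Returns (accepted, old_sha, new_sha, new_head_signed). The remote-tracking ref
    is force-updated (leading '+') so we can inspect the new head; the mirror's own
    branch is only advanced on a fast-forward, never force-pushed over."""
    old = git(mirror, "rev-parse", f"refs/heads/{branch}")
    git(mirror, "fetch", "-q", str(upstream),
        f"+refs/heads/{branch}:refs/remotes/upstream/{branch}")
    new = git(mirror, "rev-parse", f"refs/remotes/upstream/{branch}")
    signed = is_signed(mirror, new)
    if not is_fast_forward(mirror, old, new):
        return False, old, new, signed
    # update-ref with the expected old value: atomic, fails if someone raced us
    git(mirror, "update-ref", f"refs/heads/{branch}", new, old)
    return True, old, new, signed


def demo():
    """Constructed scenario: one honest fast-forward, then an amended (rewritten) head.
    Returns (first_update_accepted, rewrite_accepted, rewritten_head_signed)."""
    with tempfile.TemporaryDirectory() as tmp:
        up, mirror = Path(tmp, "upstream"), Path(tmp, "mirror")
        subprocess.run(["git", "init", "-q", str(up)], check=True, capture_output=True)
        git(up, "symbolic-ref", "HEAD", "refs/heads/main")
        git(up, "commit", "-q", "--allow-empty", "-m", "first")
        subprocess.run(["git", "clone", "-q", "--bare", str(up), str(mirror)],
                       check=True, capture_output=True)
        git(up, "commit", "-q", "--allow-empty", "-m", "second")
        ff = update_mirror(up, mirror)
        git(up, "commit", "-q", "--allow-empty", "--amend", "-m", "second, rewritten")
        rewrite = update_mirror(up, mirror)
        return ff[0], rewrite[0], rewrite[3]


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

For a real mirror, run `update_mirror` from cron against the upstream URL and alert on `accepted is False` or on a head that was signed before and is not signed now; both are exactly what the post observed.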
Quite good points! Don't consider scan results the truth just because they are created by a computer.
I see it daily that snyk (a security scanner) reports vulnerabilities in dependencies that don't really apply to a project, or that get a much lower severity because other measures are in place to prevent them from being exploited.
Check the scan results and understand them properly before going crazy. Those tools are helpers, not decision makers.
I think I wrote about this here quite a while ago, but here we go again:
There is something called a "USB condom". Technically it's a chip that only takes the power from the USB connection, then implements the USB fast-charging protocols and provides a socket for your regular USB cable to plug into. Just in case you wonder why these pieces cost 6-7 € each.
I just blocked qoto.org due to malicious client behaviour. They intentionally circumvent security measures to access content that is not meant for them.
You might want to consider blocking them as well, because they built a Mastodon fork that behaves like malware.
When you run an Android phone with an unlocked bootloader, one of your main security concerns has to be physical device security.
Even though your data is encrypted, on Android your OS is not, and therefore someone with physical access to your device can trivially inject malware that runs with system permissions.
The same is true for the kernel of your notebook and desktop computer when it doesn't use "Secure Boot" or a comparable security measure.
Good commit messages are in most cases longer than the changes they describe.
They should explain how things are changed, why it's done the way it is, and where one can read more about it.
I guess I have another example for that:
Mastodon and referrer policies…
Thinking about getting pregnant and tracking your cycle with an app, or tracking your pregnancy status with an app? Just don't.
Most of those apps are neither medical nor helpful for you, but sell your and your baby's data to marketing companies and sometimes to everyone else on the same network as you.
⚠️ Keep an eye on your Nextcloud configs. I just had to discover that Nextcloud Talk adds a chat window to all publicly shared links.
This chat is global for the file, which means when you share the file via different share links, for example with competing companies, they might end up having a nice little chat in your shared file.
This is a default setting you explicitly have to opt out of.
Always verify people's identity. Ideally in person. Or "How to send 1 million dollars to scammers". 🤷
Awesome, I just configured the Firefox add-on "Temporary Containers" to open every tab that is not an "always open in" tab as a temporary tab.
This prevents a lot of CSRF attacks, even when websites themselves didn't implement proper measures.
To implement it I use these two add-ons:
Today I learned: While Firefox supports WebAuthn, it doesn't support the full spec.
When you require user verification, Firefox will act like no FIDO2 key is attached and ask you to attach one.
This is a rather annoying bug. Chromium asks you to set up a PIN and, if possible, asks you for it.
Definitely needs some work before we can roll it out to the masses.
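What "require user verification" means on the wire, as an added example (not Firefox, Chromium or any WebAuthn library code): the authenticator returns `authenticatorData` whose flags byte carries the UP (user present, 0x01) and UV (user verified, 0x04) bits, and a relying party that set `userVerification: "required"` must reject an assertion without UV. The sample bytes are constructed with a helper; `example.com` is an assumed RP ID.

```python
"""Added example: parse WebAuthn authenticatorData and enforce user verification.
Sample data is constructed; "example.com" is an assumed RP ID."""
import hashlib
import struct

FLAG_UP = 0x01  # user presence (touch)
FLAG_UV = 0x04  # user verification (PIN or biometric)
FLAG_AT = 0x40  # attested credential data follows the header (registration)
FLAG_ED = 0x80  # extension data follows

HEADER_LEN = 37  # rpIdHash(32) + flags(1) + signCount(4)


def parse_authenticator_data(data):
    """Decode the fixed header: rpIdHash | flags | big-endian 32-bit signature counter."""
    if len(data) < HEADER_LEN:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = data[32]
    return {
        "rp_id_hash": data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "has_attested_cred": bool(flags & FLAG_AT),
        "has_extensions": bool(flags & FLAG_ED),
        "sign_count": struct.unpack(">I", data[33:37])[0],
    }


def check_assertion(data, rp_id, require_uv):
    """Header checks from the assertion verification procedure.

    Returns (ok, reason). The rpIdHash must be SHA-256 of the RP ID the server
    expects, UP must always be set, and UV must be set when the RP required it.
    Signature and counter checks belong after these and are out of scope here."""
    ad = parse_authenticator_data(data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode("ascii")).digest():
        return False, "rpIdHash does not match expected RP ID"
    if not ad["user_present"]:
        return False, "user presence flag not set"
    if require_uv and not ad["user_verified"]:
        return False, "user verification required but UV flag not set"
    return True, "ok"


def make_authenticator_data(rp_id, flags, sign_count):
    """Constructed sample header, as a test authenticator would emit it."""
    return (hashlib.sha256(rp_id.encode("ascii")).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


if __name__ == "__main__":
    touch_only = make_authenticator_data("example.com", FLAG_UP, 7)
    pin_and_touch = make_authenticator_data("example.com", FLAG_UP | FLAG_UV, 8)
    print(check_assertion(touch_only, "example.com", require_uv=True))     # rejected
    print(check_assertion(pin_and_touch, "example.com", require_uv=True))  # (True, 'ok')
```

A client that cannot perform user verification has no way to satisfy this check, which is why the server-side policy and the browser's support for PIN/biometric prompts have to match before rolling `userVerification: "required"` out.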
In order to secure your #Nextcloud from the #NextCry attack, you should keep all writable data on a volume that is mounted with `noexec`. Of course you should also make sure your setup is up-to-date and check the current security best practices for Nextcloud.
Finally, you should also make sure you have very regular backups of your data; don't consider synchronized data a backup.
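A way to verify the `noexec` advice instead of trusting `/etc/fstab`, as an added example (not part of Nextcloud or of the post): read `/proc/mounts`, find the mount that actually serves the data directory (longest matching mountpoint), and report which of `noexec`, `nosuid` and `nodev` are missing. The mount table below is constructed, and `/var/www/nextcloud/data` is an assumed data directory.

```python
"""Added example: check that a directory is served by a noexec/nosuid/nodev mount.
SAMPLE_MOUNTS is constructed; the Nextcloud paths are assumptions."""
import os

SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /var/www/nextcloud/data ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
"""

HARDENING_OPTIONS = ("noexec", "nosuid", "nodev")


def parse_mounts(text):
    """Return [(mountpoint, set(options))]; /proc/mounts encodes spaces as \\040."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint = fields[1].replace("\\040", " ")
        rows.append((mountpoint, set(fields[3].split(","))))
    return rows


def mount_for(path, mounts):
    """The mount actually serving `path`: the longest mountpoint that prefixes it."""
    path = os.path.normpath(path)
    best = None
    for mountpoint, opts in mounts:
        if path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/"):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, opts)
    if best is None:
        raise ValueError(f"no mount found for {path}")
    return best


def check_noexec(path, mounts_text):
    """Return (ok, mountpoint, missing_options) for the mount serving `path`."""
    mountpoint, opts = mount_for(path, parse_mounts(mounts_text))
    missing = sorted(o for o in HARDENING_OPTIONS if o not in opts)
    return (not missing, mountpoint, missing)


def check_live(path):
    """Same check against the running system's mount table."""
    with open("/proc/mounts", encoding="utf-8") as fh:
        return check_noexec(path, fh.read())


if __name__ == "__main__":
    for p in ("/var/www/nextcloud/data/admin/files", "/var/www/nextcloud/apps", "/tmp/upload"):
        print(p, check_noexec(p, SAMPLE_MOUNTS))
```

One caveat worth keeping in mind: `noexec` stops the kernel from executing binaries from that filesystem, but it does not stop an interpreter the attacker already controls (a PHP process, say) from reading and running a script stored there. It raises the bar; it is not the whole fix, which is why the update and backup advice above still applies.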
You might not want to stay with #Tutanota… I'm sorry for the guys working there, but not only do they have to comply with this court ruling, which forces them to provide some information in plaintext to the police, it also shows the biggest problem with their system:
Non-standardized "proper" end-to-end encryption.
Just use OpenPGP with a generated key *on your device* and a regular IMAP inbox.
[Repost due to dead URL]
There was recently a lot of news about DNS over HTTPS. Some people say it's bad for privacy because it centralizes the DNS requests on Google, Cloudflare and Quad9.
Time to change that and run your own DNS-over-HTTPS server. I spent some time today writing, documenting and arranging a small container setup to allow you to do this:
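What a client sends to such a server, as an added example that is not part of the poster's container setup: RFC 8484 carries an ordinary DNS wire-format message either as a GET with the message base64url-encoded (unpadded) in the `dns` query parameter, or as a POST body with `Content-Type: application/dns-message`. The code builds the query, wraps it both ways and parses A records out of a constructed response; `https://doh.example.invalid/dns-query` stands in for your own resolver's URL.

```python
"""Added example: build RFC 8484 DNS-over-HTTPS requests and parse a response.
DOH_URL and SAMPLE_RESPONSE are constructed for illustration."""
import base64
import struct
import urllib.request

DOH_URL = "https://doh.example.invalid/dns-query"  # assumption: your own DoH resolver


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00' (label-length prefixed, NUL terminated)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=1):
    """Wire-format query: ID 0 (RFC 8484 4.1, keeps GET responses cacheable),
    RD=1, one question of class IN; qtype 1 = A, 28 = AAAA."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def doh_get_url(query, url=DOH_URL):
    """GET form: base64url without '=' padding in the dns parameter."""
    return f"{url}?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def decode_dns_param(url):
    """Inverse of doh_get_url: restore padding and decode (what a server does)."""
    b64 = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


def doh_post_request(query, url=DOH_URL):
    """POST form: raw message body, media type application/dns-message."""
    return urllib.request.Request(url, data=query, method="POST", headers={
        "Content-Type": "application/dns-message", "Accept": "application/dns-message"})


def skip_name(buf, pos):
    """Advance past a (possibly compressed) name; returns the next offset."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            return pos + 2
        pos += 1 + length


def parse_a_records(resp):
    """Walk the question and answer sections, return dotted IPv4 strings of A records."""
    qdcount, ancount = struct.unpack(">HH", resp[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(resp, pos) + 4  # qtype + qclass
    ips = []
    for _ in range(ancount):
        pos = skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return ips


# Constructed response to build_query("example.com"): flags 0x8180 (QR, RD, RA),
# one answer whose name is a pointer to offset 12, type A, TTL 60, rdata 192.0.2.1.
SAMPLE_RESPONSE = (b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   + build_query("example.com")[12:]
                   + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01")


def resolve_a(name, url=DOH_URL):
    """Live lookup over POST (needs network and a real resolver at `url`)."""
    with urllib.request.urlopen(doh_post_request(build_query(name), url), timeout=5) as r:
        return parse_a_records(r.read())


if __name__ == "__main__":
    print(doh_get_url(build_query("example.com")))
    print(parse_a_records(SAMPLE_RESPONSE))  # ['192.0.2.1']
```

The GET form is what browsers use for cacheability; when testing your own server with curl, the POST form with `--data-binary` and the `application/dns-message` content type is usually simpler.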
If you still use #Windows 7, you might want to keep in mind that it's end-of-life on 14 January 2020.
This means that by the beginning of February at the latest you are at significant risk of becoming part of a botnet that might not just attack other people but could also steal your data, fool your online banking and delete everything from your computer.
Please talk to your kids, parents, friends, … whoever your local tech support is, for help switching away from Windows 7.
Interesting Twitter threads about "first start" browser communication:
It's amazing and concerning at the same time to see the amount of data that is transmitted by browsers nowadays. Keep in mind: none of those browsers have been used. Just 20 minutes of idling.
This is a very good OIDC overview. If you are about to implement an application, you should consider using this for your user backend.
If you are a user and want to know how "Sign-in with Google" or "Sign-in with Facebook" works, this is your chance.
Quick blog post I worked on a few days ago and finally got released:
I'm a professional relationship therapist for programs and their users.
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!