Thinking about getting pregnant and tracking your cycle with an app, or tracking your pregnancy status with an app? Just don't.

Most of those apps are neither medical nor helpful for you, but sell your and your baby's data to marketing companies and sometimes everyone else on the same network as you are.

⚠️ Keep an eye on your Nextcloud configs. Just had to discover that Nextcloud Talk adds a chat window to all publicly shared links.

This chat is global for this file, which means that when you share the file with different share links, for example with competing companies, they might end up having a nice little chat in your shared file.

This is a default setting you have to explicitly opt out of.

Awesome, just configured the Firefox addon "Temporary Containers" to open every non-"always open in" tab as a temporary tab.

This prevents a lot of CSRF attacks, even when websites themselves didn't implement proper measures.

To implement it I use those two addons:


Today I learned: While Firefox supports WebAuthn, it doesn't support the full spec.

When you require user verification, Firefox will act like no FIDO2 key is attached and ask you to attach one.

This is a rather annoying bug. Chromium asks you to set up a PIN and, if possible, asks you for it.

Definitely needs some work before we can roll it out to the masses.

In order to secure your from the attack, you should keep all writable data on a volume that is mounted with `noexec`. Of course you should also make sure you keep your setup up to date and check the current security best practices for Nextcloud.

Finally you should also make sure you have very regular backups of your data; don't consider synchronized data a backup.
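One way to check the `noexec` advice above, as an added example that is not part of the original post: it parses a mount table in `/proc/mounts` format and reports writable directories whose covering mount lacks `noexec`. The paths and the sample mount table are constructed assumptions, and symlinks are not resolved.

```python
import os
import re

# Constructed sample in /proc/mounts format (not taken from a real system).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /srv/nextcloud/data ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sdc1 /srv/nextcloud/data/external\\040drive ext4 rw,relatime 0 0
"""

def parse_mounts(text):
    """Return [(mountpoint, {options})] in table order."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        # /proc/mounts writes space, tab and backslash as octal escapes (\040 ...).
        mountpoint = re.sub(r"\\([0-7]{3})",
                            lambda m: chr(int(m.group(1), 8)), parts[1])
        mounts.append((mountpoint, set(parts[3].split(","))))
    return mounts

def covering_mount(path, mounts):
    """Longest mountpoint that contains path; later entries win ties (over-mounts)."""
    path = os.path.normpath(path)
    best = None
    for mountpoint, opts in mounts:
        mp = mountpoint.rstrip("/") or "/"
        if path == mp or mp == "/" or path.startswith(mp + "/"):
            if best is None or len(mp) >= len(best[0]):
                best = (mp, opts)
    return best

def exec_allowed(paths, mounts):
    """Return [(path, mountpoint)] for paths not covered by a noexec mount."""
    findings = []
    for p in paths:
        hit = covering_mount(p, mounts)
        if hit is None or "noexec" not in hit[1]:
            findings.append((p, hit[0] if hit else None))
    return findings

if __name__ == "__main__":
    # On a real host, read the live table instead: open("/proc/mounts").read()
    for path, mp in exec_allowed(["/srv/nextcloud/data", "/tmp"],
                                 parse_mounts(SAMPLE_MOUNTS)):
        print(f"{path}: mount {mp} allows exec")
```

Note that a nested mount without `noexec` (the constructed "external drive" entry) reopens the gap even when the parent data volume is mounted correctly.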

You might not want to stay around … I'm sorry for the guys working there, but not only do they have to comply with this court rule which forces them to provide some information in plaintext to the police, it also shows the biggest problem with their system:

Nonstandardized proper end-to-end encryption.

Just use OpenPGP with a generated key *on your device* and a regular IMAP inbox.

[Repost due to dead URL]

There was recently a lot of news about DNS over HTTPS. Some people say it's bad for privacy because it centralizes the DNS requests on Google, Cloudflare and Quad9.

Time to change that and run your own DNS over HTTPS server. I spent some time today writing, documenting and arranging a small container setup to allow you to do this:

If you still use 7, you might want to keep in mind that it reaches end-of-life on 14th January 2020.

This means that by the beginning of February at the latest you are at significant risk of becoming part of a botnet that might just attack other people, but could also steal your data, fool your online banking and delete everything from your computer.

Please talk to your kids, parents, friends, … whoever your local tech support is, for help in order to switch away from Windows 7.

Interesting Twitter Threads about "first start" browser communication:





It's amazing and concerning at the same time to see the amount of data that is transmitted by browsers nowadays. Keep in mind: None of those browsers have been used. Just 20 minutes of idling.

This is a very great OIDC overview. If you are about to implement an application, you should consider using this for your user backend.

If you are a user and want to know how "Sign-in with Google" or "Sign-in with Facebook" works, this is your chance.

Quick blog post I worked on a few days ago and finally got released:

TL;DR: Due to 's current architecture for using TOFU would be too dangerous. But with cross-signing upcoming, things will get better.

I spent some time of my evening tinkering with my notebook's settings and a UEFI update. In order to make it easier for you, I wrote a little summary on how I did it and how your next firmware update may look:

Make the makeup industry wonder about what happened to their customer base:

Why not go and buy some nice nail polish tomorrow in order to make sure your hardware is tamper-proof?


1. Put stickers on the screws of your notebook
2. Mark them out with nail polish
3. Take high-resolution pictures of the setup
4. Verify changes over time
5. Refresh before entering potential tamper situations

Really great article about hardware security tokens:

It contains a ton of information for people who want to learn a bit about modern security tools :)

Some "lessons learned" from the whole disaster:

1. Revoke keys when you notice the private key was compromised
2. Use HSMs to prevent private keys from getting compromised
3. Inform your customers about breaches
4. Do proper audit logging of your systems' user accounts
5. Use your own OS images, when installing machines
6. Run an IDS to get informed when your production systems act unusual
7. Spend more money on infrastructure security, less on marketing it

If you are looking for a hardening guide for your Linux system, I can recommend "The Practical Linux Hardening Guide" by trimstray.


1. It's based on SCAP policies.
2. It uses standards
3. It provides you with references and rationales, not just actions

This will allow you to consider whether or not you should apply this configuration to your setup.

Ouch… There are good reasons why you want to keep data within your infrastructure.

Every third party can leak your data and then you have to clean up the mess with your customers:

Example: Hosted was breached… Hello fancy companies who have to tell me my data were exposed?

I wonder how many companies now bother to inform their customers.

So the Comodo forum was breached due to the vBulletin vulnerability that goes around recently.

They started their statement with:
“At Comodo we take security very seriously and it is our highest priority.”

I imagine the conversation like this: "We screwed up, …" *lawyer checks the text* "We can't write this, it would make us liable in some way for this problem"

Why does our legal system (create the illusion to) punish those who tell the truth?

Mhm, I just decided to disable in my setup, but I neither consider it usable, nor safe to use.

1. I have no idea where the keys reside (and therefore how to make proper backups)
2. It turns off all indicators for signed and/or encrypted emails that Enigmail provides and states that there is a recipient rule (which isn't shown in the UI…)
3. I don't think people care enough about their autocrypt keys.



Sheogorath's Microblog
