Mhm, I'm kind of tired of talks about container security that chant for "build minimal container images". Does anyone have a case where minimal container images would have prevented a compromise?
And if so: would a minimal "distroful" (e.g. alpine or debian base image) have prevented it, or only a "distroless"/scratch container for static linked builds?
This is a very interesting analysis on patch management across organisations: https://f.hubspotusercontent10.net/hubfs/5408110/2021_Tuxcare_State_of_Enterprise_Vulnerability_Detection_and_Patch_Management_Report.pdf
Can be resolved on a category level when moving towards more modern deployment stacks. However, it also tells the story of what real adoption of these stacks looks like. Apparently, not great.
The Open Source Security Podcast talked about it in a bit more detail:
Does anyone have some quantitative research about automated updates and their impact on security? Everything I found was usually quite narrow and mainly talks about business impacts due to untested updates.
What I'm more interested in are larger test sets and how they appear to be infected with malware or the like. (e.g. you have 10000 participants split into two groups, one group updates automatically, the other group manually, and how many of them caught any malware)
For those running Kubernetes, it might be worth asking themselves what they do with their credentials.
Today I moved mine into pass, the unix password manager, and configured the kubeconfig to query them on demand, which means the certificates are now secured by my Yubikey:
Might be an idea for you as well, so I documented it for myself and others :)
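The on-demand lookup described above can be done with a kubectl "exec" credential plugin. The script below is an added example, not the author's own setup: it reads the client certificate and key from pass (the unix password manager, which decrypts via gpg, so a key held on a Yubikey is touched at that point) and prints the ExecCredential document kubectl expects. The pass entry names `k8s/<cluster>/client.crt` and `k8s/<cluster>/client.key`, the script path and the user name in the kubeconfig stanza are assumptions.

```python
"""Added example (not the author's script): kubectl exec credential plugin
backed by pass.

Matching kubeconfig user entry (assumed path and user name):

  users:
  - name: my-user
    user:
      exec:
        apiVersion: client.authentication.k8s.io/v1
        command: /usr/local/bin/kube-pass-cred
        args: ["my-cluster"]
        interactiveMode: Never
"""
import json
import subprocess
import sys

EXEC_API_VERSION = "client.authentication.k8s.io/v1"


def read_from_pass(entry: str) -> str:
    """Decrypt one pass entry and return its content.

    pass delegates to gpg, so with the key on a hardware token this is the
    point where the token has to be present (and unlocked, if a PIN is set).
    """
    result = subprocess.run(
        ["pass", "show", entry], check=True, capture_output=True, text=True
    )
    return result.stdout


def require_pem(label: str, text: str) -> str:
    """Refuse to hand kubectl something that is obviously not a PEM block,
    e.g. because the wrong pass entry was named."""
    if not text.lstrip().startswith("-----BEGIN"):
        raise ValueError(f"{label} does not look like a PEM block")
    return text


def build_exec_credential(cert_pem: str, key_pem: str) -> dict:
    """ExecCredential document carrying a client certificate and key.

    kubectl reads status.clientCertificateData / status.clientKeyData and
    uses them for TLS client authentication, so nothing is written to disk.
    """
    return {
        "apiVersion": EXEC_API_VERSION,
        "kind": "ExecCredential",
        "status": {
            "clientCertificateData": require_pem("certificate", cert_pem),
            "clientKeyData": require_pem("key", key_pem),
        },
    }


def main(cluster: str) -> None:
    # Assumed pass layout: k8s/<cluster>/client.crt and k8s/<cluster>/client.key
    cert = read_from_pass(f"k8s/{cluster}/client.crt")
    key = read_from_pass(f"k8s/{cluster}/client.key")
    json.dump(build_exec_credential(cert, key), sys.stdout)


if __name__ == "__main__":
    main(sys.argv[1])
```

Because the plugin is invoked by kubectl on every call that needs credentials, a gpg-agent cache TTL decides how often the token is touched; with no cache, every request needs the Yubikey.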
A well-implemented zone-based security model (e.g. internal-dmz-external) is usually still more secure than a bad "zero-trust" security model. So if you feel comfortable with zone-based security, go for it, you can build zero-trust on top of it, all the time :)
Uhm, @Fairphone is there any information about how to do firmware upgrades on the "Truly wireless earbuds"?
Just wondering because I couldn't find any and I consider the idea of having not-updated Bluetooth connected devices a bit uncomfortable, especially with last year's vulnerabilities:
(Yes, yes, not all apply to this kind of product, but there might be one tomorrow that does)
If you ever wondered why you should run a 3-2-1 backup strategy and why the 2 stands for 2 different media, well, WD reminded some people about that:
And that my friends is why you don't store 2FA credentials in password managers.
I'm really looking forward to the DWF project: https://opensourcesecurity.io/2021/03/30/its-time-to-fix-cve/
No long backwards and forwards talk. A form, a review, a CVE. 👍
Since sending out passwords to people still happens to be a daily duty of people out there, it might be worth looking into "Bitwarden Send":
They basically extended their password safe with a functionality to share text as well as files using their platform in a reasonably secure fashion.
Time to upgrade your GitLab
Generally speaking it's recommended to subscribe to the webfeed. If you also want to chat a bit about those updates, feel free to join us in our Git Hosters room:
It's a small matrix room with people who host their own platforms and talk about it. Hope to see you around :)
Nice little feature of Bitwarden:
Check which services you are registered with have 2FA options, and check the instructions on how to enable them.
I wouldn't recommend storing your 2FA credentials along with the passwords in Bitwarden, but checking once a year where you can set up new 2FA is definitely recommended!
Oh, Apple added an anti-stalkerware guide to their official manual:
This helps to identify potential abuse of legitimate iOS settings/features. Feel free to share so that those in need can find it.
If you run a shared K8s environment you might want to take action to prevent CVE-2020-8554:
"MitM-as-a-service" as anyone with the rights to create a service object can take over IP addresses for all namespaces of a cluster.
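The usual mitigation for the unprivileged part of CVE-2020-8554 is an admission policy that refuses Service objects using spec.externalIPs unless the address is one the operator has actually assigned. The code below is an added example and not part of the original post or of any Kubernetes project: it implements that check as the core of a validating admission webhook, with a constructed allowlist (an address from the documentation range) and a constructed AdmissionReview as sample input. The other half of the issue, patching status.loadBalancer.ingress on a LoadBalancer Service, is a privileged operation and is a matter of not granting that RBAC right; it is not covered here.

```python
"""Added example (not the author's code): validating-admission check that
rejects Service objects with externalIPs outside an operator allowlist."""
import ipaddress
from typing import Tuple

# Constructed allowlist: the addresses the cluster operator has assigned on
# purpose. Anything else in spec.externalIPs is refused.
ALLOWED_EXTERNAL_IPS = frozenset({"203.0.113.10"})


def validate_service(service: dict, allowed=ALLOWED_EXTERNAL_IPS) -> Tuple[bool, str]:
    """Return (allowed, reason) for one Service manifest (the dict found in
    AdmissionReview request.object). Services without externalIPs pass, since
    a plain ClusterIP/NodePort Service cannot claim an arbitrary address."""
    spec = service.get("spec") or {}
    for raw in spec.get("externalIPs") or []:
        try:
            ip = ipaddress.ip_address(raw)  # also normalises IPv6 spelling
        except ValueError:
            return False, f"externalIPs entry {raw!r} is not a valid IP address"
        if str(ip) not in allowed:
            return False, f"externalIP {ip} is not on the operator allowlist"
    return True, "ok"


def admission_review_response(review: dict, allowed=ALLOWED_EXTERNAL_IPS) -> dict:
    """Build the AdmissionReview response a validating webhook returns.

    request.uid has to be echoed back unchanged; the API server discards a
    response whose uid does not match the request."""
    request = review["request"]
    ok, reason = validate_service(request["object"], allowed)
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "response": {
            "uid": request["uid"],
            "allowed": ok,
            "status": {"message": reason},
        },
    }


if __name__ == "__main__":
    # Constructed sample request: a tenant tries to claim an address that the
    # operator never handed out, which is exactly the CVE-2020-8554 scenario.
    sample_review = {
        "request": {
            "uid": "00000000-0000-0000-0000-000000000001",
            "object": {
                "kind": "Service",
                "metadata": {"name": "evil", "namespace": "tenant-a"},
                "spec": {"type": "ClusterIP", "externalIPs": ["10.0.0.1"]},
            },
        }
    }
    print(admission_review_response(sample_review))
```

To actually enforce this, the function would sit behind an HTTPS endpoint referenced by a ValidatingWebhookConfiguration scoped to CREATE and UPDATE on `services`; with `failurePolicy: Fail`, an unreachable webhook blocks Service changes rather than silently letting externalIPs through.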
Fancy, finally an alternative to Let's Encrypt!
It's always good to have alternatives around. ZeroSSL appears to be a European company that now provides free TLS certificates using the ACME protocol.
So in order for games to perform better, the new generation game consoles have implemented direct storage access for the graphics cards to load graphic assets without bothering the rest of the system, resulting in better performance. This technology is about to hit PCs as well, soon.
What bothers me about this: I see no way this will work with properly encrypted disks/storage.
By the way, thanks to the help of @nathand I was able to reproduce the issue earlier today.
I can officially say that one shouldn't use the implementation of canarymail for OpenPGP, because it's unaware of how to select the right key. Not only are they unable to select the encryption sub key, but they also ignore expiry dates and key revocation, making it an actual danger.
Another weekend another evening project. Today: A simple container firewall that runs in user space and therefore doesn't need CAP_NET_ADMIN.
Is it as effective as iptables? By no means. But it's most likely sufficient for the majority of use cases.
Well, who would have expected that a browser that markets itself with the fact that it sells its users' attention is doing weird stuff like placing affinity links on random people's websites?
If you are running Brave, consider going back to whatever browser you used before or try out a new one. There are enough browsers out there which display a website as it is and don't randomly replace links.
I'm a professional relationship therapist for programs and their users.
This is my personal microblog. It's filled with my fun, joy and silliness.