When you run Symantec or Norton AV, Microsoft will not provide security updates for now, because your anti-malware solution, at least according to itself, deletes all updates provided by Microsoft, which protect you from real security issues.

I mean, it's not like Microsoft announced months ago that they will drop SHA-1 signatures this month… And SHA-1 support has already not been recommended for years… 🤷 "Security experts"

Things get even better. So I opened a public GitHub issue in order to make sure people are informed and the developer might be even more motivated to fix it. Seems like the opposite is the case:

github.com/blakawk/gitlab-inte

I'll give it another try to convince him, but if not… 🤷 Can't help people who don't want to be helped.

Since the way to the official @fdroidorg repository is still a bit complicated for , they decided to self-host a repository!

Want to get the Bitwarden Android app without Google Play? Here you go:

mobileapp.bitwarden.com/fdroid

And here we go, my new blog article is out:

"Atom plugin "gitlab-integration" leaks your tokens"

shivering-isles.com/Atom-plugi

TL;DR: When you use the Atom plugin gitlab-integration, you should either patch it with the workaround mentioned in the article or stop using it. You should definitely revoke the personal access token you were using with it.

Remember Spectre? It's back! 👻

Time to patch your systems!

access.redhat.com/articles/432

This time it's called Spectre SWAPGS and has the CVE number: CVE-2019-1125

Have fun! 👍🏻

I have to say there are some awesome people out there. Great documentation for synapse (Matrix) <-> Keycloak setup:

edenmal.moe/post/2019/Matrix-S

Yesterday I started to deploy SSO through my private infrastructure using Keycloak. And after deploying Nextcloud and CodiMD with it, I started to question this decision.

Because it's nice to have a central place and only a single login for all services, but except for me, no one is using all services, and I don't see an easy way to restrict people from using certain services.

What to do…

Don't forget to update your synapse instance. Version 1.2.1 is a critical security update which can lead to downgrade attacks on rooms, spoofed read receipts, people being pushed out of rooms, and more.

github.com/matrix-org/synapse/

In order to keep rooms and your servers safe, please upgrade.

Seems like the YUM/DNF repositories of "getpagespeed.com" got pwnd.

Check whether your systems have this repository around:

sudo grep -r 'getpagespeed.com' /etc/yum.repos.d/

And if so, you may want to reinstall the machine.

serverfault.com/questions/9726

Got the hint from: twitter.com/faker_/status/1143
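The one-line grep above answers "is the host mentioned anywhere in yum.repos.d"; the added example below (my code, not from the post or from any of the linked sources) generalizes that check into a small inventory script that parses each `.repo` file and reports which repository sections point at a given host via `baseurl`, `mirrorlist`, `metalink` or `gpgkey`, falling back to a raw substring search for files that don't parse. The directory and repo files it scans are constructed in `build_sample_repo_dir()` so it runs offline; point `find_repo_references()` at `/etc/yum.repos.d` on a real system.

```python
"""Scan YUM/DNF repository definitions for references to a given host.

Added example, not from the original post. The host name, file names and
repo contents used for the demo are constructed.
"""
import configparser
import os
import tempfile
from typing import Dict, List

# Keys inside a [repo] section that carry URLs worth checking.
URL_KEYS = ("baseurl", "mirrorlist", "metalink", "gpgkey")


def find_repo_references(repo_dir: str, host: str) -> Dict[str, List[str]]:
    """Return {file name: [section names]} for .repo files that reference `host`.

    The match is case-insensitive and only looks at URL-carrying keys, so a
    repo whose `name=` merely mentions the host is not reported. Files that
    configparser cannot read are searched as raw text (like `grep -r` would)
    and reported with the pseudo-section "<unparsed>".
    """
    hits: Dict[str, List[str]] = {}
    needle = host.lower()
    for name in sorted(os.listdir(repo_dir)):
        if not name.endswith(".repo"):
            continue
        path = os.path.join(repo_dir, name)
        # interpolation=None keeps $releasever / $basearch literal.
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        try:
            parser.read(path, encoding="utf-8")
        except configparser.Error:
            with open(path, encoding="utf-8", errors="replace") as fh:
                if needle in fh.read().lower():
                    hits[name] = ["<unparsed>"]
            continue
        sections: List[str] = []
        for section in parser.sections():
            for key in URL_KEYS:
                if needle in parser.get(section, key, fallback="").lower():
                    sections.append(section)
                    break
        if sections:
            hits[name] = sections
    return hits


def build_sample_repo_dir() -> str:
    """Create a temporary directory holding constructed .repo files."""
    repo_dir = tempfile.mkdtemp(prefix="yum.repos.d-")
    samples = {
        "fedora.repo": (
            "[fedora]\nname=Fedora\n"
            "metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-30&arch=$basearch\n"
            "enabled=1\n"
        ),
        "third-party.repo": (
            "[pagespeed]\nname=Example third-party repo\n"
            "baseurl=https://extras.getpagespeed.com/redhat/$releasever/$basearch/\n"
            "enabled=1\ngpgkey=https://extras.getpagespeed.com/RPM-GPG-KEY\n\n"
            "[other]\nname=Other\nbaseurl=https://mirror.example.org/\n"
        ),
        "notes.txt": "getpagespeed.com mentioned here, but this is not a .repo file\n",
    }
    for file_name, content in samples.items():
        with open(os.path.join(repo_dir, file_name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return repo_dir


if __name__ == "__main__":
    sample_dir = build_sample_repo_dir()
    for file_name, sections in find_repo_references(sample_dir, "getpagespeed.com").items():
        print(f"{file_name}: {', '.join(sections)}")
```

On a machine where the scan reports a hit, the post's advice stands: disabling the repo is not enough, because packages already installed from it may have been tampered with.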

Do you use `pass` as password manager on your machine?

There is an extension to verify your passwords against the HIBP database of known passwords and make sure that your password wasn't exposed during a data breach. (Of course without giving your password away.)

This extension is packaged on as pass-pwned.

Brian "bex" Exelbierd wrote an article about it, and how to install it on any other distro on opensource.com:

opensource.com/article/19/6/ch

Pro tip: Monitor your LE certificates using Atom feeds:

Just subscribe to: crt.sh/atom?q=<domain you want to watch goes here>

And get all issued certificates for that domain right to your feed reader. Great and useful service with interesting results.

By the way, it might also be a good time to start using the `expect-ct` header:

scotthelme.co.uk/a-new-securit
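Subscribing to the feed gets every issuance into your reader; what you then want is a way to tell the certificates you requested from ones you didn't. The added example below (my code, not from the post and not crt.sh's own tooling) parses an Atom feed with the standard library and flags entries naming a hostname outside your inventory, honouring `*.` wildcards and skipping entry ids you have already reviewed. It assumes a plain Atom feed (entry `id`, `title`, `updated`, `link`) whose title lists the hostnames the certificate covers; the feed and its ids are constructed for the demo, and the real crt.sh entry layout may differ, in which case only `entry_names()` needs adapting.

```python
"""Flag unexpected certificates in a Certificate Transparency Atom feed.

Added example, not from the original post. SAMPLE_FEED and its ids are
constructed; the title-holds-hostnames convention is an assumption.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, List, Set

ATOM_NS = {"atom": "http://www.w3.org/2005/Atom"}


@dataclass
class CertEntry:
    entry_id: str
    title: str
    updated: str
    link: str


# Constructed sample feed for a fictional example.org watch.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>example.org (constructed sample feed)</title>
  <entry>
    <id>https://crt.sh/?id=1000001</id>
    <title>example.org www.example.org</title>
    <updated>2019-06-01T10:00:00Z</updated>
    <link href="https://crt.sh/?id=1000001"/>
  </entry>
  <entry>
    <id>https://crt.sh/?id=1000002</id>
    <title>mail.example.org</title>
    <updated>2019-06-03T08:30:00Z</updated>
    <link href="https://crt.sh/?id=1000002"/>
  </entry>
  <entry>
    <id>https://crt.sh/?id=1000003</id>
    <title>vpn-backup.example.org</title>
    <updated>2019-06-05T12:15:00Z</updated>
    <link href="https://crt.sh/?id=1000003"/>
  </entry>
</feed>
"""


def parse_feed(xml_text: str) -> List[CertEntry]:
    """Turn the feed's <entry> elements into CertEntry records."""
    root = ET.fromstring(xml_text)
    entries: List[CertEntry] = []
    for e in root.findall("atom:entry", ATOM_NS):
        link = e.find("atom:link", ATOM_NS)
        entries.append(CertEntry(
            entry_id=e.findtext("atom:id", default="", namespaces=ATOM_NS).strip(),
            title=e.findtext("atom:title", default="", namespaces=ATOM_NS).strip(),
            updated=e.findtext("atom:updated", default="", namespaces=ATOM_NS).strip(),
            link=link.get("href", "") if link is not None else "",
        ))
    return entries


def entry_names(entry: CertEntry) -> List[str]:
    """Hostnames named by an entry; assumed to be whitespace-separated in the title."""
    return [name.lower() for name in entry.title.split()]


def is_expected(name: str, expected: Set[str]) -> bool:
    """True if `name` is in the inventory directly or covered by a `*.parent` entry."""
    if name in expected:
        return True
    if "." in name:
        return "*." + name.split(".", 1)[1] in expected
    return False


def unexpected_certificates(entries: Iterable[CertEntry], expected_names: Set[str],
                            seen_ids: Set[str]) -> List[CertEntry]:
    """Entries not reviewed before that name at least one host outside the inventory."""
    expected = {n.lower() for n in expected_names}
    return [
        entry for entry in entries
        if entry.entry_id not in seen_ids
        and any(not is_expected(name, expected) for name in entry_names(entry))
    ]


if __name__ == "__main__":
    inventory = {"example.org", "www.example.org", "mail.example.org"}
    for entry in unexpected_certificates(parse_feed(SAMPLE_FEED), inventory, set()):
        print(f"UNEXPECTED {entry.updated} {entry.title} -> {entry.link}")
```

Persist the reviewed ids between runs and keep the inventory in sync with what you actually request from Let's Encrypt; a wildcard entry in the inventory makes the check lenient, so prefer listing the exact names where you can.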

Seems like there is another hardware exploit called "RAMbleed". rambleed.com/

TL;DR: By using the error correction of bit flips, it's possible to steal secrets out of a system's memory that are not owned by the process which reads the memory.

Just read another article that tries to make a big deal out of missing root passwords in containers.

Did you know you can get rid of all this by simply running your containers with the security option "no-new-privileges"?

This was contributed by Project Atomic in 2016 and will forbid processes from gaining more privileges once they are dropped, including changing their uid.

projectatomic.io/blog/2016/03/

Oh and it works for the majority of containers straight away.

The Fedora Magazine provided a new article about using the Fedora Account System (FAS) and how to use the desktop integrated Kerberos Login to have SSO enabled for all Fedora services:

fedoramagazine.org/getting-set

And did you know that the FAS works with CodiMD when you enable the OpenID login?

Just sign into: https://<your account name>.id.fedoraproject.org 🎉

And yes, you can try it on demo.codimd.org

When you use Bitwarden as a password manager, enable 2FA.

help.bitwarden.com/article/set

Pro tip: When you set up 2FA with at least two methods/devices, disable the email 2FA that is enabled by default after setting up 2FA.

If you are looking for a TOTP app, check AndOTP on F-Droid, as it allows you to make encrypted backups of the material.

Otherwise, buy a Yubikey and use the U2F method, which is the most secure option.

It's known, it's creepy and it's still legal in a majority of countries. Please get rid of those devices as soon as possible. Trust your children, and if you don't think they can manage something alone, go with them. Don't put a surveillance clock on their arm that is more likely to attract weirdos and people who may want to harm them, than help them in any way.

troyhunt.com/how-to-track-your

Since Matrix reset all logins recently, you may have lost some of your E2EE keys. Those were erased when you were forcefully logged out.

Those who used the Key Backup mechanism by Matrix.org can recover quite easily, those who didn't bother to set them up, might have a problem.

In :matrix.org we discussed that today and someone provided a detailed guide on how to recover using BTRFS:

matrix.to/#/!boLskYiwabbCQNNhl

After Matrix restored its major services, they noticed that the GPG keys used for signing packages were compromised.

The key IDs are:

AD0592FE47F0DF61 (synapse)
E019645248E8F4A1 (Riot/Web)

Please make sure to no longer use those keys.

@matrix Turns out that there was a successful compromise of the Matrix infrastructure happening.

Details from Matrix on Twitter: twitter.com/matrixdotorg/statu

You may ask how that could happen, but more important: It didn't stay unnoticed and that's a good sign.

Just a thought, but if Mozilla provided a DoH server that runs in Intel SGX or similar, it should be easy to distribute the DNS requests to 3rd parties.

Intel SGX would take care of running the same code as Mozilla provided, which ensures that no privacy violations occur, and at the same time we can run decentralized with DoH by default.

Oh, and for latency, we need to add some response time measuring code in FF to select the fastest DoH server.

Sheogorath's Microblog

This instance is the microblog to my blog. You'll probably find more recent content here while finding more elaborated content on the blog.