When you use Bitwarden as a password manager, enable 2FA.

help.bitwarden.com/article/set

Pro tip: When you set up 2FA with at least two methods/devices, disable the email 2FA that is enabled by default after setting up 2FA.

If you are looking for a TOTP app, check out AndOTP on F-Droid, as it allows you to make encrypted backups of the secret material.

Otherwise, buy a YubiKey and use the U2F method, which is the most secure option.

It's known, it's creepy and it's still legal in a majority of countries. Please get rid of those devices as soon as possible. Trust your children, and if you don't think they can manage something alone, go with them. Don't put a surveillance clock on their arm that is more likely to attract weirdos and people who may want to harm them, than help them in any way.

troyhunt.com/how-to-track-your

Since Matrix reset all logins recently, you may have lost some of your E2EE keys. Those were erased when you were forcibly logged out.

Those who used the Key Backup mechanism by Matrix.org can recover quite easily; those who didn't bother to set it up might have a problem.

In :matrix.org we discussed that today and someone provided a detailed guide on how to recover using BTRFS:

matrix.to/#/!boLskYiwabbCQNNhl

After Matrix restored its major services, they noticed that the GPG keys used for signing packages were compromised.

The key IDs are:

AD0592FE47F0DF61 (synapse)
E019645248E8F4A1 (Riot/Web)

Please make sure to no longer use those keys.

@matrix Turns out there was a successful compromise of the Matrix infrastructure.

Details from Matrix on Twitter: twitter.com/matrixdotorg/statu

You may ask how that could happen, but more importantly: it didn't go unnoticed, and that's a good sign.

Just a thought, but if Mozilla provided a DoH server that runs in Intel SGX or similar, it should be easy to distribute the DNS requests across third parties.

Intel SGX would guarantee that exactly the code Mozilla provided is running, which ensures that no privacy violations occur, and at the same time we could run DoH by default in a decentralized way.

Oh, and for latency, we need to add some response time measuring code to FF to select the fastest DoH server.

Looking for opinions on Flatpak isolation for .

Right now we only allow write access to the Downloads directory, which causes problems with drag and drop and sending files in general. We are currently considering giving access to the entire home directory, but the big question is: allow write access or read-only access?

Discussion can be found here:

github.com/flathub/im.riot.Rio

If someone is into CPP or electron development, please have a look at:
github.com/electron/electron/p

Looks like I did my good deed for today. Reported a security issue to an institute 🙂

When you find a security problem with an institute/company/organisation, be kind: check if they support OpenPGP-encrypted email; if they do, send one; if they don't, call them and ask to talk with them.

It's really bad when you send security reports to the wrong people, or they might end up in a mailbox that is never checked.

While moving to its own organization, CodiMD also switched from Docker Hub to quay.io as its container registry. Major improvement: security scanning for all images by default.

Disadvantage: You have to prepend quay.io to the image.

If you wonder where to find it: quay.io/repository/codimd/serv

If you wonder about the change in general:
github.com/codimd/server/issue

Looks like 0-RTT in TLS 1.3 comes at quite a high price: vulnerability to replay attacks.

If you are one of the early adopters, check that your application is not affected, as this is a fundamental problem at the protocol level.

"What Application Developers Need To Know About TLS Early Data (0RTT)" by Paul Kehrer:

blog.trailofbits.com/2019/03/2
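An added example (my own code, not from the linked article) of the origin-side guard that the early-data problem calls for: a TLS-terminating proxy that accepts 0-RTT is assumed to mark forwarded early-data requests with the `Early-Data: 1` header from RFC 8470, and the origin answers `425 Too Early` for anything that is not safe to replay, so the client resends after the handshake. The `/transfer` handler and balances are constructed sample data.

```python
"""Guard non-idempotent HTTP requests against TLS 1.3 0-RTT replay (RFC 8470)."""
from dataclasses import dataclass, field

# Methods whose HTTP semantics are replay-safe. Even these are only safe
# if the handler behind them really has no side effects.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def is_early_data(req: Request) -> bool:
    """True when the proxy flagged this request as (possibly replayed) early data."""
    # Header names are case-insensitive; "1" is the only value RFC 8470 defines.
    return any(k.lower() == "early-data" and v.strip() == "1"
               for k, v in req.headers.items())


def guard_early_data(req: Request, handler):
    """Return (status, body); replay-sensitive requests in early data get 425."""
    if is_early_data(req) and req.method.upper() not in SAFE_METHODS:
        # 425 tells the client to retry once the handshake has completed,
        # at which point a 0-RTT replay of the request is no longer possible.
        return 425, "Too Early: retry after the TLS handshake completes"
    return handler(req)


# Constructed sample handler: a money transfer that must never be replayed.
_balance = {"alice": 100}


def transfer(req: Request):
    if req.method == "POST" and req.path == "/transfer":
        _balance["alice"] -= 10
        return 200, f"ok, balance={_balance['alice']}"
    return 200, "hello"


def simulate(early: bool, method: str) -> tuple:
    """Deliver the same request twice (a replay); return (last status, balance)."""
    _balance["alice"] = 100
    hdrs = {"Early-Data": "1"} if early else {}
    status = 0
    for _ in range(2):
        status, _body = guard_early_data(Request(method, "/transfer", hdrs), transfer)
    return status, _balance["alice"]
```

Without the guard a replayed early-data POST debits the account twice; with it the proxy-flagged copies are refused and the balance is untouched until the client retries over the completed handshake.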

So when people use "Flexible" in their TLS config on Cloudflare and have an HTTP-to-HTTPS redirect configured, this causes redirect loops (since Cloudflare will connect to the HTTP endpoint).

But instead of switching to "Full" or "Full (Strict)", which would also provide TLS from Cloudflare to the origin, they recommend disabling the redirect 🤦‍♂️ 🤦‍♀️ 🤦‍♂️ 🤦‍♀️
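An added model (my own code, not Cloudflare's or the post's) of the request chain behind that loop. Assumptions: the origin redirects every plain-HTTP request to HTTPS; "Flexible" means the edge terminates the visitor's TLS and talks plain HTTP to the origin, "Full" means HTTPS to the origin without certificate validation, and "Full (Strict)" means HTTPS with a valid origin certificate required. The hostname `example.test` is a placeholder.

```python
"""Model of Cloudflare SSL modes against an origin that redirects HTTP to HTTPS."""
MAX_HOPS = 5  # visitor -> edge -> origin round trips before we call it a loop


def origin(scheme: str, path: str) -> tuple:
    """The origin only sees the scheme the edge used, not the visitor's."""
    if scheme == "http":
        return 301, {"Location": f"https://example.test{path}"}
    return 200, {}


def edge_fetch(mode: str, path: str, origin_cert_valid: bool = True) -> str:
    """Visitor requests https://example.test<path>; return the chain's outcome."""
    for _ in range(MAX_HOPS):
        if mode == "Flexible":
            # Edge-to-origin hop is plaintext, so the origin applies its redirect.
            status, headers = origin("http", path)
        elif mode == "Full":
            # Encrypted to the origin, but any certificate is accepted.
            status, headers = origin("https", path)
        elif mode == "Full (Strict)":
            if not origin_cert_valid:
                return "rejected: origin certificate not valid"
            status, headers = origin("https", path)
        else:
            raise ValueError(f"unknown mode {mode!r}")
        if status == 200:
            return "200 ok"
        # The edge hands the redirect to the visitor, who follows it over HTTPS
        # and lands on the same edge with the same mode: the loop.
        path = headers["Location"].split("example.test", 1)[1]
    return "redirect loop"
```

"Full" breaks the loop but still accepts any certificate on the edge-to-origin hop, which is why "Full (Strict)" is the setting to end up on.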

There was recently a lot of news about DNS over HTTPS. Some people say it's bad for privacy because it centralizes the DNS requests on Google, Cloudflare and Quad9.

Time to change that and run your own DNS over HTTPS server. I spent some time today writing, documenting and arranging a small container setup that allows you to do this:

octo.sh/container-library/dns-

PuTTY users, it's time to update! There are some important changes and critical security fixes in the latest version, 0.71.

chiark.greenend.org.uk/~sgtath

Twitter and 2FA nonsense…

Just reviewed my 2FA settings on Twitter. I use TOTP and a hardware/U2F token. Looked fine, so I went to remove my phone number in the mobile section (I used SMS 2FA before they supported TOTP). Turns out that by removing your mobile number, 2FA is completely turned off without any notification/warning/… Great, Twitter! 🤦‍♂️

When you try a different hoster, install CentOS and the first thing you notice is that SELinux is not enabled… 🤦‍♂️ 🤦‍♂️ 🤦‍♂️ 🤦‍♂️ 🤦‍♂️ 🤦‍♂️

stopdisablingselinux.com/

Great, so Signal switched from GCM to FCM. This way Google Analytics code is pulled into the binary, due to Google's design.

reports.exodus-privacy.eu.org/

The good news: Signal is aware of that and disabled Google Analytics explicitly:

github.com/signalapp/Signal-An

The bad news is: It's up to Google's code if that really matters or not.

Have you considered buying an e-scooter? You probably shouldn't. Especially not when it's a "smart" one.

It's proven that the Xiaomi M365 doesn't check at all whether the device sending it commands is authorized. (Similar models are sold under different names.) The authentication only happens inside the app for the scooter.

If you own one, put it aside and ask Xiaomi to provide an update.

youtube.com/watch?v=ASygXa8UVY

@.@ Just read the Signal changeset for the URL previews:

Wonderful how they, ehhh, don't document their source code. There are exactly 7 comments in the entire changeset of more than 2600 lines of code, ~2000 of which are added.

I'm not sure that's a good sign…

github.com/signalapp/Signal-An

Sheogorath's Microblog

This instance is the microblog to my blog. You'll probably find more recent content here while finding more elaborated content on the blog.

