Tag security
Reducing Risk of Supply Chain Attacks with Reproducible Builds in Gradle (1 min read).
How to enable Gradle's reproducible builds functionality to allow others to verify your released libraries don't contain uncommitted, malicious code.
I'm a tech guy and I can say with confidence I've lost every private key I've ever held within three years or so. Excited to see this important technology go mainstream with no recourse and tied to real assets. Please share your own stories in the comments!
One of the most significant side-effects of the rise of crypto is we're *finally* giving everyone a public/private key pair. What cypherpunks had tried unsuccessfully to do for yrs w/ ideology is happening w/ crypto incentives. This has *far* reaching consequences, warning long 🧵
brantly.eth (@BrantlyMillegan), Mon, 03 May 2021 17:26 +0000
Pinboard (@Pinboard), Sun, 28 Nov 2021 01:32 GMT
What attackers don't want you to know
Brains93 (@Brains933), Fri, 26 Nov 2021 09:25 GMT
A very interesting read about the physical and virtual security required to protect the keys to the castle.
A very interesting attack - having tested a few editors with colleagues, none of us could've caught it without spotting that there's a slightly wider character in a couple of places!
Why You Should Avoid using Client Secret Authentication for OAuth2 Client Credentials (7 mins read).
Why I recommend against using client secret authentication for OAuth2 and OpenID Connect APIs.
Very interesting read, I can empathise with being the "logs person" 😂
This is (one of many reasons) why Government websites need proper vulnerability disclosure programmes. We (CDDO) are looking at security.txt github.com/alphagov/open-… It's already deployed on some .gov.uk websites.
A reporter at @stltoday discovered a flaw in a state website that risked exposure of teacher Social Security numbers. He notified the state of the problem and it was fixed. Today, @GovParsonMO labeled the reporter a 'hacker' & vowed criminal prosecution. missouriindependent.com/2021/10/14/mis…
Jason Hancock (@J_Hancock), Thu, 14 Oct 2021 15:32 +0000
Terence Eden (@edent), Thu, 14 Oct 2021 17:24 +0000
Nothing was "converted" or "decoded." You literally open a web page, right click, and select "view source code." The SSNs were plainly visible.
This Is Exhausting (@SHockeyfan), Thu, 14 Oct 2021 17:23 +0000
Accessing publicly available information is not hacking. By having the information so easily available, the website did implicitly grant permission to view it.
Ryan King (@rexaliquid), Thu, 14 Oct 2021 17:42 +0000
Oh word? Every time I've accidentally hit F12 I was hacking? I am a master hacker now. Bow before me.
A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code.
Governor Mike Parson (@GovParsonMO), Thu, 14 Oct 2021 17:10 +0000
High King Pilnokula, An Even Meaner Bisexual 🦇 (@Pilnok), Thu, 14 Oct 2021 17:29 +0000
Web developers, if you’d like iCloud Keychain, Google Chrome, or 1Password to take your users directly to your site’s change password page when their password manager encourages them to change their password, you can implement one simple URL redirect. web.dev/change-passwor…
Ricky Mondello (@rmondello), Fri, 08 Oct 2021 15:55 +0000
Tips for Reducing Dependency Upgrade Toil with WhiteSource Renovate (5 mins read).
Some tips I've picked up while working with WhiteSource Renovate to keep my projects up-to-date.
Site: Choose a password
Me: oGUWi4!N^*5!y7MkiZnr
Site: Must be under 13 letters
Me: Pye8z#&9F2Ta
Site: No symbols
Me: TrbqhSVthFoP
Site: No pasting
Me: 123456
Jon Kuperman (@jkup), Sat, 17 Jul 2021 20:22 +0000
A telco injecting ads into 2FA SMSs feels… wrong (see thread)
I just received a two factor authentication SMS from Google that included an ad. Google's own Messages SMS app flagged it as spam. What a shameful money grab.
Chris Lacy (@chrismlacy), Tue, 29 Jun 2021 04:18 +0000
Troy Hunt (@troyhunt), Tue, 29 Jun 2021 20:05 +0000
New emojis in iOS 14.5 means that BILLIONS of security patches will be applied today. Incentives matter.
Ryan Naraine (@ryanaraine), Mon, 26 Apr 2021 15:44 +0000
Yesterday I announced HACKED - Fixing hacked WordPress site Workshop. For details eventbrite.co.uk/e/hacked-fixin… TLDR; Join me on the 22nd & 29th of April for 2 sessions on identifying & fixing hacked WordPress sites. Early bird tickets on sale now.
Tim Nash (@tnash), Wed, 17 Mar 2021 09:33 GMT
Followed a tutorial and put JWTs in localStorage? If the guy behind UNPKG wanted to, he could inject code to JS requests and collect all of your users' JWTs. Same w/ any 3rd party scripts you use. 2B req/mo is a lot of tokens. I put that crap in signed, https, SameSite cookies.
Ryan Florence (@ryanflorence), Fri, 12 Mar 2021 18:02 GMT
Forgotten password reminder, your password is:
Tell us a cybersecurity horror story in 6 words.
Sophos (@Sophos), Wed, 03 Mar 2021 12:00 GMT
Matt Brunt (@Brunty), Sun, 07 Mar 2021 12:22 GMT
If it is this difficult to convince people to put a piece of fabric over their faces to prevent the transmission of disease so they don’t die or kill others… the outlook on getting humans to do all of those abstract, fiddly cybersecurity things required to be safe online is ☠️
Jessy Irwin ✨ (@jessysaurusrex), Fri, 05 Mar 2021 21:09 GMT
Encrypting and Decrypting Text with OpenSSL (2 mins read).
How to use openssl to encrypt text with a shared passphrase.
If an intern has the access and authority to make a mistake so critical that it pwns your org and all of your users, the fault is with leadership and everyone else upstream from that intern. The intern deserves an apology for being put in that position at all, not public shame.
Current and former top executives at SolarWinds are blaming a company intern for a critical lapse in password security that apparently went undiagnosed for years. The password in question, "solarwinds123," was discovered in 2019 on the public internet. cnn.it/3pWdZqx
CNN (@CNN), Fri, 26 Feb 2021 23:35 GMT
Kat Cosgrove (@Dixie3Flatline), Sat, 27 Feb 2021 05:07 GMT