How can one tell if a binary is safe to give sudo permissions for to an...
sudo is sometimes used to give untrusted or "semi-trusted" users the ability to perform certain tasks as root, while not giving them unlimited root access. This is usually done via an entry into...
How to secure backup scripts so I do not have to hardcode passwords?
I have a secure and private aws ec2 environment but I need to do some backups of mongodb, postgresql, so I have a separate ec2 instance for doing backup and occasionally allow 80 and 443 to allow...
Can network traffic between Docker containers be sniffed?
On normal networks, it is a security risk to send plaintext data, since attackers can sniff or even manipulate all traffic. Encryption is required for secure communication. When using Docker...
Is reading from /dev/urandom on macOS Catalina a safe way to produce...
I'm reading a lot about entropy on macOS... I know it doesn't use Yarrow anymore as per this FIPS 140-02 doc a NIST compliant DRBG. I read a lot: https://github.com/briansmith/ring/pull/398 How can I...
File encryption allowing changing password
My app needs to work with encrypted user files on their devices. It should keep the data secret when someone gets hold of the device. For this, I'm thinking about the following schema (which may be...
Port-forwarding to a web server on Raspberry Pi
I've recently created a relatively simple smart Christmas tree which is a Raspberry PI Zero W powered LED strip. In order to control it via IFTTT webhooks, I've started a lightweight flask server on the...
OCSP invalidation of intermediate CA using OCSP_SIGNING
I'm implementing an OCSP server to answer OCSP requests for my custom CA. I already implemented the invalidation of leaf certificates, with the intermediate CA certificate signing the OCSP response,...
Which tool/key manager to manage people's public keys in organization?
I'm not really an expert on different key types but here it goes. My company never really managed keys. We have an SKS server that was set up to manage GPG keys for a couple of users sending encrypted...
Hawk vs. API key authentication
For a HTTP(S) API, which is better (/ which is better under which circumstances)? Hawk authentication (a secret key is used to create a signature which is transmitted with the request: similar to AWS...
Canadian police mentioned a new line-trapping technique, but what is that?
The police in Canada are saying that there is a new technique ("line-trapping") where the scammers told a lady to call the police to confirm some fraudulent details, but when she hung up and called the...
eSIM vs SIM card, what is more secure?
I can read many different attack vectors like swapping and porting but not sure if all those attacks are relevant about eSIM, can you please explain what are a security risk and attack vectors that...
Possible public/private identity recovery after compromise without a central...
I’ve been thinking about P2P systems using asymmetric keys and wondering if there is any way to recover an identity in the event it was compromised using some kind of web-of-trust. This seems to be a...
What gpg defaults can be improved, when performance is not an issue?
gpg has some preset default settings, which I assume were selected as a compromise between speed and security. I understand that these are good enough for most people. But, in a situation where speed /...
My email address is being used to enroll for online services. Should I be...
Just before Christmas I received the following message in one of my GMail accounts: Sign-in attempt was blocked ********@gmail.com [redacted by me] Someone just used your password to try to sign into...
Ring -3 exploits and existence of other rings
Concept of Rings: Rings were introduced in the forerunner of UNIX, Multics, and had 8 rings for reading, writing, executing and calling (I don't quite understand why it needed 8 rings to do this, if...
Why is client-side hashing of a password so uncommon?
There are very few websites that hash the user's password before submitting it to the server. JavaScript doesn't even have support for SHA or other algorithms. But I can think of quite a few advantages,...
Strange HTTP request from binaryedge.ninja
I found the following strange HTTP request apparently emanating from binaryedge.ninja: min-li-ustx-12-13-65991-x-prod.binaryedge.ninja - - [05/Jan/2020:07:18:48 -0500] "GET / HTTP/1.0" 302 212 "-""-"...
Does the "Key Encipherment" key usage make sense when using ECDH P384?
I configured a Windows CA and created a certificate template to issue certificates with ECDH_P384 keys: Then I noticed that it's not possible to set the "Key Encipherment" key usage in the "Extensions"...
Accessing user data by a public 'token' - is it a potential vulnerability?
I joined a small project, I noticed that the project uses something like a token associated with a user journey. So the URL looks something like: https://host.com/sell/:jurneyID. All data entered...
Is Signal still more secure than WhatsApp?
WhatsApp has "recently" deployed end-to-end encryption using the Signal protocol, which is of course also being used by Signal itself. The related white paper (PDF). Now this raises the question: Is...