
tommy

Author of cybsec.network and gopher://secdiary.com | https://secdiary.com.

Micro-messages mirrored at https://secdiary.com/twtxt.txt.

tommy bonked 12 Jul 2020 17:44 +0200
original: vimja@tooting.ch
convoy: tag:tooting.ch,2020-07-10:objectId=9661704:objectType=Conversation

I haven't even shown you the bottom yet! The mnt reform 2 is a pretty device from almost any angle, but the bottom is a truly stunning sight!

tommy honked 12 Jul 2020 14:26 +0200
convoy: data:,electrichonkytonk-Tv5fRrKn133mvW3MXC

One thing that is probably obvious to everyone using OpenBSD (and other open source operating systems), but perhaps not to everyone else, is the difference between Microsoft security advisories and the continuous patch announcements for OpenBSD. Check this out:

https://portal.msrc.microsoft.com/en-us/security-guidance

https://marc.info/?l=openbsd-announce&r=1&b=202006&w=2

In terms of the Microsoft advisories you need to be on every second Tuesday of the month to do a major quantitative batch job, while the OpenBSD advisories are delivered to my mailbox and tagged accordingly in a way that is possible to actually assess. You could use the MSRC API for something similar, but the complexity is just bedazzling - and it has become even worse over the years.

#microsoft #advisories #openbsd #patching #security

tommy bonked 12 Jul 2020 13:48 +0200
original: tejrnz@soc.fglt.nl
convoy: https://soc.fglt.nl/contexts/bb92e62b-2e93-4bbf-9070-c07de7fce651

If you’ve been using NeoMutt, or (worse) if you abandoned Mutt for something like Thunderbird, you may not have realized that Mutt is being much more actively maintained again, by a fellow named Kevin McCarthy. It just had a release for version 1.14.6, fixing a bug that showed up only a few days before. http://mutt.org/

Take a look at some of the features new in v1.14 to get an idea of how far it’s come along: http://mutt.org/relnotes/1.14/

The much-loved sidebar patch, for example, has been merged in for a fair while now—that particular feature is not my cup of tea, hence its absence from this screenshot, but others consider it indispensable.

Come home, li’l doggy!

Screenshot of Mutt v1.14.6.  The release announcement for that same version is being viewed.  It includes a verified PGP signature.

tommy bonked 09 Jul 2020 22:00 +0200
original: zanko@fosstodon.org
convoy: tag:fosstodon.org,2020-07-09:objectId=21092797:objectType=Conversation

Recommend some cool people tooting about #linux #foss #privacy and #technology that I can follow.

Sad to see that some privacy tools like Bitwarden and Standard Notes don't have a Mastodon account.

tommy bonked 09 Jul 2020 21:58 +0200
original: andreas@nitro.horse
convoy: tag:nitro.horse,2020-07-08:objectId=9746849:objectType=Conversation

If you use Windows, Hardentools by Security Without Borders is worth a look. A new version was recently released.

“Hardentools is a simple utility designed to disable a number of "features" exposed by Microsoft Windows, and primary consumer applications.”

Security w/o Borders is “a collective of hackers and security professionals working towards a stronger and more secure civil society.”

- https://securitywithoutborders.org/blog/2020/07/06/hardentools-2-is-out.html
- Source code: https://github.com/securitywithoutborders/hardentools

#Privacy

tommy honked 07 Jul 2020 21:05 +0200
convoy: data:,electrichonkytonk-GpRZsC3XCYJ2514864

@tedu re. honk <> inks I seem to have a certificate issue of some sort when subscribing both to my and your server. The results are something like:

successful post: https://inks.cybsec.network/inbox 200
[...]
error decoding https://inks.cybsec.network#key pubkey: no pem data

Seems like the subscription payload arrives, but is then classified as a "bad payload" by honk, probably due to the certificate issue.

I'm quite out of solutions here, so any tips would be appreciated.

tommy bonked 07 Jul 2020 08:01 +0200
original: th@social.v.st
convoy: tag:v.st,2020-07-06:objectId=283089:objectType=Conversation

So what's going on with Signal's new architecture that retains all user data? It seems like a total reversal of their previous stance and one that dramatically changes their threat model. Their new security properties rely entirely on SGX, which is barely secure against motivated home users, much less nation state adversaries.

Masa presenting on encrypted tools at 34c3 with a slide that says "Don't always use Signal and use tor"