https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016, posted 2016 by peter in development reference security toread
The Problem: You want people to be able to create a unique user account, with a password, which they will use to access your application. How can you safely implement this feature?
Easiest Solution: Use libsodium, which provides a secure password hashing API in most languages. As of version 1.0.8 it uses the scrypt algorithm, but in the next release (1.0.9) it will also offer Argon2, the most recent, carefully-selected algorithm from the Password Hashing Competition. Libsodium offers bindings for most programming languages.
Antivirus programs need to be able to inspect a lot of data and file types from a variety of sources: the Web, email, the local file system, network shares, USB attached storage devices, etc. They also have a large number of components that implement various layers of protection: drivers for intercepting network traffic, plug-ins that integrate with browsers and email clients, graphical user interfaces, antivirus engines with their subsystems that perform signature-based, behavior-based and cloud-based scanning and more.
This is what security researchers call a very large attack surface, meaning there is a lot of potentially vulnerable code that attackers can reach in a variety of ways. Furthermore, when it comes to antivirus products, much of this code runs with the highest possible privilege, something that researchers argue should be avoided as much as possible.
https://theintercept.com/2015/12/28/recently-bought-a-windows-computer-microsoft-probably-has-your-encryption-key/, posted 2015 by peter in crapification microsoft privacy security toread transparency
As Green puts it, “Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.”
eblog.damia.net/2015/12/03/lets-encrypt-automation-on-debian/, posted 2015 by peter in howto linux security
Free SSL certificates for everyone! the https://letsencrypt.org/ initiative backed by Akamai, Cisco, Mozilla and EFF, is going to offer free certificates. On this post I am going to explain how I have automated the process of creation and renewal of certificates, on a Debian server with a lot of virtualhosts with the minimal modification of the apache conf files.
It’s a wretched yet predictable ritual after each new terrorist attack: Certain politicians and government officials waste no time exploiting the tragedy for their own ends. The remarks on Monday by John Brennan, the director of the Central Intelligence Agency, took that to a new and disgraceful low.
Speaking less than three days after coordinated terrorist attacks in Paris killed 129 and injured hundreds more, Mr. Brennan complained about “a lot of hand-wringing over the government’s role in the effort to try to uncover these terrorists.”
https://blog.filippo.io/the-sad-state-of-smtp-encryption/, posted 2015 by peter in email opinion security
This is a quick recap of why I'm sad about SMTP encryption. It explains how TLS certificate verification in SMTP is useless even if you force it.
Wifatch’s code does not ship any payloads used for malicious activities, such as carrying out DDoS attacks, in fact all the hardcoded routines seem to have been implemented in order to harden compromised devices. We’ve been monitoring Wifatch’s peer-to-peer network for a number of months and have yet to observe any malicious actions being carried out through it.
Nobody has ever implemented an OAuth flow for their application and then said, “That was fun. Let’s do it again.”
Don’t believe me? Just go to Twitter and search for “OAuth Sucks”. Or just search “OAuth”. Or best of all just follow the OAuthSucks Twitter account. It’s a sentiment that’s so common, it has it’s own Twitter account. How did I find this account? I tried to register it of course.
But why is OAuth so awful? And does it have to be this way? In this post, we’ll take a look. OAuth (2.0 specifically) has a litany of problems, starting with the fact that the 2.0 spec itself essentially allows anything to be considered “OAuth compliant”.
blog.wercker.com/2015/07/28/Dockerfiles-considered-harmful.html, posted 2015 by peter in deployment docker opinion security
There are some obvious issues with running third-party Dockerfiles. Like most of the Docker ecosystem, Dockerfiles were designed for personal use by an individual with root access. Once you start distributing them, however, you’re essentially giving root to a stranger. This blog post is about why you shouldn’t even be using Dockerfiles for your own projects.