Trusted Types are an emerging DOM API specification that attempts to prevent a whole range of attacks resulting from web browsers being tricked into executing untrusted content, for example XSS.
https://webcookies.org/articles/88/practical-trusted-types-implementation
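An added example (not code from the post or the linked article) of the mechanism described above: a single registered policy is the only place that can mint TrustedHTML, so the innerHTML sink cannot be reached with raw strings. The `app-html` policy name, the `escapeHtml` helper and the Node fallback object are assumptions made for this example.

```javascript
// In a browser this pairs with the response header
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types app-html
// which makes `element.innerHTML = "<string>"` throw unless the value is a
// TrustedHTML object produced by a registered policy.
// The fallback object is an assumption so the file also runs under Node,
// where window.trustedTypes does not exist; it only mimics createPolicy's shape.
const tt = globalThis.trustedTypes || {
  createPolicy(name, rules) {
    return { name, createHTML: (s) => rules.createHTML(String(s)) };
  },
};

// Escape the five characters that let untrusted text break out into markup.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (c) => map[c]);
}

// The only code path allowed to create TrustedHTML: every input passes through
// escapeHtml first, so attacker-controlled text is rendered as text, not markup.
const appPolicy = tt.createPolicy('app-html', {
  createHTML: (untrusted) => `<span class="user">${escapeHtml(untrusted)}</span>`,
});

// Render a user-supplied display name into a container via the policy.
// Returns the serialized markup so callers (and tests) can inspect it.
function renderName(container, name) {
  const trusted = appPolicy.createHTML(name);
  container.innerHTML = trusted; // accepted by the browser: value came from the policy
  return String(trusted);
}

// Constructed sample input, not taken from the post.
const sampleName = '<b>bold</b> & "quoted"';
const fakeContainer = { innerHTML: '' };
renderName(fakeContainer, sampleName);
```

In a real page the unsafe form `container.innerHTML = name` is rejected outright once the header is enforced, which is how the policy turns a whole class of DOM XSS sinks into a compile-time-style error surfaced in the console.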
By the way, the next level after CSP is the Trusted Policy which I have just recently rolled out:
https://webcookies.org/articles/88/practical-trusted-types-implementation
For practical operational security you definitely don't want to rely on HTTP headers because they're just the outer layer. Behind Nginx you can have a whole bunch of other reverse proxies, caches and microservices that can be vulnerable too.
You want to look at operating system package versions for things like Nginx and at all the dependencies of your application stack, such as Python packages in my case.
You're right about CSP and SRI; this is due to how the rules are currently implemented and is on my TODO list.
And regarding ads for my services... yes, the service is available 100% for free and the infrastructure only costs 200 GBP per month, not counting my work, so I'm definitely not going to hide the fact that I'm also available for hire.
I disagree here.
It's a simple service admin maturity metric. Lack of version details doesn't guarantee they're using an up-to-date version, but in 99% of cases exposing a detailed version in the header is equivalent to a big banner saying "hey, come and hack me because I have not touched any server hardening guidelines".
The remaining 1% is reserved for honeypots...
What do you mean by "ads for their own service"?
P.S. I'm the one developing this scanner so happy to accept any criticism!
Some CSP design guidelines here too
https://webcookies.org/articles/11/typical-content-security-policy-mistakes-and-omissions
There's also CSP checker https://webcookies.org/cookies/shivering-isles.com/30386338?531471#csp
If you want to play with a viral infection model yourself, open-source NetLogo has had this for the last decade or so: click Setup and then Go.
I mention this because the Washington Post has just published such a simulation and everyone is like "OMG it's so innovative"...
This 😍
Der Standard covered Nextcloud Talk, Jitsi and Signal as video chat solutions that don't let others listen in!
https://www.derstandard.at/story/2000116203521/videochat-ohne-datenspionage-freie-software-macht-es-moeglich
That looks absolutely... delicious... 🤢 😂
Fairphone and /e/ OS have teamed up to introduce the first privacy-conscious and sustainable smartphone on the market. Listen in as we chat to @gael_duval@twitter.com, the founder of the /e/ foundation: https://frphn.co/ePzbn
Welcome #Fairphone3 to our range of #deGoogled phones!
This is probably the first privacy-conscious and sustainable phone, fair for the planet and your personal data.
Preorder your /e/-Fairphone 3 today!
https://e.foundation/e-fp3
@Fairphone @WeAreFairphone #privacy #smartphone #yourdataisyourdata
Let's bring back this absolutely lovely quote from 2014:
The government believes that, even when privacy violations happen, it is not an “active intrusion” because the analyst reading or listening to an individual’s communication will inevitably forget about it anyway.
The best introduction to #Marxism materialist dialectics https://youtu.be/H6GUl7qia_I?t=182 (English subtitles)
Joe Sandbox executed the malware and presented me with a lovely report showing that it was a dropper for a second stage download from three other compromised websites. Joe Sandbox then automatically sends the classification to VirusTotal which now has a signature to detect this malware, which I got to test when the shitheads sent a similar phishing email with a variation of the Excel file. INFOSEC folks, please take the time to help classify this stuff and help save some poor target. 2/2
Polish expat in the UK. Information security engineer. Caver & cave rescuer (thus the bat). NHS volunteer & blood donor.