Posts: 28 | Comments: 50 | Joined: 4 yr. ago

They/Them

Network Guardian Angel. Infosec.

Antispeciesist.

Anarchist.

Personal Website

You should hide scores on Lemmy. They are bad for you.

  • Can you elaborate on how this is FUD, please?

    Introducing socialist millionaire verification to ease fingerprint verification does not seem a bad idea.

    Using phone numbers as identifiers is a well-known Signal flaw.

    And while CBC is indeed less robust than GCM regarding certain types of attacks, it is true that "up-to-date" CBC implementations have no known vulnerability. Yet, would you claim that TLS 1.3 is FUDing for dropping CBC support as well?

    I am not promoting mesibo, which I never heard about before. I am just trying to understand how this criticism of Signal would be invalid, or FUD.

  • <3

  • Yeah, you should ignore that person and their communities. That person is toxic and entirely clueless, based on their response in that thread (and some others). They are one of those trolls on Lemmy... and the admins seem to tolerate that person for some reasons, even though everybody complains about them.

    I had a good laugh reading your write-up :D

  • Thank you <3

  • Good article. Thank you. You make some excellent points.

    I agree that source access is not sufficient to get a secure software and that the many-eyes argument is often wrong. However, I am convinced that transparency is a requirement for secure software. As a consequence, I disagree with some points and especially that one:

    It is certainly possible to notice a vulnerability in source code. Excluding low-hanging fruit, it’s just not the main way they’re found nowadays.

    In my experience as a developer, the vast majority of vulnerabilities are caught by linters, source code static analysis, source-wise fuzzers and peer reviews. What is caught by blackbox (dynamic, static, and negative) testing, and scanners is the remaining bugs/vulnerabilities that were not caught during the development process. When using a closed source software, you have no idea if the developers did use these tools (software and internal validation) and so yeah: you may get excellent results with the blackbox testing. But that may just be the sign that they did not accomplish their due diligence during the development phase.

    As an ex-pentester, I can assure you that having blackbox security tools return no findings is not a sign that the software is secure at all. Those may fail to spot flawed logic leading to a disaster, for instance.

    And yeah, I agree that static analysis has its limits, and that running the damn code is necessary because UT, integration tests and load tests can only get you so far. That's why big companies also do blue/green deployments etc.

    But I believe this is not an argument for saying that closed-source software may be secure if tested that way. Dynamic analysis is just one tool in the defense-in-depth strategy. It is a required one, but certainly not a sufficient one.

    Again, great article, but I believe that you may not be paranoid enough 😁 Which might be a good thing for you 😆 Working in security is bad for one's mental health 😂

  • Wow, perfect timing. I am currently struggling with efficient disk usage in my application. Thank you!

  • Security @lemmy.ml

    NAT Slipstreaming v2.0

    samy.pl/slipstream/

  • Thank you. I did not know that the state events were not encrypted. That's very unfortunate. I think I still prefer Element/Matrix over Signal, but slightly less than before your message 👍

  • That's a problem. But federation at least helps by giving you the choice of who will see these metadata leaks.

  • I would not use either of them.

    Currently, a better solution, for me, is Element/Matrix, because the crypto is mostly OK and there is federation. And it is quite featureful.

  • Can you provide a link to that "age signature plugin", please?

  • Still bossing people around, I see. "You should not answer" "Your post belongs elsewhere". You never change :) Your intimidation attempts are ineffective on me. You should move on.

    Age plugins are not Age. Minisign is an excellent tool. It is not a replacement for Age.

  • Can you explain how you intend to use minisign as a replacement for age, please? 😂

  • Filippo Valsorda, the author of Age, is a qualified cryptographer and I can vouch for them, being myself an applied cryptographer. And many of my cryptographer friends do as well.

    Age seems good to me BUT. I don't like streaming, and the article that you cite is on point. To me, streaming is unwise precisely because you can have truncation attacks. Or even length extension attacks. One may counter them using counters, but you will need a temporary storage until you know if the input is complete or not. And this defeats streaming.

    Your application might be OK with truncation. That's for you to determine. Which is hard. If you can't decide, then you should stay away from streaming.

    I wrote an article on this myself, a few weeks ago. I use that approach in production to secure some data that may be sent to me anonymously. It was reviewed by some cryptographers in my circles but I do not claim that it is a trusted library.

  • Privacy @lemmy.ml

    Data privacy during pandemics: a systematic literature review of COVID-19 smartphone applications

    peerj.com/articles/cs-826/

  • Does anybody know about a Linux distro that enforces strong firewall rules (that's one of the control points of that Linux distro security assessment) by default? I mean other than Tails, which I expect does it. RFI vulns, such as log4shell, rely on outgoing connections. A Linux distro with a strict firewall by default would have to be purposely poked to let such queries out. Sounds interesting to me.

  • Accept that you are wrong, defending your wrong arguments makes it worse for you, the more you answer the easier it is to humiliate you.

    I take note of your explicit intent of humiliating me.

    I also take note of your condescending tone:

    • we are talking about your intolerance accepting valid criticism

    • Weak argument.

    • to justify your weak and flawed logic.

    • Please stop wrongfully interpret more into it

    Yelling at people, threatening them, humiliating them is not civil conduct, and I hereby ask for a moderation team intervention for violation of rule 2.

  • I posted that link in my company chat, where some do use Mint but most don't (mix of Ubuntu, Manjaro, Fedora). Many were interested, and we have had a healthy discussion about some of the evaluation points, some of which we did find subjective and not very meaningful, and how Mint compared with the other distro evaluation linked at the top of the article.

    Also, you are talking about firewall GUI, but it is not even one of the evaluation points. They just said that there was nothing about a firewall configuration in the configuration wizard.

    Linux Mint does ask the user to enable the firewall in the graphical Welcome Wizard though.

    However the evaluation points were:

    [N] Is the host firewall enabled by default?

    [N] Does the host firewall block all incoming/ingress traffic by default?

    [N] Does the host firewall filter outgoing/egress traffic by default?

    Did you actually read the article? I doubt it. If you did, you would have noticed that the article does mention the methodology, and the results for other distros, with link to them if need be. Someone using yet another distro could be interested in that methodology to improve it or post a review about their favorite distro too. Maybe that is not "Linux enough" for you. In that case, you can move on.

    Thank you.

  • Then close other Communities, and bring this under the same argument. Otherwise we can close them and put everything under here.

    https://en.wikipedia.org/wiki/Faulty_generalization

    When I and others post here in this community we get the same comments… post it under xyz.

    So your excuse for bullying people is that you got bullied too.

    Not sure what my status has to do with anything here

    If a link is not to your liking, you can just skip it, or even downvote it. You don't need to tell people what to do. Except of course if you are a mod and the post is against the rules. Then go ahead and thank you. But no.

    Have a nice day as well

  • Considering the post also mentions a generic evaluation methodology, and provides pointers to similar studies on other distros, the stuff may actually be of interest for some people interested in Linux. Maybe not you. I am ok with that. I actually don't care.

    BTW, when did you get your mod promotion? I don't see it. Ok bye.

  • Second line:

    I performed the same testing on the following distros:

  • Security @lemmy.ml

    systemd service sandboxing and security hardening 101

    www.ctrl.blog/entry/systemd-service-hardening.html

  • Security @lemmy.ml

    Thousands of enterprise servers are running vulnerable BMCs, researchers find

    www.csoonline.com/article/3647209/why-you-should-secure-your-embedded-server-management-interfaces.html

  • Privacy @lemmy.ml

    The end to end encryption debate: 1: the (very) basics of "encryption"

    neilzone.co.uk/2022/01/the-end-to-end-encryption-debate-1-the-very-basics-of-encryption

  • Open Source @lemmy.ml

    It doesn't work

    00f.net/2021/03/26/it-doesnt-work/

  • Security @lemmy.ml

    Secure large file decryption using Linux, Go and Nacl

    www.broken-by-design.fr/posts/large-file-decrypt-en/

  • Linux @lemmy.ml

    Secure large file decryption using Linux, Go and Nacl

    www.broken-by-design.fr/posts/large-file-decrypt-en/