VirtualTam's bookmarks

21. OpenGFW - A flexible, easy-to-use, open source implementation of GFW (Great Firewall of China) on Linux 2024-03-31

    tags: linux, network/firewall, network/ipv4, network/ipv6, network/packet-capture/wireshark, programming/go, reverse-engineering

    [ permalink ]

    • USENIX Security Symposium 2023 - How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic
22. oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise 2024-03-31

    tags: compression/lzma, compression/xz, linux, programming/c, programming/shell/bash, security, security/backdoor

    [ permalink ]

    • XZ Utils backdoor
    • xz/liblzma: Bash-stage Obfuscation Explained
    • /r/Linux - XZ Utils backdoor
    • Debian Bug report logs - #1068024 revert to version that does not contain changes by bad actor
    • FAQ on the xz-utils backdoor
    • LWN - A backdoor in xz
    • Everything I Know About the Xz Backdoor
23. Comprehensive Rust 🦀 - a free Rust course developed by the Android team at Google 2024-03-28

    tags: embedded, google, mobile/android, programming/rust

    [ permalink ]

    • Rust in Android
    • Rust in Chromium
    • Bare Metal Rust
    • Concurrency in Rust
    • google/comprehensive-rust
    • Scaling Rust Adoption Through Training
24. The Family of Safe Golang Libraries is Growing! 2024-03-25

    tags: compression, programming/go, security, text/formatting

    [ permalink ]

    • google/safetext
    • google/safeopen
    • google/safearchive
25. Standard Webhooks - Open source tools and guidelines to send webhooks easily, securely and reliably 2024-02-28

    tags: network/http, programming/json

    [ permalink ]

    • standard-webhooks/standard-webhooks
    • Specification
26. Have I Been Pwned - Pwned Passwords 2024-02-28

    tags: programming/go, programming/python, programming/ruby, programming/rust, security/credentials, security/password

    [ permalink ]

    • HaveIBeenPwned/PwnedPasswordsDownloader
    • API Clients:
      • mattevans/pwned-passwords - Go API Client
      • lionheart/pwnedpasswords - Python API Client
      • philnash/pwned - Ruby API Client
      • wisespace-io/pwned-rs - Rust API Client
27. AWS Access Key Format 2024-02-28

    tags: cloud-computing/aws, programming/go, programming/python, security, security/credentials, security/token

    [ permalink ]

    • AWS Security Credentials Formats
    • A short note on AWS KEY ID
    • Research Uncovers AWS Account Numbers Hidden in Access Keys
    • TruffleHog Now Detects AWS Canaries without setting them off
28. SOC - System and Organization Controls 2024-02-17

    tags: code-review, infrastructure/automation, observability, security, security/audit, security/authentication, security/authorization, single-sign-on, source-code-management/git, source-code-management/github

    [ permalink ]

    • The SOC2 Starting Seven
    • SOC2: The Screenshots Will Continue Until Security Improves
29. Vulnerability Management for Go 2024-01-15

    tags: programming/go, security, static-analysis

    [ permalink ]

    • Go Vulnerability Database (Go Blog)
    • Go Vulnerability Database
    • govulncheck command
30. Sequoia-PGP - OpenPGP Implementation in Rust 2023-11-09

    tags: command-line, cryptography/encryption, cryptography/pgp, cryptography/pgp/gnupg, linux/debian, linux/fedora, programming/rust, security

    [ permalink ]

    • Sequoia PGP: A Sapling Matures: Meet sq 1.0
    • Talk about OpenPGP interop testing at the IETF 110
    • sequoia-pgp/sequoia - APIs for dealing with OpenPGP data
    • sequoia-pgp/sequoia-sq - the Sequoia-PGP command line tool
    • RpmSequoia
31. Rust Safety Dance - Auditing crates for unsafe code which can be safely replaced 2023-10-01

    tags: memory, programming/assembly, programming/rust, security/audit

    [ permalink ]
32. Firezone - WireGuard-based VPN server and firewall 2023-08-30

    tags: network/udp, network/vpn/wireguard, security

    [ permalink ]

    • https://www.firezone.dev/
33. HAProxy - TLS Termination Setup 2023-07-24

    tags: cryptography/encryption, network/http, network/http-server/haproxy, network/reverse-proxy, network/transport-layer-security, security

    [ permalink ]

    • Traffic Routing - Rewrite Requests
    • Client IP Preservation - X-Forwarded-For
    • HAProxy & HTTP Strict Transport Security (HSTS)
    • Secure Cookies Using HAProxy Enterprise
34. Web Security Cheat Sheet | Mozilla Infosec 2023-07-23

    tags: network/http, network/http/cookie, network/transport-layer-security, programming/html, programming/javascript, security, web

    [ permalink ]
35. How to manage CVE security vulnerabilities with Grafana, MergeStat, and OSV-Scanner 2023-06-12

    tags: database, observability/grafana, security

    [ permalink ]

    • google/osv-scanner
    • OSV - A distributed vulnerability database for Open Source
    • mergestat/mergestat
36. passkeys - Hello passkeys! Goodbye passwords. 2023-06-11

    tags: cryptography/public-key-infrastructure, internet/browser/chrome, internet/browser/firefox, mobile/android, mobile/ios, security/authentication

    [ permalink ]

    Passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing-resistant.

    • https://fidoalliance.org/passkeys/
    • Apple Developer - Passkeys Overview
    • Apple Support - About the security of passkeys
    • Google Identity - Passwordless login with passkeys
    • Google Blog - The beginning of the end of the password
    • Google Security Blog - So long passwords, thanks for all the phish
    • Chromium BLog - Introducing passkeys in Chrome
    • Tailscale doesn't want your password
    • Tailscale - Custom OIDC Providers
    • YubiKeys, passkeys and the future of modern authentication
    • A Yubico FAQ about passkeys
    • Why Passkeys Will Be Simpler and More Secure Than Passwords
    • Passkeys: A shattered dream
37. WebAuthn - An API for accessing Public Key Credentials 2023-06-11

    tags: cryptography/public-key-infrastructure, internet/browser, security/authentication

    [ permalink ]

    The Web Authentication API (also known as WebAuthn) is a specification written by the W3C and FIDO, with the participation of Google, Mozilla, Microsoft, Yubico, and others. The API allows servers to register and authenticate users using public key cryptography instead of a password.

    • Guide to Web Authentication
    • Asynchronous Remote Key Generation: An Analysis of Yubico’s Proposal for W3C WebAuthn [PDF]
    • Issue 664630: Web Authentication API for Chrome
    • Bugzilla - [meta] Update WebAuthn JS API to the L1-REC spec
    • keepassxc#1870 - Feature Request: Integration with the Web Authentication API
38. Legacy Rails: Silently Judging You 2023-06-03

    tags: framework/ruby-on-rails, legacy, programming/ruby, security/audit

    [ permalink ]

    How can you judge the quality of a legacy Rails application?

    • bundler-audit
    • rails-erd
39. OpenSSL Cookbook 2023-05-31

    tags: cryptography/certificate, network/http, network/transport-layer-security, openssl

    [ permalink ]

    The definitive guide to using the OpenSSL command line for configuration and testing.

    Topics covered in this book include:

    • key and certificate management,
    • server configuration,
    • a step by step guide to creating a private CA,
    • testing of online services.
40. authentication - What should be the valid characters in usernames? 2023-02-27

    tags: security/authentication, user

    [ permalink ]