There’s a theme going around that you should create secure products, not buy security products. And, as far as it goes, this is…
Well, actually it’s not good.
My initial response was “Why not both?” We need to secure the products we develop. There’s no doubt about that. And we need to mitigate mistakes. How do we do this? Spoiler… security products :-)
In response to this I got a message “If you have secure products, you do not need security products.
One thing I’ve noticed, over the years, is the habit of people blaming technology for the problems rather than taking a look at the processes behind the problem.
A personal example A big example, for me, was when I was part of the Unix enterprise authentication team. The technology worked, and it worked well. It was resilient, reliable, fast. We literally turned off the infrastructure in one datacenter and all the clients correctly failed over to the next nearest one.
Google has been threatening this for a while, but now they’re finally getting around to it; they’re starting to remove Manifest v2 (MV2) from Chromium (and thus Chrome, and likely many browsers based on chromium, which is the majority of the browser space, these days!).
What does this mean? Chrome extensions use a set of APIs to talk to the browser engine. The main version that’s been in use for a number of years is “Manifest v2”.
For some reason this year a lot more 9/​11 denialism has come across my social media feeds. I wonder if it’s because of the upcoming election.
And I just can’t…
I’d had enough a decade ago and wrote something then; I’m repurposing it here.
I was working on Wall Street the day it happened, just half a mile away. I’d only moved to the US 2 months earlier.
I spoke to people who were at WTC as it happened.
I’d previously written about the Yubikey 5 and how we could use it to solve various use cases and when to trust it. Personally, I think it’s a great device for corporate authentication solutions.
But…
This week, Yubico released an advisory that stated that ECDSA private keys could be stolen from a Yubikey 5 that’s running firmware older than 5.7.0 (or 2.4.0 for the YubiHSM). This is due to a flaw in the cryptographic libraries written by Infineon and discovered by NinjaLab.
I was asked about today’s Crowdstrike issues on Windows.
Naturally I have some thoughts…
What went wrong? What I know. Crowdstrike is an EDR (Endpoint Detection and Response) tool. (Well, they claim “XDR”, but that’s marketing). It has an agent component and a set of rule sets (called “channel file”). The agent has both user space and kernel space components to better give visibility into what is happening on the machine, and to be able to block bad things.
WARNING: technical content ahead! There’s also a tonne of config files, which make this page look longer than it really is, but hopefully they’ll help other people who want to do similar work.
Back in 2017 I described how to build a home router based on CentOS 7.
C7 is now out of date, so I figured it was time to rebuild it, this time using Rocky Linux 9.
This isn’t my normal tech-ish posting; this is a more personal view at how Corporate America and tech startups and the like are abusing their workforce. I don’t mean the sort of abuse seen in the service industry (below minimum wages needing to be supplemented with tips; excessive overtime; all that stuff). I’m talking about white collar tech jobs. The sort of jobs I did; likely the sort of jobs you’re doing (if you’re reading this blog); office workers…
When it comes to talking about API Security there are many facets and paths the conversation can take.
We might want to talk about from an AppDev security perspective; after all, an API is just code, so your SAST/DAST type processes apply.
We might want to talk about it in terms of authentication; after all, you need credentials to access an API and there’s many different ways this can be done (Basic Auth, mutual TLS, Oauth, HMAC…); this would also include when anonymous APIs are OK!
We all know what imposter syndrome is. We may all have suffered from it at some point. I know I did.
We may even know, rationally, that this isn’t a sensible thing. One good representation of this was from David Whittaker
Yet despite this whenever I started a new job I was always worried that I wasn’t the right person for it; that I’d fail to deliver.