Yulia Startsev from Mozilla’s SpiderMonkey team joins Jerod & Feross to talk compilers, going back to get your Master’s, making decisions as a group, process of shepherding a feature through TC39, how Firefox actually works, and LavaMoats. Yes, LavaMoats.
This episode was recorded live from GopherCon Europe 2021!
Natalie & Mat host three amazing devs who gave talks that showcase using Go in unusual ways: Dr. Joakim Kennedy is tracking Go in malware, Mathilde Raynal is building quantum-resistant cryptography algorithms, and Preslav Rachev is creating digital art.
We hear from our speakers how they got into Go, how they made the choice to use Go for their unusual use case, and how it compares to other languages for their specific needs.
We also chat about conference talks, submissions and public speaking - how to start, good practices, and tips they collected along the way.
We first talked fuzzing with Katie Hockman back in August of 2020. Fast-forward 10 months and native fuzzing in Go is ready for beta testing! Here’s Katie explaining fuzzing, for the uninitiated:
Fuzzing is a type of automated testing which continuously manipulates inputs to a program to find issues such as panics or bugs. These semi-random data mutations can discover new code coverage that existing unit tests may miss, and uncover edge case bugs which would otherwise go unnoticed. Since fuzzing can reach these edge cases, fuzz testing is particularly valuable for finding security exploits and vulnerabilities.
It looks like the feature won’t be landing in Go 1.17, but they’re planning on it sometime after that. Either way, you can use fuzzing today on its development branch.
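As an added illustration of the mechanism Katie describes (not code from the Go project or from the episode), here is a small parser for a hypothetical `bytes=lo-hi` range value together with the kind of fuzz target native Go fuzzing runs against it: the seed corpus goes in via `f.Add`, and the body of `f.Fuzz` checks invariants rather than exact outputs, so the mutated inputs that matter are the ones that make the parser accept something it should have rejected or crash. `ParseByteRange` and `FuzzParseByteRange` are names invented for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"testing"
)

// ParseByteRange parses a simplified "bytes=lo-hi" value into its two bounds.
// It is a hypothetical target function written for this example, with the
// input validation a parser exposed to untrusted input should have.
func ParseByteRange(s string) (lo, hi int, err error) {
	const prefix = "bytes="
	if !strings.HasPrefix(s, prefix) {
		return 0, 0, errors.New("missing bytes= prefix")
	}
	parts := strings.SplitN(strings.TrimPrefix(s, prefix), "-", 2)
	if len(parts) != 2 {
		return 0, 0, errors.New("expected lo-hi")
	}
	if lo, err = strconv.Atoi(parts[0]); err != nil {
		return 0, 0, fmt.Errorf("bad lower bound: %w", err)
	}
	if hi, err = strconv.Atoi(parts[1]); err != nil {
		return 0, 0, fmt.Errorf("bad upper bound: %w", err)
	}
	// Reject negative or inverted ranges; an unchecked "5--3" would otherwise
	// yield lo=5, hi=-3 and a negative length downstream.
	if lo < 0 || hi < lo {
		return 0, 0, errors.New("invalid bounds")
	}
	return lo, hi, nil
}

// FuzzParseByteRange is the fuzz target. In a real project it lives in a
// _test.go file and runs with: go test -fuzz=FuzzParseByteRange
// The engine mutates the seed strings and reports any input that panics or
// violates one of the invariants checked below.
func FuzzParseByteRange(f *testing.F) {
	// Constructed seed corpus: valid, degenerate and malformed inputs.
	for _, seed := range []string{"bytes=0-99", "bytes=10-10", "bytes=-", "bytes=a-b", ""} {
		f.Add(seed)
	}
	f.Fuzz(func(t *testing.T, in string) {
		lo, hi, err := ParseByteRange(in)
		if err != nil {
			return // rejected input is fine; we only care about accepted input
		}
		// Invariant 1: anything accepted has sane bounds.
		if lo < 0 || hi < lo {
			t.Fatalf("accepted %q with bounds %d-%d", in, lo, hi)
		}
		// Invariant 2: re-serialising an accepted range parses back identically.
		lo2, hi2, err := ParseByteRange(fmt.Sprintf("bytes=%d-%d", lo, hi))
		if err != nil || lo2 != lo || hi2 != hi {
			t.Fatalf("round trip failed for %q: %d-%d vs %d-%d (%v)", in, lo, hi, lo2, hi2, err)
		}
	})
}

func main() {
	// Stand-alone run over the constructed seeds so the behaviour is visible
	// without the fuzzing engine.
	for _, in := range []string{"bytes=0-99", "bytes=5--3", "bytes=a-b", "0-99"} {
		lo, hi, err := ParseByteRange(in)
		fmt.Printf("%-12q -> lo=%d hi=%d err=%v\n", in, lo, hi, err)
	}
}
```

The point of checking invariants instead of expected values is that the fuzzer will feed inputs nobody wrote a unit test for; a property such as "accepted ranges are never inverted" still says something meaningful about every one of them.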
Open Source Insights is an experimental service developed and hosted by Google to help developers better understand the structure, construction, and security of open source software packages. The service examines each package, constructs a full, detailed graph of its dependencies and their properties, and makes the results available to anyone who could benefit from them. The goal is to provide developers with a picture of how their software is put together, how that changes as dependencies change, and what the consequences might be.
It currently indexes GitHub, npm, and pkg.go.dev. Plus they recently added a dedicated security advisory page. As an example, check out left-pad’s page, which shows 441 direct dependents and 15315 indirect dependents.
Docker images can leak runtime secrets, build secrets, and even just some secret files you have lying around. Learn how to leak them, and (probably more usefully) how to avoid leaks.
In this episode, we will talk about building for Blockchain in Go. We are joined by two of the co-founders of Prysmatic Labs (a company behind the upgrades to the Ethereum network). Raul Jordan and Preston Van Loon tell Angelica how they started the company, as well as what it’s like to build technical infrastructure for the Ethereum blockchain using Go.
WireGuard Easy uses Docker to set up WireGuard VPN along with a web UI for easy management. While this may be the easiest way to get up and running, I’d still advise checking out Algo VPN as well since it’s also pretty easy and has been designed/configured with maximum security in mind. Still, this looks cool and the web admin UI makes it quite approachable as well.
Thibault Meunier writing on Cloudflare’s blog:
Based on our data, it takes a user on average 32 seconds to complete a CAPTCHA challenge. There are 4.6 billion global Internet users. We assume a typical Internet user sees approximately one CAPTCHA every 10 days.
This very simple back of the envelope math equates to somewhere in the order of 500 human years wasted every single day — just for us to prove our humanity.
They aren’t just doing napkin math, they’re also trying to fix things:
We want to get rid of CAPTCHAs completely. The idea is rather simple: a real human should be able to touch or look at their device to prove they are human, without revealing their identity. We want you to be able to prove that you are human without revealing which human you are! You may ask if this is even possible? And the answer is: Yes!
I held off on having a CAPTCHA on our site for as long as I could, but the spammers are relentless (did you know they’ll even click on email confirmations now?!) so I finally gave in.
I’d do darn near anything to be rid of ‘em again (any ideas?), but it seems the alternative that Cloudflare is pursuing requires hardware security keys. Interesting stuff, and definitely worth a read, but it’s all experimental for now and I don’t know if/when we’ll be able to put it in practice.
David Cassel, on The New Stack:
Widely-respected security expert Dan Kaminsky passed away on April 23 from diabetic ketoacidosis at the age of 42. His considerable legacy went beyond expertise with a rare and memorable kindness.
I met Dan very briefly at ShmooCon back in 2004. His kindness was memorable, for sure, but the thing I remember most was just how larger-than-life he was to me at the time. The guy contributed so much to the infosec community and yet remained humble and kind despite it all. It was striking.
By the age of 22, he was giving talks at Black Hat himself, as well as at other tech conferences around the world. Kaminsky told the site he was thrilled to be interacting “with the smartest people I’d ever met in my life.”
Oddly enough, that’s how I felt when I interacted with Dan. It’s a tragedy that he died so young.
A solid primer on using openssl to encrypt all the things, which in this day and age is a skill that should be taught in secondary school right alongside how to bake a cake and change a tire.
We have to stop insisting that software updates, etc. need to be distributed over HTTPS. Let me tell you why this is not an ideal way of going about it.
Anyone on the inside know why they didn’t shift to GitHub years ago?
We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account).
While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical.
The memo points to the two malicious commits.
This week we’re talking about big security breaches with Neil Daswani, renowned security expert, best-selling author, and Co-Director of Stanford University’s Advanced CyberSecurity Program. His book, Big Breaches: Cybersecurity Lessons for Everyone helped to guide this conversation. We cover the six common key causes (aka vectors) that lead to breaches, which of these causes are exploited most often, recent breaches such as the Equifax breach (2017), the Capital One breach (2019), and the more recent Solarwinds breach (2020).
A pre-installed and pre-configured set of tools for folks interested in reverse engineering and/or malware analysis on Windows systems.
Obviously, you can download such tools from their own website and install them by yourself in a new VM. But if you download retoolkit, it can probably save you some time. Additionally, the tools come pre-configured so you’ll find things like x64dbg with a few plugins, command-line tools working from any directory, etc. You may like it if you’re setting up a new analysis VM.
Note they say “a new analysis VM”. Do NOT install this on anything but a virtual machine.
The main purpose of security.txt is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues.
It’s currently an Internet draft that has been submitted for RFC review, which means they’re taking contributions from the public. Seems like a good idea to me.
If you’ve ever been alarmed by how many security vulnerabilities your Docker image has, even after you’ve installed security updates, here’s what’s going on—your image may actually be fine!
Dan Lorenc, from Google’s Infrastructure Security Team:
Software written in unsafe languages often contains hard-to-catch bugs that can result in severe security vulnerabilities, and we take these issues seriously at Google. That’s why we’re expanding our collaboration with the Internet Security Research Group to support the reimplementation of critical open-source software in memory-safe languages.
Notice he said “expanding our collaboration”, which must mean they’ve been doing this for a bit, but I wasn’t aware of the effort? An uplifting trend, regardless. Work is well underway:
The new Rust-based HTTP and TLS backends for curl and now this new TLS library for Apache httpd are an important starting point in this overall effort. These codebases sit at the gateway to the internet and their security is critical in the protection of data for millions of users worldwide.
monsoon is a so-called command-line HTTP enumerator: A tool that iterates over a list of values, for example a word list or a range of integers, and sends one HTTP request per item towards a given server.
The team behind monsoon enumerated some common examples in their introductory blog post.
Terence Eden on 2FA:
Use 2FA to prevent attackers masquerading as you. And use a password manager to prevent fake sites masquerading as real sites.
Container security is an often overlooked topic, as people assume that containers are secure by default, which is not true. One of the ways to secure container workloads in Docker and Kubernetes is to leverage seccomp profiles, and this advanced feature of container runtimes is explained and shown in this article.
Penetration testing is when you (or someone you authorize) run a security assessment of a computer system by trying to break into it.
In this repo, Carlos Polop (who is a pentester and cyber security researcher) shares his methodology for pentesting. This is just one piece of a larger collection of Carlos’ HackTricks book.
electron-native-notify - because hey, that’s a malicious package!
Mundane is backed by BoringSSL (Google’s fork of OpenSSL that is used in Chrome, Android, et al) and is built to be “difficult to misuse, ergonomic, and performant (in that order)”.
Not all developers understand what the risks of command injection in Node.js applications are, and I see it more often when I triage security vulnerabilities. In this article I’m featuring a practical walk-through of an actual CVE for a Node.js module which has a command injection vulnerability.
sops is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault and PGP.