Security

InfoSec, DevSec, Penetration Testing, etc.

Go Time #183

Using Go in unusual ways

This episode was recorded live from GopherCon Europe 2021!

Natalie & Mat host three amazing devs who gave talks that showcase using Go in unusual ways: Dr. Joakim Kennedy is tracking Go in malware, Mathilde Raynal is building quantum-resistant cryptography algorithms, and Preslav Rachev is creating digital art.

We hear from our speakers how they got into Go, how they made the choice to use Go for their unusual use case, and how it compares to other languages for their specific needs.

We also chat about conference talks, submissions and public speaking - how to start, good practices, and tips they collected along the way.

Katie Hockman blog.golang.org

Go's fuzzing effort now in beta

We first talked fuzzing with Katie Hockman back in August of 2020. Fast-forward 10 months and native fuzzing in Go is ready for beta testing! Here’s Katie explaining fuzzing, for the uninitiated:

Fuzzing is a type of automated testing which continuously manipulates inputs to a program to find issues such as panics or bugs. These semi-random data mutations can discover new code coverage that existing unit tests may miss, and uncover edge case bugs which would otherwise go unnoticed. Since fuzzing can reach these edge cases, fuzz testing is particularly valuable for finding security exploits and vulnerabilities.

It looks like the feature won’t be landing in Go 1.17, but they’re planning on it sometime after that. Either way, you can use fuzzing today on its development branch.

Google deps.dev

Google's experimental Open Source Insights project

Open Source Insights is an experimental service developed and hosted by Google to help developers better understand the structure, construction, and security of open source software packages. The service examines each package, constructs a full, detailed graph of its dependencies and their properties, and makes the results available to anyone who could benefit from them. The goal is to provide developers with a picture of how their software is put together, how that changes as dependencies change, and what the consequences might be.

It currently indexes GitHub, npm, and pkg.go.dev. Plus they recently added a dedicated security advisory page. As an example, check out left-pad’s page, which shows 441 direct dependents and 15315 indirect dependents.

Docker github.com

The easiest way to install & manage WireGuard on any Linux host

WireGuard Easy uses Docker to set up a WireGuard VPN along with a web UI for easy management. While this may be the easiest way to get up and running, I’d still advise checking out Algo VPN as well, since it’s also pretty easy and has been designed/configured with maximum security in mind. Still, this looks cool and the web admin UI makes it quite approachable as well.


Cloudflare

Humanity wastes about 500 years per day on CAPTCHAs. It’s time to end this madness

Thibault Meunier writing on Cloudflare’s blog:

Based on our data, it takes a user on average 32 seconds to complete a CAPTCHA challenge. There are 4.6 billion global Internet users. We assume a typical Internet user sees approximately one CAPTCHA every 10 days.

This very simple back-of-the-envelope math equates to somewhere in the order of 500 human years wasted every single day — just for us to prove our humanity.

They aren’t just doing napkin math, they’re also trying to fix things:

We want to get rid of CAPTCHAs completely. The idea is rather simple: a real human should be able to touch or look at their device to prove they are human, without revealing their identity. We want you to be able to prove that you are human without revealing which human you are! You may ask if this is even possible? And the answer is: Yes!

I held off on having a CAPTCHA on our site for as long as I could, but the spammers are relentless (did you know they’ll even click on email confirmations now?!) so I finally gave in.

I’d do darn near anything to be rid of ‘em again (any ideas?), but it seems the alternative that Cloudflare is pursuing requires hardware security keys. Interesting stuff, and definitely worth a read, but it’s all experimental for now and I don’t know if/when we’ll be able to put it in practice.

The New Stack

Remembering Dan Kaminsky

David Cassel, on The New Stack:

Widely-respected security expert Dan Kaminsky passed away on April 23 from diabetic ketoacidosis at the age of 42. His considerable legacy went beyond expertise with a rare and memorable kindness.

I met Dan very briefly at ShmooCon back in 2004. His kindness was memorable, for sure, but the thing I remember most was just how larger-than-life he was to me at the time. The guy contributed so much to the infosec community and yet remained humble and kind despite it all. It was striking.

By the age of 22, he was giving talks at Black Hat himself, as well as at other tech conferences around the world. Kaminsky told the site he was thrilled to be interacting “with the smartest people I’d ever met in my life.”

Oddly enough, that’s how I felt when I interacted with Dan. It’s a tragedy that he died so young.


Nikita Popov news-web.php.net

PHP's git server was compromised (👋 GitHub)

Anyone on the inside know why they didn’t shift to GitHub years ago?

We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account).

While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical.

The memo points to the two malicious commits.

The Changelog The Changelog #432

Big breaches (and how to avoid them)

This week we’re talking about big security breaches with Neil Daswani, renowned security expert, best-selling author, and Co-Director of Stanford University’s Advanced CyberSecurity Program. His book, Big Breaches: Cybersecurity Lessons for Everyone, helped to guide this conversation. We cover the six common key causes (aka vectors) that lead to breaches, which of these causes are exploited most often, and recent breaches such as the Equifax breach (2017), the Capital One breach (2019), and the more recent SolarWinds breach (2020).

Tooling github.com

The reverse engineer's toolkit

A pre-installed and pre-configured set of tools for folks interested in reverse engineering and/or malware analysis on Windows systems.

Obviously, you can download such tools from their own website and install them by yourself in a new VM. But if you download retoolkit, it can probably save you some time. Additionally, the tools come pre-configured so you’ll find things like x64dbg with a few plugins, command-line tools working from any directory, etc. You may like it if you’re setting up a new analysis VM.

Note they say “a new analysis VM”. Do NOT install this on anything but a virtual machine.

Security securitytxt.org

security.txt – a proposed standard for defining security policies

The main purpose of security.txt is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues.

It’s currently an Internet draft that has been submitted for RFC review, which means they’re taking contributions from the public. Seems like a good idea to me.


Google

Google is funding rewrites of critical OSS projects in memory-safe languages

Dan Lorenc, from Google’s Infrastructure Security Team:

Software written in unsafe languages often contains hard-to-catch bugs that can result in severe security vulnerabilities, and we take these issues seriously at Google. That’s why we’re expanding our collaboration with the Internet Security Research Group to support the reimplementation of critical open-source software in memory-safe languages.

Notice he said “expanding our collaboration”, which must mean they’ve been doing this for a bit, but I wasn’t aware of the effort? An uplifting trend, regardless. Work is well underway:

The new Rust-based HTTP and TLS backends for curl and now this new TLS library for Apache httpd are an important starting point in this overall effort. These codebases sit at the gateway to the internet and their security is critical in the protection of data for millions of users worldwide.
