Katakri, SecDevOps, Bugs, TruthSocial, CallAuth, Element
Carefully read and studied latest version of security guidelines Katakri 2020 - Information Security Audit-tool for public authorities - National Security Authority (NSA). Topics covered: Administrative Security, Physical Security, Technical Security. 116 pages, nothing new. But the latest version got much nicer layout compared to the older versions. kw: DevSecOps
Lots of reading and thinking about SecDevOps and software development security (@ Wikipedia) and of course the default secure by design (@ Wikipedia) and of course official documentation like Secure Sofware Development Framework (SSDF) from NIST SSDF v1.1 draft (SP) 800-218 (@ csrc.nist.gov), also read and tought about UC Secure Software Development Standard.
Very nice publication about Bugs in our Pockets: The Risks of Client-Side Scanning (@ arxiv.org) - What are the risks of client side spying, circumventing end-to-end encryption (e2ee) and thus creating a content backdoor.
Just wondering if anyone has ever had the thought about storing information what bottles people are returning to store. As example in Finland, Lidl accepts all bottles. If their return system would record information what's being recorded and link it to the customer information, they would get a good profile what people are buying from Lidl and which products people are buying from other stores than Lidl. That could be used for optimization and targeting purposes. I haven't heard anyone yet doing that, but technically why not?
TruthSocial using Mastodon covertly under covers, without mentioning it was hilarious. It just means that the truth starts with lies. What a really great launch, isn't it?
Some work with... Administrative Security and Risk Management, Business Continuity Plan, Information System Security, Secure Software Development, Personnel Security and Procedures, Premises Physical Security and related security audits. Basic stuff...
Many people seem to miss that sometimes phone calls need to be authenticated as well. TOTP works great with shared secret to authenticating phone call session. Caller provides 3 digits, and then answerer provides next 3 digits. Then you'll wait for the next code and repeat it. Now it's pretty much guaranteed that both of you know the shared secret the authentication was based on. Depending on reliability level needed, there could be more digits, or the process can be done more times. For very basic auth even the first batch would be enough.
Currently based on our monitoring and IP reputation database, 443 ASNs are banned due to bad reputation, constant network abuse and zero legitimate users. List is automatically managed. It's clear that some providers accept abuse or react it to slowly to allow using their systems for persistent abuse. Full list was Tweeted at the time, but because it's old when this comes out, there's no point to post it here. Nothing new in the list I would say. Pretty much assumed outcome.
It seems that the NXP NFC TagWriter application in Google Play Store is lacking support for WiFi WPA3 (WLAN) encryption protocol. It would be really nice to have support. Yet many QR Code generators also lack this vital option.
Staying secure while working online Secure Digital Life (@ dvv.fi, in Finnish). Education and courses, yet naturally nothing new.
Emergency preparedness. One person said, that why anyone should prepare for issues like tap water delivery failures, because you can buy water from grocery store. - Yeah, nice thinking. And if there's a power failure, then just go to store and buy adequate aggregate, and next stop gas station. Right?
Still often wondering what the Element team has been thinking when they've created the login session verification, the user experience is absolutely horrible. Every login is prompted twice, even if only once is required and if the secondary verification is ignored then the application keeps warning about it and so on. They've had months to fix this bleeping feature and it's still very much broken.