WildDuck, CRAM, TOTP, IIS, ZeroSSL, YAP!, WPA3, XDR, RDR, Matrix
During email discussion found out a service called wildduck.email (@ wildduck.email). This is something I really love. Great features yet simple. I love it as hacker. As well as they've implemented email addresses correctly. One of the things, I've complained about so so many services. So many email providers don't even know what a valid email address is. Duh!
Designed and implemented a light weight challenge response authentication mechanism / system (CRAM) (@ wikipedia), but can't reveal more details unfortunately. Never ending discussion, if authentication is required, should it actually be used or is it beneficial at all. Now when it's necessary it can be used.
Secure Android communication apps leak. In some situations the smart AI keyboards work as side channel, leaking everything you'll type. Also the clipboard can often leak data, which could get stored into cloud. - As expected "stock phones" aren't great way to achieve secure communication.
Had so much fun, one guy wanted to certificate IIS server. ZeroSSL doesn't provide PFX container. And ... I said the process will take three minutes max. But installing .crt + .key files to IIS on Windows takes forever. Actually I circumvented that using Linux server in between, wrapping the .cer files into .pfx using OpenSSL.
Reported a bug in one YAP! OpenPGP (@ play.google.com) encryption tool for Android to the developer... It took a while, he couldn't repeat the issue. Then I dropped a long long debug email with all the technical details, and then ... A day later, I've got email saying that the issues located and fixed. - Updated from Play Store and now it's working perfectly - Awesome!
Daily system integration fun. Large team wondering why it isn't working out for two weeks. After getting into the real detailed analysis, it all turns out to be ridiculously legendary basic case: snake_case vs CamelCase - case. Everyone was tense and stressed about the situation, and I almost lolled.
Couldn't get Crypt:LE to work with ZeroSSL.com due to external authentication binding (EAB) option missing? Is there a way to pass required information using options or something like that? - Thank you! ref: domainknowledge, do-know.com
While discussing with friends and following generic security tweets about IME related issues... I started to wonder... Is there's a PGP crypt application app tool, which would store data into QRcode or video. Which then could be passed as visual recording. Of course it introduces other potential side channels like reflections shadows, if not immediately decoded. But why? Well, it's obvious that the mobile devices aren't secure. The encryption keys and plaintext can't be handled properly and securely by most of devices today. Doing this, passing the data in QRcode (with or without decoding) depending on situation, would still allow keeping the encryption keys and plaintext completely off-line. - Basically this is exactly what's being done currently with computers, but the isolation layer is just different from what ... is being used currently. - Figured out that there's often way too much data to be embedded in single QRcode with acceptable resolution / scale. But it can be turned into a video / gif, and then it works. - Perfect! - Yet the best defense is just to have nothing to hide at all.
Updated all of my WLAN / WiFi devices to use WPA3 (@ Wikipedia).
Friday hacking fun. Adding a remote home IoT alarm, which wakes me up, if something important is happening and I'm sleeping. It works even if phone would be silent / powered off.
More hot acronyms? Ok. Here u have: XDR (cross-layered detection and response) and RDR (rapid detection and response).
DNSpooq (@ jsof-tech.com) - Yep, pretty basic. So many systems can be abused in several ways, if there's just a will to do it. But it was interesting to see how widely dnsmasq is being used.
Played a bit with Matrix to discord, Telegram, Irc and Discord bridges. All seemed to work well. Good to remember if there's a need for communication groups with diverse users.
Still wishing that the Matrix / Element would have Backward Secrecy feature for encrypted chats, including expiring messages and expiring encryption keys.
Really nice post about Matrix metadata leaks (was @ serpentsec.1337.cx). Yes, it's a a good list what leaks and why. Of course there are protocols which minimize metadata leak and even hide communication patterns / activity / timing information.
Something not so different? Biclique Attack, not metioned yet, so here it is. Sure it helps but doesn't make that radical difference after all. Covert Communication (covcom). - The High Energy Liquid Laser Area Defense System (HELLADS) -. XLUUV / Orca / AUV. (all links @ Wikipedia)