Tag Archives: security

June 5, 2015

Passpie

Passpie lets you manage login credentials from the terminal with a colorful/configurable CLI interface. Password files are saved as YAML text files with passwords as GnuPG-encrypted strings. Use your master passphrase to decrypt login credentials, copy passwords to the clipboard and more…

Nice if you’re like me and don’t want or need a graphical interface for this kind of stuff.

May 15, 2015

The Trojan Emoji

Andrew Nacin, lead developer of WordPress, just finished a talk at Loopconf, where he described a series of related WordPress security fixes that spanned two years, with the final fix landing in WordPress core under the guise of Emoji support.

The code has been in trunk since January, months before the release of 4.2. But it was there under the guise of Emoji support, as “noone had any idea what it did because it was 1,000 lines of the database abstraction layer to just remove invalid characters.”

Because both the vulnerability and the corresponding fix were so opaque, the team was able to spend a very long time working on the issue, all without exposing the vulnerability to the general public before the fix shipped.

Beautiful. (via ma.tt)

October 30, 2014

osquery

With osquery, you can use SQL to query low-level operating system information. Under the hood, instead of querying static tables, these queries dynamically execute high-performance native code. The results of the SQL query are transparently returned to you quickly and easily.

A really neat concept for monitoring and security auditing.
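The kind of query that makes this useful for auditing, as an added example that is not from the page or from the osquery project itself: join the processes that are currently accepting connections against the process and account tables, and surface the ones a practitioner would want to look at first. It assumes osquery's standard `listening_ports`, `processes` and `users` tables with the columns named below; the path patterns are a constructed, illustrative allowlist rather than anything the page or osquery prescribes.

```sql
-- Added example (not from the page or osquery): flag listening processes whose
-- binary lives somewhere unusual, has been removed from disk, or runs under a
-- uid that no longer maps to an account. Assumes osquery's standard tables.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  u.username,
  lp.address,
  lp.port,
  lp.protocol,        -- 6 = TCP, 17 = UDP
  p.on_disk           -- 1 = binary present, 0 = deleted after launch
FROM listening_ports AS lp
JOIN processes AS p ON lp.pid = p.pid
LEFT JOIN users AS u ON p.uid = u.uid
WHERE
      p.on_disk = 0                 -- executable unlinked after start
   OR p.path LIKE '/tmp/%'          -- illustrative "suspicious location" patterns
   OR p.path LIKE '/var/tmp/%'
   OR p.path LIKE '/dev/shm/%'
   OR u.username IS NULL            -- uid with no matching local account
ORDER BY p.pid;
```

Run it interactively in `osqueryi` to get a one-off snapshot, or put it in the `osqueryd` schedule with an interval so that only the rows that appear or disappear between runs are logged, which is what turns a query like this into continuous monitoring rather than a manual audit step.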

June 12, 2012

Security flaw in MySQL, MariaDB allows access with any password–just keep submitting it

A great writeup on the severe security flaw found (and subsequently patched) in MySQL and MariaDB. Given a valid username, a vulnerable server could be accessed simply by submitting a wrong password enough times.

Because of the random key strings used, Golubchik said the probability of exploiting the flaw on any given attempt “is about 1/256”; with enough attempts, even using the same password over and over again, an attacker could gain access just by knowing a valid account name (such as “root”). Given that it takes less than a second to submit hundreds of login attempts, the hole essentially renders password protection worthless.

July 22, 2011

May 19, 2010

ReclaimPrivacy.org

That a tool such as this not only exists but is useful to boot should be a source of concern for Facebook.