A bit over a month ago, I came down with a nasty cold and things have been slipping since then. It’s taken me quite some time to recover. This site, a number of personal projects and just about everything else has been neglected. Today is the first day in weeks I’ve been up to doing anything after work. I’ve finally started catching up on all I’ve missed.
Hopefully there will be more signs of life here in the coming days, as I dig out of the pile of thousands of unread items in my RSS reader. Once I dig through that pile, there are a couple of articles I’ve planned that I believe will be of interest.
During a recent discussion about the DarkMatter CA on a Mozilla mailing list, it was found that their 64-bit serial numbers weren’t actually 64 bits, and it opened a can of worms. It turns out that the serial numbers effectively contained only 63 random bits, which violates the CA/B Forum Baseline Requirements: a serial number must contain at least 64 bits of output from a cryptographically secure pseudorandom number generator (CSPRNG). As a result of this finding, 2,000,000 certificates or more may need to be replaced by Google, Apple, GoDaddy and various others.
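How a 64-bit draw quietly becomes 63 bits, and what a compliant generator looks like, as an added example in Ruby. This is not code from the original post or from any CA’s software. It assumes the usual cause of the shortfall, forcing the top bit to zero so the DER INTEGER stays positive, which the post itself does not spell out; the empirical check at the end only shows whether bit 64 is ever set, it does not prove the generator is a CSPRNG.

```ruby
require 'securerandom'
require 'openssl'

# Flawed generator (assumed cause of the 63-bit result): draw 64 random bits,
# then force the top bit to zero so the serial encodes as a positive INTEGER.
# Only 63 bits remain random, one short of the Baseline Requirements.
def flawed_serial
  raw = SecureRandom.random_bytes(8)
  raw.setbyte(0, raw.getbyte(0) & 0x7f) # sign bit cleared: entropy drops to 63 bits
  raw.unpack1('Q>')
end

# Compliant generator: keep all 64 random bits and let DER handle the sign by
# prefixing a zero octet when the top bit is set. Zero is rejected because the
# BRs require a serial greater than zero.
def compliant_serial
  loop do
    serial = SecureRandom.random_bytes(8).unpack1('Q>')
    return serial unless serial.zero?
  end
end

# DER-encode the serial as an ASN.1 INTEGER, exactly as it appears in a certificate.
def serial_der(serial)
  OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(serial.to_s)).to_der
end

# Length of the INTEGER content in octets (tag and length header stripped).
# A 64-bit value with the top bit set costs 9 octets: 0x00 plus 8 data bytes.
def serial_octets(serial)
  serial_der(serial).bytesize - 2
end

# Static checks that apply to a single serial: positive, and no more than the
# 20 octets the BRs allow once encoded.
def serial_shape_ok?(serial)
  serial.positive? && serial_octets(serial) <= 20
end

# Empirical sanity check over many draws: a generator that really uses 64 bits
# will set bit 64 about half the time, so the widest value seen reaches 64.
# A 63-bit generator never gets there, no matter how many samples you take.
def max_bit_length(n, &generator)
  n.times.map { generator.call.bit_length }.max
end

if __FILE__ == $PROGRAM_NAME
  puts "flawed:    widest of 2000 draws = #{max_bit_length(2000) { flawed_serial }} bits"
  puts "compliant: widest of 2000 draws = #{max_bit_length(2000) { compliant_serial }} bits"
  puts "DER of 2**63 uses #{serial_octets(2**63)} content octets"
end
```

The DER detail matters in practice: a CA that wants to avoid the leading zero octet cannot do it by clearing a bit it already counted as random; it has to draw more bits (for example 9 bytes with the top bit cleared, leaving 71 random bits) or accept the extra octet.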
Much has been said, especially recently, about the mess of dependencies that modern applications have, and for those of us working in application security there is good reason to be concerned about how these dependencies are handled. While working on YAWAST, I was adding a new feature, and as a result I needed a new dependency: ssllabs.rb.
While most Ruby dependencies are delivered as Gems, ssllabs.rb is a little different, as it is pulled directly from GitHub:
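An added example, not from YAWAST or the original post, of the check worth running on any Gemfile that pulls gems straight from a git host: which git-sourced gems are pinned to a commit, and which would resolve to whatever the branch or tag points at on the day you install. The Gemfile text, gem names and URLs below are constructed placeholders, not real projects.

```ruby
# Constructed sample Gemfile: gem names and URLs are placeholders, not real projects.
SAMPLE_GEMFILE = <<~GEMFILE
  source 'https://rubygems.org'
  gem 'rake'
  gem 'floating', git: 'https://github.com/example/floating.git'
  gem 'by_branch', git: 'https://github.com/example/by_branch.git', branch: 'master'
  gem 'by_tag', github: 'example/by_tag', tag: 'v1.2.0'
  gem 'pinned', git: 'https://github.com/example/pinned.git', ref: '0123456789abcdef0123456789abcdef01234567'
GEMFILE

# One-line `gem '...'` declarations only; multi-line or block-form declarations
# are out of scope for this simple scanner.
GEM_LINE = /\A\s*gem\s+['"](?<name>[^'"]+)['"](?<rest>.*)\z/
OPTION   = /(git|github|branch|tag|ref):\s*['"]([^'"]*)['"]/

# Classify a gem's source options by how firmly the checked-out revision is fixed:
#   :pinned_commit   - ref: is a full 40-hex SHA-1, so the checkout is immutable
#   :tag_movable     - tag: names a release, but tags can be deleted or moved upstream
#   :floating_branch - a branch, or the default branch: each fresh install may pull new code
def classify(opts)
  if opts['ref'].to_s.match?(/\A\h{40}\z/)
    :pinned_commit
  elsif opts.key?('tag')
    :tag_movable
  else
    :floating_branch
  end
end

# Map every git-sourced gem in the Gemfile text to its classification.
# Gems that come from a gem server are skipped: they are not the concern here.
def git_dependencies(gemfile)
  gemfile.each_line.each_with_object({}) do |line, deps|
    m = GEM_LINE.match(line.chomp)
    next unless m
    opts = m[:rest].scan(OPTION).to_h
    next unless opts.key?('git') || opts.key?('github')
    deps[m[:name]] = classify(opts)
  end
end

# Names of git dependencies that a fresh install could resolve to different
# code than the code you reviewed.
def unpinned(gemfile)
  git_dependencies(gemfile).reject { |_, status| status == :pinned_commit }.keys
end

if __FILE__ == $PROGRAM_NAME
  git_dependencies(SAMPLE_GEMFILE).each { |name, status| puts "#{name}: #{status}" }
  puts "unpinned: #{unpinned(SAMPLE_GEMFILE).join(', ')}"
end
```

Two caveats worth keeping in mind: an abbreviated `ref:` is treated as unpinned here because short hashes are ambiguous, and Bundler does record the resolved revision in Gemfile.lock, so committing the lock file gets you most of the way even for a branch source, right up until someone runs `bundle update`. A pinned commit also still skips whatever review or signing the gem would have gone through on a gem server; the pin only guarantees you get the same code every time.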
For the second year I am publishing a year-in-review – something I had generally avoided in the past, as the tone of these posts is typically just cynicism and negativity. Looking back at 2015, it wasn’t all positive (what year is?), but there was certainly some good, and there are great things to look forward to.
In a season filled with empty marketing pitches, worthless predictions, and pointless projections – it’s important to look at the good and avoid the cynicism overload that is all too common.
As it turns out, it’s quite easy to make your Android phone NSA-proof. It’s a simple method, and anyone can do it – all you need is a few ounces of thermite!
Too extreme?
Tools & Tips
Let’s shoot for something a little more attainable – spy resistant. We can’t stop every attack, but we can reduce the attack surface a bit. Here are a few tools that I’ve been using recently to do just that.
(Disclaimer: This is something of a rant, and was written at 3AM. My apologies if it doesn’t make sense. Feel free to ignore.)
It’s 3AM, and I’m up reading, again. Is it the latest great novel or one of the classics that I enjoy so much? No, it’s research for my latest hobby. It’s lasers this time, but this pattern is far from new.
I’m starting to think I just try to do too much, I go in too many different directions.