security
Wednesday, September 24, 2025
LLM disclaimer: this post was written based on a discussion with claude and drafted by claude. I have edited it heavily, but if you’re allergic to LLMs feel free to skip it.
The setup: we have a policy compliance system that employees use roughly once per year to check boxes confirming they’ve read our updated policies. The right solution is to integrate this with our existing SSO solution, which has proper anomaly detection, brute force protection, phishing-resistant auth and so on.
Continue reading →
Monday, February 24, 2025
What is the main job of information security? Is it to break things? Or to protect things?
I believe that most people would answer something along the lines of defending.
So if we agree that the end goal is to defend, why does it seem like infosec is mostly about the offensive side, and is this a problem?
This impression that offensive security gets more attention seems to be a common view based on my limited polling.
Continue reading →
Wednesday, October 4, 2023
Do you need a simple reverse TCP tunnel to a local service (like SSH), but you don’t want to install anything or use one of the public ones?
Warning: there is no authentication. Use this only for temporary things, or use IP allowlisting to limit who can connect.
Get the sish binary from GitHub.
With that out of the way, on the server run
./sish --authentication=false --ssh-address=:9999 -i:9989 --bind-random-ports=false
then run on the client
Continue reading →
Sunday, February 7, 2021
Introduction
The other day I wanted to use my noscript.it with my old iPhone 4S running iOS 6, but I was met with “could not establish a secure connection to the server”.
Turns out it was because I had, out of habit, configured the server with a "modern" list of TLS ciphers. And the poor old iOS 6 didn't support any of them. So, I went on a mission to ensure noscript.
Continue reading →
Monday, January 18, 2021
I needed to have someone transfer some files to me securely, but I had a few requirements:
- no third party (e.g. dropbox)
- handle +150 GiB of files
- transfer files to a publicly available linux server
- don’t give access to the destination server
- the sender only had standard linux utilities (specifically rsync)
Previously I have used locked-down ssh-keys and force-command. Both are good solutions.
This time I ended up using a small sandboxed ssh environment in a docker container with a mounted folder.
Continue reading →
Sunday, November 15, 2020
If you use 1Password Business in your organisation, you might be aware that you can get notifications and alerts for various events pushed to your Slack.
This is quite useful, but I found the notifications quickly get overwhelmingly noisy, because a notification is generated every time anyone unlocks 1Password.
This is too bad, because mixed in with the notification spam about unlocks are notifications for when someone logs in from a new device or adds a new trusted device.
Continue reading →
Thursday, November 12, 2020
U2F and WebAuthn are the two most exciting developments in web authentication in the last 20 years.
The most common way to use them is with a hardware dongle like a YubiKey, which I never got around to doing. Instead, I relied on TOTP for my 2-factor authentication.
That was until I found SoftU2F and combined it with Safari-FIDO-U2F to get it working with Safari, which worked, most of the time.
With the release of Safari 14, Apple finally brought proper WebAuthn support to Safari.
Continue reading →