security

Magic links are not great but they are the right choice sometimes

LLM disclaimer: this post was written based on a discussion with Claude and drafted by Claude. I have edited it heavily, but if you're allergic to LLMs feel free to skip it. The setup: we have a policy compliance system that employees use roughly once per year to check boxes confirming they've read our updated policies. The right solution is to integrate this with our existing SSO solution, which has proper anomaly detection, brute force protection, phishing-resistant auth and so on.


Celebrating defenders

What is the main job of information security? Is it to break things? Or to protect things? I believe that most people would answer something along the lines of defending. So if we agree that the end goal is to defend, why does it seem like infosec is mostly about the offensive side, and is this a problem? The impression that offensive security gets more attention seems to be a common view, based on my limited polling.


Simplest ngrok-like reverse tunnel

Do you need a simple reverse TCP tunnel to a local service (like SSH), but you don't want to install anything or use one of the public ones? Warning: there is no authentication, so use this only for temporary things, or use IP allowlisting to limit who can connect. Get the sish binary from GitHub. With that out of the way, on the server run ./sish --authentication=false --ssh-address=:9999 -i:9989 --bind-random-ports=false, then run on the client


Usability > Security

Introduction. The other day I wanted to use my noscript.it with one of my old iPhone 4S devices running iOS 6, but I was met with "could not establish a secure connection to the server". It turned out this was because I had, out of habit, configured the server with a "modern" list of TLS ciphers, and poor old iOS 6 didn't support any of them. So, I went on a mission to ensure noscript.


Sandboxed rsync/sftp/scp for secure file uploads

I needed to have someone transfer some files to me securely. But I had a few requirements: no third party (e.g. Dropbox); handle +150 GiB of files; transfer files to a publicly available Linux server; don't give access to the destination server; and the sender only had standard Linux utilities (specifically rsync). Previously I have used locked-down SSH keys and force-command. Both are good solutions. This time I ended up using a small sandboxed SSH environment in a Docker container with a mounted folder.


(Ab)using Slack to detect interesting 1Password events

If you use 1Password Business in your organisation, you might be aware that you can get notifications and alerts for various events pushed to your Slack. This is quite useful, but I found the notifications quickly get overwhelmingly noisy, because a notification is generated every time anyone unlocks 1Password. This is too bad, because mixed in with the notification spam about unlocks are notifications for when someone logs in from a new device or adds a new trusted device.


Using TouchID as Yubikey

U2F and WebAuthn are the two most exciting developments in web authentication in the last 20 years. The most common way to use them is with a hardware dongle like a Yubikey, which I never got around to doing. Instead, I relied on TOTP for my 2-factor authentication. That was until I found SoftU2F and combined it with Safari-FIDO-U2F to get it working with Safari, which worked, most of the time. With the release of Safari 14, Apple finally brought proper WebAuthn support to Safari.
