Collaborate Disseminate
Consider the following DNS setup of example.com:
A 89.41.169.49 # this is for redirect.pizza
CAA 0 issue "letsencrypt.org"
www CNAME ghs.googlehosted.com
If I have understood correctly… Continue reading Are problems expected when a subdomain CNAME target has no CAA record?
Imagine you get hold of someone’s private SSH key, which is encrypted. Now imagine you also get hold of the unencrypted key (e.g., because some SSH client stores it after decryption).
Can you determine the encryption passphrase using this … Continue reading Can you obtain the passphrase of an encrypted SSH key, given the unencrypted key?
Why is it considered insecure for an NFS export to allow connections originating from high ports? Compare the manual:
exportfs understands the following export options:
secure
This option requires that requests originate on an Internet po… Continue reading What is insecure about the "insecure" option of NFS exports?
Let’s assume you stumble across a vulnerability in some online system, which is a commercial product by a small US company (1 to 50 employees according to Glassdoor). That online system shall be hosted for some clients and so… Continue reading What are good, safe, not necessarily anonymous ways to disclose vulnerabilities?
For my own domain (mydomain.com, hosted with a free G Suite), I have setup DMARC in testing mode:
v=DMARC1; p=none; sp=reject; aspf=s; adkim=s; rua=mailto:dmarc@mydomain.com
I have sent out test emails to a bunch of email … Continue reading How should I configure DMARC (or DKIM?) to deal with OWA forwarding changing email bodies?
For my own domain (mydomain.com, hosted with a free G Suite), I have setup DMARC in testing mode:
v=DMARC1; p=none; sp=reject; aspf=s; adkim=s; rua=mailto:dmarc@mydomain.com
I have sent out test emails to a bunch of email … Continue reading How should I configure DMARC (or DKIM?) to deal with OWA forwarding changing email bodies?
I have read Sequential password updates and I am aware of a number of techniques to prevent users from using password variants. My question is, which of these techniques are actually used in user authentication in a Microsoft… Continue reading How does "Microsoft domain authentication" prevent me from using passwort variants?
I want to know if there is a way to design a second sandbox inside the original android sandbox, and (re)install the main android apps (like play Store, in the new sandbox, so all new installed app will be in this (second) sa… Continue reading Is it possible to design a sandbox inside the original android sandbox and give it root privileges?
I found in a published paper talks in a part of it about an algorithm of managing permissions and the description contains this statement:
“If the request from app is accessing for hardware, we set the permission being autho… Continue reading Is there a risk on user’s private data when android App got permission to access hardware without accessing user’s data?
I am looking for a way to replace my phone as a 2FA method. U2F is not universally supported. Most services that I use support TOTP (Google Authenticator), and so I thought the Yubikey would support loading the TOTP secret an… Continue reading Are there Yubikey-like TOTP hardware tokens without additional software?