Collaborate Disseminate
Google has been working on mitigations for the Spectre attack, and has made available a Proof of Concept that you can run in your browser right now. Spectre is one …read more Continue reading This Week in Security: Spectre in the Browser, Be Careful What you Clone, and Hackintosh
As a security in-charge, I just noticed that one of our production web apps was attacked by some hackers. The attacker accessed the .git/objects/ files.
I already modified .htaccess to make .git and its content inaccessible.
The attacker … Continue reading Security implications of stolen .git/objects/ files
A former employer of mine has reached out to me to assist them with PCI certification (I guess I’ll be getting a 1099-NEC from them next year as a result). Here’s the point I’m at in the questionnaire:
File-integrity monitoring tools are … Continue reading file-integrity monitoring tools for PCI compliance
I’m curious about what data actually gets signed when I sign a git commit or tag? Is it simply the commit message and metadata?
How could I manually duplicate the signature, use gpg instead of git?
Continue reading When I sign a git commit, what is my signature actually based on?
Back when I was a Java developer, we used to use build.properties or build.xml to store sensitive information outside of the VCS and just add the file with whatever passwords would go in it after check out.
But that’s pretty language speci… Continue reading How does one tighten up their git repo security for Powershell?
Seems like every few months there is another ‘cloning a malicious repo’ type vulnerability. What is it about the way GIT works or was designed that makes it have so many security bugs?
Continue reading Why does GIT have so many vulnerabilities? [closed]
A critical vulnerability (CVE-2020-27955) in Git Large File Storage (Git LFS), an open source Git extension for versioning large files, allows attackers to achieve remote code execution if the Windows-using victim is tricked into cloning the attacker&#… Continue reading Git LFS vulnerability allows attackers to compromise targets’ Windows systems (CVE-2020-27955)
To help ensure authenticity of packages some projects on GitHub and on GitLab add hashsums to the descriptions of the release on the Releases page.
Sometimes, at least here, the hashsum are made part of the release’s filename. Sometimes, a… Continue reading How can the authenticity of releases on GitHub and GitLab be ensured? Can their hashsums change?
I have been using a YubiKey 4 to sign git commits for a few years on Ubuntu.
I am setting up a new Windows10 machine and want to use the same signing key from Windows; however I cannot seem to point gpg at the YubiKey private signing key.
… Continue reading New Win10 and Old YubiKey4; trying to configure GPG Sign for existing key
For a challenge I found that I was able to download files off of /.git/ After using the tools from GitTools I soon realised that my goal was to get to read config.inc.php file. But the problem is, I got index.php extracted but not config.i… Continue reading How to find a specific file’s code in a website with a broken git commit? [migrated]