Collaborate Disseminate
On 2023-02-02, openSSH 9.2 added EnableEscapeCommandline to the ssh client, defaulting to "no". Explaining as:
This option defaults to "no", disabling the ~C command-line that
was previously enabled by default. Turning… Continue reading What attack vectors are enabled on ssh with the usage of EnableEscapeCommandline?
We created a threat model using the Microsoft Threat Modelling Tool.
We expect the teams to use the threat model before development, so, we want to publish this model as a template.
I cannot find a way or tool which can do that. How do I d… Continue reading Microsoft Threat Model | Converting Threat Model to Threat Template
I was reading the Gentoo guide on Full Disk Encryption and couldn’t help but be triggered by the first line:
True Full Disk Encryption is not something that helps in most threat models, and it requires using separate storage to store all … Continue reading Why is FDE not something that helps in most threat models?
I am exploring the Microsoft Threat Modeling Tool (7.3.31026.3). It is fascinating how it suggests all possible STRIDE threats in the "analysis view", after you built your data flow diagram in the "design view". But are… Continue reading Creating custom threats with Microsoft Threat Modeling Tool?
Let’s say I am interested in using one of Microsoft’s new computers but I have concerns over the massive amount of data, personal behavior, and whatnot being consumed by the machine. Microsoft claims that all of their AI toolings will be … Continue reading How to use one of Microsoft’s new computers without leaking information?
IPsec is said to have "partial" replay protection because if a packet arrives outside the window, we can’t track it, so we have to make a choice: do we risk and accept it, or do we drop it?
If we drop all these outside-window pa… Continue reading Why does IPsec has a "partial" replay protection? If we drop all packets outside the moving window, then where is the threat?
Websockets don’t support sending auth tokens during websocket handshake as part of HTTP headers, rather only via query parameters. This has a security risk of leaking these tokens in server logs. However, if we create these JWT tokens with… Continue reading Is it secure to send JWT tokens in url query parameters if we use nonce to make it a one time token?
I am aware through hearsay of the threats exposed by certain digital assets. For example, not only should a password be kept secret, but it should not be re-used. Having the scenario unpacked for me, I now understand that password re-use i… Continue reading Is there a foundational threat model for families/domestic users?
I really like macapps.link as it helps me to quickly install a bunch of software after a fresh install. However, it doesn’t have the transparency such Windows alternatives, like ninite or winget have.
Continue reading As a security engineer would you be okay recommending macapps.link?
I am studying some published papers that demonstrate how I can a secure file system been implemented with the assistance of Intel SGX.
However, in each one of these papers, the threat model is not clearly defined. I know that SGX prevents … Continue reading File System with SGX assistance threat model