Collaborate Disseminate
Recently an organization I forgot to update credit card details had my renewal payment fail because I forgot to update details. They sent an email as below which had a direct link to a web form without any instructions to check authenticit… Continue reading What is best practise to send credit card details update emails when the details have expired?
Keep in mind that I am not a security specialist or a networking specialist. I am a software developer dealing with this kind of software for the first time.
Our software is used to control user session on Windows computers. Users are assi… Continue reading How can a service securely update an application even when the computer’s current user could be hostile
My understanding is that secure boot works by verifying each stage in the boot process before proceeding. So first, UEFI or booting firmware will validate the signature of the bootloader, then kernel, applications etc. before loading.
When… Continue reading Secure boot after an OTA update confusion
In my decades of using Windows, I’ve never gotten prompted for an administrator password when logging into a non-administrator account after a Windows update. Today, on Windows 10, I did, and the reason was to run two apps. One was "… Continue reading After Windows update, normal to get prompt for Administrator password? [migrated]
When I run apt update on my kali terminal, I get this error –
E: The repository ‘https://http.kali.org/kali sana Release’ does not have a Release file.
When you update a new installation for the first time, or update a long time unmaintained OS, do you just enable a software firewall for all incoming connections (and hope there are no obsolete critical bugs hanging there) or do you take a… Continue reading Security precautions during update
I am well aware that the best approach is to update any dependency, no matter whether it is a development dependency or a runtime/production dependency.
But from a research prospective, I want to know whether a vulnerability in development… Continue reading Are devDependencies in Node.js exploitable?
So I’ve been compiling security advisories for various OSs, including both CentOS and RHEL. What I find confusing is CentOS should be a "similar but different" OS from RHEL counterpart, most notably from support for security patc… Continue reading What’s the difference between CentOS and RHEL security patches? [migrated]
A program A downloads signed executables and other signed configuration files. Configuration files have a signature appended at the end. To verify their integrity and creator, it uses the public key hardcoded in the program A.
In a couple … Continue reading Designing an updater with certificate renewal in mind
I have a completely up-to-date debian bullseye system. However, debsecan tool running on it retrieve more than 800 vulnerable packages.
Does it mean that all of these packages are vulnerable and even if my Debian system is totally up-to-da… Continue reading debsecan still retrieves +800 packages impacted by vulnerabilities on up-to-date bullseye system