The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘Security’ Category

Manage two WoonVeilig or egardia systems from one smartphone / Twee WoonVeilig systemen beheren vanaf 1 telefoon

Posted by jpluimers on 2021/03/19

A while ago, I suggested to WoonVeilig that it would be really great if you could manage several of their alarm systems from one smartphone without having to log on again each time.

Use cases for managing two security systems include:

  • managing home and office security systems
  • managing your own security system, and that of a family member in need
  • managing the systems of both your permanent and vacation home

Right now, this is not possible from the WoonVeilig app, but there is a little trick to manage 2 systems from one phone.

This trick works because the WoonVeilig system is developed by Egardia, and both [WayBack] WoonVeilig and [WayBack] Egardia use the same back-end, despite their management sites being slightly different.

This also means that if you want to fiddle with the systems, searching for egardia will get you far more results than for woonveilig.

So the trick is to install both apps and use different credentials in each. This lets you manage two security systems at once.

Notes:

  • in both apps, you can use user ID and password woonveiligdemo, or egardia7, to get into a demo environment
  • the WoonVeilig app is only in Dutch
  • the Egardia app allows you to switch languages (English/Dutch/German/French)
  • there are no apps supporting just English, German or French

–jeroen

Posted in Power User, Security

Enable Block at First Sight to detect malware in seconds | Microsoft Docs

Posted by jpluimers on 2021/03/12

On my reading list, because I saw it suddenly enabled on a domain based Windows network:

[WayBack] Enable Block at First Sight to detect malware in seconds | Microsoft Docs

Enable the Block at First sight feature to detect and block malware within seconds, and validate that it is configured correctly.

It seems to have been introduced in early 2018: Windows Defender – Wikipedia: Advanced Features

Windows 10’s Anniversary Update introduced Limited Periodic Scanning, which optionally allows Windows Defender to scan a system periodically if another antivirus app is installed.[5] It also introduced Block at First Sight, which uses machine learning to predict whether a file is malicious.[21]

There is a BAFS – Windows Defender Testground for which you need a Microsoft account.

–jeroen

Posted in Power User, Security, Windows, Windows 10

Evil environment variables….

Posted by jpluimers on 2021/02/11

I totally agree with Nick Craver “I absolutely hate environmental variables for configuration. They’re brittle, they’re ambient, they can be changed and FUBAR any known state underneath you, they’re an attack vector, just…”.

A little event in the early 1990s made me cautious whenever I see environment variables in use.

One of my clients had a network that had to be separated into three logical areas: one for workstations communicating with a certain server and some equipment, and another for a different server and other equipment, and finally a bunch of semi-local workstations that did some peer-to-peer and specialised equipment communication.

For that era, this was a LOT of stuff to manage.

Since users always were working from the same computers, and there was very little overlap between the areas, I created a bunch of login scripts. Since this was the Novell NetWare 3.x era, you only had default, system and user login scripts (see [WayBack] NetWare 3 Login Script Fundamentals), of which only system+default or system+user could be combined. No group scripts yet (:

So I introduced an environment variable NETWORK that would hold the kind of logical network.

Boy, was I surprised when, a few days later, the head of administration came to me with a problem: one of his administration programs – despite no documentation mentioning anything about such a feature – suddenly asked for a license!

A few hours of phone calls and trying later, we found the culprit: that software had an undocumented feature: when the NETWORK environment variable was set, it assumed a large corporate customer with a very special license feature.

That was the day I started to be wary of environment variables.

The workaround was simple: start the program from a batch file that temporarily clears the NETWORK environment variable, runs the application, and finally restores the environment variable.
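The same clear-run-restore workaround, as an added example (not from the original post, and no relation to the 1990s batch file itself): a context manager that removes a variable and restores it even on error, next to the cleaner alternative of handing the program a scrubbed copy of the environment. `admin_program` is a hypothetical stand-in for the administration program that misbehaved when NETWORK was present.

```python
import os
from contextlib import contextmanager


def admin_program(environ=None):
    """Hypothetical stand-in for the post's administration program: an
    undocumented check flips it into "large corporate, license required"
    mode whenever NETWORK is present, whatever its value."""
    environ = os.environ if environ is None else environ
    return "license required" if "NETWORK" in environ else "normal"


@contextmanager
def without_env_var(name):
    """Temporarily remove one variable from this process's environment.

    This is the batch-file workaround: clear NETWORK, run the program,
    restore it. A sentinel tells "was unset" apart from "was set to an
    empty string", and the restore runs in `finally`, so an exception in
    the body cannot leave the variable missing afterwards.
    """
    sentinel = object()
    saved = os.environ.get(name, sentinel)
    os.environ.pop(name, None)
    try:
        yield
    finally:
        if saved is not sentinel:
            os.environ[name] = saved


def scrubbed_env(names, base=None):
    """Return a copy of the environment without the given variables.

    The cleaner alternative: hand this copy to the child (for example as
    env= to subprocess.run) so the parent's state is never mutated and
    nothing has to be restored.
    """
    env = dict(os.environ if base is None else base)
    for name in names:
        env.pop(name, None)
    return env


def demonstrate():
    """Walk through the scenario and report what the program saw at each step."""
    os.environ["NETWORK"] = "office"          # the login script's marker
    seen = [admin_program()]                  # sees NETWORK: asks for a license
    with without_env_var("NETWORK"):
        seen.append(admin_program())          # cleared for the duration of the run
    seen.append(os.environ.get("NETWORK"))    # restored afterwards
    seen.append(admin_program(scrubbed_env(["NETWORK"])))  # scoped copy instead
    seen.append(os.environ.get("NETWORK"))    # parent never changed
    return seen
```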

Inspired by two tweets I got within a few days time:

–jeroen


Posted in History, Power User, Security

Deciphering the Messages of Apple’s T2 Coprocessor | Duo Security

Posted by jpluimers on 2021/01/28

Interesting read: [WayBack] Deciphering the Messages of Apple’s T2 Coprocessor | Duo Security.

Via:

–jeroen

Posted in Development, Security, Software Development

NDC 2019 Keynote: Welcome to the Machine – Hadi Hariri – YouTube

Posted by jpluimers on 2021/01/27

I am really glad this keynote got recorded. Still very relevant, it is as much about software development as it is about society.

Go watch it, as it gives you reason to think about your role in the software development process, and in the information fire hose at large.

Back in the day, David Intersimone was right when he created the regular blog post “Sip from the Firehose” (for early materials, see [WayBack] GetPublished – Author Information: Firehose).

The talk’s main thread is the current and ever-growing overload of information, which basically turns it into disinformation, combined with the abundance of “AI” recording devices around you that basically make you the product.

Basically we reached all the tick marks of these books:

The session is not just about “how bad is the situation” (it is very), but also provides directions on how to get out of it for both people in the development process, as well as consumers, producers and sharers of information.

via:

–jeroen


Posted in .NET, Development, Opinions, Power User, Security, Software Development

PassProtect – Chrome Web Store

Posted by jpluimers on 2021/01/25

[Archive.is] PassProtect – Chrome Web Store:

Stop using bad passwords. PassProtect alerts you about breached credentials. Powered by “Have I Been Pwned?”.

Interesting plugin. Will try this soon.

Via:

–jeroen


Posted in Authentication, Chrome, Firefox, LifeHacker, Power User, Security, Web Browsers

Go on holiday with peace of mind with the WoonVeilig security set – CooleSuggesties

Posted by jpluimers on 2021/01/22

I had already written about woonveilig earlier (I am a bit confused about the @WoonVeilig site. https://t.co/ui8agTkgM9 for instance mentions GATE-03 and GATE-02, but…), now a bit more about the installation manuals for GATE-03:

The sign-up procedure takes you to [Archive.is] alarmsysteem.woonveilig.nl/nl_NL_woonveilig/registratie, which for registration still refers to:

A few tips during registration and use:

–jeroen


Posted in LifeHacker, Power User, Security

Anyone tried #Telegram to communicate securely?

Posted by jpluimers on 2021/01/22

Below are a few comments from [WayBack] Anyone tried #Telegram to communicate securely? Some nice features there… Looks way more secure than WeChat and all that. Thoughts? https://telegram…. – Jason Mayes – Google+.

The consensus seems to be:

  • Signal is the way to go for secure chat. It is open source too.
  • When chatting with groups of people, there is technical security, but not social security.
  • Telegram is easier to use than some other chat platforms, and has a large user base.

The comments:

  • Ryan Ostendorf: Telegram is pretty nice, but its security leaves much to be desired. If it’s security and true privacy you want, Signal is the way to go.
  • M.A. Zaki: Hi +Ryan Ostendorf, Signal is indeed a way to go but didn’t have big user numbers compared to Telegram.
  • Wayne Harris:

    I use telegram, discord, slack & hangouts for various groups I talk with. Of those, telegram is my preferred for ease of use etc. One thing I would like to see is an “index” of groups to maybe more easily prioritise what I want to read (a-la how discord works with its different servers) but I’m so used to the flat style of telegram/hangouts that I don’t have a huge issue with its current design.

    Re security, I’m not an expert, but it seems ok, with multiple options available. Haven’t heard of anything being intercepted/hacked, but who really knows what our alien overlords – err governments – and other interested parties are up to behind the scenes.

  • oon arfiandwi (OonID): I use telegram more than whatsapp. I found many technical group discussions (at least for Indonesian) because telegram supports a huge amount of members per group.
    Also, the telegram bot and channel give a unique feature for a developer to build an application on top of it.
  • Jason Mayes: +Ryan Ostendorf oooh thanks, I shall check it out
  • Jason Mayes: Thanks everyone for feedback!
  • Leo Turing: I have been using Telegram for 5 years now. Far faster and better than WhatsApp in many ways.
  • Christopher Gaul:

    Its security level depends on who you ask. If you take their word at face value it’s great. If you believe the rumors it’s totally bent by U.S. surveillance agencies.

    Feature wise it’s decent otherwise.

    A few of us are on the hunt for a good, secure, multi platform messaging platform to replace Hangouts when they kill that. We’ve narrowed it down to a few that we’re testing.

    Signal was good until they killed their linux and browser clients.

    Retroshare is on the to test list along with…

    Viber.

    Tox.

  • epsi nurwijayadi:

    I have been a telegram user since october 2017.

    And I wonder, how does telegram make a profit?

    Who is paying for the server to stay alive?

  • Christopher Gaul: Side note. You can just assume that any product based out of the U.S. or any Five Eyes country is not secure. I wouldn’t trust anything EU based either. What’s that leave you?
  • Christopher Gaul: +epsi nurwijayadi
    The NSA no doubt is footing the bills.
  • x Meta x: For dependable privacy, I use two cans and a string.
  • Jason Mayes: +x Meta x I can use a laser pointed at your string to measure the sound being transferred over it though
  • x Meta x:

    +Jason Mayes …..

    …. Curses! Foiled again!

  • Wayne Harris: I use the postal service. Nobody sends anything via that these days other than birthday cards from Nannas, so my most private missives go completely un-noticed by the authorities
  • Jason ON: I downloaded Telegram yesterday, in fact. Haven’t had a chance to try it out yet as I don’t know anyone using it. I had thought it would be more like BBM, with public groups in a social media-lite feature, but it’s not.
  • M.A. Zaki: +Jason ON telegram has more than that. The settings let you do much more.
  • epsi nurwijayadi: I remember getting very happy, when I got a telegram from my father when I was a kid in about the 80s. He had duty on another island far away from home.
  • Willem Oosting:

    +Jason Mayes Check out Keybase.io; they strike a sweet balance between Wire-like security (encrypted group chats) and Telegram-like usability/looks. And I thought it’s FOSS!

    Keybase – keybase.io

  • Robert Wallis:

    Telegram has a very tempting feature set for a “messaging” service.

    I have recently started using it. Top reasons I like it so far are the ability to add a username, which means I can be available without giving people my phone number.

    My URL 👉 t.me/qwallis

    Also the ability to have branded public broadcast channels is different. I’ve set one up for London Meet-ups for +Happening London; the URL for that is here 👉 t.me/HappeningLondon

    Any public post can be embedded, so I’m surfacing the next meet-up on the +Happening London web site too 👉 happeninglondon.co.uk

    Those features (and others) make Telegram interesting.

  • Christopher Gaul:

    +Robert Wallis I agree. With the caveat that this is as long as you aren’t expecting 100% guaranteed secure communications.

    Of course the question of whether such a thing even exists is valid. But in Telegram’s case, at least expect your local Five Eyes government surveillance state to be “reading” them.

  • Jonas Hellström (shellström): I’m giving Matrix/Synapse and riot.im a whirl.
    Mostly because I can self-host it, and it’s got some good things going for it, like encrypted convos.
    They still got a mile or two on their clients and that’s where I’m holding off on inviting everyone and their dogs until there’s something that can be used by more people without becoming a troubleshooting nightmare/”this isn’t as easy as whatsapp. Can’t we use messenger instead?” kind of deal.

    Riot – open team collaboration – about.riot.im

  • Robert Wallis:

    +Christopher Gaul yeah, but where aren’t they?

    As far as I understand Telegram has been validated for “secret chats” between two users, where security models are more easily implemented, but for groups of up to 200,00 that’s never going to be “secret”, just hidden, and public broadcast channels are … well, public.

–jeroen

Posted in Chat, Keybase, LifeHacker, Power User, Security, SocialMedia, Telegram

Test for modern Internet Standards like IPv6, DNSSEC, HTTPS, DMARC, STARTTLS and DANE.

Posted by jpluimers on 2021/01/11

Cool: [WayBack] Test for modern Internet Standards like IPv6, DNSSEC, HTTPS, DMARC, STARTTLS and DANE.

Their motivation and background: [WayBack] About Internet.nl

–jeroen

Posted in Encryption, HTTPS/TLS security, Power User, Security

GitHub – andOTP/andOTP: Open source two-factor authentication for Android

Posted by jpluimers on 2021/01/05

[WayBack] GitHub – andOTP/andOTP: Open source two-factor authentication for Android.

A few highlights:

  • andOTP is a two-factor authentication App for Android 4.4+. It implements Time-based One-time Passwords (TOTP) and HMAC-Based One-Time Passwords (HOTP). Simply scan the QR code and login with the generated 6-digit code.
  • OpenPGP: OpenPGP can be used to easily decrypt the OpenPGP-encrypted backups on your PC.
  • BroadcastReceivers: AndOTP supports a number of broadcasts to perform automated backups, e.g. via Tasker. These will get saved to the defined backup directory. These only work when KeyStore is used as the encryption mechanism.
    • org.shadowice.flocke.andotp.broadcast.PLAIN_TEXT_BACKUP: Perform a plain text backup. WARNING: This will save your 2FA tokens onto the disk in an unencrypted manner!
    • org.shadowice.flocke.andotp.broadcast.ENCRYPTED_BACKUP: Perform an encrypted backup of your 2FA database using the selected password in settings.
  • All three versions (Google Play, F-Droid and the APKs) are not compatible (not signed by the same key)! You will have to uninstall one to install the other, which will delete all your data. So make sure you have a current backup before switching!

PlayStore: [WayBack] andOTP – Android OTP Authenticator – Apps on Google Play

  • Free and Open-Source
  • Requires minimal permissions:
    • Camera access for QR code scanning
    • Storage access for import and export of the database
  • Encrypted storage with two backends:
    • Android KeyStore (can cause problems, please only use if you absolutely have to)
    • Password / PIN
  • Multiple backup options:
    • Plain-text
    • Password-protected
    • OpenPGP-encrypted
  • Sleek minimalistic Material Design with three different themes:
    • Light
    • Dark
    • Black (for OLED screens)
  • Great Usability
  • Compatible with Google Authenticator

Via: [WayBack] ‘Attacks via the SS7 protocol to intercept 2FA SMS messages are on the rise’ – Computer – News – Tweakers

Check out @Jaykul’s Tweet: https://twitter.com/Jaykul/status/1091200778121957377

Instead of Google authenticator and Authy

Via https://twitter.com/martinfowler/status/1091097388201230339

Related:

Nope. It’s just a secret encoded in a QR code.

Here’s the docs on the format of the URI in the QR code: https://t.co/AJhT6PFAzx

The QR code delivers a simple, durable, shared secret.

Use U2F if you can. It is much safer, as it cannot be phished or copied.

Depends on your risk model. Device to device transfer would be a good mid-ground, but doesn’t solve the “my phone was stolen/bricked/damaged” scenario.

Which is your bigger risk – duplicating (normally encrypted) secrets or losing your device and access to everything?


–jeroen

Posted in Android, Authy, Development, Mobile Development, Security, Software Development