The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,861 other subscribers

Archive for the ‘Security’ Category

« Previous Entries
Next Entries »

Fork Gist to Repo on GitHub – Stack Overflow

Posted by jpluimers on 2024/01/09

It is not a full fork and misses a few things (including the Gist description), but is the easiest way to clone a gist to a regular GitHub repository.

I needed it because somehow pushing to gists was denied without explanation or real GitHub feedback.

Another reason is that regular GitHub repositories show you way more information about the commits than Gists do.

Thanks [Wayback/Archive] Noitidart for asking and [Wayback/Archive] Bruno Bronosky for answering at [Wayback/Archive] Fork Gist to Repo on GitHub – Stack Overflow:

Read the rest of this entry »

Posted in Authentication, Development, DVCS - Distributed Version Control, gist, git, GitHub, LifeHacker, Power User, Security, Source Code Management | Leave a Comment »

Yet another reason not to use SMS based 2FA: those phone numbers get leaked or sold as Daniel Cuthbert mentioned on Twitter: “@LinkedIn did indeed sell my 2FA phone number”

Posted by jpluimers on 2023/12/06

Many recommend against using SMS for 2FA because of security reasons (SIM swapping, sniffing, etc), but there is another privacy+security reason: these 2FA phone numbers get leaked or sold as [Wayback/Archive] Daniel Cuthbert (@dcuthbert) found out the hard way last year:

–jeroen

Posted in 2FA/MFA, Authentication, GDPR/DS-GVO/AVG, Power User, Privacy, Security | Leave a Comment »

C#/.NET: for personally identifiable information, use Gaev.Blog.Examples/PiiString.cs at 3.1.1 · gaevoy/Gaev.Blog.Examples

Posted by jpluimers on 2023/10/12

A while ago [Wayback/Archive] Vladimir Gaevoy wrote a great blog post which I bumped into through his tweet [Wayback/Archive] “Blogged: .NET type for personally identifiable information (PII). Working with PII with the help of .NET String is painful. Let’s see the benefits of PiiString as explicit .NET type instead of .NET String  #pii #dotnet #gdpr #security “

The tweet does not fully do justice to his blog post [Wayback/Archive] .NET type for personally identifiable information (PII), as the post not only discusses the background (GDPR and other requirements, for instance the [Wayback/Archive] GDPR compliance checklist – GDPR.eu) and the class, but also with examples how to use it for:

  • conversion to/from user interface plain text
  • hashing to pseudonymized/anonymized form
  • encryption for more secure storage

In addition, more examples cover JSON, Entity Framework, [Wayback/Archive] NLog, and [Wayback/Archive] Serilog — simple .NET logging with fully-structured events.

Read the rest of this entry »

Posted in .NET, C#, Development, Power User, Privacy, Security, Software Development | Leave a Comment »

How to set up OpenVPN with Google Authenticator on pfSense – Vorkbaard uit de toekomst

Posted by jpluimers on 2023/09/18

For my link archive: [Wayback/Archive] How to set up OpenVPN with Google Authenticator on pfSense – Vorkbaard uit de toekomst

Should work with Authy too.

Via: [Archive] Matthijs ter Woord (@mterwoord) | Twitter

–jeroen

Posted in 2FA/MFA, Authentication, Power User, Security | Leave a Comment »

Some threadreaderapp URLs

Posted by jpluimers on 2023/09/14

For my link archive so I can better automate archiving Tweet threads using bookmarklets written in JavaScript:

The base will likely be this:

javascript:void(open(`https://archive.is/?run=1&url=${encodeURIComponent(document.location)}`))

which for now I have modified into this:

javascript:void(open(`https://threadreaderapp.com/search?q=${document.location}`))

It works perfectly fine without URL encoding and demonstrates the JavaScript backtick feature for template literals for which you can find documentation at [WayBack/Archive] Template literals – JavaScript | MDN.

Read the rest of this entry »

Posted in *nix, *nix-tools, bash, bash, Bookmarklet, Communications Development, cURL, Development, HTTP, https, Internet protocol suite, Power User, Scripting, Security, Software Development, TCP, Web Browsers | Leave a Comment »

Fixing a broken xs4all internet connection was a simple as a cold NTU reboot – jpluimers on Twitter

Posted by jpluimers on 2023/09/11

Translation of solving a broken xs4all connection:

Solved. Summary:

  • Liander and UPS functiond, so both Fritz!Box and NTU had power
  • NTU LEDs show Power and Glass, but no Ethernet
  • Fritz!Box has green Power and WLAN LEDs and a red Info LED

Solution was cold reboot of NTU.

I also neatly tucked away the NTU power cord for an additional 8 minutes extra down time: [Wayback/Archive] mwgp ping – wiert.me

Read the rest of this entry »

Posted in Fritz!, Fritz!Box, Hardware, Network-and-equipment, Power User, Security | Leave a Comment »

Help:Two-factor authentication – Wikipedia

Posted by jpluimers on 2023/09/06

For my link archive as this page contains instructions to request 2FA privileges at Wikipedia: [Wayback/Archive] Help:Two-factor authentication – Wikipedia

Checking whether 2FA is enabled

To determine whether your account has 2FA enabled, go to Special:Preferences. Under “Basic information”, check the entry for “Two-factor authentication”, which should be between “Global account” and “Global preferences”:

Viewing m:Steward requests/Global permissions#Requests for 2 Factor Auth tester permissions is possible to do without being logged on at Wikipedia, but for requesting the 2FA permission and accessing Special:Preferences you need to be logged on.

Visit [Wayback/Archive] Steward requests/Global permissions/2018-12 – Meta and look for “OATH tester” for some examples of motivations for requesting.

–jeroen

Posted in 2FA/MFA, Authentication, Power User, Security, SocialMedia, wikipedia | Leave a Comment »

Only 2 weeks left to enable 2FA for your GitHub account

Posted by jpluimers on 2023/08/29

If you haven’t done so already, then enable 2FA for your GitHub account now: This will be a requirement in 2 weeks time.

The 2FA/MFA possibility started about half a year ago with [Wayback/Archive] Raising the bar for software security: GitHub 2FA begins March 13 – The GitHub Blog

You can have various means of 2FA, which al start with a choice between:

After completing either of those those, you can view/download a set of backup codes, and you can add more factors to your Multi-factor authentication setup up to these:

Read the rest of this entry »

Posted in 2FA/MFA, Authentication, Development, DVCS - Distributed Version Control, git, GitHub, Power User, Security, Software Development, Source Code Management | Leave a Comment »

5 days after the exploit publication of snowcra5h/CVE-2023-38408: Remote Code Execution in OpenSSH’s forwarded ssh-agent

Posted by jpluimers on 2023/07/26

TL;DR is at the bottom (;

5 days ago this exploit development got published: [Wayback/Archive] snowcra5h/CVE-2023-38408: CVE-2023-38408 Remote Code Execution in OpenSSH’s forwarded ssh-agent.

It is about [Wayback/Archive] NVD – CVE-2023-38408 which there at NIST isn’t rated (yet?), neither at [Wayback/Archive] CVE-2023-38408 : The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remot.

However at [Wayback/Archive] CVE-2023-38408- Red Hat Customer Portal it scores 7.3 and [Wayback/Archive] CVE-2023-38408 | SUSE it did get a rating of 7.5, so since I mainly use OpenSuSE I wondered what to do as the CVE is formulated densely at [Wayback/Archive] www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt: it mentions Alice, but no Bob or Mallory (see Alice and Bob – Wikipedia).

Luckily, others readly already did the fine reading and emphasised the important bits, especially at [Wayback/Archive] RCE Vulnerability in OpenSSH’s SSH-Agent Forwarding: CVE-2023-38408 (note that instead of Alex, they actually mean Alice)

“A system administrator (Alice) runs SSH-agent on her local workstation, connects to a remote server with ssh, and enables SSH-agent forwarding with the -A or ForwardAgent option, thus making her SSH-agent (which is running on her local workstation) reachable from the remote server.”

According to researchers from Qualys, a remote attacker who has control of the host, which Alex has connected to, can load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib* on Alice’s workstation (via her forwarded SSH-agent if it is compiled with ENABLE_PKCS11, which is the default).

The vulnerability lies in how SSH-agent handles forwarded shared libraries. When SSH-agent is compiled with ENABLE_PKCS11 (the default configuration), it forwards shared libraries from the user’s local workstation to the remote server. These libraries are loaded (dlopen()) and immediately unloaded (dlclose()) on the user’s workstation. The problem arises because certain shared libraries have side effects when loaded and unloaded, which can be exploited by an attacker who gains access to the remote server where SSH-agent is forwarded to.

Mitigations for the SSH-Agent Forwarding RCE Vulnerability

Read the rest of this entry »

Posted in *nix, *nix-tools, bash, bash, Communications Development, Development, Internet protocol suite, OpenSSH, Power User, PowerShell, Scripting, Security, Software Development, SSH | Leave a Comment »

On repeat: “ask information only once”;  Eenmalige uitvraag – NORA Online

Posted by jpluimers on 2023/07/13

Since the SVB PGB site keeps violating the [Wayback/Archive] AP12: Eenmalige uitvraag – NORA Online principle, some more emphasis on it as the usefulness of the “ask information only once” principle is not limited to government sites or commercial sites providing services for the government.

The principle “ask information only once” is valid for any site and needs to be present at all times, especially in these situations:

  1. when an authentication token is expired and re-authentication is needed
  2. when checking if authentication might have been expired and a page refresh is done during that check

I wrote about 1. in SVB PGB and DigiD security suddenly logged you out every 15 minutes despite the count down counter indicating otherwise ( wrote it in March 2021, published it in December 2021 when I thought it had been sort of solved).

That was obnoxious and took a very long time to fix (despite the mandatory aspect of the “ask information only once” principle and me pushing for a quick resolving in [Archive.isJeroen Wiert Pluimers on Twitter: “Omdat de @SVB_PGB site hiermee een noodzakelijk NORA archictectuur principe schendt (je raakt bij de logoff/logon de informatie die je op de pagina aan het invullen bent kwijt): kan dit een hoge prirotieit krijgen? Zie: – …”).

In February 2022, I had enough energy to submit the final PGB administration parts to the SVB PGB site. I didn’t get logged out every few minutes for the first hour or so (that only happened after being authenticated more than one hour, then repeating every 15 minutes), but I bumped into 2: loosing a lot of data in an at first unpredictable manner.

An underlying thing is that despite the NORA rules to be mandatory there is no sanction for the SVB (or any other government organisation) to fix this: users have to use the site and take the burden in order to get their payments. Ruurd Pels highlighted in these two answers to my tweets: harsh, but hitting the nail on the head:

The problem is that every each period of 15 minutes session activity , when you submit a form (the whole flow is form based, where the amount of data per form varies: sometimes just a confirmation button, sometimes a full month of data containing the hours worked) you get an intermediate quickly flashing “Redirecting…” on your screen, then loose the data entered in that form:

  1. [Archive] Jeroen Wiert Pluimers on Twitter: “Het NORA principe wat @StOnSoftware een jaar geleden noemde wordt weer door het @SVB_PGB geschonden. Het duurde even om te reproduceren, maar je verliest ongeveer elke 15 minuten je ingevoerde data. 1/” / Twitter
  2. [Archive] Jeroen Wiert Pluimers on Twitter: “Wat je dan ziet tijdens de submit (Verder, Opslaan) is een kort “Redirecting…” scherm op een willekeurige plek in de flow …, …, … In dit voorbeeld verlies je een maand aan invulwerk en is alles weer leeg. 2/ …” / Twitter
    Declaratie insturen - empty declaration showing you just lost a month of input

    Declaratie insturen – empty declaration showing you just lost a month of input

  3. [Archive] Jeroen Wiert Pluimers on Twitter: “Vorig jaar werd je nog elke 15 minuten uitgelogd en was het nog erger, zie … 3/” / Twitter
  4. [Archive] Jeroen Wiert Pluimers on Twitter: “en … Dat probleem zorgde er voor dat ik maar sporadisch declaraties instuurde, maar nu met een hele stapel declaraties is het probleem op een subtielere wijze nog steeds aanwezig. 4/” / Twitter
  5. [Archive] Jeroen Wiert Pluimers on Twitter: “Kunnen jullie dit laten fixen? Dank alvast. 5/5” / Twitter

After more than an hour, I bumped into 1 again:

  1. [Archive] Jeroen Wiert Pluimers on Twitter: “Oh @SVB_PGB: die bug van uitloggen na een kwartier bestaat nog steeds (zie …). Kreeg ik net in een uur tijd 3 keer. Na inloggen kom je wel weer in de flow, maar de data die je daar hebt ingevuld is dan verdwenen. A/ CC @EefvanKoos” / Twitter
  2. [Archive] Jeroen Wiert Pluimers on Twitter: “@SVB_PGB @EefvanKoos Ik vermoed dat beide te maken hebben met de sessie-duur van de active authenticatie van @DigiDwebcare omdat je in beide gevallen het “Redirecting…” stukje heel kort ziet verschijnen ofwel in het form of bij DigiD login beide met verlies aan data. B/B” / Twitter

[Archive] Stephan Eggermont (@StOnSoftware) / Twitter quote retweeted my initial message at [Archive] Stephan Eggermont on Twitter: “🧵 NORA heeft een aantal hele duidelijke principes om de burger niet te frustreren. Niet twee keer naar hetzelfde vragen geldt ook als je een sessie time-out. Dan moet je dus al ingevulde gegevens bewaren” / Twitter, which translated is

🧵 NORA has a number of very clear principles in order not to frustrate citizens. Not asking for the same thing twice also applies if you time out a session. Then you have to save already entered data

An introduction about NORA is at Nederlandse Overheid Referentie Architectuur – Wikipedia:

Nederlandse Overheid Referentie Architectuur of NORA is het interoperabiliteitsraamwerk voor de Nederlandse overheid en vertaalt daartoe wetgeving, beleid en standaarden naar architectuurprincipes, beschrijvingen en modellen. Het is een beschrijving van uitgangspunten voor het inrichten van de informatiehuishouding van de Nederlandse overheid. NORA is relevant voor de uitvoering van alle publieke taken door publieke en private organisaties.

[Wayback/Archive] NORA: Nederlandse Overheid Referentie Architectuur – Bluefrog has a way easier “table of contents” to the principles than the NORA online site (note that some document numbers are intentionally not used):

DE TIEN BASISPRINCIPES VAN NORA

  1. [Wayback/Archive] BP01: Afnemers krijgen de dienstverlening waar ze behoefte aan hebben.
  2. [Wayback/Archive] BP02: Afnemers kunnen de dienst eenvoudig vinden.
  3. [Wayback/Archive] BP03: Afnemers hebben eenvoudig toegang tot de dienst.
  4. [Wayback/Archive] BP04: Afnemers ervaren uniformiteit in de dienstverlening door het gebruik van standaardoplossingen.
  5. [Wayback/Archive] BP05: Afnemers krijgen gerelateerde diensten gebundeld aangeboden.
  6. [Wayback/Archive] BP06: Afnemers hebben inzage in voor hen relevante informatie.
  7. [Wayback/Archive] BP07: Afnemers worden niet geconfronteerd met overbodige vragen.
  8. [Wayback/Archive] BP08: Afnemers kunnen erop vertrouwen dat informatie niet wordt misbruikt.
  9. [Wayback/Archive] BP09: Afnemers kunnen erop vertrouwen dat de dienstverlenerzich aan afspraken houdt.
  10. [Wayback/Archive] BP10: Afnemers kunnen input leveren over de dienstverlening.

DE 38 AFGELEIDE PRINCIPES

  1. [Wayback/Archive] AP01: Diensten zijn herbruikbaar
  2. [Wayback/Archive] AP02: Ontkoppelen met diensten
  3. [Wayback/Archive] AP03: Diensten vullen elkaar aan
  4. [Wayback/Archive] AP04: Positioneer de dienst
  5. [Wayback/Archive] AP05: Nauwkeurige dienstbeschrijving
  6. [Wayback/Archive] AP06: Gebruik standaard oplossingen
  7. [Wayback/Archive] AP07: Gebruik de landelijke bouwstenen
  8. [Wayback/Archive] AP08: Gebruik open standaarden
  9. [Wayback/Archive] AP09: Voorkeurskanaal internet
  10. [Wayback/Archive] AP10: Aanvullend kanaal
  11. [Wayback/Archive] AP11: Gelijkwaardig resultaat ongeacht kanaal
  12. [Wayback/Archive] AP12: Eenmalige uitvraag
  13. [Wayback/Archive] AP13: Bronregistraties zijn leidend
  14. [Wayback/Archive] AP14: Terugmelden aan bronhouder
  15. [Wayback/Archive] AP15: Doelbinding (AP)
  16. (AP16 is intentionally missing: merged into AP17)
  17. [Wayback/Archive] AP17: Informatie-objecten systematisch beschreven
  18. [Wayback/Archive] AP18: Ruimtelijke informatie via locatie
  19. [Wayback/Archive] AP19: Perspectief gebruiker
  20. [Wayback/Archive] AP20: Persoonlijke benadering
  21. [Wayback/Archive] AP21: Bundeling van diensten
  22. [Wayback/Archive] AP22: No wrong door
  23. [Wayback/Archive] AP23: Automatische dienstverlening
  24. [Wayback/Archive] AP24: Proactief aanbieden
  25. [Wayback/Archive] AP25: Transparante dienstverlening
  26. [Wayback/Archive] AP26: Afnemer heeft inzage
  27. [Wayback/Archive] AP27: Een verantwoordelijke organisatie
  28. [Wayback/Archive] AP28: Afspraken vastgelegd
  29. [Wayback/Archive] AP29: De dienstverlener voldoet aan de norm
  30. [Wayback/Archive] AP30: Verantwoording dienstlevering mogelijk
  31. [Wayback/Archive] AP31: PDCA-cyclus in besturing kwaliteit
  32. [Wayback/Archive] AP32: Sturing kwaliteit op het hoogste niveau
  33. [Wayback/Archive] AP33: Baseline kwaliteit diensten
  34. [Wayback/Archive] AP34: Verantwoording besturing kwaliteit
  35. (AP35 is intentionally missing: superseded by AP41)
  36. (AP36 is intentionally missing: superseded by AP41)
  37. (AP37 is intentionally missing: superseded by AP43)
  38. (AP38 is intentionally missing: superseded by AP43 and AP42)
  39. (AP39 is intentionally missing: superseded by AP42)
  40. [Wayback/Archive] AP40: Onweerlegbaarheid (principe)
  41. [Wayback/Archive] AP41: Beschikbaarheid
  42. [Wayback/Archive] AP42: Integriteit
  43. [Wayback/Archive] AP43: Vertrouwelijkheid (principe)
  44. [Wayback/Archive] AP44: Controleerbaarheid

The missing numbers (see also [Wayback/Archive] Betrouwbaarheid – NORA Online, [Wayback/Archive] Vervangen of Vervallen elementen in NORA – NORA Online and [Wayback/Archive] Vervangen of Vervallen uitspraken in NORA – NORA Online):

For a management overview, see [Wayback/Archive] NORA (Nederlandse Overheid Referentie Architectuur) – Digitale Overheid.

–jeroen

Posted in Authentication, Development, DigiD, Power User, Security, Software Development, Web Development | Leave a Comment »

« Previous Entries
Next Entries »