Disqus to fully support CSP

I already blogged about my problems with Disqus and the Content Security Policy header twice, but recent changes in Disqus made me revisit the whole topic.

Burak Yiğit Kaya, developer at Disqus, made a few changes we discussed about a month ago that improve how Disqus and CSP coexist on a website. While both could be run together before, these improvements turn the setup from a dirty hack into a real dream team.

If you ever implemented CSP

Protect Your Data

Are cloud services safe to use, or are you better off building your own data castle? Let's take a look at the difference between cloud services and self-hosted solutions, and why trust is a key part of security.

Cloud services have become widely used over the past years, and it looks like they'll be around for a while. But there are many concerns about users' privacy and the security of the stored data, both by professionals as well

(W)BP#3 - HAProxy SNI, IPython, PostgreSQL and VIM

A new bucket post - I will change them from weekly to "whenever I feel like it". Mainly because I can't find the time to write actual posts between the bucket posts and I don't want this blog to consist solely of bucket posts.

SSL Client Certificate Support for Owncloud - Meanwhile on the interwebs, the support for client certificate authentication in Owncloud's desktop client "Mirall" is progressing. So I didn't do anything and I didn't learn anything... why is

Security vs. Compatibility - Fight!

How do you secure a web page for private use? Easy if you ask me, use client certificates and a secure connection over TLS, preferably with a signed certificate.

So far so great, the website is pretty secure now, as only someone with the right certificate can visit it. But what about compatibility with client programs? Well - fuck!

Turns out, most endpoint clients don't really support additional authentication mechanisms. In a best case scenario, one login with a strong

We got hacked! Now what?

Almost a year ago, I experienced my first real security incident. The company's bulletin board was compromised and it was my job to oversee and coordinate the incident response. The teams and I were pretty much thrown into cold water, as we had never experienced an incident of that size before.

Right after the incident I wrote the following blog post, which I'm now able to publish. Please note that I didn't change anything deliberately, as I wrote it back

Testing for GHOST Vulnerability with Ansible

Yesterday, reports of a critical vulnerability in the GNU C Library (glibc) hit the news. If you have more than just a handful of servers to check, this Ansible playbook might be helpful.

You can read all about the vulnerability here.

Usually when I have to check multiple servers, I use Ansible like this.

ansible 'servergroup' -m shell -a 'command to execute'

In the case of GHOST, this wasn't working for me, as the test command contained both single (') and double (") quote characters.

WBP#2 - SHA256, Flask, Safari, Keybase.io and more...

The Weekly Bucket Post goes into its second round. This week we have wrong SHA256 hashes, problems with Safari and, amongst other things, an invitation to keybase.io!

sha256sum creates "wrong" hash - Recently I was wondering why a SHA256 hash of the string password was listed in neither the Hash Toolkit nor the LeakDB databases. Surely someone must have used password as password somewhere!?

Turns out, password is of course in both those databases, what isn't listed though is

Note

All information provided on this site is for educational purposes only. The site and its author are in no way responsible for any misuse of the information.