hanno

@hanno@mastodon.social

Freelance Journalist with a focus on Climate, Energy, IT-Security. #searchable

hanno, to random

There's a conference on guarantees of origin (green electricity certificates) in Iceland. Shall I... ? https://landsvirkjun.com/go-conference

hanno, to random

In case the anonymous person who reported a bug in badkeys via my webpage contact form without leaving any contact info reads this: thanks, it's fixed now. https://github.com/badkeys/badkeys/commit/e5d094a8583418c4c07f365400198c1b81aa5131

hanno, to random

Today, 16 years ago, Debian published a security advisory announcing CVE-2008-0166, a severe bug in their OpenSSL package that effectively broke the random number generator and limited the key space to a few tens of thousands of keys. The vulnerability affected Debian+Ubuntu between 2006 and 2008. In 2007, an email signature system called DKIM was introduced. Is it possible that people configured DKIM in 2007, never changed their key, and are still vulnerable to CVE-2008-0166? https://16years.secvuln.info/

hanno, to random

For reasons that I cannot disclose right now, but will soon, I recently looked into BIMI. And... I have some concerns. BIMI is a spec built on top of DKIM and DMARC, and allows companies to show a logo beside their emails in supporting frontends (like gmail). It requires purchasing a very expensive certificate, I think the justification for it is dubious, and I am not a fan. But even if we put that aside, it's also very strange on a technical level. 🧵

hanno,

The concept involves servers checking a DNS record with references to a logo and a certificate. The server then should set some headers that the MUA uses to show the logo. However... there's an inherent flaw in this: The MUA cannot know whether these headers come from the server or the sender. I raised this issue on the BIMI mailing list: https://mailarchive.ietf.org/arch/msg/bimi/PS8Xf1hQ41oCAwtsUvVsbRSs34Q/

hanno,

As I explained there in detail, it all looks like there is some missing piece somewhere, something that the spec designers had in their mind but haven't written down. And that's symptomatic: The spec contains multiple references to "other documents" and "elsewhere", but leaves implementers alone in finding these. Even on a mere technical level, that's all hugely problematic. It looks like an unfinished early draft, but at the same time BIMI is already implemented and sold.

hanno,

I have more concerns about the spec; some parts read like they were written by people who use words without knowing what they mean. There are some design decisions that are extremely questionable from a security point of view. And it appears to me that gmail, the largest mail service that already implemented BIMI, did not do so based on the publicly available spec.

hanno, to random

I gave a talk at this year's Nullcon about a vulnerability I found in HSTS as implemented in Firefox, and also a general overview of HTTP/HTTPS mixing problems. It wasn't recorded at the conf, so I've now re-recorded the talk. You can find it here: https://www.youtube.com/watch?v=JjMb7Z8ak2k

hanno, to random

Does Python really have no DNS functionality built in at all beyond resolving IPs? I have a use case where I need to get a TXT record, and everything I can find recommends dnspython. If possible, I'd like to avoid adding a dependency.
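
Since the post above asks for a dependency-free TXT lookup, here is an added example (not the author's code and not part of badkeys) that builds the DNS query and parses the reply with nothing but the standard library's `socket` and `struct` modules; the resolver address 9.9.9.9 and the `fake_response` helper, which fabricates a reply so the parser can be exercised offline, are assumptions of this example.

```python
import os
import socket
import struct

def build_query(name, txid):
    # Header with RD set + one question: <name> TXT (type 16) IN (class 1)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 16, 1)

def skip_name(msg, off):
    # Walk labels; a 0xC0 compression pointer (2 bytes) ends the name
    while (msg[off] & 0xC0) != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + (2 if (msg[off] & 0xC0) == 0xC0 else 1)

def parse_txt_response(msg, txid):
    # Returns the TXT strings in the answer section, character-strings joined per RR
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000 or flags & 0xF:   # wrong id, not a reply, or rcode != 0
        raise ValueError("bad or failed response, flags=0x%04x" % flags)
    off, out = 12, []
    for _ in range(qd):                      # skip echoed question(s): name + type + class
        off = skip_name(msg, off) + 4
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != 16:                      # e.g. a CNAME preceding the TXT record
            continue
        parts, p = [], 0
        while p < len(rdata):                # RDATA = sequence of <len><bytes> strings
            parts.append(rdata[p + 1:p + 1 + rdata[p]])
            p += 1 + rdata[p]
        out.append(b"".join(parts).decode("utf-8", "replace"))
    return out

def fake_response(name, txid, strings):
    # Constructed reply for the offline demo: answer name is a pointer (0xC00C) to the question
    rdata = b"".join(bytes([len(s)]) + s for s in strings)
    return (struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + build_query(name, txid)[12:]
            + b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata)

def query_txt(name, server="9.9.9.9", timeout=3.0):
    # Live UDP lookup; the resolver address is an assumption, TC/TCP fallback is not handled
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        return parse_txt_response(s.recv(4096), txid)
```

`parse_txt_response(fake_response("_dmarc.example.com", 0x1234, [b"v=DMARC1; ", b"p=reject"]), 0x1234)` shows the multi-string joining that DKIM and DMARC records rely on; `query_txt("_dmarc.example.com")` performs the same lookup against the network.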

hanno, to random

Do I know someone or can anyone recommend someone who is a nerd in the EU emission trading system (ETS)?

For two unrelated stories, I have some extremely specific questions.
I'm looking for the kind of person that will not say "oh, I don't know that, sorry", but rather "I don't know that, but I know how to find out, and I will", or "I don't know that, but I know who does".

hanno, to random

Is GNU software really free software? I may legally have the freedom to study it, but it is wrapped in so much GNU buildsystem obscurity that studying it is impossible without a PhD in GNU buildsystem crap. So I don't really have the freedom to study it.

hanno, to random German

What annoys me about this renewed rehashing of the nuclear debate is how irrelevant the whole thing is. I mean, let's be frank: nuclear policy in Germany will not change anymore, and that is completely independent of who is in government. Nobody will seriously expect the power plants that are currently being dismantled to be switched on again. 🧵

hanno,

And new power plants? Well, I lack the imagination to see that getting pushed through anywhere in Germany. But even so. And even if we had, say, a black-yellow government in which the biggest nuclear enthusiasts from the CDU+FDP held the relevant posts. And somehow they still find a district where it meets with approval. Then someone would still have to put the money on the table.

hanno, to random

I have seen my fair share of strange reactions and rejections by bugbounty platforms, but this is new: Rejected, because the report mentions a CVE. No, I have no idea what they are thinking. (I can only guess that they get lots of low quality reports from automated tools mentioning CVEs. But the idea that a security report that mentions a CVE is invalid is... whatever...)

hanno, to random

Do I know anyone who knows BIMI from the technical / protocol side? I'm neither interested in the PR pitch nor in people complaining (correctly) that it's a moneymaking scheme. I have some specific questions about details about the protocol implementation that seem very odd to me.

hanno, to random

Some proprietary software lobbyists are trying to spin the xz story as an "anti open source" story, and I see demands like "you shall only use open source software if you have a contract with someone guaranteeing support and security". I'd be curious: Can I see the contract those people have with Microsoft or whatever company you never heard of that wrote the firmware in their wifi card that guarantees the same for the closed source software they're using?

hanno, to random German

Do I happen to know anyone here who has dealt with CO2 in the food industry and could answer a few questions about it?

hanno, to random

I have released a new version of badkeys that can detect xz backdoor keys: https://github.com/badkeys/badkeys/releases/tag/v0.0.7 badkeys is an open-source tool I created to detect known-vulnerable cryptographic public keys. This new check is a bit unusual compared to the other things the tool does, and I was unsure whether to implement it, but well, here it is. 🧵

hanno, to random

I have an electronic badge from the Nullcon security conference. It has LEDs to play Tetris; I don't know if it can do anything else. I don't need it, does anyone collect such things and want it for free?

hanno, to random German

All these rules for cannabis consumption, e.g. no selling near schools, no consuming in the presence of children and teenagers etc., can we have those for cigarettes and alcohol too?

hanno, to random

In case anyone from @1password is reading this, you may want to get in touch with me. I have reported a security vulnerability via their bugbounty program, and bugcrowd's staff thinks it's "not applicable", in my view clearly misinterpreting the program's rules. I am pretty sure it's something they want to address. I may consider other means of disclosure if this is "not applicable" for their bugbounty program.

hanno, to random German

Among the grotesque excesses of the hydrogen hype is that there are both startups that make hydrogen from biomethane and ones that make e-methane from green hydrogen. As a rule, both make very little sense, unless you have an absurd subsidy system in which anything with hydrogen written on it can receive funding. https://www.fr.de/wirtschaft/in-deutschland-mit-treibstoff-versorgen-energiewende-neue-technologie-kann-den-gesamten-busverkehr-zr-92984712.html

hanno, to random

I would think this is positive news (especially the part about smoking weed instead of binge drinking), but I don't think he means it that way. (Source/paywalled https://www.spiegel.de/panorama/bildung/legalisierung-von-cannabis-wir-werden-wahrscheinlich-mehr-gescheiterte-schulkarrieren-haben-a-a6875d24-5cf1-4765-bf9f-4e6153d171fb )

hanno, to random

I recently needed a script to convert mbox files to maildir, and to my surprise this was a nontrivial problem. I only found one written in Perl that didn't work with my mbox files. As I don't speak Perl, rather than trying to fix it I wrote one in Python. It's very simple, as Python's standard library already brings all the functionality, in case anyone needs it: https://github.com/hannob/mbox2maildir
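
As an added illustration of the standard-library route the post mentions (example code written here, not the mbox2maildir script linked above): `mailbox.mbox` reads the source, and wrapping each message in `MaildirMessage` carries the mbox Status/X-Status flags (read, replied, flagged) over into Maildir flags. The two-message mbox is constructed for an offline run; the `demo` helper and its temporary directory are assumptions of this example.

```python
import mailbox
import os
import tempfile

def mbox_to_maildir(mbox_path, maildir_path):
    # Copy every message of an mbox file into a Maildir (created if missing).
    # MaildirMessage(msg) converts an mboxMessage: Status "R" -> flag S, "O" -> cur/,
    # X-Status "A" -> R, "F" -> F, "D" -> T, and drops the mbox-only headers.
    src = mailbox.mbox(mbox_path)
    dst = mailbox.Maildir(maildir_path, create=True)
    count = 0
    for msg in src:
        dst.add(mailbox.MaildirMessage(msg))
        count += 1
    dst.flush()
    src.close()
    return count

# Constructed two-message mbox used for the offline demo and test
SAMPLE_MBOX = (
    "From alice@example.com Mon Jan  1 00:00:00 2024\n"
    "From: alice@example.com\nSubject: first\nStatus: RO\n\nhello\n\n"
    "From carol@example.com Mon Jan  1 00:01:00 2024\n"
    "From: carol@example.com\nSubject: second\n\nworld\n"
)

def demo(workdir=None):
    # Write SAMPLE_MBOX to disk, convert it, and return (count, {subject: (subdir, flags)})
    workdir = workdir or tempfile.mkdtemp()
    mbox_path = os.path.join(workdir, "in.mbox")
    with open(mbox_path, "w") as f:
        f.write(SAMPLE_MBOX)
    out_path = os.path.join(workdir, "out")
    count = mbox_to_maildir(mbox_path, out_path)
    result = {}
    for m in mailbox.Maildir(out_path, create=False):
        result[m["Subject"]] = (m.get_subdir(), m.get_flags())
    return count, result

if __name__ == "__main__":
    print(demo())
```

The already-read message ("Status: RO") lands in cur/ with the S flag, the unread one in new/ with no flags, which is exactly the distinction a Maildir-based MUA uses.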

hanno, to random

If it's a problem for "German crypto technology" that a laptop with it falls into the hands of an intelligence agency, then the problem is, by the way, first and foremost the German crypto technology. That the @bsi still does this kind of thing, even though it has fallen flat on its face with it many times before... https://www.spiegel.de/politik/ex-wirecard-manager-jan-marsalek-lieferte-geheim-laptop-an-russische-agenten-a-de9e43d6-77df-4f2c-9b74-483ff14d1174