
hanno

@hanno@mastodon.social

Freelance Journalist with a focus on Climate, Energy, IT-Security. #searchable


hanno, to random

Given that I see calls for better support for those random open source devs that happen to maintain some of the most important pieces of software on the planet: a good friend of mine is maintaining expat, possibly the most important and popular XML library out there, and he has a message in his latest changelog that you may want to read: https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes

hanno, to random

Today, 16 years ago, Debian published a security advisory announcing CVE-2008-0166, a severe bug in their OpenSSL package that effectively broke the random number generator and limited the key space to a few tens of thousands of keys. The vulnerability affected Debian and Ubuntu between 2006 and 2008. In 2007, an email signature system called DKIM was introduced. Is it possible that people configured DKIM in 2007, never changed their key, and are still vulnerable to CVE-2008-0166? https://16years.secvuln.info/

hanno, to random

In case anyone from @1password is reading this, you may want to get in touch with me. I have reported a security vulnerability via their bug bounty program, and Bugcrowd's staff thinks it's "not applicable", in my view clearly misinterpreting the program's rules. I am pretty sure it's something they want to address. I may consider other means of disclosure if this is "not applicable" for their bug bounty program.

hanno, to random German

All these rules for cannabis consumption, e.g. no selling near schools, no consuming in the presence of children and young people etc.: can we have those for cigarettes and alcohol too?

hanno, to random

There's a bit of a controversy about how SEC Consult handled disclosure of the SMTP Smuggling vulns. SEC Consult has not published a test tool to check whether servers are affected. I have hacked together something quickly, please consider it work in progress, but I hope it helps people: https://github.com/hannob/smtpsmug (but please note it does not test the Postfix mitigation right now, I may add a check for that later)
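
The mechanism behind the vulns hanno is testing for, as an added example that is not his smtpsmug tool and not SEC Consult's code: RFC 5321 ends the DATA phase only at CRLF.CRLF, but some receivers also accept bare-LF or mixed variants. If an outbound relay passes such a sequence through unchanged inside a message body, a lenient receiver ends the first message early and parses the rest of the body as new SMTP commands, so the attacker gets a second message with a forged MAIL FROM in the relay's domain. The terminator list, the hostnames and the payload below are constructed for illustration; which variants a particular product accepted is not something this example claims.

```javascript
'use strict';

// Model of an SMTP receiver's end-of-DATA detection (added example, not a
// real server). RFC 5321 ends DATA only at <CRLF>.<CRLF>. Dot-stuffing on
// the relay does not protect against the smuggled variant: it escapes a
// "." at the start of a CRLF-delimited line, and a "." preceded by a bare
// LF sits in the middle of such a line, so it is forwarded verbatim.

// Terminator variants a lenient receiver might accept (constructed list).
const LENIENT_TERMINATORS = ['\r\n.\r\n', '\n.\n', '\r.\r', '\n.\r\n', '\r\n.\n'];
const STRICT_TERMINATOR = '\r\n.\r\n';

// Earliest occurrence of any accepted terminator in the stream.
function firstTerminator(text, terminators) {
  let hit = null;
  for (const t of terminators) {
    const i = text.indexOf(t);
    if (i !== -1 && (hit === null || i < hit.index)) hit = { index: i, length: t.length };
  }
  return hit;
}

// Minimal receiver state machine starting inside the DATA phase: bytes up
// to the first accepted terminator are the current message body; whatever
// follows is parsed as further commands (MAIL FROM / RCPT TO / DATA).
function receiveFromData(stream, envelope, terminators) {
  const messages = [];
  let env = { ...envelope };
  let rest = stream;
  let inData = true;
  while (rest.length > 0) {
    if (inData) {
      const hit = firstTerminator(rest, terminators);
      if (hit === null) return { messages, incomplete: true };
      messages.push({ from: env.from, to: env.to, body: rest.slice(0, hit.index) });
      rest = rest.slice(hit.index + hit.length);
      env = { from: null, to: null };
      inData = false;
    } else {
      const nl = rest.indexOf('\r\n');
      if (nl === -1) return { messages, incomplete: true };
      const line = rest.slice(0, nl);
      rest = rest.slice(nl + 2);
      const m = /^(MAIL FROM|RCPT TO):\s*<([^>]*)>/i.exec(line);
      if (m && m[1].toUpperCase() === 'MAIL FROM') env.from = m[2];
      else if (m) env.to = m[2];
      else if (/^DATA$/i.test(line)) inData = true;
      // QUIT and anything else is ignored by this model.
    }
  }
  return { messages, incomplete: false };
}

// Relay-side mitigation check: is there a CR or LF that is not part of a
// CRLF pair? Rejecting or normalising such input on the relay is what
// keeps the smuggled terminator from ever reaching the next hop.
function hasBareNewline(text) {
  for (let i = 0; i < text.length; i++) {
    if (text[i] === '\n' && text[i - 1] !== '\r') return true;
    if (text[i] === '\r' && text[i + 1] !== '\n') return true;
  }
  return false;
}

// Constructed attack payload: the body of one message the attacker submits
// to the relay after authenticating as attacker@relay.example.
const SMUGGLED_DATA =
  'Subject: harmless\r\n\r\nbody of the legitimate message\r\n' +
  '\n.\n' +                                 // smuggled bare-LF terminator
  'MAIL FROM:<ceo@relay.example>\r\n' +     // forged sender in the relay's own domain
  'RCPT TO:<cfo@victim.example>\r\n' +
  'DATA\r\n' +
  'Subject: urgent wire transfer\r\n\r\nplease pay invoice 4711\r\n' +
  '\r\n.\r\n';                              // the real terminator

const ENVELOPE = { from: 'attacker@relay.example', to: 'cfo@victim.example' };

const lenient = receiveFromData(SMUGGLED_DATA, ENVELOPE, LENIENT_TERMINATORS);
const strict = receiveFromData(SMUGGLED_DATA, ENVELOPE, [STRICT_TERMINATOR]);
console.log('lenient receiver sees', lenient.messages.length, 'messages; second from',
  lenient.messages[1] && lenient.messages[1].from);
console.log('strict receiver sees', strict.messages.length, 'message');
console.log('relay should have rejected this DATA:', hasBareNewline(SMUGGLED_DATA));
```

The lenient receiver delivers two messages, the second one apparently from ceo@relay.example although the relay only authenticated attacker@relay.example; the strict receiver delivers one message with the would-be commands inert inside its body. hasBareNewline is the property a relay-side fix enforces (in Postfix this is the smtpd_forbid_bare_newline setting), which is the check the post says smtpsmug does not yet perform.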

hanno, to random

Some proprietary software lobbyists are trying to spin the xz story as an "anti open source" story, and I see demands like "you shall only use open source software if you have a contract with someone guaranteeing support and security". I'd be curious: can I see the contract those people have with Microsoft, or with whatever company they've never heard of that wrote the firmware in their wifi card, that guarantees the same for the closed source software they're using?

hanno, to random

During a press trip to Iceland last year, I noticed something that looked very strange: Within the country, practically every large electricity consumer would claim that they use renewable energy. Of course: Iceland's grid is entirely powered by hydropower and geothermal energy. But at the same time, green electricity from Iceland is sold in EU countries through certificates called "Guarantees of Origin". It appeared that the same green electricity was sold twice. 🧵

hanno,

Iceland's regulator argues that what is happening here is "Double Claiming", not "Double Counting", and that this is allowed by their interpretation of the rules. AIB seems to accept that. This severely calls into question the usefulness and legitimacy of green electricity certificates and of pretty much all green electricity tariffs in Europe. All details in my latest article: https://industrydecarbonization.com/news/the-trouble-with-european-green-electricity-certificates.html?source=mn

hanno, to random German

Quite remarkable how many state agencies and companies Germany has that are able to block the expansion of wind power. Air traffic control, the Bundeswehr, heritage protection, Deutsche Bahn, and now also the Autobahn GmbH, which is no longer processing transport permits for wind turbines. https://www.ndr.de/nachrichten/niedersachsen/oldenburg_ostfriesland/Windkraft-Viele-Antraege-fuer-Schwerlast-Transporte-unbearbeitet,windkraft1364.html

hanno, to random German

Among the grotesque excesses of the hydrogen hype is the fact that there are both startups that make hydrogen from biomethane and startups that make e-methane from green hydrogen. As a rule, neither makes much sense, unless you have an absurd subsidy system in which anything with "hydrogen" written on it can receive funding. https://www.fr.de/wirtschaft/in-deutschland-mit-treibstoff-versorgen-energiewende-neue-technologie-kann-den-gesamten-busverkehr-zr-92984712.html

hanno, to random

Today I published this story about double counting of renewable electricity https://industrydecarbonization.com/news/how-iceland-sold-the-same-green-electricity-twice.html A bit of backstory: last year I was invited to a press trip about datacenters powered by renewable energy in Iceland. So I started looking into Iceland's use of renewable energy. 🧵

hanno, to random

Anyone using Squid? It appears some guy did a security audit in 2021 and reported dozens of security issues, and most haven't been fixed since then. Do people still use Squid? If you use it, you should probably stop. https://joshua.hu/squid-security-audit-35-0days-45-exploits

hanno, to random

Infosec people, I have a question: is there a level of vulnerability severity and vendor fuckup where your advice changes from "reinstall your stuff" to "stop using it and never buy from that vendor again"? https://mastodon.social/@GossiTheDog@cyberplace.social/111252107872119685

hanno, to random

There is a guy on LinkedIn claiming that he can break RSA-2048, with a somewhat confusing explanation involving quantum computers. If you see that or any similar claims in the coming days, be assured: it's fake.

hanno, to random German

Sorry, but if a district can opt out of the 49-euro ticket, then the district is not the problem; the problem is that this is possible at all. It was advertised as a big advantage that the chaos of the many hyper-complex local fare systems would be mitigated by it.

hanno, to random German

Since for a few days you are all potentially more interested in the history of the RAF than usual: there is a part of the history of the third RAF generation that fascinated me for a while, which I believe has never been worked up in detail, and about which I have read almost everything I could find. A story in which the state, because it could not find the real terrorists, suspected the wrong people. 🧵

hanno, to random

Do I know someone or can anyone recommend someone who is a nerd in the EU emission trading system (ETS)?

For two unrelated stories, I have some extremely specific questions.
I'm looking for the kind of person that will not say "oh, I don't know that, sorry", but rather "I don't know that, but I know how to find out, and I will", or "I don't know that, but I know who does".

hanno, to random German

This is a pretty wild story, and you wonder why it isn't causing more of a stir: in Lusatia it is apparently common for municipalities and their water utilities to sign agreements with the coal company LEAG which stipulate that the town may no longer make critical statements... https://correctiv.org/aktuelles/kampf-um-wasser/2023/09/23/wasser-gefaehrdet-leag-erkauft-schweigen/

hanno, to random German

Now that's interesting: while the FDP is apparently blocking subsidies for solar manufacturing in the federal government, the FDP-affiliated Friedrich Naumann Foundation finds it extremely problematic to be almost entirely dependent on Chinese solar panels. https://www.t-online.de/nachrichten/ausland/internationale-politik/id_100322406/gutachten-zur-solarbranche-in-deutschland-china-ist-ein-risiko.html

hanno, to random

Remember how I recently complained that you find so many less-than-ideal or outright wrong answers if you search for a secure, random password generation function in JavaScript? I ended up writing a blog post: https://blog.hboeck.de/archives/907-How-to-create-a-Secure,-Random-Password-with-JavaScript.html A code example for a solution is given, and it is also available on GitHub under a permissive license.

hanno, to random

For reasons that I cannot disclose right now, but will soon, I recently looked into BIMI. And... I have some concerns. BIMI is a spec built on top of DKIM and DMARC, and allows companies to show a logo beside their emails in supporting frontends (like Gmail). It requires purchasing a very expensive certificate, I think the justification for it is dubious, and I am not a fan. But even if we put that aside, it's also very strange on a technical level. 🧵
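
What "built on top of DMARC" means at the DNS level, as an added example that is not part of hanno's thread: a receiver only consults a BIMI record if the sending domain's DMARC policy is at enforcement, and the BIMI record itself is a TXT record at <selector>._bimi.<domain> pointing to an SVG logo and optionally (the a= tag) to the certificate the post complains about. The policy thresholds encoded here (p=reject, or p=quarantine with pct=100, and no sp=none) follow the BIMI draft specification; the domain names and records are constructed, nothing was looked up in DNS.

```javascript
'use strict';

// Added example: the DMARC gate and record checks behind BIMI. Not code
// from the BIMI spec authors or from any mail provider.

// Parse the "tag=value; tag=value" syntax shared by DMARC and BIMI records.
function parseTags(txt) {
  const tags = {};
  for (const part of txt.split(';')) {
    const i = part.indexOf('=');
    if (i === -1) continue;
    tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  return tags;
}

// BIMI requires DMARC at enforcement: p=reject, or p=quarantine with
// pct=100 (pct defaults to 100 when absent); an explicit sp=none disqualifies.
function dmarcEnforcedForBimi(dmarcTxt) {
  const t = parseTags(dmarcTxt);
  if (t.v !== 'DMARC1') return { ok: false, reason: 'not a DMARC record' };
  if (t.sp === 'none') return { ok: false, reason: 'sp=none' };
  const pct = t.pct === undefined ? 100 : Number(t.pct);
  if (t.p === 'reject') return { ok: true };
  if (t.p === 'quarantine' && pct === 100) return { ok: true };
  return { ok: false, reason: `p=${t.p} pct=${pct} is not at enforcement` };
}

// Sanity checks on a BIMI assertion record. An empty l= is the spec's way
// of declining to publish a logo, so it is reported as such, not as an error.
function checkBimiRecord(bimiTxt) {
  const t = parseTags(bimiTxt);
  const problems = [];
  if (t.v !== 'BIMI1') problems.push('v must be BIMI1');
  if (t.l === undefined) problems.push('l tag (logo URL) missing');
  else if (t.l === '') return { declined: true, problems };
  else if (!t.l.startsWith('https://')) problems.push('logo URL must use https');
  if (t.a !== undefined && t.a !== '' && !t.a.startsWith('https://')) {
    problems.push('authority evidence URL must use https');
  }
  return { declined: false, problems, logo: t.l, authority: t.a || null };
}

// Full evaluation for a sending domain: DMARC gate first, then the BIMI
// record for the selector ("default" unless a BIMI-Selector header says otherwise).
function evaluateBimi(domain, records, selector = 'default') {
  const dmarc = dmarcEnforcedForBimi(records[`_dmarc.${domain}`] || '');
  if (!dmarc.ok) return { eligible: false, reason: `DMARC: ${dmarc.reason}` };
  const txt = records[`${selector}._bimi.${domain}`];
  if (txt === undefined) return { eligible: false, reason: 'no BIMI record' };
  const rec = checkBimiRecord(txt);
  if (rec.declined) return { eligible: false, reason: 'domain declined BIMI' };
  if (rec.problems.length > 0) return { eligible: false, reason: rec.problems.join('; ') };
  return { eligible: true, logo: rec.logo, authority: rec.authority };
}

// Constructed zone data for fictional domains (stands in for DNS lookups).
const RECORDS = {
  '_dmarc.example.net': 'v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.net',
  'default._bimi.example.net': 'v=BIMI1; l=https://example.net/brand/logo.svg; a=https://example.net/brand/vmc.pem',
  '_dmarc.weak.example': 'v=DMARC1; p=quarantine; pct=10',
  'default._bimi.weak.example': 'v=BIMI1; l=https://weak.example/logo.svg',
  '_dmarc.quiet.example': 'v=DMARC1; p=reject',
  'default._bimi.quiet.example': 'v=BIMI1; l=; a=;',
};

for (const domain of ['example.net', 'weak.example', 'quiet.example']) {
  console.log(domain, JSON.stringify(evaluateBimi(domain, RECORDS)));
}
```

The a= tag is where the certificate requirement enters: the record only points at the evidence file, and whether a client actually displays the logo without one is a client policy, not something the record can express.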

hanno, to random

Five years ago I was part of a team that published the ROBOT attack, a variation of Bleichenbacher's attack against RSA. We already knew that there were additional timing issues that we hadn't looked at in detail (it's mentioned in our FAQ https://robotattack.org/ ). Now Hubert Kario has looked at this in detail, and named it the Marvin attack: https://people.redhat.com/~hkario/marvin/

hanno, to random German

Observation on the fallout of the Correctiv investigation: in some media reports, the operators of the conference venue are currently trying to portray themselves as more or less innocent victims who can't help it if someone holds a meeting on their premises, and now all sorts of people are cancelling on them and they are in a bad financial position. Important context: Die Zeit had already reported on this venue shortly before (paywall). Right-wing extremists are regular guests there. https://www.zeit.de/gesellschaft/zeitgeschehen/2023-12/rechtsextremismus-schloss-rittergut-oberreinsberg-sachsen-grundstueckskauf
