I recently blogged about my ProtonMail issues, the weird glitches with their bridge IMAP interface and their apparent lack of care that it might be silently deleting customer data - proton-bridge issue #220
I have now finally gotten around to kicking ProtonMail out of my life and I could not be happier. Gone are the days of having to run some janky Go software just to get an unstable IMAP interface. Gone are randomly changing message UIDs invalidating backups. Gone is the totally batshit way that messages can become orphaned from any folder and not show up anywhere other than "All Mail".
Suddenly I have normal IMAP that works, it even works on iOS (!) and in the webmail I can operate on more than 50 messages at once. I can in fact perform a quick operation on the entire result set of a search. Try doing that in Proton's webmail. I have lost hours of my life to messing around just trying to carry out basic operations on their platform, and I'm so glad to be rid of it.
[read more...]
5 Jun 2022 12:16 | email
I was a fan of the ProtonMail email service until I was casually linked to this issue while discussing something else:
proton-bridge issue #220
TL;DR message UIDs returned by proton-bridge are unstable and subject to change without UIDVALIDITY changing. This is not only bad because it violates the RFC but also because it can lead to data loss in at least a couple of scenarios:
[read more...]
I'm a big fan of Patrick Wardle's free Mac utilities but I noticed something odd about LuLu recently. It seems that it only filters egress traffic when LuLu.app is running. Since it normally runs as the local user rather than root, this makes it somewhat trivial for malware to defeat as it can simply kill the process and then connect to whatever it wants.
This can be mitigated by running the app as root, but since it's not installed root-owned the first thing to do is change that:
```
$ sudo chown -R root:wheel /Applications/LuLu.app/
```
[read more...]
After working for some time as an engineer at a very security-obsessed company I decided it would be a good exercise to note down and organise all the things I've learned both at work and in my spare time related to Linux server security. This guide will focus on Linux in a server context but many of the ideas here are applicable to other systems.
The full guide is also available on GitHub: linux-server-hardening-guide
Guiding principles
[read more...]
For some time I've been using a hand-rolled solution for Touch ID over SSH which I previously blogged about. Up until recently it's been a somewhat loosely-compiled scattering of config that wasn't really in a releasable form, but with a pending security talk on the horizon I thought it would be worth tidying it up and making it releasable so I could mention it in my talk.
That code can be found here: touchid-remote
However when I was compiling it I was under the impression that one of the tools it relies on - touch2sudo - was merely a standalone binary for authenticating sudo commands locally. I didn't realise that the author had also noted in the README that it's possible to use it over SSH. The solution presented there involves forwarding the local ssh agent over the SSH connection and then configuring touch2sudo as the askpass agent.
[read more...]
Egress filtering is an immensely powerful security control but it's not so straightforward to do it well. If any malware manages to execute on your system one of the first things it's likely going to try to do is call home and establish a C2 channel. With effective egress filtering you can break this link in the attack chain and stop it dead in its tracks.
There are two well-known products which do egress filtering on Macs - Little Snitch and LuLu. LuLu is made available by the awesome Patrick Wardle on his website - objective-see.com - along with a load of other very clever security tools.
This post is mostly going to discuss LuLu but the approach taken here may well work just as well with Little Snitch. LuLu is free and very cleverly made; it even allows you to configure regexes for web URLs that applications are allowed to connect to. It does have one major limitation imposed by the operating system though, which is mentioned on the website:
[read more...]
10 Feb 2022 05:48 | security
It's been a while since I've blogged so I thought I'd get back into it with some security stuff. My day job has had a very heavy security focus for the last 3 years and it's infected my personal life too, such that I'm now even more obsessed with security than I was before.
I recently wrote a first draft of a Linux server hardening guide: linux-server-hardening-guide and plan to start a mini-series soon which will go into some of those topics in further detail with example configs etc.
Watch this space!
[read more...]