    Deepfence ThreatMapper: Open source platform for scanning runtime environments

    Danie van der Merwe · / gadgeteerza-tech-blog · Friday, 15 October - 17:50

Deepfence announced open source availability of ThreatMapper, a signature offering that automatically scans, maps and ranks application vulnerabilities across serverless, Kubernetes, container and multi-cloud environments.

ThreatMapper is an open source platform for scanning runtime environments for software supply chain vulnerabilities and contextualizing threats to help organizations determine which to address and when. Taking threat feeds from more than 50 different sources, the comprehensive suite of ThreatMapper capabilities and features is available on GitHub.


#technology #security #threats #opensource #vulnerabilities

    Fourteen of the world's leading computer security and cryptography experts have released a paper arguing against the use of client-side scanning because it creates security and privacy risks

    Danie van der Merwe · / gadgeteerza-tech-blog · Friday, 15 October - 16:47

Client-side scanning (CSS, not to be confused with Cascading Style Sheets) involves analysing data on a mobile device or personal computer prior to the application of encryption for secure network transit or remote storage. CSS in theory provides a way to look for unlawful content while also allowing data to be protected off-device.

Apple in August proposed a CSS system by which it would analyse photos destined for iCloud backup on customers' devices to look for child sexual abuse material (CSAM), only to backtrack in the face of objections from the security community and many advocacy organizations.

The paper, "Bugs in our Pockets: The Risks of Client-Side Scanning," elaborates on the concerns raised immediately following Apple's CSAM scanning announcement with an extensive analysis of the technology.

"In this report, we argue that CSS neither guarantees efficacious crime prevention nor prevents surveillance," the paper says.


#technology #security #privacy #clientsidescanning #apple

    Researcher refuses Telegram’s bounty award, discloses auto-delete bug / ArsTechnica · Monday, 4 October - 14:12

[Image credit: Joshua Sortino]

Telegram patched another image self-destruction bug in its app earlier this year. This flaw was a different issue from the one reported in 2019. But the researcher who reported the bug isn't pleased with Telegram's months-long turnaround time—and an offered $1,159 (€1,000) bounty award in exchange for his silence.

Self-destructed images remained on the device

Like other messaging apps, Telegram allows senders to set communications to "self-destruct," such that messages and any media attachments are automatically deleted from the device after a set period of time. Such a feature offers extended privacy to both the senders and the recipients intending to communicate discreetly.

In February 2021, Telegram introduced a set of such auto-deletion features in its 2.6 release:

    Facebook’s latest “apology” reveals security and safety disarray / ArsTechnica · Tuesday, 21 September - 18:32

[Image: A person in a Hazmat suit covers the Facebook logo with warning tape. Credit: Aurich Lawson / Getty Images]

Facebook had it rough last week. Leaked documents—many leaked documents—formed the backbone of a string of reports published in The Wall Street Journal. Together, the stories paint the picture of a company barely in control of its own creation. The revelations run the gamut: Facebook had created special rules for VIPs that largely exempted 5.8 million users from moderation, forced troll farm content on 40 percent of America, created toxic conditions for teen girls, ignored cartels and human traffickers, and even undermined CEO Mark Zuckerberg’s own desire to promote vaccination against COVID.

Now, Facebook wants you to know it’s sorry and that it’s trying to do better.

“In the past, we didn’t address safety and security challenges early enough in the product development process,” the company said in an unsigned press release today. “Instead, we made improvements reactively in response to a specific abuse. But we have fundamentally changed that approach.”

    Apple fixes iMessage zero-day exploited by Pegasus spyware / ArsTechnica · Tuesday, 14 September - 15:44

[Image credit: Aurich Lawson | Getty Images]

Apple has released several security updates this week to patch a "FORCEDENTRY" vulnerability on iOS devices. The "zero-click, zero-day" vulnerability has been actively exploited by Pegasus, a spyware app developed by the Israeli company NSO Group, which has been known to target activists, journalists, and prominent people around the world.

Tracked as CVE-2021-30860, the vulnerability needs little to no interaction by an iPhone user to be exploited—hence the name "FORCEDENTRY."

Discovered on a Saudi activist’s iPhone

In March, researchers at The Citizen Lab decided to analyze the iPhone of an unnamed Saudi activist who was targeted by NSO Group's Pegasus spyware. They obtained an iTunes backup of the device, and a review of the dump revealed 27 copies of a mysterious GIF file in various places—except the files were not images.

    3 years, 17 alphas, 2 betas, and over 7,500 commits later, OpenSSL version 3 is here - But it's not fully backward compatible

    Danie van der Merwe · / gadgeteerza-tech-blog · Wednesday, 8 September - 21:22

"OpenSSL 3.0 is a major release and not fully backwards compatible with the previous release," explained Matt Caswell of the OpenSSL Management Committee.

FIPS-validated cryptographic algorithms are important to have for users seeking US government work, and their omission from version 1.1.1 of OpenSSL (having been present in 1.0.2) has caused the odd headache.


#technology #opensource #openssl #security

    Nebula is an open source cross-platform scalable overlay networking tool with a focus on performance, simplicity and security

    Danie van der Merwe · / gadgeteerza-tech-blog · Monday, 30 August - 12:19

It lets you seamlessly connect computers anywhere in the world. Nebula is portable, and runs on Linux, OSX, Windows, iOS, and Android. It can be used to connect a small number of computers, but is also able to connect tens of thousands of computers.

Nebula incorporates a number of existing concepts like encryption, security groups, certificates, and tunneling, and each of those individual pieces existed before Nebula in various forms. What makes Nebula different to existing offerings is that it brings all of these ideas together, resulting in a sum that is greater than its individual parts.

Nebula is a mutually authenticated peer-to-peer software defined network based on the Noise Protocol Framework. Nebula uses elliptic curve Diffie-Hellman key exchange, and AES-256-GCM in its default configuration. Nebula was created to provide a mechanism for groups of hosts to communicate securely, even across the internet, while enabling expressive firewall definitions similar in style to cloud security groups.

It was developed by Slack and powers their networking worldwide.


#technology #networks #security #nebula #slack

    Matrix - An Open Network for Secure, Decentralised Communication

    Danie van der Merwe · / gadgeteerza-tech-blog · Friday, 27 August - 10:01

Matrix is an open source project that publishes the Matrix open standard for secure, decentralised, real-time communication. You can self-host and federate, or join existing servers, to enable instant messaging, text chat in chatrooms, voice and video chat, file transfer, and even bridging between many other networks such as IRC, XMPP, Signal, Telegram, WhatsApp, RSS, Facebook Messenger, Discord, Slack, and many more.

End-to-end encryption, device verification and trust, and replication of chatrooms for redundancy are all hallmarks of Matrix. It can serve as a secure communications platform for governments with roving diplomats, or for end users it can be an alternative to Signal, Telegram and WhatsApp.

It is the opposite of a walled garden, with its vision of acting as a generic HTTP messaging and data synchronisation system for the whole web - allowing people, services and devices to easily communicate with each other, empowering users to own and control their data, and select the services and vendors they want to use.

#technology #opensource #security #privacy #instantmessaging #matrix #alternativeto #selfhosting #federated #decentralised