Mainline

Original, edited content. The "real" blog.filippo.io posts.

Komodia/Superfish SSL Validation is broken

If you are on the ball already and just want the new vulnerability, scroll to the "client side SSL verification" section. tl;dr The Komodia/Superfish proxy can be made to allow self-signed certificates without warnings. Recap Some Lenovo laptops shipped with Superfish preinstalled - an ad injecting software. How…

So I lost my NAS password

I got my WD My Book World Edition II NAS out of the closet. The reason it went in the closet is that I locked myself out of SSH access, and in the meantime I forgot most of its passwords. Still, I need a NAS, so let's get it back…

scrypt all the things!

If you take away only one thing from this post let it be this: If you have a human password, scrypt it. The reason passwords suck is because humans are terrible at generating and storing entropy. (That and password reuse, but that's another story.) And the reason that's a problem…

PSA: enable automatic updates. Please.

I want you to do a quick inventory of all the boxes, VPS, servers etc. you have root on. Ok, now tell me, when is the last time you updated the one you almost forgot about? Is it vulnerable to ShellShock? Is it vulnerable to Heartbleed? Go patch it now,…

Salt & Pepper, please: a note on password storage

Everyone will tell you that the best practice for password storage is [sb]crypt with random salt. Ok, we got that and even maybe got everyone to agree. But let me bump that up a notch: do you know what pepper is? The concept of peppering is simple: add a…

On Keybase.io and encrypted private key uploading

One thing in particular of Keybase.io attracts a lot heat recently: they support uploading your encrypted key on their servers. This usually is pointed at as a mortal sin. Well, here is my private key, the untouched output of gpg --armor --export-secret-keys filippo.io | gpg --armor --clearsign. -----BEGIN PGP…

Why Go is elegant and makes my code elegant

This is a enthusiast blog post. I'm not even gonna speak about how concurrency comes easy with Go. Honestly, I'm not good enough to speak about it. I'll just speak about how using Go in my everyday programming makes me happy. Go has elegance, good tools and has had the…

My remote shell session setup

It's 2014 and I feel entitled to a good experience connecting to a remote server, instead the default still feels like telnet. After searching for quite a long time, I finally built my dream setup. These were the requirements: I want a single window/tab/panel of the terminal I'm…

How the new Gmail image proxy works and what this means for you

Google recently announced that images in emails will be displayed automatically by default to Gmail users, thanks to an anonymizing proxy operated by them. This, they say, will actually benefit users privacy. This might very well be true if images are prefetched when an email is received. The help page…

The ECB Penguin

This is an image that has become kind of a cultural icon in the cryptography and InfoSec community. I'm speaking about "the penguin", a picture of the Tux Linux mascot encrypted with a block cipher in ECB mode that still shows clearly the outline of the original. .@solardiz @ErrataRob ECB…