Topic: Security – Ctrl blog
Daniel Aleksandersen, https://www.daniel.priv.no/
Copyright © 2022 Daniel Aleksandersen. Feed last updated 2022-04-27T04:01:00Z.

2022-04-27T04:01:00Z
SELinux is unmanageable; just turn it off if it gets in your way
I’ve been an SELinux complexity apologist for years. Lately, I’ve concluded that every implementation with difficult-to-configure policies is just unmanageable.
Security-Enhanced Linux (SELinux) is a type of Mandatory Access Control (MAC) in the Linux kernel. It can prevent software from performing unexpected actions (such as abusive or malicious ones) on your Linux systems. However, … it’s also an unmanageable mess, and I have a much greater understanding of why people recommend that people disable it.
Read more: https://www.ctrl.blog/entry/selinux-unmanageable.html

2022-04-03T14:10:00Z
Should you trust a third-party bootloader to run newer MacOS versions?
OpenCore lets you run the latest MacOS on unsupported Apple legacy hardware (and PCs). But software that bypasses security restrictions requires a lot of trust.
Apple periodically drops support for its older hardware, and customers get left with an increasingly insecure and outdated system. The Hackintosh scene, a community dedicated to running MacOS on unsupported hardware, might help extend the life of your Mac. However, can you trust its community-developed software to the same degree as you blindly trust Apple?
Read more: https://www.ctrl.blog/entry/macos-opencore-trust.html

2021-11-30T19:13:00Z
Closing the open redirect vulnerability in the Libravatar ecosystem
I found an open redirect vulnerability in the Libravatar specification. An open-source avatar hosting API could be abused to redirect to untrusted websites.
Libravatar is a decentralized open-source alternative to Gravatar – the avatar image service. Last week, I noticed a URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability (CWE-601) in the Libravatar application programming interface (API) specification.
Read more: https://www.ctrl.blog/entry/libravatar-open-redirect.html

2021-09-22T10:09:00Z
Patch origin trust vs GitHub’s URL hierarchy
Opening a pull request is all it takes to get a GitHub patch URL that’s indistinguishable from patches/commits that are a part of an open-source GitHub project.
Attentive readers may have noticed something a bit weird with the GitHub patch links in my last article. I shared links to two patches for Ruby’s Rake build system which I also said hadn’t yet been accepted into Rake. Yet, the patches looked like they came directly from the Rake project’s official code repository at https://github.com/ruby/rake/. So, how did I get a patch URL that’s indistinguishable from commits/patches that are part of a project?
Read more: https://www.ctrl.blog/entry/github-patch-url-trust.html

2021-05-14T10:11:00Z
Your clipboard is only as secure as your device
A review/critique of the complexity, security, and unpredictable user experience of modern feature-laden copy–paste clipboards in today’s operating systems.
The system clipboard is part of every modern operating system. It lets us copy and paste text, images, files, and data between different applications. Like everything else these days, it’s increasingly getting tied up with other people’s servers (“the cloud”). So, what does that mean for your clipboard privacy?
Read more: https://www.ctrl.blog/entry/clipboard-security.html