Does anyone happen to have a buidroot definition for encfs package (for Raspberrypi)?

(In case you wonder why I like encfs? Because it's the only cross platform fs-based encryption (so perfect for using over Dropbox) for which there is also an iOS app available (Boxcryptor Classic).)

Qubes Security Bulletin #31: Several Xen bugs, practical impact unclear (XSA 216-224):

t.co/l2ZjcCOGRf

Congrats to the Xen Team for finding most of the bugs and to Jann Horn of Google Project Zero for the remaining two!

No busques más, esta es toda la dulzura que necesitarás hoy

Here's my quest for a project planning & tracking software:
github.com/QubesOS/qubes-issue

Some features I want:
1. Decompose projects into sub-projects, & further down,
2. Balance incomes & expenses,
3. Dependencies which can span multiple projects,
4. Take declarative description of projects, tasks, deps, people's availability, various constrains, etc,
5. Calendar-time and resource limitations aware.

So far TaskJuggler seems best, anything better/similar?

Organizations all over the world should DEMAND from Intel ability to disable ME/AMT code. For good. There are likely many more bugs there.

Intel should provide means to disable all ME code which runs AFTER host CPU init is complete, i.e. all the UNTURSTED-input processing code.

Intel AMT drama: 

1. Details by the original discoverer: embedi.com/files/white-papers/
2. Independent rediscovery: t.co/l0rDyFlb0N
TLDR: trivial auth bug in the AMT web server...

What consequences should face those, who build web servers into our CPUs?

Remember Intel's been keen on mocking OSS for its lack of security & liability. Here's a fragment from the 2014 book by Intel ME architect:

A book about Mind, disguised as treatise on Formal Systems and Reasoning, camouflaged as work on Beauty, ultimately talking about Mind... ❤

Qubes Security Bulletin #30 for another critical Xen bug(s) in PV memory virtualization (XSA 213-214): github.com/QubesOS/qubes-secpa

The bugs were found by the same researcher who found the previous Xen bug (XSA 212): Jann Horn of Google P0, congrats!

Also, please read our commentary in the bulletin (linked above) about the general defense approaches we've been working on for Qubes 4.x.

Infosec ethics/drama 

HackerOne is running a bug bounty program for FlexiSpy, who specialise in spying on spouses twitter.com/josephfcox/status/

Their justification: it's "just fixing vulns" twitter.com/senorarroz/status/

I don't buy this at all. By providing security testing services to a shady company, you lend legitimacy to them and their brand. I agree with Casey on this one twitter.com/caseyjohnellis/sta

Turned out that the phrase "Plan B" has a special connotation in the US (a day-after contraception pill), which I wasn't aware before . One of the US-based devs pointed this out and we're discussing how/if to change the option name and to what alternative (needless to say some users didn't like the "paranoid" name either):
t.co/0YBigxAH0V

I guess Qubes OS is getting ever more mainstream... :)

Show thread

New post: "Compromise recovery on Qubes OS":
qubes-os.org/news/2017/04/26/q

Because fuckups happen... and it's good to have a reasonable Plan B.

I really like draw.io, a free Visio alternative, which also works fine in *offline* mode as a Chrome app (I tested it in offline VM).

But it would be even cooler if there was an easy way to package Chrome Apps as RPM or DEB, as then it could be easily installed in a template VM for use in many different AppVMs. Anyone knows how to do that?

(The diagram below is for an upcoming post on Qubes Compromises Recovery, BTW)

I did a write up for the Hamburgsides keynote I did last year - 'The Mighty Superpowers of a well-established "Us"', about BlackHoodie, why XYZ-only workshops make sense, why otherness is an issue and about how-to Padawan 0x1338.blogspot.de/2017/04/the

Have fun planting virus signatures in strange places that touch remote disks somehow/somewhere.

Example:

Change your mail sig to:
X5O!P%@ap[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Or send it in a browser var, as a password (quickly find the sites that don't encrypt passwords), send to open syslogs, etc.

The some AV actually delete/quarantine the file (weblogs, mailspool, {u,w}tmp etc.)!

What are your ideas?

Inspired by: sec.cs.tu-bs.de/pubs/2017-asia

@rootkovska @micahflee Hi there! In @gnome we are doing a lot of work to sandbox things and solve the root cause for this kind of problem. We'd love to hear about these bugs from researchers first, instead of depending on hardening-after-the-fact downstreams like Subgraph and Qubes to push bug reports to us.

Example conversation I'd like to happen around this bug: purpose of .desktop files vs. filename spoofing; executing code you downloaded; sandboxing all executions by default.

Also, the Subgraph reaction has been baffling. They:
1. Ignored Micah's report for 2 weeks (which he gave them to patch) & did nothing to resolve the problem,
2. Downplayed/denied the bug once it got published: twitter.com/bleidl/status/8518
twitter.com/subgraph/status/85
3. Falsely implied that the bug affected QubesOS: twitter.com/bleidl/status/8518
4. Finally patched: twitter.com/subgraph/status/85

Show thread
Show older
Mastodon

Server run by the main developers of the project 🐘 It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!