Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@briankrebs" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>briankrebs</span></a></span> That explains all the shite I've seen, incl. the <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> <a href="https://infosec.space/tags/backdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>backdoor</span></a> in <a href="https://infosec.space/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a> itself...</p><p><a href="https://github.com/kkarhan/windows-ca-backdoor-fix" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/kkarhan/windows-ca-</span><span class="invisible">backdoor-fix</span></a></p>
techhub.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A hub primarily for passionate technologists, but everyone is welcome
Administered by:
Server stats:
4.6Kactive users
techhub.social: About · Status · Profiles directory · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.4.2
#cryptoapi
0 posts · 0 participants · 0 posts today
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://social.heise.de/@iX_Magazin" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>iX_Magazin</span></a></span> <a href="https://infosec.space/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a> ist <em>inhärent unfixbar unsicher</em>...</p><p>Siehe <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> - <a href="https://infosec.space/tags/Backdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Backdoor</span></a>!</p>
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@euroinfosec" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>euroinfosec</span></a></span> which doesn't matter when they literally <a href="https://infosec.space/tags/backdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>backdoor</span></a> the <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> and integrate <a href="https://infosec.space/tags/Govware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Govware</span></a> like <a href="https://infosec.space/tags/Recall" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Recall</span></a>! </p><p><a href="http://github.com/kkarhan/windows-ca-backdoor-fix" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">http://</span><span class="ellipsis">github.com/kkarhan/windows-ca-</span><span class="invisible">backdoor-fix</span></a></p>
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@cR0w" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>cR0w</span></a></span> too many.</p><ul><li>Jist like there are way too many applications suceptible to the <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> <a href="https://infosec.space/tags/backdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>backdoor</span></a> of <a href="https://infosec.space/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a>.</li></ul><p><a href="http://github.com/kkarhan/windows-ca-backdoor-fix" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">http://</span><span class="ellipsis">github.com/kkarhan/windows-ca-</span><span class="invisible">backdoor-fix</span></a></p><p>So far testing by <span class="h-card" translate="no"><a href="https://social.heise.de/@ct_Magazin" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>ct_Magazin</span></a></span> / <span class="h-card" translate="no"><a href="https://social.heise.de/@heiseonline" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>heiseonline</span></a></span> (and myseof later on) revealed only few <a href="https://infosec.space/tags/Apps" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Apps</span></a> not vulnerable to this specifics <a href="https://infosec.space/tags/Govware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Govware</span></a>:</p><ul><li><a href="https://infosec.space/tags/Firefox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Firefox</span></a> (uses <span class="h-card" translate="no"><a href="https://mastodon.cc/@Mozilla" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>Mozilla</span></a></span> / <span class="h-card" translate="no"><a href="https://mastodon.social/@mozilla_support" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>mozilla_support</span></a></span> / <a href="https://infosec.space/tags/Mozilla" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Mozilla</span></a> <a href="https://infosec.space/tags/NSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NSS</span></a> & has it's own <a href="https://infosec.space/tags/SSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SSL</span></a> certificate storage)</li><li><span class="h-card" translate="no"><a href="https://mastodon.online/@thunderbird" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>thunderbird</span></a></span> (Mozilla NSS)</li><li><span class="h-card" translate="no"><a href="https://mastodon.social/@torproject" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>torproject</span></a></span> / <a href="https://infosec.space/tags/TorBrowser" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TorBrowser</span></a> (Mozilla NSS; custom certificates)</li><li><a href="https://infosec.space/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> (uses <span class="h-card" translate="no"><a href="https://mastodon.social/@bagder" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>bagder</span></a></span> <a href="https://infosec.space/tags/WolfSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WolfSSL</span></a> and manages it's own certs)</li></ul><p>Anything else that uses the CryptoAPI is, espechally *all <a href="https://infosec.space/tags/Chromium" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Chromium</span></a>-Forks (aka. All Browsers except Firefox, Tor Browser, <a href="https://infosec.space/tags/dillo" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dillo</span></a>, <a href="https://infosec.space/tags/LynxBrowser" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LynxBrowser</span></a>…)</p>
Kevin Karhan :verified:USpol, Trump, US-centric Internet Infrastructure, National Internet Blackout
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://social.linux.pizza/@marjolica" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>marjolica</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@utf_7" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>utf_7</span></a></span> <span class="h-card" translate="no"><a href="https://techhub.social/@dashjackson" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>dashjackson</span></a></span> <span class="h-card" translate="no"><a href="https://social.glitched.systems/@froge" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>froge</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@arstechnica" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>arstechnica</span></a></span> It'll impact <em>any</em> application that uses <a href="https://infosec.space/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a>' <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> and doesn't come with it's own <a href="https://infosec.space/tags/Encryption" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Encryption</span></a> Library and <a href="https://infosec.space/tags/CertificateManagment" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CertificateManagment</span></a>.</p><ul><li>IDK if the <em>"<a href="https://infosec.space/tags/Linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Linux</span></a> Subsystem for <a href="https://infosec.space/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a>"</em> (The real <em>"<a href="https://infosec.space/tags/WindowsSubsystemForLinux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WindowsSubsystemForLinux</span></a>"</em> is <a href="https://infosec.space/tags/Wine" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Wine</span></a>!) may or may not be as <a href="https://infosec.space/tags/cursed" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cursed</span></a> as to just wrap said functions into the <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> instead of doing it with the applications' dependencies.</li></ul><p>Needless to say all <a href="https://infosec.space/tags/Chromium" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Chromium</span></a> variants and <a href="https://infosec.space/tags/IE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IE</span></a> / <a href="https://infosec.space/tags/Edge" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Edge</span></a> are vulnerable to this <a href="https://infosec.space/tags/Backdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Backdoor</span></a> which exists since at least <a href="https://infosec.space/tags/WindowsXP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WindowsXP</span></a> to this day!</p><ul><li>Thus consider said <a href="https://infosec.space/tags/OS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OS</span></a> <em>inherently unsafe!</em></li></ul>
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://cyberplace.social/@GossiTheDog" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>GossiTheDog</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.world/@signalapp" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>signalapp</span></a></span> it merely prevents <a href="https://infosec.space/tags/Screenshots" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Screenshots</span></a> by claiming it's <a href="https://infosec.space/tags/DRM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DRM</span></a>'d content.</p><ul><li><p>It's a mere <em>ask</em> and <a href="https://infosec.space/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Microsoft</span></a> could specifically close that <a href="https://infosec.space/tags/API" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>API</span></a> and make it subject to contractual agreements (as they did with their <a href="https://infosec.space/tags/Antivirus" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Antivirus</span></a> API calls to disable <a href="https://infosec.space/tags/WindowsDefender" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WindowsDefender</span></a>!) if they decide this is against their wishes.</p></li><li><p>It also doesn't prevent the <a href="https://infosec.space/tags/Keylogger" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Keylogger</span></a> nor works against the <a href="http://github.com/kkarhan/windows-ca-backdoor-fix" rel="nofollow noopener" target="_blank">known</a> <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> <a href="https://infosec.space/tags/backdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>backdoor</span></a> affecting all <a href="https://infosec.space/tags/Browsers" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Browsers</span></a> (except <a href="https://infosec.space/tags/Firefox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Firefox</span></a> and <span class="h-card" translate="no"><a href="https://mastodon.social/@torproject" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>torproject</span></a></span> / <a href="https://infosec.space/tags/TorBrowser" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TorBrowser</span></a>) which can be triggered by a single <a href="https://infosec.space/tags/HTTPS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HTTPS</span></a> request.</p></li></ul><p>The correct solution for <a href="https://infosec.space/tags/Signal" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Signal</span></a> would be to alert all their users and specifically block <a href="https://infosec.space/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a> in general or at least <a href="https://infosec.space/tags/Windows11" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows11</span></a> simply because it is a <a href="https://infosec.space/tags/Govware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Govware</span></a> and <em>empirically cannot be made private or secure</em>.</p><p>But that would require them to actually give a shit, which thed don't, cuz otherwise they would've stopped demanding <a href="https://infosec.space/tags/PII" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PII</span></a> like a <a href="https://infosec.space/tags/PhoneNumber" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PhoneNumber</span></a> and moved out of juristiction of <a href="https://infosec.space/tags/CloudAct" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CloudAct</span></a>.</p><ul><li>I mean, what's gonna prevent the <a href="https://infosec.space/tags/Trump" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Trump</span></a>-Regime from threatening <span class="h-card" translate="no"><a href="https://mastodon.world/@Mer__edith" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>Mer__edith</span></a></span> et. al. with lifetime in jail for not kicking the <a href="https://infosec.space/tags/ICC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ICC</span></a> (or anyone else he and his fans dislike) from <a href="https://infosec.space/tags/Signal" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Signal</span></a>'s infrastructure?</li></ul><p>Since they are highly centralized.they certainly <em>are capable</em> to comply with <em>"<a href="https://infosec.space/tags/Sanctions" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Sanctions</span></a>"</em> (or whatever bs he'll claim!)...</p>
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://tiggi.es/@DeltaWye" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>DeltaWye</span></a></span> <span class="h-card" translate="no"><a href="https://chaos.social/@kfh" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>kfh</span></a></span> I'd say <span class="h-card" translate="no"><a href="https://mastodon.social/@torproject" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>torproject</span></a></span> / <a href="https://infosec.space/tags/TorBrowser" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TorBrowser</span></a> as it's <a href="https://infosec.space/tags/Firefox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Firefox</span></a> but <a href="https://infosec.space/@kkarhan/114388251948556423" rel="nofollow noopener" target="_blank">without</a> <a href="https://infosec.space/tags/tracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tracking</span></a>, <a href="https://infosec.space/tags/adware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>adware</span></a> and <a href="https://infosec.space/tags/analytics" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>analytics</span></a>! </p><p>But if you're using <a href="https://infosec.space/tags/Govware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Govware</span></a> like <a href="https://infosec.space/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a>, any <a href="https://infosec.space/tags/Browser" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Browser</span></a> that doesn't use the <a href="https://infosec.space/tags/backdoored" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>backdoored</span></a> <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> (i.e. all <a href="https://infosec.space/tags/Chromium" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Chromium</span></a>-Forks do use it!) is better...</p><ul><li>And yes, even <a href="https://github.com/kkarhan/windows-ca-backdoor-fix" rel="nofollow noopener" target="_blank">the <em>"fix"</em> I released</a> isn't propably permanent as any <a href="https://infosec.space/tags/WindowsUpdate" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WindowsUpdate</span></a> can revert it!</li></ul>
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@paco" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>paco</span></a></span> <a href="https://infosec.space/tags/Copilot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Copilot</span></a> & <a href="https://infosec.space/tags/Recall" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Recall</span></a> are the perfect <a href="https://infosec.space/tags/InfoStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoStealer</span></a> <a href="https://infosec.space/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> combo!</p><ul><li>This makes <a href="https://github.com/kkarhan/windows-ca-backdoor-fix/" rel="nofollow noopener" target="_blank">the</a> <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> - <a href="https://infosec.space/tags/Backdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Backdoor</span></a> look chill by comparison!</li></ul>
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@cryptrz" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>cryptrz</span></a></span> add to that the fact that the <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> is <a href="https://infosec.space/tags/backdoored" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>backdoored</span></a> and that said <a href="https://infosec.space/tags/backdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>backdoor</span></a> can be triggered with a simple <a href="https://infosec.space/tags/HTTPS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HTTPS</span></a> request in any <a href="https://infosec.space/tags/Browser" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Browser</span></a> [except <a href="https://infosec.space/tags/Firefox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Firefox</span></a> & <a href="https://infosec.space/tags/TorBrowser" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TorBrowser</span></a> as they use <a href="https://infosec.space/tags/NSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NSS</span></a> instead!] (or <a href="https://infosec.space/tags/PowerShell" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PowerShell</span></a>'s horrible <code>wget</code> implementation)...</p><p>And we have sufficient proof thaf <a href="https://infosec.space/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a> is a <a href="https://infosec.space/tags/Govware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Govware</span></a> that <em>noone</em> should use and that should be banned across the globe.</p><p><a href="http://github.com/kkarhan/windows-ca-backdoor-fix" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">http://</span><span class="ellipsis">github.com/kkarhan/windows-ca-</span><span class="invisible">backdoor-fix</span></a></p>
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@0x40k" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>0x40k</span></a></span> well, <a href="https://infosec.space/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Microsoft</span></a> to this day has a <a href="https://infosec.space/tags/Backdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Backdoor</span></a> in the <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> that <a href="http://github.com/kkarhan/windows-ca-backdoor-fix" rel="nofollow noopener" target="_blank">remains unfixed to this day</a>...</p><ul><li>And since Microsoft doesn't acknowledge the concept of <a href="https://infosec.space/tags/consent" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>consent</span></a> in <a href="https://infosec.space/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a> (and doesn't even fake it!) and they are both <a href="https://infosec.space/tags/PRISM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PRISM</span></a> collaborators <em>AND</em> subject to <a href="https://infosec.space/tags/CloudAct" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CloudAct</span></a>, they <em><a href="https://infosec.space/tags/CantFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CantFix</span></a></em> & <em><a href="https://infosec.space/tags/WontFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WontFix</span></a></em> it!</li></ul>
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://nrw.social/@roman78" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>roman78</span></a></span> <span class="h-card" translate="no"><a href="https://astronomy.social/@admin" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>admin</span></a></span> <span class="h-card" translate="no"><a href="https://nrw.social/@olifantenbaer" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>olifantenbaer</span></a></span> angesichts der Lücken in <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> inklusive <a href="https://infosec.space/tags/Backdoors" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Backdoors</span></a> ist das digitales <a href="https://infosec.space/tags/FlexTape" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FlexTape</span></a> bei durchgerrostetem Rohr...</p><ul><li>Hinzu kommt dass <a href="https://infosec.space/tags/WindowsUpdate" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WindowsUpdate</span></a> entsprechende Einstellungen resetted.<a href="https://github.com/kkarhan/windows-ca-backdoor-fix" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/kkarhan/windows-ca-</span><span class="invisible">backdoor-fix</span></a></li></ul>
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://social.tchncs.de/@gborn" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>gborn</span></a></span> <span class="h-card" translate="no"><a href="https://hessen.social/@MichaelD" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>MichaelD</span></a></span> <span class="h-card" translate="no"><a href="https://det.social/@Bundesligatrainer" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>Bundesligatrainer</span></a></span> <span class="h-card" translate="no"><a href="https://chaos.social/@Ihazchaos" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>Ihazchaos</span></a></span> nein, eben nicht.</p><p>Dass <a href="https://infosec.space/tags/Windows10" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows10</span></a> [und besonders <a href="https://infosec.space/tags/Windows11" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows11</span></a>] nicht <a href="https://infosec.space/tags/DSGVO" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DSGVO</span></a>- & <a href="https://infosec.space/tags/BDSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BDSG</span></a>-konform sein können ist <a href="https://www.lda.bayern.de/media/windows_10_report.pdf" rel="nofollow noopener" target="_blank">evidenzierte Tatsache</a> und ich habe noch keine*n Anwält*in gesehen die etwas anderes behaupten und dafür im Zweifelsfalle auch die <a href="https://infosec.space/tags/Haftung" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Haftung</span></a> übernehmen würden.</p><ul><li><p>Wohingegen ich mir sicher bin dass <span class="h-card" translate="no"><a href="https://fosstodon.org/@SUSE" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>SUSE</span></a></span> & <span class="h-card" translate="no"><a href="https://ubuntu.social/@ubuntu" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>ubuntu</span></a></span> mir im Zweifelsfalle sogar ne <a href="https://infosec.space/tags/Versicherung" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Versicherung</span></a> der <a href="https://infosec.space/tags/Compliance" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Compliance</span></a> ab Werk anbieten würden, was <a href="https://infosec.space/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Microsoft</span></a> aufgrund von <a href="https://infosec.space/tags/CloudAct" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CloudAct</span></a> inhärent nicht kann!</p></li><li><p>Außerdem verbietet sich das Procurement von Anbietern die in <em>"illegaler Agententätigkeit"</em> [u.a. <a href="https://infosec.space/tags/PRISM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PRISM</span></a>] involviert sind (!!!) schon aus oberflächlicher <em>due diligence</em>...</p></li></ul><p>Von <a href="https://github.com/kkarhan/windows-ca-backdoor-fix/" rel="nofollow noopener" target="_blank">einfach ausnutzbaren</a> <a href="https://infosec.space/tags/Govware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Govware</span></a> - <a href="https://infosec.space/tags/Backdoors" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Backdoors</span></a> in der <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> unter <a href="https://infosec.space/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a> hab ich noch garnicht angefangen! </p><ul><li>TLDR: <a href="https://infosec.space/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a> gehört in den <a href="https://infosec.space/tags/M%C3%BCll" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Müll</span></a> und notfalls auf ne <a href="https://infosec.space/tags/airgapped" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>airgapped</span></a> Kiste bzw. <a href="https://infosec.space/tags/offline" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>offline</span></a> VM! Ich fass' den shice nicht an!!!</li></ul><p><a href="https://infosec.space/tags/EOD" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EOD</span></a></p>
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://transfem.social/@puppygirlhornypost2" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>puppygirlhornypost2</span></a></span> <span class="h-card" translate="no"><a href="https://social.vlhl.dev/users/navi" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>navi</span></a></span> yeah, but that's a common problem based off <a href="https://infosec.space/tags/TechIlliteracy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TechIlliteracy</span></a> and lack of proper explaination!</p><ul><li>Given the <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> of <a href="https://infosec.space/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a> is <a href="https://infosec.space/tags/backdoored" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>backdoored</span></a> for <a href="https://infosec.space/tags/Govware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Govware</span></a> [<a href="https://infosec.space/tags/NSAKEY_" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NSAKEY_</span></a> & <a href="https://infosec.space/tags/SSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SSL</span></a>-<a href="https://github.com/kkarhan/windows-ca-backdoor-fix" rel="nofollow noopener" target="_blank">Updates</a> I'd consider <a href="https://infosec.space/tags/BitLocker" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BitLocker</span></a> insecure and the least of it's problems!</li></ul><p>Bonus points if <a href="https://infosec.space/tags/TPM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TPM</span></a> bs prevents <a href="https://infosec.space/tags/DataRecovery" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DataRecovery</span></a>.</p><ul><li>My biggest problem with <a href="https://infosec.space/tags/FDE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FDE</span></a>/ <a href="https://infosec.space/tags/FullDiskEncryption" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FullDiskEncryption</span></a> is that is mandates direct access to a system to authenticate, thus one needs to manually mount stuff on servers post-boot instead.</li></ul>
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://goatdaddy.net/profile/vvelox" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>vvelox</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@SecurityWriter" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>SecurityWriter</span></a></span> I trust noone, but unlike <a href="https://infosec.space/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Microsoft</span></a>, <a href="https://infosec.space/tags/RedHad" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RedHad</span></a> didn't betray it's paying customers by literally shoving <a href="https://infosec.space/tags/Govware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Govware</span></a> <a href="https://infosec.space/tags/Backdoors" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Backdoors</span></a> into critical compontents like the <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a>... </p><p><a href="https://github.com/kkarhan/windows-ca-backdoor-fix" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/kkarhan/windows-ca-</span><span class="invisible">backdoor-fix</span></a></p>
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://mas.to/@tokyo_0" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>tokyo_0</span></a></span> <a href="https://infosec.space/tags/TrueCrypt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TrueCrypt</span></a> is <a href="https://infosec.space/tags/abandonware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>abandonware</span></a> with serious security issues. </p><ul><li><em>DO NOT USE TRUECRYPT FFS!!!</em></li></ul><p>Use <a href="https://infosec.space/tags/VeraCrypt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>VeraCrypt</span></a> or even better: migrate machines to <a href="https://infosec.space/tags/Linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Linux</span></a> and use <a href="https://infosec.space/tags/LUKS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LUKS</span></a> / <a href="https://infosec.space/tags/dmcrypt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dmcrypt</span></a> instead, as it's the best option at hand.</p><ul><li>If you need to shuttle data to <a href="https://infosec.space/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a> and <a href="https://infosec.space/tags/macOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>macOS</span></a> machines and using <a href="https://infosec.space/tags/SFTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SFTP</span></a> / <a href="https://infosec.space/tags/SSHFS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SSHFS</span></a> to mount a secure storage over the network isn't an option, than you're stuck with VeraCrypt, as <a href="https://infosec.space/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a>' <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> is evidently <a href="https://infosec.space/tags/backdoored" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>backdoored</span></a> to the point that every <a href="https://infosec.space/tags/Browser" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Browser</span></a> except <a href="https://infosec.space/tags/Firefox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Firefox</span></a> is susceptible to <a href="https://infosec.space/tags/SSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SSL</span></a> hijacking with background updates...</li></ul><p><a href="https://github.com/kkarhan/windows-ca-backdoor-fix" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/kkarhan/windows-ca-</span><span class="invisible">backdoor-fix</span></a></p>
xoron :verified:<p>"Encryption at Rest" for JavaScript Projects</p><p>Following a previous post (<a href="https://infosec.exchange/@xoron/113446067764347249" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@xoron/113446</span><span class="invisible">067764347249</span></a>), which can be summarized as: I'm tackling state management with an extra twist: integrating encryption at rest!</p><p>I created some updates to the WIP pull-request. The behavior is as follows.</p><p>- The user is prompted for a password if one isn't provided programmatically.<br> - This will allow for developers to create a custom password prompts in their application. The default fallback is to use a JavaScript prompt().<br> - It also seems possible to enable something like "fingerprint/face encryption" for some devices using the webauthn api. (This works, but the functionality is a bit flaky and needs to be fixed before rolling out.)<br>- Using AES-GCM with 1000000 iterations of PBKDF2 to derive the key from the password.<br> - The iterations can be increased in exchange for slower performance. It isn't currently configurable, but it might be in the future.<br> - The salt and AAD need to be deterministic and so to simplify user input, the salt as AAD are derived as the sha256 hash of the password. (Is this a good idea?)</p><p>The latest version of the code can be seen in the PR: <a href="https://github.com/positive-intentions/dim/pull/9" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/positive-intentions</span><span class="invisible">/dim/pull/9</span></a></p><p>I'm keen to get feedback on the approach and the implementation before i merge it into the main branch.</p><p><a href="https://infosec.exchange/tags/JavaScript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JavaScript</span></a> <a href="https://infosec.exchange/tags/Encryption" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Encryption</span></a> <a href="https://infosec.exchange/tags/IndexedDB" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IndexedDB</span></a> <a href="https://infosec.exchange/tags/WebDevelopment" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebDevelopment</span></a> <a href="https://infosec.exchange/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> <a href="https://infosec.exchange/tags/FrontendDev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FrontendDev</span></a> <a href="https://infosec.exchange/tags/ReactHooks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReactHooks</span></a> <a href="https://infosec.exchange/tags/StateManagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StateManagement</span></a> <a href="https://infosec.exchange/tags/WebSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebSecurity</span></a> <a href="https://infosec.exchange/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSource</span></a> <a href="https://infosec.exchange/tags/PersonalProjects" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PersonalProjects</span></a></p>
xoron :verified:<p>"Encryption at Rest" for JavaScript Projects</p><p>I'm developing a JavaScript UI framework for personal projects, and I'm tackling state management with an extra twist: integrating encryption at rest!</p><p>Inspired by this React Hook: Async State Management (<a href="https://positive-intentions.com/blog/async-state-management" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">positive-intentions.com/blog/a</span><span class="invisible">sync-state-management</span></a>), I’m extending it to support encrypted persistent data. Here's how:</p><p>✨ The Approach:</p><p>Using IndexedDB for storage.</p><p>Data is encrypted before saving and decrypted when loading using the Browser Cryptography API.</p><p>Event listeners will also be encrypted/decrypted to avoid issues like browser extensions snooping on events.</p><p>The password (should never be stored) is entered by the user at runtime to decrypt the data. (Currently hardcoded for now!)</p><p>The salt will be stored unencrypted in IndexedDB to generate the key.</p><p>🔗 Proof of Concept:<br>You can try it out here: GitHub PR (<a href="https://github.com/positive-intentions/dim/pull/8" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/positive-intentions</span><span class="invisible">/dim/pull/8</span></a>). Clone or run it in Codespaces and let me know what you think!</p><p>❓ Looking for Feedback:<br>Have I missed anything? Are there better ways to make this storage secure?</p><p>Let's make secure web UIs a reality together! 🔒</p><p><a href="https://infosec.exchange/tags/JavaScript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JavaScript</span></a> <a href="https://infosec.exchange/tags/Encryption" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Encryption</span></a> <a href="https://infosec.exchange/tags/IndexedDB" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IndexedDB</span></a> <a href="https://infosec.exchange/tags/WebDevelopment" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebDevelopment</span></a> <a href="https://infosec.exchange/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> <a href="https://infosec.exchange/tags/FrontendDev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FrontendDev</span></a> <a href="https://infosec.exchange/tags/ReactHooks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReactHooks</span></a> <a href="https://infosec.exchange/tags/StateManagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StateManagement</span></a> <a href="https://infosec.exchange/tags/WebSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebSecurity</span></a> <a href="https://infosec.exchange/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSource</span></a> <a href="https://infosec.exchange/tags/PersonalProjects" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PersonalProjects</span></a></p>
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://mstdn.social/@rysiek" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>rysiek</span></a></span> <a href="https://infosec.space/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Microsoft</span></a> blaming the <a href="https://infosec.space/tags/EU" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EU</span></a> for <a href="https://infosec.space/tags/CrowdStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CrowdStrike</span></a> when the most affected customers are <a href="https://infosec.space/tags/Airlines" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Airlines</span></a> from the <a href="https://infosec.space/tags/USA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>USA</span></a> that don't eben service Airports in <a href="https://infosec.space/tags/Europe" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Europe</span></a> <em>at all</em> is the biggest <em>insult to the intellect of everyone</em> since they denied <a href="https://infosec.space/tags/_NSAKEY" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>_NSAKEY</span></a> and their <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> <a href="https://infosec.space/tags/backdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>backdoor</span></a>:</p><p><a href="https://github.com/kkarhan/windows-ca-backdoor-fix" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/kkarhan/windows-ca-</span><span class="invisible">backdoor-fix</span></a></p>
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@malwaretech" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>malwaretech</span></a></span> thanks for adding another legendary <a href="https://infosec.space/tags/ITsec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ITsec</span></a> <a href="https://infosec.space/tags/fuckup" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fuckup</span></a> by <a href="https://infosec.space/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Microsoft</span></a> to the long list of *"<a href="https://infosec.space/tags/WontFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WontFix</span></a>" <a href="https://infosec.space/tags/Exploits" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Exploits</span></a> that prevent me from even touching <a href="https://infosec.space/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a> at all...</p><p>If a literal <a href="https://infosec.space/tags/Govware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Govware</span></a> <a href="https://infosec.space/tags/Backdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Backdoor</span></a> in the <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> <a href="https://github.com/kkarhan/windows-ca-backdoor-fix" rel="nofollow noopener" target="_blank">wasn't worse enough already</a>...</p>
TrendingLive feeds
Mastodon is the best way to keep up with what's happening.
Follow anyone across the fediverse and see it all in chronological order. No algorithms, ads, or clickbait in sight.
Create accountLoginDrag & drop to upload