Open jermanuts opened 2 years ago
Sure! First link is already included in https://github.com/beerisgood/Smartphone_Security
I will check your second one
https://wonderfall.dev/docker-hardening All of it https://www.privacyguides.org/basics/threat-modeling/ left section
I added all but the last one. Thanks! Your name is also listed in these new commits.
If you don't have more stuff, I would close this issue for now.
Thanks for adding some of them!
Got more suggestions :)
https://research.nccgroup.com/2021/10/27/public-report-whatsapp-end-to-end-encrypted-backups-security-assessment/ a research done also on whatsapp E2EE backups https://sudneela.github.io/posts/the-workings-of-whatsapps-end-to-end-encrypted-backups/
https://www.ndss-symposium.org/ndss-paper/improving-signals-sealed-sender/ the video is well explained too.
https://www.scss.tcd.ie/Doug.Leith/pubs/gboard_kamil.pdf
Add https://www.hardenize.com/ , https://mxtoolbox.com/ to "How to test your eMail provider (security & privacy)"?
Also https://youtu.be/aC9Uu5BUxII (monreo)
(An Antivirus does not improve your security)
Most of these links are dead and not technical but rather opinion based; maybe in future add an archive.org or archive.ph link when referencing a tweet.
Only first link is dead. @Zanthed @terezipyrope
But yeah, they're not technical. Will check your other links. Thanks
https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html https://www.cryptofails.com/post/70546720222/telegrams-cryptanalysis-contest , https://portswigger.net/daily-swig/multiple-encryption-flaws-uncovered-in-telegram-messaging-protocol. Also no E2EE by default, only when enabling secret chat; secret chat isn't available on desktop, and some groups are censored by App Store/Play Store.
https://matt.traudt.xyz/posts/2019-10-17-you-want-tor-browser-not-a-vpn/ https://madaidans-insecurities.github.io/encrypted-dns.html , https://madaidans-insecurities.github.io/browser-tracking.html https://madaidans-insecurities.github.io/security-privacy-advice.html#email https://www.privacyguides.org/basics/account-deletion/ https://www.privacyguides.org/advanced/erasing-data/#erasing-specific-files https://www.privacyguides.org/basics/email-security/#email-metadata-overview https://www.youtube.com/watch?v=QRYzre4bf7I (well explained TOR) https://www.youtube.com/watch?v=lVcbq_a5N9I (well explained TOR hidden services)
I added most of it and also mentioned you again in the commits. Thank you!
Thanks, glad you liked them.
https://www.bejarano.io/sms-phishing/ https://mega-awry.io/ (mega.nz flaws, don't trust encrypted storage clouds use cryptomator to upload your files to the cloud) https://mjg59.dreamwidth.org/59479.html (The Freedom Phone is not great at privacy)
Added
Last link added in https://github.com/beerisgood/Smartphone_Security/blob/main/README.md
https://tonyarcieri.com/4-fatal-flaws-in-deterministic-password-managers https://www.ietf.org/archive/id/draft-nottingham-avoiding-internet-centralization-05.html https://pseudorandom.resistant.tech/federation-is-the-worst-of-all-worlds.html https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser https://rohanrd.xyz/posts/why-you-should-start-self-hosting/
EDIT: do you think the last 2 links fit/related to security?
Not related. Do you have any way of contacting? Might invite you to servers where you meet like-minded people or for discussing some topics.
Password manager link added. Thanks
I read about Meta the other day, but since Meta itself is a problem, I don't see the point of recording individual things about it. Regarding the other links, I have no use for them.
I am only active on GitHub. All other community platforms are always crap, from the users or even from the moderation, and I don't want that anymore.
Thanks for replying. I was going to recommend #grapheneos:grapheneos.org and https://matrix.to/#/#privacyguides:matrix.org anyway; privacyguides is probably not as aggressive as grapheneos when it comes to moderation.
What about https://github.com/beerisgood/Security-link-collection/issues/1#issuecomment-1201232671 https://www.hardenize.com/ , https://mxtoolbox.com/ ? They seem to be more accurate than the ones recommended in this repo.
https://github.com/guardianproject/haven/issues/454 (haven is broken). Tox has had a severe vulnerability since 2017 that has yet to be fixed as of July 2022, where messages are spoofable. https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html
Mind changing the antivirus part in this repo with https://privsec.dev/knowledge/badness-enumeration/#antiviruses instead as we discussed https://github.com/beerisgood/Security-link-collection/issues/1#issuecomment-1201416999
GrapheneOS is already listed in my Smartphone repository. PrivacyGuides isn't that good.
Will check your newest links
What about #1 (comment) https://www.hardenize.com/ , https://mxtoolbox.com/ ? They seem to be more accurate than the ones recommended in this repo.
While they're nice, both don't provide any further information or are even bloated with too much different stuff.
Added the other ones
Thanks for the superuser link. Added! Second link isn't added because it highlights Tor Browser so much. Same reason why I don't add the one from madaidan.
IPFS isn't worth a word in my opinion.
np, you are on HN rn https://news.ycombinator.com/item?id=32458440 if you don't know yet. Maybe in the future the security links repo will be posted on HN when more links are added to it. Keep it up :)
I use HN and lobste.rs to get these security links and steal from blogs that post references or footnotes lol
I was wondering where the rush of new likes was coming from.
Thank you!
https://www.michaelhorowitz.com/VPNs.on.iOS.are.scam.php Thought we were going to take a break from these amazing blogs, but this one just popped up on HN.
Also I have collected some links that might be interesting for you, not related to this repo! https://github.com/PrivSec-dev/privsec.dev/discussions/45#discussion-4300293
Thanks! Will add the link to smartphone security repository.
Yeah, I follow PrivSec. I keep an eye on these links.
The latest Electron addition can be added with "Electron no sandbox" in this repo. Also add https://mullvad.net/en/blog/2020/5/4/ios-vulnerability-puts-vpn-traffic-risk/ beside https://www.michaelhorowitz.com/VPNs.on.iOS.are.scam.php as they have a mitigation method (in the smartphone security repository).
Add https://krausefx.com/blog/announcing-inappbrowsercom-see-what-javascript-commands-get-executed-in-an-in-app-browser . Thanks
Link added, but not the Mullvad one, as they promote their VPN too much in that article and I'm generally against using a VPN.
Thanks!
https://ar.al/2022/08/30/dear-linux-privileged-ports-must-die/
Edit: you added discussion :eyes: too late I guess lol
Thanks! Added
Nice! I added the blog post
Thanks! Added
Hello,
Here is a link on password strength that might be useful to your list, assuming you accept the French language.
Rather than using the common method, which stupidly tells you whether your password is weak or strong and then how long a graphics card would take to break it by brute force (its results are usually not based on anything clear to you), the point here is to estimate the strength of your password by comparing it with cryptographic techniques. If the entropy of the password is 60 bits, you should probably change it if you want to use a password that is more resilient to exploitation.
Obviously, the password itself is an old concept that suffers from issues that cannot be fixed.
https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe/
Thanks! Good site. However, passwords are not so important nowadays. Two-factor and especially PassKeys are the better solutions.
You're welcome.
Yes, exactly. A 2007 study (I'm not sure of the date) indicates that the average password has 40 bits of entropy, and I'm not convinced that this has changed much. Anyway, a strong password is useless if the server suffers a data leak and the data was stored in clear text, which is not rare.
https://www.microsoft.com/en-us/research/wp-content/uploads/2006/11/www2007.pdf
MFA and 2FA are useful if they are well implemented; I use it with some of my accounts (Aegis).
Passkey also seems to me to be the new way to go. I'm tired of passwords, but it will take some work, a change of habits and the correction of other problems; its democratization will probably be better for everyone.
Two new potential links for your list:
Ungoogled Chromium: https://qua3k.github.io/ungoogled/ Tillitis Key: https://www.tillitis.se/
Ungoogled Chromium: https://qua3k.github.io/ungoogled/
Thanks. Added
Tillitis Key: https://www.tillitis.se/
"Release: 2023-03-23" "TKey's design encourages developers to experiment"
I actually don't see any advantages over Yubikeys. Nitrokeys are also open source but not as good as Yubikeys.
Thanks. Added!
https://github.com/jmau111-org/windows_security
https://github.com/TokTok/c-toxcore/issues/426 (you can spoof messages)
Don't use onion browser due to webkit limitations use https://github.com/guardianproject/orbot-apple instead
Interesting technique https://textslashplain.com/2023/01/11/attack-techniques-phishing-via-local-files/
I actually don't see any advantages over Yubikeys. Nitrokeys are also open source but not as good as Yubikeys.
This is a legitimate question you are asking, and I don't know the answer. I just read that the key would be FPGA based, which would be better for running open hardware, while Nitrokey would not be, from what I read. There is a discussion here:
https://news.ycombinator.com/item?id=32896580
Anyway, the competition is good and leaves the choice to use another security key with open hardware too. TKey is developed by Amagicom AB, and they are not just anyone, which probably adds confidence.
Another link: tracking and fingerprinting don't need JavaScript and can work with CSS; example here with tracking the cursor without JavaScript:
https://web.archive.org/web/20190508203229/https://twitter.com/davywtf/status/1124146339259002881
Sadly the Twitter link is down, and I like to add only reachable links. I know about tracking with just CSS, and this is just one tracking method among many.
Thanks! Added
Added!
https://malwaretips.com/threads/sandboxie-should-be-avoided-in-2019-and-above.93426/ (might be good to mention it in your hardening guide as insecure software)
While I agree, this post is old and needs further research.
Nice info about another Linux insecurity
https://wonderfall.dev/fdroid-issues/ https://cronokirby.com/posts/2021/06/e2e_in_the_browser/