PrivSec.dev https://privsec.dev/ Recent content on PrivSec.dev Hugo -- gohugo.io Wed, 30 Mar 2022 21:23:12 +0000 Docker and OCI Hardening https://privsec.dev/os/docker-and-oci-hardening/ Wed, 30 Mar 2022 21:23:12 +0000 https://privsec.dev/os/docker-and-oci-hardening/ Containers aren’t that new fancy thing anymore, but they were a big deal. And they still are. They are a concrete solution to the following problem: - Hey, your software doesn’t work… - Sorry, it works on my computer! Can’t help you. Whether we like them or not, containers are here to stay. Their expressiveness and semantics allow for an abstraction of the OS dependencies that a software has, the latter being often dynamically linked against certain libraries. F-Droid Security Analysis https://privsec.dev/apps/f-droid-security-analysis/ Sun, 02 Jan 2022 21:28:31 +0000 https://privsec.dev/apps/f-droid-security-analysis/ F-Droid is a popular alternative app repository for Android, especially known for its main repository dedicated to free and open-source software. F-Droid is often recommended among security and privacy enthusiasts, but how does it stack up against Play Store in practice? This write-up will attempt to emphasize major security issues with F-Droid that you should consider. Before we start, a few things to keep in mind: The main goal of this write-up was to inform users so they can make responsible choices, not to trash someone else’s work. About Us https://privsec.dev/about/ Mon, 01 Jan 0001 00:00:00 +0000 https://privsec.dev/about/ PrivSec.dev is made by a group of enthusiastic individuals looking to provide practical privacy and security advice for the end user. We are security researchers, developers, system administrators… generally people with technical knowledge and work in the field. We focus on in-depth system configuration, security analysis, and software/hardware recommendations. Our site is based on technical merits, not ideologies and politics. Tommy System Administrator. Benevolent dictator for life @privsec.dev. Website: tommytran.io Donate https://privsec.dev/donate/ Mon, 01 Jan 0001 00:00:00 +0000 https://privsec.dev/donate/ The domain costs us $12/year to renew from Google. We got our repository hosted for free on GitHub. We got our site hosted for free with Firebase. It costs Tommy ~$20/month to run the mail server, but that server is used for a bunch of his projects, not just PrivSec, and we doubt it will be used that much anyways. The point is, this website does not cost much to run, and as such we will not be accepting donation as a project. Linux Insecurities https://privsec.dev/os/linux-insecurities/ Mon, 01 Jan 0001 00:00:00 +0000 https://privsec.dev/os/linux-insecurities/ There is a common misconception among privacy communities that Linux is one of the more secure operating systems, either because it is open source or because it is widely used in the cloud. This is however, a far cry from reality. There is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, Whonix’s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post. Multi-factor Authentication https://privsec.dev/knowledge/multi-factor-authentication/ Mon, 01 Jan 0001 00:00:00 +0000 https://privsec.dev/knowledge/multi-factor-authentication/ Multi-factor authentication is a security mechanism that requires additional verification beyond your username (or email) and password. This usually comes in the form of a one time passcode, a push notification, or plugging in and tapping a hardware security key. Common protocols Email and SMS MFA Email and SMS MFA are examples of the weaker MFA protocols. Email MFA is not great as whoever controls your email account can typically both reset your password and recieve your MFA verification.