Comparison between Wazuh and CrowdSec
Having gained quite a lot of practical experience with both Wazuh and CrowdSec host intrusion detection systems, I wanted to share a few notes on how these compare in real life.
What EU Digital Cash might look like
With increasing announcements about the introduction of EU Digital Cash, I wanted to demonstrate what this might look like in practice. The GNU Taler project is funded by the ECB, so it is a strong contender to provide the technology for EUDC.
The real story behind EU QWAC
In 2023 technical social media were shaken by a wave of criticism of EU QWAC (Qualified Website Authentication Certificate) which, according to the critics, was essentially a tool of mass surveillance. Below I demonstrate why this criticism was based largely on ignorance, carefully fueled by several US tech companies.
“Hope this email finds you well. Maintenance of pam_tacplus”
Few things annoy FOSS developers more than a huge, multi-billion IT corporation suddenly sending an email regarding an open-source project I’ve been running since the 1990s and recently shut down due to an absolute lack of interest from its users… which happened to be telcos and large IT companies. Here’s what I replied:
Linux server with UEFI Secure Boot and LKRG
UEFI Secure Boot is a useful control to prevent the trojanising of a server and is strongly recommended whenever you actually run a physical machine, either as a standalone server or as a host for virtual machines. On its own it’s not particularly difficult to configure with mainstream Linux distributions, thanks to the fact that the signing keys for distributions like Ubuntu are already distributed along with any modern BIOS. There’s one particular scenario where some customisations are required — when you run a Linux kernel in Secure Boot mode and want to load additional kernel modules.
Trusted software supply chains with SigStore
Trojanised libraries are a growing problem in the software supply chain, because almost every Java, PHP, Python or Node project typically uses a dozen third-party libraries which then chain-load further libraries. Compiling a Java project or installing a Node or Python project is a continuous stream of third-party libraries loaded from repositories such as Maven, NPM or PyPI — and abuse is just a matter of statistics.
Current state of security scanners for C/C++
A lot has improved over the last few years in terms of availability of C/C++ source code security scanners. Many scanners are now available for free for open-source projects, not only improving the security of commons code, but also allowing developers to get some hands-on experience and learn how they operate. In this part I’m discussing Synopsys Coverity, clang-analyzer and AddressSanitizer.
PRECIS, the next step in Unicode validation
PRECIS (Preparation, Enforcement, and Comparison of Internationalized Strings) is a framework for consistent and secure management of Unicode strings in web applications.
Why the “only security updates” approach is not sufficient
Many organisations, as a matter of principle, only apply product updates that are explicitly marked as security fixes. I argue why this policy is not sufficient, with examples of how general updates also have an impact on security.
State of web micropayments
As of 2021 there is little doubt that the world of web advertising is toxic and abusive for both the end users and content publishers, and negatively impacts web security. Are there any reasonable alternatives out there?
