Practical Security


App, Data, Cloud and IoT Security

Docker container security

In its default configuration a docker container has pretty good baseline security. The technology behind containers is mature and time proven (chroot 1979, zones 2004, LXC 2007). Breaking out of one is like breaking out of a VM. Possible, but hard - I'm talking side channels, row hammering, cache busting... [Read More]

Why OpenDNS is bad

It fails unsafe. If your external IP changes and is not immediately updated in OpenDNS, then all previously blocked sites become available. It logs all your DNS requests by default. It can be easily circumvented by simply setting a different static DNS server on a box instead of using the one provided by... [Read More]

OAuth vs OpenID Connect

OAuth is not an authentication or authorization protocol. It's a scalable delegation protocol. OpenID Connect is an authentication protocol. It returns a JWT, not an access token. JWT [jot] (JSON Web Token) is a bunch of JSON docs, compacted and signed with a private key. There are 2 types: by... [Read More]

Stop SSH promiscuity

When asked for a public key authorization an SSH client will, in its default configuration, try all the keys available to it. This means it will expose all the keys you might have to any server that asks. Here is how to fix it if you value your privacy... [Read More]