228 private links
The scroll-animated graphic is well made. It goes through the different topics step by step.
Loading a resource can deanonymise a user:
- The Cloudflare CDN reveals which data center served a request: its Cf-Ray response header ends with the IATA airport code of that data center.
- A favicon cache works the same way: "Since every time you load their site, your browser automatically downloads this favicon, this means a user from each one of these locations has visited the Namecheap.com site within the 5 minutes, with the last visit from Tokyo, Japan." So if you send a specific piece of content created only to target one user, and then probe the CDN for it, you can learn from which data center the content was served (and therefore the nearest airport).
- As Signal uses Cloudflare caching for attachments, the same attack can be exploited there.
With an innocent-looking attachment, an attacker can deanonymise users and find their location within an approximate radius (tens of miles, depending on the data centers).
In this case it only works if the user clicks to download the attachment.
- A Signal push notification with an image can trigger the cache fill... so a 0-click exploit can exist.
If the target has push notifications enabled (which it is by default), they don't even have to open the Signal conversation for their device to download the attachment. [...]
An attacker can run this deanonymization attack any time and grab a user's current location without a single interaction.
- A similar exploit can be used on Discord with custom emojis: a custom emoji is custom content downloaded by one user.
Conclusion:
This attack can be used to track Signal accounts, correlate identities, find employees meeting with journalists and much more.
Any app using a CDN for content delivery and caching can still be vulnerable if the proper precautions aren’t taken.
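Both sides of the cache-probing attack summarised above, as an added example that is not code from the article, from Signal or from Cloudflare. The header names (cf-ray, cf-cache-status, Cache-Control) and the cf-ray format are the real ones; the probe results and the hardened response are constructed for the example, and the "one first request per data center" probing logic is an assumption about how the attacker collects them.

```python
import re
from dataclasses import dataclass

# cf-ray: "<16 hex ray id>-<IATA code of the Cloudflare data center that answered>"
_CF_RAY_RE = re.compile(r"^([0-9a-f]{16})-([A-Z]{3})$")

# cf-cache-status values meaning the object is handled by the shared edge cache;
# DYNAMIC and BYPASS mean it is never stored there.
_CACHED_STATES = {"HIT", "MISS", "EXPIRED", "STALE", "REVALIDATED", "UPDATING"}


@dataclass(frozen=True)
class EdgeObservation:
    colo: str          # airport code of the data center that served the response
    cache_status: str  # HIT, MISS, DYNAMIC, BYPASS, ...


def parse_edge_headers(headers):
    """Pull colo and cache status out of one response's headers (names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    m = _CF_RAY_RE.match(h.get("cf-ray", ""))
    if not m:
        raise ValueError("no Cloudflare cf-ray header: response did not traverse the CDN")
    return EdgeObservation(colo=m.group(2), cache_status=h.get("cf-cache-status", "").upper())


def colos_where_target_fetched(probes, attacker_colos_already_used=()):
    """Attacker side. `probes` holds the attacker's own first request for the unique
    attachment URL, sent through each data center. A HIT on that first request means
    someone else (the target's device) already pulled the object through that colo.
    Colos the attacker touched earlier are skipped: that earlier probe filled the cache
    itself, so a HIT there proves nothing."""
    seen = set(attacker_colos_already_used)
    located = set()
    for headers in probes:
        obs = parse_edge_headers(headers)
        if obs.colo in seen:
            continue
        seen.add(obs.colo)
        if obs.cache_status == "HIT":
            located.add(obs.colo)
    return located


def cache_exposure_finding(headers):
    """Defender side: report a response the shared edge cache stores, since every
    HIT/MISS on it leaks which data center (hence roughly where) the fetcher was."""
    obs = parse_edge_headers(headers)
    h = {k.lower(): v for k, v in headers.items()}
    if obs.cache_status in _CACHED_STATES:
        return (f"object is shared-cacheable at {obs.colo} (cf-cache-status={obs.cache_status}); "
                f"Cache-Control={h.get('cache-control') or 'absent'}; serve it private/no-store "
                f"and uncached at the edge")
    return None


# Constructed probe results for this example, not real captures: the attacker sent
# the unique attachment URL to the target, then requested it once via four colos.
SAMPLE_PROBES = [
    {"CF-RAY": "8d2f0b1a2c3d4e5f-CDG", "CF-Cache-Status": "MISS", "Cache-Control": "public, max-age=604800"},
    {"CF-RAY": "8d2f0b1a2c3d4e60-NRT", "CF-Cache-Status": "HIT", "Cache-Control": "public, max-age=604800"},
    {"CF-RAY": "8d2f0b1a2c3d4e61-LAX", "CF-Cache-Status": "MISS", "Cache-Control": "public, max-age=604800"},
    {"CF-RAY": "8d2f0b1a2c3d4e62-FRA", "CF-Cache-Status": "HIT", "Cache-Control": "public, max-age=604800"},
]
# Constructed hardened response: attachment served uncached with private/no-store.
HARDENED_RESPONSE = {"CF-RAY": "8d2f0b1a2c3d4e63-CDG", "CF-Cache-Status": "DYNAMIC",
                     "Cache-Control": "private, no-store"}

if __name__ == "__main__":
    # The attacker had already probed FRA for this URL, so that HIT is self-inflicted.
    print("target fetched via:", colos_where_target_fetched(SAMPLE_PROBES, ("FRA",)))  # {'NRT'}
    print(cache_exposure_finding(SAMPLE_PROBES[0]))
    print(cache_exposure_finding(HARDENED_RESPONSE))  # None
```

The practical caveat is in the attacker function: each data center can be probed only once per unique URL, because the probe itself populates the cache there. On the defending side, cf-cache-status is the signal to watch: if a per-recipient attachment ever shows HIT or MISS, the edge is caching it and the Cache-Control on the origin is not enough.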
Useful to get alerted when one website copies another or someone is copying your architecture.
I don't understand: 2FA in a password manager makes it vulnerable
For maximum security, you can store your 2FA token elsewhere, like a YubiKey (see Yubico Authenticator) or Google Authenticator, and keep the recovery codes safe somewhere outside your computer, but for general purpose use, storing your 2FA in your password manager is an acceptable solution due to the convenience benefits it provides.
I still think it is better to split passwords and 2FA on two systems for security purposes.
Using backdoors is double-edged: an attacker can exploit them too. For that reason among others, cybersecurity experts advise against backdoors.
Instead of plain hash functions to store passwords, use password-based key derivation functions (PBKDFs) such as Argon2id.
bcrypt should be avoided because of its huge footgun: it silently truncates inputs longer than 72 bytes. Okta AD/LDAP was vulnerable because of it.
Checksum functions such as CRC32 and xxh3 are optimised for pure speed and give no security guarantees about their output; it is easy to find collisions for a given checksum.
In 2024, based on I/O speeds, a hash function with a throughput of 1 GB/s per core is considered fast enough for most use cases.
I skip the speed part because it is not relevant for me: 100 MB/s or 1 GB/s does not make much difference.
SHA3 and the BLAKE family have produced secure hash functions that are also misuse-resistant.
A strength of >= 128 bits is considered secure. The security agencies' recommendations are a bit different: the recommended hash length ranges from 256 bits (NIST) to 512 bits (ECRYPT-CSA).
SHA3 comes in many variants; SHA2 is vulnerable to length extension attacks when used as a MAC over secret || message,
but BLAKE3 has none of these issues.
Post-quantum: Grover's algorithm halves the preimage and second-preimage security level (from 2^n to 2^(n/2) operations). The BHT algorithm predicts, however, that a quantum computer can find a collision in fewer operations than the classical 2^(n/2).
So SHA2 for convenience, or BLAKE for the rest. Only C and Rust have official BLAKE3 implementations, though.
The intention of this page is to collect and highlight malware written in the Rust programming language, so that malware reverse engineers have a collection of Rust samples to practice reversing on.
I open the "document upload" area on my mutual insurer's website, and I see a Thumbs.db.
Damn, yet another thing managed on Windows. Not only managed on Windows, but accessed through that wretched Windows File Explorer :facepalm:
I imagine the employees coming to double-click on the files uploaded by members 😬
The likely permission problems between directories, the slip-ups (between members) that happen all too easily when handling files with a mouse, etc.
The leak is still uncertain, but may well be real.
Adding a proof-of-work algorithm could work as well, judging by this experience.
I guess that the main lesson was that these particular spammers, are really low-effort creatures. You raise the bar a little, and they stop being effective.
How to better use JWTs
Icedrive
pCloud
Seafile
Tresorit
Each company reacts differently.
But some security experts have recently expressed strong concerns that the ME [the processors' Management Engine] could hide a backdoor, since it runs independently of the operating system and has access to memory, the network and the hardware.
Korben goes back over Intel's security history, with several demonstrated flaws...
Besides the security problems, the CSAC criticises the reliability of Intel products and Intel's attitude towards user complaints.
To be followed, since the CSAC has not yet published any evidence and Intel has not yet responded.
The purpose of the attack appears to be for intelligence collection as the hackers might have had access to systems used by the U.S. federal government for court-authorized network wiretapping requests.
This is why putting in a backdoor is risky.