Is it safe to whitelist my public IP on a server, even though I am behind CGNAT?

I have a few VPSs and databases in GCP. I can access them by whitelisting my IP, but just a few months ago my ISP rolled out CGNAT and I was affected. As far as I know, CGNAT allows multiple subscribers to share a single public IP.

Is it still safe to whitelist my IP, or do I need another means or an extra layer of protection?

Letting attacker control content-type, why is this safe?

I found a strange behavior of Shopify, where an attacker can change the extension on a URL and the backend will send back an HTTP content-type matching that extension, for each of these extensions:

atom: application/atom+xml
bmp: image/bmp
css: text/css
csv: text/csv
gif: image/gif
jpg: image/jpeg
json: application/json
js: text/javascript
mp3: audio/mpeg
mpeg: video/mpeg
mpg: video/mpeg
pdf: application/pdf
png: image/png
rss: application/rss+xml
svg: image/svg+xml
tiff: image/tiff
tif: image/tiff
txt: text/plain
xml: application/xml
yml: application/x-yaml
zip: application/zip

For example, https://gavinwahl-test.myshopify.com/.foo.yml returns ‘Content-Type: application/x-yaml’, even though it’s a 404. https://gavinwahl-test.myshopify.com/search.svg returns the actual search page HTML but with image/svg+html content-type.

The search page also allows you to insert [HTML-escaped] text of your choice: https://gavinwahl-test.myshopify.com/search.zip?q=%50%4b%05%06%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00 for example returns application/zip and is actually a valid zip file (despite having HTML around it).

It seems like there should be a vulnerability here. The search query is HTML escaped, but we can tell the browser to interpret it as some other content type, which may have different escaping rules. This has been done with EML (Microsoft Outlook Express mail message) files before. I know there are lots of vulnerabilities where content of one type is interpreted as a different content type, but Shopify claims that this practice is safe and not exploitable.

Is there actually a good argument that this is safe? Is there any way to get a reflected XSS payload through based on the content-type confusion?

(I have reported this as an issue to Shopify Security and they said it was safe, so I’m posting it publicly)
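The following is an added example, not part of the question above and not Shopify's code. It models the two halves of the observation with a constructed search-page template (assumed: the page HTML-escapes the query with the usual five metacharacters and otherwise reflects it byte-for-byte). First, the 22-byte zip End Of Central Directory record from the question's URL survives HTML escaping untouched, so a zip parser that scans backwards for that signature accepts the whole HTML page as an empty archive. Second, the same escaping that stops `<script>` in HTML also stops it in any XML-family type such as SVG, because both treat `&lt;` as text, which is the core of the "it's safe for XSS" argument: a format only becomes interesting when its metacharacters are not among the ones the HTML escaper touches.

```python
import html
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed stand-in for a search page that reflects the HTML-escaped query
# twice (attribute and body). This is NOT Shopify's template; only the
# escaping behaviour is modelled.
PAGE_TEMPLATE = (
    "<!DOCTYPE html><html><head><title>Search</title></head><body>"
    '<form action="/search"><input name="q" value="{q}"></form>'
    "<p>Results for: {q}</p></body></html>"
)

# The 22-byte zip End Of Central Directory record from the question's URL:
# signature PK\x05\x06 followed by eighteen zero bytes, i.e. an empty archive.
EOCD_EMPTY = b"PK\x05\x06" + b"\x00" * 18


def render_search_page(query: bytes) -> bytes:
    """Reflect the query the way an HTML-escaping template does: only & < > " '
    are rewritten; every other byte (NULs and PK\x05\x06 included) passes through."""
    escaped = html.escape(query.decode("latin-1"), quote=True)
    return PAGE_TEMPLATE.format(q=escaped).encode("latin-1")


def zip_entries(body: bytes):
    """Member names a zip parser finds in `body`, or None if it is not a zip.
    zipfile locates the EOCD by scanning backwards from the end, so the HTML
    before the record and the closing tags after it do not matter."""
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def reflected_svg_children(query: bytes):
    """Wrap the HTML-escaped reflection in an <svg> root and parse it as XML,
    returning the child element tags. '<' became '&lt;', which XML also reads
    as character data, so no element (and no <script>) can be created."""
    escaped = html.escape(query.decode("latin-1"), quote=True)
    root = ET.fromstring(f'<svg xmlns="http://www.w3.org/2000/svg">{escaped}</svg>')
    return [child.tag for child in root]


if __name__ == "__main__":
    page = render_search_page(EOCD_EMPTY)
    print("zip parser sees members:", zip_entries(page))          # []
    print("plain query is a zip:", zip_entries(render_search_page(b"shoes")))  # None
    print("svg children:", reflected_svg_children(b"<script>alert(1)</script>"))  # []
```

The zip case is harmless only because an empty archive contains nothing; the practical risk of this class of bug is in formats whose parsers ignore HTML metacharacters entirely and are consumed by something other than the browser's HTML engine, which is why the EML precedent the question mentions worked.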

How to ensure Windows 10 is safe from critical security hole reported by NSA on 2020-01-14?

All over the news today (2020-01-14) is the story that the NSA and Microsoft have reported a critical security vulnerability in Windows 10.

But I haven’t been able to find clear instructions about how to ensure that Windows Update has worked properly.

When I click the Start button and then type “winver” and click “Run command”, I see that I have Windows 10 Version 1803 (OS Build 17134.191).

When I go to Windows > Settings > “Update & Security” > “See what’s new in the latest update”, it bounces me to https://support.microsoft.com/en-us/help/4043948/windows-10-whats-new-in-recent-updates, which doesn’t seem to mention security at all.

The Windows Update feature itself seems flaky, confusing, and unreliable.

I’m the most tech-savvy in my large extended family, and I generally try to help others (especially older generations) keep their systems working well, but right now I’m struggling to find a set of steps I can walk them through to confirm that their systems are no longer vulnerable.

Is it safe to disable the bare/naked/root domain example.com and use www.example.com only?

This is a continuation of Making a DNS setup for 20+ domains hosted on the same IP address more manageable.

We’re already using the www version as primary. Each www is a CNAME to @, and @ resolves to an IP address.

For convenience, I am considering resolving each www to a common, shared CNAME and dropping @ altogether, because it can’t be a CNAME.

Provided the website doesn’t link to example.com anywhere internally, is it a good idea to keep only www.example.com? I figured that if someone types example.com and it does not exist, the browser will auto-try www.example.com, right?

Is it safe to run the Flutter SDK?

I have just downloaded Google’s Flutter framework from the official website. But when I run flutter doctor I get this message:

developer cannot be verified

“idevice_id” cannot be opened because the developer cannot be verified.

macOS cannot verify that this app is free from malware.

Firefox downloaded this file today at 15:27 from flutter.dev.

Should I be worried that I am running untrusted code from the internet, even if the project is powered by Google?

I use this device only for work/dev, but I have some sensitive files on this Mac.

But maybe the real problem is: why should a developer have to make a lot of security exceptions while working? Should I download binaries and run this code?

How safe is a password generated from words?

I loathe passwords with completely random letters and digits. It’s so much nicer to have a password made up of proper words. Even if the total length is much longer, it’s easier to memorize, transcribe, etc.

So I thought of this password generation scheme:

result = ""
while (result.length < 12)
  result += randomWord()
if (result.length < 16)
  result += shortRandomWord()
result += randomInteger(1000, 9999)

In this example, assume that randomWord() returns an English dictionary word of length 4 to 10, and shortRandomWord() returns one of length 4 to 5. This is sure to give you a password of length 16 to 21, made up of 2 to 5 words, plus the 4 random integers.

Is this a good password generator? How does its entropy compare to a function that generates a password of length 8 with random letters and digits?
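An added worked example, not part of the question above: it computes the Shannon entropy of exactly this generator against an attacker who knows the scheme and the dictionary, by enumerating every word-length pattern the while-loop can produce, and compares it with 8 uniformly random characters from a 62-symbol alphabet. The dictionary is an assumption: the per-length word counts below are constructed for illustration, not measured from a real wordlist, so the figures move with whatever list you actually use.

```python
import math

# Constructed word-length table: how many dictionary words have each length
# (4 to 10, as the question assumes). An illustrative assumption, not a real list.
WORDS_BY_LENGTH = {4: 2000, 5: 3000, 6: 3500, 7: 3500, 8: 3000, 9: 2000, 10: 1500}
SHORT_LENGTHS = (4, 5)      # shortRandomWord() draws from words of length 4 to 5
LOOP_TARGET = 12            # while (result.length < 12) result += randomWord()
SHORT_TARGET = 16           # if (result.length < 16) result += shortRandomWord()
DIGIT_CHOICES = 9000        # randomInteger(1000, 9999): 9000 equiprobable values


def scheme_entropy_bits(words_by_length=WORDS_BY_LENGTH):
    """Shannon entropy (bits) of the question's generator for an attacker who
    knows the scheme and the dictionary. Outcomes are counted as word
    sequences; if two sequences concatenate to the same string the true
    entropy is slightly lower, so the result is an upper bound.

    Returns {"entropy": bits, "mass": total probability (sanity check, 1.0),
             "expected_words": mean number of words in a password}."""
    n_total = sum(words_by_length.values())
    n_short = sum(words_by_length[l] for l in SHORT_LENGTHS)
    stats = {"entropy": 0.0, "mass": 0.0, "expected_words": 0.0}

    def walk(length, words, ways):
        # `ways` = number of distinct word sequences with this exact length
        # pattern; each has probability n_total ** -words under the loop.
        if length < LOOP_TARGET:
            for l, count in words_by_length.items():
                walk(length + l, words + 1, ways * count)
            return
        p = n_total ** -words / DIGIT_CHOICES      # probability of one outcome
        outcomes = ways * DIGIT_CHOICES
        if length < SHORT_TARGET:                  # one extra short word appended
            p /= n_short
            outcomes *= n_short
            words += 1
        stats["entropy"] += outcomes * p * -math.log2(p)
        stats["mass"] += outcomes * p
        stats["expected_words"] += outcomes * p * words

    walk(0, 0, 1)
    return stats


def random_string_entropy_bits(length=8, alphabet_size=62):
    """Entropy of `length` characters drawn uniformly from an alphabet
    (62 = a-z, A-Z, 0-9), the comparison the question asks for."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    s = scheme_entropy_bits()
    print(f"word scheme: {s['entropy']:.1f} bits, "
          f"{s['expected_words']:.2f} words on average")
    print(f"8 random alphanumerics: {random_string_entropy_bits():.1f} bits")
```

With the constructed table (18,500 words) the scheme comes out a few bits above the 47.6 bits of 8 random alphanumerics, almost all of it from the two to three dictionary words and the four digits; against an attacker who does not know the scheme the password is far stronger, but that is not the figure to rely on. Swap in the real list you generate from to get a figure you can quote.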

How are short passwords not safe on the web?

On all web services that require passwords, like Gmail, you are asked to set a long password, like 8 characters or more.

The reason being higher security.

But the same services limit the number of login attempts to 3-4 tries before locking your account and asking for more info, something which I find very annoying, but that’s another topic.

So how is a short password insecure if they limit login attempts? If the password has 5 characters, someone cannot try all combinations in just 3 attempts.
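An added example, not part of the question above, showing the attack the login-attempt limit never sees: once a site's password database leaks, the attacker hashes guesses on their own hardware, and the only thing standing between them and a 5-character password is the keyspace. The leaked record below is constructed (an unsalted SHA-256 of a 4-letter password, chosen so the demo finishes in well under a second); the keyspace arithmetic is generic.

```python
import hashlib
import itertools
import string

LOWER = string.ascii_lowercase


def sha256_hex(password: str) -> str:
    """The kind of unsalted, fast hash still found in leaked databases."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed leaked record: the attacker holds only the digest, not the password.
LEAKED_HASH = sha256_hex("fish")


def keyspace(alphabet_size: int, length: int) -> int:
    """Maximum number of guesses for a password of `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case time for an offline attacker at a given hash rate."""
    return keyspace(alphabet_size, length) / hashes_per_second


def crack_offline(target_hex: str, alphabet: str = LOWER, length: int = 4):
    """Try every `length`-symbol password over `alphabet` against the leaked
    digest. No login endpoint is involved, so no lockout applies: the attacker
    makes millions of 'attempts' per second instead of three."""
    for candidate in itertools.product(alphabet, repeat=length):
        guess = "".join(candidate)
        if sha256_hex(guess) == target_hex:
            return guess
    return None


if __name__ == "__main__":
    print("recovered:", crack_offline(LEAKED_HASH))                 # fish
    print("5 lowercase letters:", keyspace(26, 5), "guesses")        # 11881376
    # At a modest 1e9 SHA-256/s (commodity GPU territory) the whole 5-letter
    # space falls in a fraction of a second.
    print("worst case at 1e9 H/s:", seconds_to_exhaust(26, 5, 1e9), "s")
```

The per-account lockout also does nothing against password spraying, where one common password is tried once against many accounts, so the attempt limit protects a single account against online guessing and nothing else; length (and a slow, salted hash on the server) is what protects you once the database is stolen.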

How to make sure we are in a safe room?

This must have been asked before, but I cannot find it. The closest I found was this post, but it lacks (perhaps due to my limited understanding of the documents in it) a clear explanation of the preparations for, for example, a room where two world leaders would meet: why would both of them be confident enough to be sure that they are not being monitored?

Is reading from /dev/urandom on macOS Catalina a safe way to produce cryptographically secure data?

I’m reading a lot about the entropy of macOS…

I know it doesn’t use Yarrow anymore but, as per this FIPS 140-2 doc, a NIST-compliant DRBG.

I have read a lot:

https://github.com/briansmith/ring/pull/398
How can I measure (and increase) entropy on Mac OS X?
https://stackoverflow.com/questions/5832941/how-good-is-secrandomcopybytes
http://serverascode.com/2014/03/04/yarrow.html
https://stackoverflow.com/questions/3170500/random-number-generator-dev-random
https://stackoverflow.com/questions/42197958/secrandomcopybytes-provider-sha1prng-or-nativeprng-type-in-objc

I even mailed Craig F: https://apple.stackexchange.com/questions/362531/does-macos-still-use-yarrow-as-its-cryptographically-secure-pseudorandom-number

I see that SecRandomCopyBytes is now effectively using:

https://opensource.apple.com/source/xnu/xnu-4570.41.2/osfmk/corecrypto/ccdbrg/src/ccdrbg_nisthmac.c.auto.html

While /dev/urandom uses:

https://opensource.apple.com/source/xnu/xnu-4570.41.2/osfmk/prng/random.c.auto.html

I have a lot of old code using /dev/urandom. On Catalina, is it still valid to use /dev/urandom for key material? Is it cryptographically secure?

I don’t want to port everything to a macOS specific lib.

Even libsodium seems to use /dev/random, so I guess it’s OK?
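An added example, not part of the question above and not an answer to which XNU generator backs the device: whatever the kernel's DRBG, the usual defect in "much old code using /dev/urandom" is in the reading, not the source. It is written in Python for portability (the same pattern applies to the C read(2) loop): read(2) may legally return fewer bytes than asked for, a returned 0 must be treated as failure rather than padded, and the descriptor should be close-on-exec so a forked child cannot inherit it. The second function shows the portable preference order: the OS-backed API first (os.urandom/secrets), the device only as a fallback. Both ultimately draw from the kernel CSPRNG; the example does not assume anything macOS-specific.

```python
import os
import secrets


def read_random_device(n: int, path: str = "/dev/urandom") -> bytes:
    """Read exactly n bytes from a character device.

    Loops because read() may return fewer bytes than requested; a zero-length
    read means the device is broken and is reported, never silently padded.
    O_CLOEXEC keeps the descriptor out of any child process we later exec."""
    if n < 0:
        raise ValueError("n must be non-negative")
    out = bytearray()
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_CLOEXEC", 0))
    try:
        while len(out) < n:
            chunk = os.read(fd, n - len(out))
            if not chunk:
                raise OSError(f"short read from {path}: got {len(out)} of {n} bytes")
            out += chunk
    finally:
        os.close(fd)
    return bytes(out)


def key_material(n: int = 32) -> bytes:
    """Key-grade random bytes: prefer the OS-backed API (secrets/os.urandom,
    which use getentropy()/getrandom() where the platform provides them) and
    fall back to the device only if the API reports no usable source."""
    try:
        return secrets.token_bytes(n)
    except (NotImplementedError, OSError):
        return read_random_device(n)


def looks_fresh(a: bytes, b: bytes) -> bool:
    """Cheap sanity check used by the demo: two independent draws of the same
    length must not be identical (a stuck or replayed source would fail this).
    This is not a statistical test of the generator."""
    return len(a) == len(b) and a != b


if __name__ == "__main__":
    k1 = key_material(32)
    k2 = read_random_device(32)
    print(k1.hex())
    print(k2.hex())
    print("distinct draws:", looks_fresh(k1, k2))   # True
```

The check that matters for key material is not which device name you open but that the bytes come from the kernel CSPRNG after it is seeded and that your read logic cannot return a short or zero-filled buffer; the loop above is what old code most often gets wrong.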