Hi there. I’m a bug on the Internet.

Thoughts and research on security, privacy, and pharmacology.

Securing OpenSSH keys with hardware-based authentication (FIDO2)

Passwordless authentication with OpenSSH keys has been the de facto security standard for years. SSH keys are more robust than passwords because they are cryptographically strong by default, and are therefore resistant to brute-force attacks. They’re also easier to manage while enabling a form of decentralized authentication (revoking them is easy and painless). So, what’s the next step? And more precisely, why would one need something even better? The main problem with SSH keys is that they’re not magic: they consist of a key pair, of which the private key is stored on your disk....

April 9, 2022 · 5 min · Wonderfall
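As an added example (not code from the original post, nor from OpenSSH), here is the check a server operator wants once hardware-backed keys are in use: audit an authorized_keys file and flag every key whose private half still lives on disk, every FIDO2 key accepted without verify-required (no PIN or biometric on the token), and every key marked no-touch-required. The key type names (sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com), the option names and the blob wire format follow sshd(8) and OpenSSH’s PROTOCOL.u2f (assumed: OpenSSH 8.2 or later); the sample lines are constructed with filler key bytes and are not real keys.

```python
"""Audit an OpenSSH authorized_keys file for hardware-backed (FIDO2) keys.

Added example; not code from the original post or from OpenSSH. Key type
names, option names and the blob layout follow sshd(8) and OpenSSH's
PROTOCOL.u2f (assumption: OpenSSH >= 8.2). Sample keys below are constructed.
"""
import base64
import struct

# Key types whose private half is held by a FIDO2 authenticator.
FIDO2_KEY_TYPES = {
    "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def first_field(line):
    """Split at the first whitespace outside double quotes: (field, rest)."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""


def split_options(field):
    """Split an authorized_keys option list on commas outside double quotes."""
    out, cur, in_quote = [], [], False
    for ch in field:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def parse_line(line):
    """Return (options, keytype, blob, comment), or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    field, rest = first_field(line)
    if field.startswith(KEY_TYPE_PREFIXES):  # no options on this line
        options, rest = [], line
    else:
        options = split_options(field)
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    return options, keytype, base64.b64decode(b64, validate=True), comment


def blob_type(blob):
    """Key type embedded in the blob: uint32 length followed by the string."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def audit(text, require_verify=True):
    """Return [(keytype, comment, findings)] for every key in the file."""
    results = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, keytype, blob, comment = parsed
        findings = []
        if blob_type(blob) != keytype:
            findings.append("declared type does not match key blob")
        if keytype not in FIDO2_KEY_TYPES:
            findings.append("software key: private half lives on disk")
        else:
            if "no-touch-required" in options:
                findings.append("no-touch-required: malware on the client can sign without a human present")
            if require_verify and "verify-required" not in options:
                findings.append("verify-required missing: no PIN or biometric check on the token")
        results.append((keytype, comment, findings))
    return results


def fake_blob(keytype):
    """Constructed placeholder: correct type prefix, filler public-key bytes."""
    t = keytype.encode("ascii")
    raw = struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + b"\x00" * 32
    return base64.b64encode(raw).decode("ascii")


# Constructed sample file; none of these are real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    f"ssh-ed25519 {fake_blob('ssh-ed25519')} laptop-software-key",
    f"verify-required sk-ssh-ed25519@openssh.com {fake_blob('sk-ssh-ed25519@openssh.com')} yubikey-pin",
    'no-touch-required,command="/usr/bin/rrsync /backup" sk-ssh-ed25519@openssh.com '
    f"{fake_blob('sk-ssh-ed25519@openssh.com')} backup-token",
    f"ssh-ed25519 {fake_blob('sk-ecdsa-sha2-nistp256@openssh.com')} mislabelled",
])

if __name__ == "__main__":
    for keytype, comment, findings in audit(SAMPLE_AUTHORIZED_KEYS):
        status = "OK" if not findings else "; ".join(findings)
        print(f"{keytype:36} {comment:22} {status}")
```

Setting PubkeyAuthOptions verify-required in sshd_config enforces user verification for every FIDO2 key server-wide, but it does not reject ordinary software keys; that is what the first finding above catches, so the audit is worth running even on servers where the global option is already set.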

Docker and OCI: a humble hardening guide

Containers aren’t that new fancy thing anymore, but they were a big deal, and they still are. They are a concrete solution to the following problem: “Hey, your software doesn’t work…” “Sorry, it works on my computer! Can’t help you.” Whether we like them or not, containers are here to stay. Their expressiveness and semantics abstract away the OS dependencies of a piece of software, which is often dynamically linked against specific libraries....

March 30, 2022 · 19 min · Wonderfall

A brief and informal analysis of F-Droid security

This blog post has been taken over by PrivSec with my explicit permission, and will be continuously improved by other people. You can access this updated blog post on the PrivSec website. They will continue improving it without me. I decided to take down the original blog post of my own accord since I didn’t want too much attention from it, and this has very much become a burden. I was particularly saddened by the negative reactions which often resorted to personal attacks, rather than a healthy exchange focused on technical facts....

January 2, 2022 · 1 min · Wonderfall