CORS (Cross-Origin Resource Sharing) is hard. It's hard because it's part of how browsers fetch resources, and that is a set of behaviours that started with the very first web browser over thirty years ago. Since then, it has been a constant source of development: adding features, improving defaults, and papering over past mistakes without breaking too much of the web.
Anyway, I figured I'd write down pretty much everything I know about CORS, and to make things interactive, I built an exciting new app.
A password manager/generator that takes a master password, a URL, a username, and optionally a serial number (for when you have to change passwords) and (re)generates the password for you. Requires no database or third-party storage: the right password is always generated for you. Desktop versions, browser plugins, and a CLI tool.
No notepad feature, so no storing your 2FA recovery codes there.
The number of IMSI-catchers (rogue cell towers) has been steadily increasing in use by hackers and governments around the world. Rogue cell towers, which can be as small as your home router, pose a large security risk to anyone with a phone. If in range, your phone will automatically connect to the rogue tower with no indication to you that anything has happened. At that point, your information passes through the rogue tower and can leak sensitive information about you and your device. Currently, there are no easy ways to protect your phone from connecting to a rogue tower (aside from some Android apps which are phone specific and require root access).
This project demonstrates how you can create a rogue cell tower detector using a Raspberry Pi and a SIM 900 module. The detector can identify rogue towers and triangulate their location. The demonstration uses a SIM 900 GSM module to fingerprint each cell tower and determine the signal strength of each tower relative to the detector.
Tools, scripts and tips useful during Penetration Testing engagements.
The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.
The CSRC provides a searchable database of resources on the topic of counter-surveillance, with a focus on targeted surveillance against people who have things to hide. We want to help anarchists and other rebels acquire a practical understanding of the surveillance threats they may face in their struggles and in their lives. We prefer resources written by friends and understandable without prior technical knowledge.
A curated checklist of tips to protect your digital security and privacy.
A smart solution to the problem of passwords. Cloverleaf generates passwords on demand, using the name of the app you're making a password for and a master password to derive a passcode. Enter those two things and you don't need to store the passcode because you can re-generate it whenever you want.
Can be installed as a native app and used offline.
The HTTP response headers that this site analyses provide huge levels of protection and it's important that sites deploy them. Hopefully, by providing an easy mechanism to assess them, and further information on how to deploy missing headers, we can drive up the usage of security based headers across the web.
Script that detects whether a stranger is trying to use your laptop, or whether a stranger or an unauthorized driver is trying to drive your car. The script detects the face and sends you an email if the user is not recognized.
Repository containing useful links for all things Physical Security.
A curated list of awesome guides, tools, and other resources related to the security and compromise of locks, safes, and keys.
chasquid is an SMTP (email) server with a focus on simplicity, security, and ease of operation.
It sends and receives email as a typical MTA (for example, can be used instead of Postfix or Exim), and it is designed mainly for individuals and small groups.
It's written in Go, and is open source under the Apache License 2.0.
A wireless auditing tool implemented as a shell script that uses other tools to do the job.
A site that documents the practice of letterlocking - cleverly folding, cutting, and sealing letters in the 17th century for tamper evidence and security.
Builds an interactive map of security cameras from Shodan. Based on your address or coordinates, the script creates a map of Shodan-indexed cameras in your neighborhood. Requires a Shodan API key.
Teaching the server tech you need for development and production. Eliminating the frustration of server configuration. Databases, configuration management, containers, proxies, security, PHP, and much more.
With their small size and ubiquitous use, we’ve become quite accustomed to commercial home-monitoring camera systems — so much so that they tend to fade into their settings, even when prominently placed front and center. It’s an extension of camera-equipped-everything maneuvering us to take the constant recording of our lives for granted.
A curated list of resources for learning about vehicle security and car hacking.
Red Hat's online book of defensive programming techniques. Covers languages, specific programming tasks and software features, and implementing security features in a secure manner.