But guess what, the world will just move forward regardless of how bad your eyes become.

So, it’s time to upgrade your monitor, a great, very informative essay.

To sum up, this is the best setup for programmers:

1. Text can’t be made look good on low-resolution displays.
2. High-PPI displays are now a commodity, it’s time to switch.
3. Notebooks are ok, but a standalone monitor is always better.
4. 4K monitor only makes sense with 2x / 200% scaling.
5. If you want to got further, there are now affordable 4K @120 Hz options.

https://tonsky.me/

Guess how many type of ransomware out there? Believe it or not, there are thousands, definitely not covered by the image below:

Not anymore with the use of TLS, StartTLS, or even better S/MIME which is suitable for your most sensitive information.

Every email sent through TLS is encrypted to protect the message in transit from one server to another. It requires both mail servers to follow along in order for the encryption to work. But not all mail servers are equally made. If an email is sent via TLS but the other end doesn’t accept TLS, the email will be degraded from TLS. Like back to the old days, email gets decrypted and delivered in plain text. Bad news for you but good news for the man in the middle.

According to Google, during a 3-month period between March 11, 2019, and June 9, 2019, 89% of emails going out from Gmail and 94% of email received by Gmail are encrypted. And who are the top bad guys?

So how to tell if my incoming emails are encrypted

Gmail

Google is on top of a lot of things. This is no different. If you are using Gmail as your main mail app, you can easily tell whether the email you received has never been intercepted by the man in the middle.

When you get an email, click the little down arrow to reveal the header and you will find if the message was received through TLS or other encryption method.

Outlook

Not as easy as Gmail but still can be done. Open the email you received from outside, click File > Properties.

And look through the Internet headers section. If you see the word TLS in there somewhere you can safely tell your email is safe during the transition.

How to tell if email I am sending is encrypted

For Gmail, if you have S/MIME enabled on your account, you will see a lock icon that shows the level of encryption supported by your message’s recipients. Otherwise, there is no direct way to tell whether your email will be safe all the way to the other end.

But there are a few workarounds that we can still take.

First, we can start with an introduction email and only start sending confidential content after receiving one email from other party and verified that it’s safe.

Or, we can use a TLS checker to scan and verify that the mail server used by the domain you are communicating with supports at least TLS. It’s safe to email me confidential stuff because it’s OK in the TLS column like below.

But never send confidential emails to the mail server that’s not safe like below.

Last, if you are using Gmail and need the highest security for sending confidential via email, you can turn on the Confidential Mode so entire email communication will be secured.

SPF, Sender Policy Framework, allows the receiver to check that an email claiming from a specific domain comes from an IP address authorized by that domain’s admin. A typical SPF record is a TXT DNS entry similar to this:

 "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all" 

it simply tells that emails from the specific domain are sent either from 192.0.2.0/24 or 198.51.100.123 or should be rejected if came from anywhere else.

Tool to check SPF record: https://mxtoolbox.com/spf.aspx

DKIM, DomainKeys Identified Mail, allows the receiver to check that an email claiming from a specific domain was indeed authorized by the owner of that domain. It requires a digital signature linked to a domain name for each outgoing email message. At the receiver end, the email can be verified by looking up the sender’s public key in DNS. To achieve this, you will need a public key entry in the domain’s DNS as well as a digital certificate on the mail server.

You don’t need to implement both SPF and DKIM. Utilizing either one of them should be good enough.

/Update on May 7, 2019/

Thanks to Dave for pointing out that you do need both SPF and DKIM. Yes, SPF and DKIM accomplish the same goal with a different approach. Implementing both would be ideal. I should have pointed out that most of the mail providers like Office 365 and G Suite have default DKIM in place for those who don’t have it implemented. It’s always recommended to use your own DKIM key on all outgoing messages.

Tool to verify DKIM setup: https://mxtoolbox.com/DKIM.aspx

To set up and enable DKIM in Office 365, follow this documentation.

DMARC, Domain-based Message Authentication, Reporting, and Conformance extends both SPF and DKIM and gives the domain owners a way to protect their domain from unauthorized use, a.k.a email spoofing. A TXT entry was added in DNS as a policy to specify which mechanism (SPF or DKIM) is employed when sending emails from that domain and how to check From field presented to end-users.

"v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dmarcreports@example.com;"

it simply translates that DMARC version 1 will be used with none in Policy, Quarantine in the subdomain, percentage of “bad” emails to apply the policy, and an email address to receive aggregate reports.

Note that _dmarc needs to be in the Host field when adding the TXT record. You will need to set up either SPF or DKIM first before setting up DMARC. A message that doesn’t pass SPF or DKIM checks triggers the DMARC policy.

Once it’s published, the mailbox specified in the entry will be getting reports in XML format once per day.

It’s recommended to set the policy to none when first implemented so no impact will be made to your email setup. Once you have collected enough data and analyzed it, you can then change the policy to either reject or quarantine.

Tool to verify DMARC record:

• https://mxtoolbox.com/DMARC.aspx
• https://www.learndmarc.com/ – a visual breakdown of how email servers communicate, giving you a better understanding of SPF, DKIM and DMARC and how they work together.

Resource

• SPF Wiki – https://en.wikipedia.org/wiki/Sender_Policy_Framework
• DKIM Wiki – https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
• DMARC Wiki – https://en.wikipedia.org/wiki/DMARC
• DMARC – https://dmarc.org/overview/
• Email Authenticity 101 – https://www.alexblackie.com/articles/email-authenticity-dkim-spf-dmarc/

OSINT framework focused on gathering information from free tools or resources. The intention is to help people find free OSINT resources. Some of the sites included might require registration or offer more data for $$$, but you should be able to get at least a portion of the available information for no cost.

I originally created this framework with an information security point of view. Since then, the response from other fields and disciplines has been incredible. I would love to be able to include any other OSINT resources, especially from fields outside of infosec. Please let me know about anything that might be missing!

A good resource, displayed in a cool tree view, when searching for free tools for gather information.

The Voice Kit was launched last year and was a huge success. It lets you build your own natural language processor and connect it to the Google Assistant. All fits in a handy little cardboard cube powered by a Raspberry Pi.

The release of version 2 upgrades the kit with a recently released Raspberry Pi Zero WH and a micro SD card with preloaded OS to help you get started without having to set the card up themselves.

If you need more, how about a Vision Kit to make an intelligent camera that experiences with image recognition using machine learning. All is packed also in a cupboard powered by a Raspberry Pi.

Both Voice and Vision kits are available from Target in the US.

If someone accidentally adds dots to your address when emailing you, you’ll still get that email. For example, if your email is johnsmith@gmail.com, you own all dotted versions of your address:

• john.smith@gmail.com
• jo.hn.sm.ith@gmail.com
• j.o.h.n.s.m.i.t.h@gmail.com

The intention of this is good but it also opens a door for a phishing scam. Here is an example.

James Hfisher received an email from Netflix asking him to update his payment details.

Since the email is genuinely from Netflix, he clicked the link. It logged him in and directed him to an “Update your credit or debit card” page, which again is genuinely hosted on Netflix. No phishing spotted so far.

But then, he found that he doesn’t recognize the credit card number shown on the Update page, never seen that number and certainly never used one. What’s going on?

James finally realized that the email was sent to james.hfisher@gmail.com with a dot in it while the one he uses doesn’t. The email was supposed to be bounced but instead, it ended up in James’ inbox, thanks to Gmail’s dots don’t matter feature.

Here is how this runs down, concluded by James eventually.

1. Hammer the Netflix signup form until you find angmail.com address which is “already registered”. Let’s say you find the victim,jameshfisher
2. Create a Netflix account with address,james.hfisher.
3. Sign up for a free trial with a throwaway card number.
4. After Netflix applies the “active card check”, cancel the card.
5. Wait for Netflix to bill the canceled card. Then Netflix emailsjames.hfisher for a valid card.
6. Hope Jim reads the email to james.hfisher, assumes it’s for his Netflix account backed by jameshfisher, then enters his card,**** 1234.
7. Change the email for the Netflix account to eve@gmail.com, kicking Jim’s access to this account.
8. Use Netflix free forever with Jim’s card **** 1234!

So, dots do matter in some cases.

/via James Hfisher/

Life is about to get a whole lot harder for websites without HTTPS – Troy Hunt

It’s taken us a while, but finally we’re getting to a “secure by default” web!

What Every Developer Must Know about HTTPS – Troy Hunt

So that’s what I’ve created and I’m enormously happy to now see it up live on Pluralsight. If you’ve not tried them before, you can get into it for less than $1 a day and gain immediate access to thousands of courses, including some very good content on HTTPS

I wanna go fast: HTTPS’ massive speed advantage – Troy Hunt

This is all simply a test of “what’s the fastest we can go over HTTP versus what’s the fastest we can go over HTTPS”. I don’t want fair, I want fast. If you wanna go fast, serve content over HTTPS using HTTP/2.

A Journey to Get an EV – Troy Hunt

It’s a 14-page long journey Troy took to get a green EV for Have I been Pwned. Does it worth the effort?

This whole EV cert thing is hard to measure in terms of value; I have no idea how many more people will put their email address into HIBP or how much more media or good will or donations it will get. No idea at all.

But what I do know is that it adds transparency and legitimacy to a realm that as I mentioned earlier, tends to be inhabited by a lot of shady characters and that’s gotta count for something.

On the Value of EV Certs, Commercial CAs, Phishing and Let’s Encrypt – Troy Hunt

The bottom line is that as of today, the effectiveness of EV certs is entirely dependent on people recognising what they mean and actually adapting their behaviour accordingly. It’s hard to argue with that.

Are EV certificates worth the paper they’re written on? – Scott Helme

I’m not opposed to the idea or the value of EV certificates but right now they just seem like a nice revenue stream for CAs. The technical and user issues outlined above need to be addressed before EV can have real value. The amount of information and mis-information surrounding them really doesn’t help and there’s also some pretty wild claims from CAs about what EV can do.

Debunking the fallacy that paid certificates are better than free ones – Scott Helme

When you look at a certificate the only thing we really care about is whether or not the browser is going to accept it, we care if the certificate is valid. To be valid there are various technical criteria outlined above regarding it’s format, the fields it contains and the data inside them that must be met. There’s also criteria around how it was issued that the CA must adhere to and all of this plays a part in the ultimate determination made by the browser about the certificate itself. Whether or not anyone handed over some hard-earned cash to purchase the certificate simply does not matter one bit. The browser doesn’t even have knowledge of whether that happened and there’d be no way and no need for it to do so. There’s absolutely no difference between a free certificate and one that you had to shell out some cash for.

Do SSL warranties protect you? – Scott Helme

All in all, the idea of a warranty on a certificate just seems like some marketing fluff for the CA to add to their sales page. The chances of this being useful are close to non-existent and there doesn’t appear to be a viable way for a consumer to prove the certificate was the cause anyway.

Certificate Transparency, an introduction – Scott Helme

Certificate Transparency is an open framework for monitoring and auditing the certificates issued by Certificate Authorities in near real-time. By requiring a CA to log all certificates they generate, site owners can quickly identify mis-issued certificates and it becomes much easier to detect a rogue CA.

HSTS – The missing link in Transport Layer Security – Scott Helme

HSTS allows for a more effective implementation of TLS by ensuring all communication takes place over a secure transport layer on the client side. Most notably HSTS mitigates variants of man in the middle (MiTM) attacks where TLS can be stripped out of communications with a server, leaving a user vulnerable to further risk.

Understanding HTTP Strict Transport Security and preloading it into the browser – Troy Hunt

As HTTPS becomes more ubiquitous across the web, this feature should really start to gain traction and hopefully initiatives like Let’s Encrypt will help expedite that (note also that this is now being reported as “Arriving September 2015”). It’s good times for those wanting to further protect their web assets and not so good for those wanting to intercept other people’s traffic.

The 6-Step “Happy Path” to HTTPS – Troy Hunt

1. Get a free cert
2. Add a 301 “Permanent Redirect”
3. Add HSTS
4. Change Insecure Scheme References
5. Add the upgrade-insecure-recquests CSP
6. Monitor CSP reports

5 ways to implement HTTPS in an insufficient manner – Troy Hunt

it doesn’t matter how many pages you’re loading securely or how many padlock icons or vendor certifications you drop on the site, once you start sending auth cookies around insecurely, you’re toast. It’s completely pointless to secure those personal details in transit but then let the auth cookie which can load them back up float around in the clear. That is a very insufficient use of HTTPS indeed.

5 ways to tackle an insufficient HTTPS implementation – Troy Hunt

The simpe way of doing this is for HTTPS everywhere

SSL is not about encryption – Troy Hunt

It’s about assurance. It’s about establishing a degree of trust in a site’s legitimacy that’s sufficient for you to confidently transmit and receive data with the knowledge that it’s reaching its intended destination without being intercepted or manipulated in the process.

Cheat Sheets – Scott Helme

• CSP Cheat Sheet
• HSTS Cheat Sheet
• HPKP Cheat Sheet
• HTTPS Cheat Sheet
• Performance Cheat Sheet

Here is why your static website needs HTTPS – Troy Hunt

So that’s precisely what I’ve done – intercepted my own traffic passed over an insecure connection and put together a string of demos in a 24-minute video explaining why HTTPS is necessary on a static website. Here’s the video and there’s references and code samples for all the demos used immediately after that:

Some other useful resources

Does My Site Need HTTPS

Is TLS Fast Yet

HTTP vs HTTPS Test

Have you been pwned – Troy Hunt

Report Uri – Scott Helme

Security Headers – Scott Helme – check your headers for things like HSTS and HPKP

The infamous SSL Labs – to check your config

Here is how you can do it.

1. Go to this Lightbox site and click Download button to download the script package.

2. Extract the package and save both css and js folder into your website. For example, I created a separate folder called source and saved both folders in it.

3. Add the following three lines at the top of the page in <head> tag.

    <script src="https://code.jquery.com/jquery-3.2.1.min.js" integrity="sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4=" crossorigin="anonymous"></script>
    <script src="/source/js/lightbox.js"></script>
    <link href="/source/css/lightbox.css" rel="stylesheet" />

4. Update the link by adding rel="lightbox" and title for image caption. For example,

<a href="images/image-1.jpg" rel="lightbox" title="my caption"><img src='images/image-1.jpg'/></a>

That’s about it, as simple as like that.

After the long period of wait with 4 releases of Platform Preview in between, Microsoft finally decided to open the door and unlock the beauty of the web by its first beta of IE 9. Unlike the last 2 releases on 7 and 8, this time, it looks promising. Even after 10 minutes of use, I am already impressed, in many aspects. It feels like Microsoft finally has caught up and back in the browser game.

The look

It’s streamlined, simplified in a way that users can truly enjoy the web surfing experience with more vertical space reserved. Comparing to the previous versions, it’s got address bar and tabs unified, even the search is integrated within the address bar together. It’s also got toolbars stripped down, with favorites bar and status bar not enabled by default. So users have the maximized space for web surf. It seems that IE 9 offers the most web surfing real estate among all the browsers.

However, the unified tab and address bar doesn’t help too much for those who often open many tabs at the same time. For those folks, me included, a separated tab and address bar might be more useful.

The speed

One of the most significant improvement in IE 9 is the performance. For all the benchmark comparison you can find on the internet, IE 9 is placed pretty much all at the top, or near to the top. The only area that IE 9 is slower than the latest Chrome and Opera is the JavaScript engine, which is still a few millisecond behind. But still, IE 9 beats both browsers in overall performance because of its very first and own full hardware acceleration.

Even on my 3-year-old laptop, the 50 fishes are still able to swimming in the ocean in 46 FPS speed, which is very smooth. You can test more things out over at IE9 Test Drive.

The tabs

Finally, you can tear off the tabs in this version of IE, which makes viewing two tabbed web pages side-by-side nicely by simply just snapping them to both sides of your screen. The New Tab Page is also redesigned and displays the sites you visit most often with color codes.

However, there is still one thing that is missing in tab. I still can’t close the tabs that are not active because there is no cross mark attached on the tabs that I can easily click. I’d like to see it’s available when the final version releases.

Also, the tab dragging isn’t as smooth as it does in Chrome or Firefox. Dragging a whole size of page surely is more difficult than dragging just a preview of the page.

The standard compliance

It’s the most stand compliance browser in IE history. Not only does it support industry web standards, but it also supports the new standard of CSS3 and HTML5. Even though it doesn’t render my site properly, I believe the effort that goes to make the browser more standard friendly is very noticeable.

The new features

There are many new features introduced in IE 9. And among these new nice features, the most interesting, maybe useful one is the pin-2-taskbar. Yes, with IE 9 in Windows 7, you can pin a webpage to the taskbar, simply by dragging the website icon in the address bar into the taskbar. And you can utilize the Jump list to quick access some of the features embedded in the pinned web page.

Lately, I found myself spending much more time on Chrome than IE and Firefox but now I will be switching my focus over to IE 9 a lot more. I will be exploring more features and will be covering them a lot in Windows7hacker in the past a couple of weeks.

Overall

I believe IE 9 will be the most significant upgrade since IE 6. While it still dominates in the corporate environment, the new release will be winning back a lot of consumers who have gone part ways with either Firefox or Chrome as well. It’s still in the early stage of beta testing so will have no doubts that the final release will be much better.