9x0rg ~ a work in progress

Loose collection of posts by a random dude, mostly about infosec, mountain biking, all things Asian & data privacy. Oh, and beer of course. Still a work-in-progress; hundreds of posts need to be migrated from the old platform.

R.I.P. Fakawi Chief

A True Friend Is Gone. Nick Ong, aka Fakawi Chief as he was called among the South-East Asian mountain biking community, has passed today in Kuala Lumpur, Malaysia. Nick Ong was a man of many talents: creator of the Fakawi Tribe, captain of the Malaysian Fakawi Banshee Downhill Team, Malaysian importer of Banshee Bikes, jungle explorer on weekends, unwavering supporter of traks.org, the advocacy group for Bukit Kiara, Kuala Lumpur’s mountain biking gem, outdoor and MTB film maker, oh, and also a medical doctor, all served by a sharp mind with an unparalleled sense of humour....

April 13, 2023 · 1 min · 9x0rg

Threema: analysis of a secure messenger

[EDIT: 09.01.2023]: Threema has reacted to the publication in bold terms: "The [research] paper is based on an old protocol that is no longer in use. The presented findings do not apply to Threema’s current communication protocol “Ibex” or have already been addressed. None of them ever had any considerable real-world impact." See how the story develops.

Threema is a Swiss encrypted messaging application which has been widely advertised as a secure alternative to Signal, WhatsApp or Wire....

January 9, 2023 · 3 min · 9x0rg

Protect a parked domain without email

DNS entries for a parked domain that does not send emails but has a website

| Hostname | Type | TTL | Data |
|---|---|---|---|
| @ | MX | 1800 | 0 . |
| @ | TXT | 1800 | "v=spf1 -all" |
| *._domainkey | TXT | 1800 | "v=DKIM1; p=" |
| _dmarc | TXT | 1800 | "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1;" |

DNS entries explained

Null MX: Explicitly configure an ’empty’ MX record according to RFC7505.
@ 1800 IN MX 0 .

SPF: Set an empty policy and a hard fail.
@ 1800 IN TXT "v=spf1 -all"

DKIM *....

January 5, 2023 · 1 min · 9x0rg

Telling users to ‘avoid clicking bad links’ isn’t working

Abstract: Telling users to ‘avoid clicking bad links’ still isn’t working, by David C. - Technical Director for Platforms Research and Principal Architect - NCSC (UK)

Why organisations should avoid ‘blame and fear’, and instead use technical measures to manage the threat from phishing.

Infosec tenets simply don’t work

Advising users not to click on bad links: users frequently need to click on links from unfamiliar domains to do their job, and being able to spot a phish is not their job...

December 28, 2022 · 2 min · 9x0rg

Sign the web0 manifesto

web0 is the decentralised web

web3 = **decentralization** + blockchain + NFTs + metaverse
web0 = **decentralization** - blockchain - NFTs - metaverse
web0 = **decentralization**

"In other words, web0 is web3 without all the corporate right-libertarian Silicon Valley bullshit" – Aral Balkan

Head over here and sign the web0 Manifesto. This will probably not change the world overnight but let these different voices be heard. Thank you....

December 28, 2022 · 1 min · 9x0rg

Ditching WhatsApp [updated]

[First published on September 05, 2016] I am ditching WhatsApp, following Facebook’s decision to begin harvesting data from its messaging service. Even though Motherboard claims “it may be possible to prevent WhatsApp to give your phone number to Facebook” (LOL) WhatsApp will still harvest your metadata. “Sharing metadata with Facebook still exposes users to significant risks,” says Claire Gartland, consumer protection counsel for the Electronic Privacy Information Center. “Facebook will have data indicating who WhatsApp users communicate with and how frequently, and connecting WhatsApp users with their social media accounts and broader online activity, associations, political affiliations, and more....

June 14, 2018 · 2 min · 9x0rg

Instant messaging encryption: which protocol to trust?

Seen on the ANSSI website: Accompanying the widespread realisation of the need to secure one’s electronic communications, numerous (near-)instant messaging applications have appeared on smartphones. All of them claim a high level of security, leaving users in doubt as to the actual level of security to expect. So, which to favour among Signal, Telegram or XMPP? I am deliberately not mentioning WhatsApp/Facecrook, mind you....

November 15, 2017 · 1 min · 9x0rg

Malaysia telco databreach - check yourself

Lowyat reported on Oct. 30, 2017 that a total of 46.2 Million Malaysian phone numbers were exposed, and the dataset included IC numbers, addresses, IMSI, IMEI and SIM numbers as well.

Check yourself out: head over to SayaKenaHack.com, the dedicated website created by Keith Rozario, and check if your details are part of the breach.

November 14, 2017 · 1 min · 9x0rg

A HTTP 404 by Peugeot

Nice pun, Mailfence: the Peugeot 404, the first car I remember as a child. With red leather seats. What a beauty.

November 9, 2017 · 1 min · 9x0rg

The good Jihadi

In North Sumatra, a former Indonesian radical has opened a boarding school for the children of terrorists to prevent their futures from looking like his own past.

Words by: Gabrielle Lipton. Photography by: Albert Ivan Damanik.

What happens when children begin to realise that their parents are following a different path? What happens when that path ends behind bars? Or on the receiving end of a bullet? What happens in the minds of children whose parents are terrorists?...

November 9, 2017 · 3 min · 9x0rg