business A Pirate's take on Command vs. Leadership Tired of being told that you should be a leader? Do not worry. Pirate captains had great leadership skills, and they were still beaten to oblivion by Navy Captains who exercised pure command on their ships.
business A Pirate's take on Strategy vs. Tactics Strategy vs. Tactics is one of the most written-about topics in business, but most business books seem to explain it in ways that hinder both the clarity of thought and the establishment of good conceptual frameworks.
crypto-anchors Crypto Anchors: Exfiltration Resistant Infrastructure I've been thinking about a concept that Nathan McCauley and I came up with a few years ago: crypto-anchoring—and how much impact this kind of architectural decision could have in the breaches
bitcoin Bitcoin hard-forks and replay attacks Dealing with blockchain hard-forks seems to have become an unfortunate and time-consuming reality of working in the cryptocurrency space these days: all the cool kids seem to be doing it. With the looming
The two metrics that matter for host security As companies move their infrastructures towards ephemeral microservices, there is an opportunity to rethink some of the security metrics typically used to track infrastructure risk, such as the number of currently unpatched vulnerabilities
docker Why you shouldn't use ENV variables for secret data The twelve-factor app manifesto recommends that you pass application configs as ENV variables. However, if your application requires a password, SSH private key, TLS Certificate, or any other kind of sensitive data, you
hash Why should *hard* be secure enough? Information and non-invertibility The guarantees provided by hashes are of critical importance for security. One of the major points of hashes is, of course, their non-invertibility. However, even though I know how to do the necessary
docker Hitless TLS Certificate Rotation in Go One of the core security goals of Docker's Swarm mode is to be secure by default. To achieve that, when a new Swarm gets created it generates a self-signed Certificate Authority (CA) and
docker Build once run where? Migrating my blog to hyper.sh A few months ago, I ran into a cool new product called hyper.sh, a Docker container hosting platform. The goal of hyper.sh is to make it easier to deploy your containerized
docker Increasing Attacker Cost Using Immutable Infrastructure One neat thing about Docker containers is the fact that they are immutable. Docker ships with a copy-on-write filesystem, meaning that the base image cannot be modified, unless you explicitly issue a commit.
csp Creating a CSP Policy from Scratch When I added the Content-Security-Policy (CSP) security header to my website, I was more concerned about getting a good rating on securityheaders.io, than actually creating a good policy. In this post I'll
csp From F to A+: Getting Good Grades on Website Security Evaluations Even though diogomonica.com is a statically generated blog, created using Jekyll, it's always fun to run it through security evaluation websites such as SSL Labs and Security Headers. Unfortunately, last week, when
passwords Password Security: Why the horse battery staple is not correct I’ve intentionally kept myself from commenting on Password Security in the wake of the last month’s mass iCloud account compromise. My feeling was that this topic had already been discussed to
mptcp MPTCP: The path to multipath I first heard about MultiPath TCP (MPTCP) in 2007 when I met Olivier Bonaventure in Louvain-la-Neuve, Belgium. In the meantime MPTCP has been gaining a ton of traction, from having Apple using it
beam Skynet (beta): The rise of the Beam robot At work we bought a few telepresence robots from SuitableTech called Beam. The Beam robots allow anyone from a remote location to have face-to-face interaction with the people at our HQ. Each Beam
bot Bot wars - The arms race of restaurant reservations in SF I love food. This means that I'm bound to compete for reservations at good restaurants with the hipsters that are native to San Francisco. This is a peek into the arms race going
Weird packet of the day Once in a while I open wireshark and just look at my baseline traffic. It's useful for when I actually want to find something weird to quickly distinguish between what's normal and what
Raising the dead - Undeleting files in ext4 Chances are that you have, at least once in your life, deleted files that you had no backups of. This is how I partially recovered some of my files after deleting them on
terminal Hush OS X Terminal, hush I've been noticing for a while a huge delay when opening new tabs and windows on iTerm (or terminal.app). This would range from 3 to 7 seconds when opening a new tab.
crypto It's not just the salt, stupid There have been hundreds of articles about the recent password hash leaks from Linked-in and eHarmony. One particular detail that most of these articles seem to have in common is the fact that
Exploit-suggester This tool essentially outputs a list of exploits that you might want to try out after you gain local access to a host. Nothing you cannot do manually, and not the most brilliant
The dangers of pastebin-like websites Services like pastebin.com are useful for sharing and discussing code. However, people trust the generated URLs to be unknown to anyone else, other than the people we want to share them with.
python Dead Simple HTTPd in Python Sometimes, this is all you need: glow:~ dmonica$ python -m SimpleHTTPServer 8000 Serving HTTP on 0.0.0.0 port 8000 ... This simple command has saved me hours of precious time. I've even
wifi Sniffing in Monitor Mode with Airport Sniffing in OS X has been a reality for quite some time, thanks to the effort of people like the guys from Kismet (https://www.kismetwireless.net/) and KisMAC (http://trac.kismac-ng.org/
python Facebook Sidejacking I've just released a tool called py-cookieJsInjection on github (see Part II of this post here). py-cookieJsInjection is a python script that sniffs cookies from the network, and outputs Javascript code that can