Blog
Tech blog on web, security & embedded
security
Select allIoTadvanced-UIsalgorithmsautomotivecc++data-compressiondata-engineeringdevelopmentdevopseducationembeddedgointeropirmajavascriptluameet-the-teammeetupmemory-safetymicroservicesntpd-rsopen-dataopen-sourcependulumprivacypythonreactresearchrustsecuritystatimestm32technologytimingtoolstypescriptweb-developmentwhy-rust
November 25, 2024
Manipulating time through (S)NTP
The NTP protocol is used by many devices to synchronize their system clocks. However, many devices use SNTP clients (Simple NTP) which are even more vulnerable to interference. As most (S)NTP packets are unauthenticated, they are vulnerable to spoofing, making it possible to change a device's time by manipulating (S)NTP packets.
In this blog, we discuss how (S)NTP packets can be forged to manipulate a device's system clock. Especially on the default SNTP client for many Linux systems, this turned out to be very easy. We will also dicuss the consequences of such attacks, as well as how these attacks can be prevented.
June 7, 2024
Authentication for PTP
PTP was originally designed for networks in which all devices were ultimately trusted. In version 1, no security mechanism was present, and version 2 only provided an experimental mechanism. However, with version 2.1 of the PTP standard (IEEE 1588-2019) there is now a normative security mechanism in section 16.14.
May 24, 2024
A safe Internet requires secure time
The internet has a hole at the bottom of its trust stack, and we need to do something about it. In particular, the internet needs secure time synchronization to fortify the security of our digital world. In this article, we present a path towards the adoption of securely synchronized time.
May 14, 2024
Hacking time: how you can control anyone's clock
Messing around with people's clocks can be a great source of practical jokes. Even nowadays, with many people getting their time digitally, this is not as impossible as you might think. (And the month of April, with the switch to summer time and April Fool's Day, provided the perfect timing for this experiment, of course...)
March 7, 2024
Sudo-rs dependencies: when less is better
When sudo-rs development started, we added several dependencies using Rust’s crates ecosystem to quickly ramp up development. During development we accrued approximately 135 transitive (direct and indirect) dependencies. Once this was identified, we managed to reduce our total dependencies down to three. In this blog, we explain why and how we did this.
March 1, 2024
“Software must become safer”, but how?
Our tagline reads “Software must become safer”, and for good reason; We feel very strongly about this. But it does lead to the obvious and fair question: “What exactly do you do to ensure that the software your teams produce is safe and secure?”
November 6, 2023
sudo-rs' first security audit
Thanks to funding from NLNet and ISRG, the sudo-rs team was able to request an audit from Radically Open Security (ROS). In this post, we'll share the findings of the audit and our response to those findings.
November 1, 2023
Why we sponsor memory safety event Tectonics
One of the hot topics in software security is memory safety. This article covers two questions: What is it? And why do we think it is worth investing in?
October 30, 2023
Dealing with Dependencies in Rust
At Tweede golf we are convinced that if software is written in Rust, it will be more robust (compared to legacy languages such as C, C++ or Java), and more efficient (compared to code written in PHP or Python and again, Java).
In order to get more robust software out there, we have to get Rust code running on computers of people who are not themselves Rust developers.
June 30, 2023
Our talk at CYSAT 2023
In April 2023 Wouter (left in picture) and I and went to Paris to attend CYSAT, a conference about cyber security for the space industry. We met up with our client GAMA's Chris de Claverie (right in picture). Wouter and Chris (and also Dion) had been working together for months and teamed up to explain to the audience how and why they were putting Rust in space.
June 21, 2023
Report: NTP security audit
In March/April 2023 ntpd-rs underwent a security audit. The audit was executed by Radically Open Security and funded by NLnet Foundation. The audit did not uncover any major issues, but did help us make ntpd-rs more robust. It has been extremely valuable to have someone from outside of the development team look at the code in detail.
May 31, 2023
Threat Modelling
Since I joined Tweede golf as the security lead, I’ve had the chance to work on improvements regarding security and privacy for all projects, as well as for the organisation in general.
September 14, 2022
Using C libraries in your Rust project
Recently, we gave a workshop for the folks at iHub about using Rust, specifically looking at integrating Rust with cryptography libraries written in C.
June 1, 2022
Security headers: How to go from F to A+
When conducting a penetration test (also known as a hack test) on a website, one of the first things that will catch my eye is the configured (or better, not-configured) security headers on the targeted website. Security headers are a defense-in-depth measure, in the form of response headers, that let the browser know what is allowed and what is not. Browsers will respect the rules defined by these headers and thereby protect visitors from client-side attacks and potentially leaking sensitive information.
April 29, 2022
Introducing Rust in security research
When iHub's Bernard van Gastel asked us to help them start with Rust, we were somewhat surprised by their bold step but absolutely happy to assist. In this article we'll describe how we went about designing a workshop for the iHub team.
September 3, 2021
Cryptify: your identity ís the key
Sending documents over the internet can be a pain. Email providers generally support attachments with a maximum size between 10 and 50 MB, for larger files one would need to find another way. Most people would probably use one of the many public cloud or file sender solutions. But what if the files to be sent contain personal information, medical information or are private family photos? And how do you know that only the recipient can access and download these files?
It is common wisdom that one should avoid implementing their own cryptography if at all possible. This is generally good wisdom as writing correct cryptography code can be very tricky and takes quite a bit of time to get done right.
March 26, 2021
The future of the BSN and Dutch identification
You might have seen the logo above on your identity card or passport. If you have it on there, then your card contains a NFC chip that allows it to be read by a computer. This way airport customs is supposed to more securely determine if your passport is really yours. But of course we could also try to read it ourselves with our own NFC reader.
March 15, 2021
David's first weeks at Tweede golf
David is Tweede golf's newest addition, and not just any addition, he combines his work as a software engineer with a PhD in theoretical high energy physics. Specialized in the field of privacy and security, David brings a lot of knowledge to the team. For 2021 we were on the look-out to strengthen our expertise in this domain. David joining the team is just that!
March 15, 2021
Kubernetes access with your yubikey
KubiKey as a project started out with one main goal: streamline and make more secure the process of accessing the kubernetes cluster used by Tweede golf.
September 11, 2020
Safe video conferencing with Jitsi and IRMA
With the current pandemic situation, it is hard to hold meetings at an appropriate and safe distance. Looking for secure alternatives, our local city government approached Tweede golf with developing a novel authenticated variant of videoconferencing, with the intention of holding city council meetings using this solution.
February 20, 2019
Our first Rust crate: decrypting ansible vaults
At Tweede golf I've been working with Rust a lot lately. My interest in Rust has been there for years, so I was very happy to start applying it in my working life, about a year ago. Since then I have worked with Rust both for our clients as well as employing it for our operations setup. I have also experimented with Rust for web [1]. Until now however we did not contribute to the Rust ecosystem. About time that we get our feet wet and publish our first crate!