Blog

Tech blog on web, security & embedded
PTP was originally designed for networks in which all devices were ultimately trusted. In version 1, no security mechanism was present, and version 2 only provided an experimental mechanism. However, with version 2.1 of the PTP standard (IEEE 1588-2019) there is now a normative security mechanism in section 16.14.
The internet has a hole at the bottom of its trust stack, and we need to do something about it. In particular, the internet needs secure time synchronization to fortify the security of our digital world. In this article, we present a path towards the adoption of securely synchronized time.
Messing around with people's clocks can be a great source of practical jokes. Even nowadays, with many people getting their time digitally, this is not as impossible as you might think. (And the month of April, with the switch to summer time and April Fool's Day, provided the perfect timing for this experiment, of course...)
When sudo-rs development started, we added several dependencies using Rust’s crates ecosystem to quickly ramp up development. During development we accrued approximately 135 transitive (direct and indirect) dependencies. Once this was identified, we managed to reduce our total dependencies down to three. In this blog, we explain why and how we did this.
Our tagline reads “Software must become safer”, and for good reason; We feel very strongly about this. But it does lead to the obvious and fair question: “What exactly do you do to ensure that the software your teams produce is safe and secure?”
Thanks to funding from NLNet and ISRG, the sudo-rs team was able to request an audit from Radically Open Security (ROS). In this post, we'll share the findings of the audit and our response to those findings.
One of the hot topics in software security is memory safety. This article covers two questions: What is it? And why do we think it is worth investing in?

At Tweede golf we are convinced that if software is written in Rust, it will be more robust (compared to legacy languages such as C, C++ or Java), and more efficient (compared to code written in PHP or Python and again, Java).

In order to get more robust software out there, we have to get Rust code running on computers of people who are not themselves Rust developers.

In April 2023 Wouter (left in picture) and I and went to Paris to attend CYSAT, a conference about cyber security for the space industry. We met up with our client GAMA's Chris de Claverie (right in picture). Wouter and Chris (and also Dion) had been working together for months and teamed up to explain to the audience how and why they were putting Rust in space.
In March/April 2023 ntpd-rs underwent a security audit. The audit was executed by Radically Open Security and funded by NLnet Foundation. The audit did not uncover any major issues, but did help us make ntpd-rs more robust. It has been extremely valuable to have someone from outside of the development team look at the code in detail.
May 31, 2023

Threat Modelling

Since I joined Tweede golf as the security lead, I’ve had the chance to work on improvements regarding security and privacy for all projects, as well as for the organisation in general.
Recently, we gave a workshop for the folks at iHub about using Rust, specifically looking at integrating Rust with cryptography libraries written in C.
When conducting a penetration test (also known as a hack test) on a website, one of the first things that will catch my eye is the configured (or better, not-configured) security headers on the targeted website. Security headers are a defense-in-depth measure, in the form of response headers, that let the browser know what is allowed and what is not. Browsers will respect the rules defined by these headers and thereby protect visitors from client-side attacks and potentially leaking sensitive information.
When iHub's Bernard van Gastel asked us to help them start with Rust, we were somewhat surprised by their bold step but absolutely happy to assist. In this article we'll describe how we went about designing a workshop for the iHub team.
Sending documents over the internet can be a pain. Email providers generally support attachments with a maximum size between 10 and 50 MB, for larger files one would need to find another way. Most people would probably use one of the many public cloud or file sender solutions. But what if the files to be sent contain personal information, medical information or are private family photos? And how do you know that only the recipient can access and download these files?
It is common wisdom that one should avoid implementing their own cryptography if at all possible. This is generally good wisdom as writing correct cryptography code can be very tricky and takes quite a bit of time to get done right.
You might have seen the logo above on your identity card or passport. If you have it on there, then your card contains a NFC chip that allows it to be read by a computer. This way airport customs is supposed to more securely determine if your passport is really yours. But of course we could also try to read it ourselves with our own NFC reader.
David is Tweede golf's newest addition, and not just any addition, he combines his work as a software engineer with a PhD in theoretical high energy physics. Specialized in the field of privacy and security, David brings a lot of knowledge to the team. For 2021 we were on the look-out to strengthen our expertise in this domain. David joining the team is just that!
KubiKey as a project started out with one main goal: streamline and make more secure the process of accessing the kubernetes cluster used by Tweede golf.
With the current pandemic situation, it is hard to hold meetings at an appropriate and safe distance. Looking for secure alternatives, our local city government approached Tweede golf with developing a novel authenticated variant of videoconferencing, with the intention of holding city council meetings using this solution.
At Tweede golf I've been working with Rust a lot lately. My interest in Rust has been there for years, so I was very happy to start applying it in my working life, about a year ago. Since then I have worked with Rust both for our clients as well as employing it for our operations setup. I have also experimented with Rust for web [1]. Until now however we did not contribute to the Rust ecosystem. About time that we get our feet wet and publish our first crate!