<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Security &amp; Privacy on vo.rs</title><link>https://vo.rs/categories/security--privacy/</link><description>Recent content in Security &amp; Privacy on vo.rs</description><generator>Hugo</generator><language>en</language><copyright>This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.</copyright><lastBuildDate>Mon, 29 Jun 2026 10:00:00 +0000</lastBuildDate><atom:link href="https://vo.rs/categories/security--privacy/index.xml" rel="self" type="application/rss+xml"/><item><title>Reading the Tea Leaves: Hunting Intruders with journalctl and lnav</title><link>https://vo.rs/story/reading-the-tea-leaves-intruder-hunting-with-journalctl-and-lnav/</link><pubDate>Tue, 02 Jun 2026 10:00:00 +0000</pubDate><guid>https://vo.rs/story/reading-the-tea-leaves-intruder-hunting-with-journalctl-and-lnav/</guid><description>&lt;p&gt;When you suspect something is wrong with a server — a sluggish response, an odd process, a vague unease — the temptation is to start poking at running state. But the running state is the present, and an intruder&amp;rsquo;s interesting work is usually in the past. The record of that past is sitting right there in your logs, already written, already timestamped. Logs are your first and cheapest forensic tool, and two utilities turn them from an overwhelming wall of text into a readable story: &lt;code&gt;journalctl&lt;/code&gt; and &lt;code&gt;lnav&lt;/code&gt;.&lt;/p&gt;</description></item><item><title>Locking Out the Bots: Fail2ban and CrowdSec on a Modern Linux Server</title><link>https://vo.rs/story/locking-out-the-bots-fail2ban-and-crowdsec/</link><pubDate>Sat, 02 May 2026 10:00:00 +0000</pubDate><guid>https://vo.rs/story/locking-out-the-bots-fail2ban-and-crowdsec/</guid><description>&lt;p&gt;Stand up a fresh server, give it a public IP address, and within minutes complete strangers will start trying to log in. I&amp;rsquo;ve watched it happen on a stopwatch: a brand-new box, SSH open on port 22, and the first automated login attempt landed before I&amp;rsquo;d finished configuring it. They are not people. They are tireless scripts sweeping the entire internet, guessing usernames and passwords, probing for known vulnerabilities, and hammering login forms in the hope that one attempt in a million lands. Your authentication logs fill with failed attempts from places you have never been and will never go.&lt;/p&gt;</description></item><item><title>Your Photos, Your Server: Escaping Google with Self-Hosted Immich</title><link>https://vo.rs/story/your-photos-your-server-self-hosting-immich/</link><pubDate>Sat, 25 Apr 2026 08:30:00 +0000</pubDate><guid>https://vo.rs/story/your-photos-your-server-self-hosting-immich/</guid><description>&lt;p&gt;Your phone has quietly become the family archivist. Every birthday, holiday, and blurry photograph of a meal you wanted to remember is funnelled, by default, into a cloud service owned by a company whose business is understanding you. Google Photos is genuinely excellent software, but the price of that convenience is handing over an intimate, decades-long record of where you have been, who you know, and what your life looks like. There is now a credible way to keep all of that magic while moving the storage onto a server you control. It is called Immich, and this guide walks through standing it up on a Linux box and pointing your phone at it instead of the cloud.&lt;/p&gt;</description></item><item><title>Passkeys Explained: Killing the Password for Good</title><link>https://vo.rs/story/passkeys-explained-killing-the-password-for-good/</link><pubDate>Fri, 27 Feb 2026 08:30:00 +0000</pubDate><guid>https://vo.rs/story/passkeys-explained-killing-the-password-for-good/</guid><description>&lt;p&gt;The password has had a remarkable run for something nobody likes. It is the default way we prove who we are online, and it is also the single most reliable way attackers break in. The numbers are grim in a boringly consistent way: year after year, stolen or reused credentials sit at the top of the breach-cause charts, and &amp;ldquo;the user was phished&amp;rdquo; remains the entry point behind a huge share of successful account takeovers. Passkeys are the industry&amp;rsquo;s serious attempt to retire the password, and unlike most &amp;ldquo;the password is dead&amp;rdquo; headlines of the past decade, this one is actually shipping — Apple, Google and Microsoft all support it, and thousands of sites now offer it. Here is what a passkey is, why it is so much harder to steal than a password, and, honestly, where it still falls short.&lt;/p&gt;</description></item><item><title>SBOM: Software Bill of Materials and Why You Should Care About Your Dependencies</title><link>https://vo.rs/story/sbom-software-bill-of-materials-and-why-you-should-care-about-your-dependencies/</link><pubDate>Fri, 21 Nov 2025 07:00:00 +0000</pubDate><guid>https://vo.rs/story/sbom-software-bill-of-materials-and-why-you-should-care-about-your-dependencies/</guid><description>&lt;p&gt;Every time a serious supply-chain vulnerability lands, the same scramble begins. Someone in a chat channel asks &amp;ldquo;are we affected?&amp;rdquo; and the honest answer, for most teams, is &amp;ldquo;give us a few days and we&amp;rsquo;ll tell you.&amp;rdquo; When Log4Shell (CVE-2021-44228) broke in December 2021, that scramble ran for weeks across the entire industry, because a logging library buried five levels deep in build trees turned out to be everywhere and nobody had a map. That few days — or few weeks — is the gap an SBOM is meant to close. A Software Bill of Materials is just an inventory — a machine-readable list of every component that went into a build — but having one ready before the panic is the difference between an afternoon and a fortnight.&lt;/p&gt;</description></item><item><title>Linux Audit Framework: Tracking Who Did What on Your Servers</title><link>https://vo.rs/story/linux-audit-framework-tracking-who-did-what-on-your-servers/</link><pubDate>Fri, 03 Oct 2025 11:00:00 +0000</pubDate><guid>https://vo.rs/story/linux-audit-framework-tracking-who-did-what-on-your-servers/</guid><description>&lt;p&gt;The moment a server does something you didn&amp;rsquo;t expect — a file changes, a binary
appears, a user gains a privilege they shouldn&amp;rsquo;t have — the first question is
always the same: &lt;em&gt;who did this, and when?&lt;/em&gt; Ordinary logs rarely answer it. They
tell you a service restarted, not that someone read &lt;code&gt;/etc/shadow&lt;/code&gt; at 02:14. For
the real answer you need the Linux Audit Framework, the kernel-level recorder
that has been sitting on your box this whole time, almost certainly underused.&lt;/p&gt;</description></item><item><title>YubiKey for Everything: SSH, GPG, FIDO2, and the Paperweight Drawer</title><link>https://vo.rs/story/yubikey-for-everything-ssh-gpg-fido2-and-the-paperweight-drawer/</link><pubDate>Mon, 22 Sep 2025 16:00:00 +0000</pubDate><guid>https://vo.rs/story/yubikey-for-everything-ssh-gpg-fido2-and-the-paperweight-drawer/</guid><description>&lt;p&gt;I own four YubiKeys. Two are in active use; two live in what I&amp;rsquo;ve come to call
the paperweight drawer, retired because I changed my mind about how to use them.
That drawer is the honest part of this post. Hardware security keys are
genuinely excellent, but the path to using them well is littered with dead ends,
and the marketing won&amp;rsquo;t tell you which features are worth the bother. Here&amp;rsquo;s
what actually earns its keep on a self-hoster&amp;rsquo;s keychain.&lt;/p&gt;</description></item><item><title>Dirty Pipe, Copy Fail, Dirty Frag: What Linux Kernel Exploits Keep Teaching Us</title><link>https://vo.rs/story/dirty-pipe-copy-fail-dirty-frag-what-linux-kernel-exploits-keep-teaching-us/</link><pubDate>Tue, 13 May 2025 09:00:00 +0000</pubDate><guid>https://vo.rs/story/dirty-pipe-copy-fail-dirty-frag-what-linux-kernel-exploits-keep-teaching-us/</guid><description>&lt;p&gt;Every year or two, a Linux kernel privilege-escalation bug gets a catchy name, a logo, and a flurry of breathless coverage. Dirty COW. Dirty Pipe. DirtyCred. The branding is silly, but the pattern underneath is deadly serious and worth studying — not so you can write exploits, but so you understand &lt;em&gt;why your boxes keep being vulnerable to the same shape of bug&lt;/em&gt;, and what actually reduces the blast radius.&lt;/p&gt;</description></item><item><title>Cybersecurity by Design: Embedding Zero-Trust into Your Product Roadmap</title><link>https://vo.rs/story/cybersecurity-by-design-embedding-zero-trust-into-your-product-roadmap/</link><pubDate>Mon, 07 Apr 2025 08:30:00 +0000</pubDate><guid>https://vo.rs/story/cybersecurity-by-design-embedding-zero-trust-into-your-product-roadmap/</guid><description>&lt;p&gt;The most expensive security review I ever sat through happened the week before launch. A pen-tester found that any authenticated user could read any other user&amp;rsquo;s records by changing one integer in a URL — the classic IDOR — and the fix touched forty endpoints because authorisation had been assumed, never checked. We shipped two weeks late and bolted on a permission layer that should have been a load-bearing wall from day one. That is the lesson behind &amp;ldquo;zero-trust by design&amp;rdquo;: the cheap moment to decide that nothing is trusted by default is &lt;em&gt;before&lt;/em&gt; you&amp;rsquo;ve written the code that trusts everything.&lt;/p&gt;</description></item><item><title>Quantum-Safe Cryptography Explained: Future-Proofing Your Organisation's Data</title><link>https://vo.rs/story/quantum-safe-cryptography-explained-future-proofing-your-organizations-data/</link><pubDate>Thu, 27 Mar 2025 16:00:00 +0000</pubDate><guid>https://vo.rs/story/quantum-safe-cryptography-explained-future-proofing-your-organizations-data/</guid><description>&lt;p&gt;There is no quantum computer today that can break the encryption protecting your bank details, your VPN, or the TLS session you are almost certainly reading this over. That is the comforting half of the story. The uncomfortable half is that it does not matter. An adversary who cannot decrypt your traffic today can simply record it — quietly siphon the ciphertext into cold storage — and wait for the machine that can. This is called &amp;ldquo;harvest now, decrypt later&amp;rdquo;, and it turns a problem that feels a decade away into a problem you have already got, right now, for any data whose confidentiality has to outlive that decade.&lt;/p&gt;</description></item><item><title>From Zero to SSH Hero: Securely Hardening a Linux Server in 2025</title><link>https://vo.rs/story/from-zero-to-ssh-hero-securely-hardening-a-linux-server-in-2025/</link><pubDate>Mon, 03 Mar 2025 10:00:00 +0000</pubDate><guid>https://vo.rs/story/from-zero-to-ssh-hero-securely-hardening-a-linux-server-in-2025/</guid><description>&lt;p&gt;The first time I stood up a public-facing VPS and left &lt;code&gt;auth.log&lt;/code&gt; open in a terminal, the entries started scrolling within four minutes. Not within a day, not within an hour — within four minutes. A fresh box with a public IP gets found that fast, and the moment it is found, a queue of automated bots begins guessing &lt;code&gt;root&lt;/code&gt;/&lt;code&gt;123456&lt;/code&gt;, &lt;code&gt;admin&lt;/code&gt;/&lt;code&gt;admin&lt;/code&gt;, &lt;code&gt;ubuntu&lt;/code&gt;/&lt;code&gt;password&lt;/code&gt; against port 22, around the clock, forever. None of those attempts is sophisticated. They do not need to be. They are betting that out of the thousands of servers they hit, a handful will have left a weak password on. Your job is to make absolutely sure yours is not one of them, and the good news is that the controls that achieve this take about ten minutes and have not fundamentally changed in years.&lt;/p&gt;</description></item><item><title>TikTok and the Dance of Privacy: A Closer Look at the App's Hidden Dangers and Geopolitical Implications</title><link>https://vo.rs/story/tiktok-and-the-dance-of-privacy-a-closer-look-at-the-apps-hidden-dangers-and-geopolitical-implications/</link><pubDate>Wed, 01 Mar 2023 19:50:41 +0000</pubDate><guid>https://vo.rs/story/tiktok-and-the-dance-of-privacy-a-closer-look-at-the-apps-hidden-dangers-and-geopolitical-implications/</guid><description>&lt;p&gt;In September 2021, TikTok crossed one billion monthly active users, a milestone Facebook took roughly eight years to reach and TikTok managed in about four. By 2023 that figure had climbed past 1.5 billion. No app in history had captured the attention of the young so completely, and none had done so while owned by a company headquartered in Beijing. That single fact—that the most addictive product in the Western attention economy answers, ultimately, to a firm subject to Chinese law—turned a dancing app into a matter of national security, congressional hearings and, eventually, threatened bans.&lt;/p&gt;</description></item><item><title>Cookies on the internet, the good, bad and ugly.</title><link>https://vo.rs/story/cookies-on-the-internet/</link><pubDate>Mon, 01 Aug 2022 15:21:24 +0000</pubDate><guid>https://vo.rs/story/cookies-on-the-internet/</guid><description>&lt;p&gt;In 2020 Google announced it would phase out third-party cookies in Chrome within two years. It&amp;rsquo;s 2026, third-party cookies are still on by default, and in 2024 Google quietly abandoned the plan entirely — then in April 2025 confirmed it wouldn&amp;rsquo;t even show users a choice prompt. That single broken promise tells you almost everything about how cookies actually work on the internet: the technology is trivial, the incentives are not, and the gap between &amp;ldquo;we&amp;rsquo;ll fix the privacy problem&amp;rdquo; and &amp;ldquo;we run an advertising business&amp;rdquo; is where the whole mess lives.&lt;/p&gt;</description></item><item><title>Public/private key authentication using SSH</title><link>https://vo.rs/story/public-private-key-authentication-using-ssh/</link><pubDate>Fri, 03 Jan 2020 17:28:00 +0000</pubDate><guid>https://vo.rs/story/public-private-key-authentication-using-ssh/</guid><description>&lt;p&gt;Stand up a fresh cloud server, leave password login on, and within a few hours your auth log will be full of bots trying &lt;code&gt;root&lt;/code&gt;/&lt;code&gt;admin&lt;/code&gt;/&lt;code&gt;password123&lt;/code&gt; against port 22. I have watched a brand-new VPS take thousands of login attempts before I had even finished configuring it. None of them got in, because there was no password to guess — the box only accepted a cryptographic key that lives on my laptop and nowhere else. That is the whole pitch for public/private key authentication, and it is the first thing I set up on any machine I intend to keep.&lt;/p&gt;</description></item></channel></rss>