I post about technical topics here, especially , , . My other account social.tchncs.de/@WPalant is for German-language non-technical stuff.

Looks like something very uncommon is about to happen end of month: a vulnerability disclosure *before* the disclosure deadline! In fact, this particular vulnerability has been fixed within a day. Too bad that reporting a vulnerability usually doesn’t go as smoothly.

Yes, it’s easy to get all paranoid here. The big question is whether the paranoia is justified, and I don’t expect the answer to turn up any time soon. All we get is a suspicion that there might be more things going on than busting drug cartels.

And with Signal making rather questionable crypto decisions lately, how do we know who is currently pulling the strings there?

palant.info/2020/06/16/does-si

The FBI had to disclose their operation at some point for legal reasons. Russian or Chinese APTs are not bound by such rules. How do we know that they haven’t compromised some encrypted messengers already and are reading all communications?

Fascinating read on how the FBI ran Anom encrypted phone company. In particular:

“We wanted to shatter the trust in the encrypted phone industry that catered to criminals.”

The question remaining is: how can we as non-criminals still trust encrypted messengers?

vice.com/en/article/m7e733/ano

A quote from the article explaining what happened at Basecamp:

“Do you protect this extremely senior employee that you’ve protected for many years? And [the answer] was yes.”

You cannot both tolerate toxic people and have an inclusive work environment at the same time.

platformer.news/p/-how-basecam

I looked into the Ninja Cookie extension and found it really sloppy with security. I don’t know why after three months they only managed to address the biggest issue; they never wrote back after acknowledging my initial report.

palant.info/2021/05/04/univers

The add-on blocklist is now a Bloom filter, meaning that seeing its contents isn’t trivial. Also, stopped updating blocked.cdn.mozilla.net/ last year. If you need a human-readable list of blocks, it seems that firefox.settings.services.mozi is the only place now.
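To illustrate the point made in the post above, here is an added example (not Mozilla’s code, and not the format the actual Firefox blocklist uses) of a single-layer Bloom filter over a constructed list of add-on IDs. It shows the two properties that matter: membership checks for listed IDs always succeed, while the serialized filter is just a bit array that holds none of the IDs, so the list cannot be read back out of it. The IDs, sizes and hash construction are all assumptions made for the demonstration.

```python
import hashlib
import math

# Constructed sample add-on IDs for the demo; these are not real blocklist entries.
BLOCKED_IDS = [
    "hostile-toolbar@example.com",
    "{7a1c2b3d-0000-4aaa-9bbb-constructed0001}",
    "coinminer-helper@example.org",
    "sneaky-updater@example.net",
]


class BloomFilter:
    """Minimal Bloom filter: k independent hash positions per item over m bits."""

    def __init__(self, num_bits: int = 4096, num_hashes: int = 4) -> None:
        self.m = num_bits
        self.k = num_hashes
        self.bits = bytearray(num_bits // 8)  # only bits are stored, never the items
        self.count = 0

    def _positions(self, item: str):
        # Derive k positions by salting SHA-256 with the hash index (assumed scheme).
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode("utf-8")).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)
        self.count += 1

    def __contains__(self, item: str) -> bool:
        # A single cleared bit proves the item was never added; all set bits means
        # "probably added" (false positives possible, false negatives impossible).
        return all((self.bits[pos >> 3] >> (pos & 7)) & 1 for pos in self._positions(item))

    def false_positive_rate(self) -> float:
        # Standard estimate for a Bloom filter with k hashes, m bits, n items.
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k


def build_blocklist(addon_ids) -> BloomFilter:
    """Build the filter a client would download instead of a readable list."""
    bf = BloomFilter()
    for addon_id in addon_ids:
        bf.add(addon_id)
    return bf


def is_blocked(bf: BloomFilter, addon_id: str) -> bool:
    """The only question the filter can answer: is this specific ID (probably) listed?"""
    return addon_id in bf


def leaks_ids(bf: BloomFilter, addon_ids) -> bool:
    """True if any listed ID appears verbatim in the serialized filter (it never does)."""
    raw = bytes(bf.bits)
    return any(addon_id.encode("utf-8") in raw for addon_id in addon_ids)


if __name__ == "__main__":
    bf = build_blocklist(BLOCKED_IDS)
    for addon_id in BLOCKED_IDS:
        print(f"{addon_id}: blocked={is_blocked(bf, addon_id)}")
    print("unlisted@example.com:", is_blocked(bf, "unlisted@example.com"))
    print(f"estimated false positive rate: {bf.false_positive_rate():.2e}")
    print("filter bytes contain any ID:", leaks_ids(bf, BLOCKED_IDS))
```

A client can ask the filter about an ID it already knows, but cannot enumerate what is inside; recovering the list means guessing candidate IDs one by one, which is exactly why a human-readable source is needed when you want to see the blocks themselves.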

Great thread on how to manage a team in order to make it more inclusive and welcoming to women. Yes, it’s sad but all of this is really necessary. Patricia knows what she is talking about. No, we cis men don’t.

twitter.com/pati_gallardo/stat

Wow. As if we didn’t have enough vulnerabilities in open source projects as it is, “researchers” from University of Minnesota introduce more on purpose. To “prove” that it can be done. 🤦‍♂️

Via @rakyll@twitter.com: twitter.com/rakyll/status/1384

It seems that he has shut down most of his websites hosting copycat content, that’s good news. Yes, even the one with copyright message replaced by “See you in court.” However, he has set up a new fake company website and a Twitter account for it. 🙄

Another upcoming disclosure deadline in less than four weeks. Universal XSS in a browser extension, really bad. The vendor managed to produce two releases in that time but no fix for the critical issue. Sent out a reminder… 🙄

The Print Friendly & PDF browser extension allowed any website to completely take over the extension. Considerable attack surface remains, and the Firefox version is still vulnerable (exploitation is slightly more complicated there).

palant.info/2021/04/13/print-f

Guess what: the extension vendor who took almost three months to address a critical vulnerability, cutting it very close to the deadline, only did some minor surface polishing. The underlying issues are still present and I’d better not look too closely. Disclosure tomorrow. 😬

Don’t get me wrong, deepfakes are a concern. But apparently not a big enough concern yet that we need to worry about a mom manipulating videos in order to harass her daughter’s competition. Harassment with a real video is enough to get her indicted.

dailydot.com/debug/deepfake-va

So whoever compromised the PHP source code repository did so by pushing via HTTPS with password-based auth. They had to guess usernames. Sounds like a password reuse issue: the password leaked elsewhere, so they didn’t know the matching username.

portswigger.net/daily-swig/php

So apparently the leaked data of 533 million Facebook users came from a 2019 breach that wasn’t previously disclosed after all. Not just that, Facebook chose not to notify the users affected either. Yes, totally reasonable and responsible behavior, as you would expect.

wired.com/story/facebook-data-

Noticed that a former follower blocked me. Weird, what did I do? Oh, I retweeted something about the harm RMS has done and is still doing…

People, choosing heroes means also reconsidering the choice sometimes. Some turn out to be awful human beings when you take a closer look.

Great blog post explaining how linked list questions in job interviews had their time and place in the 80s. It also shows how the cargo culting likely happened that keeps them popular today despite being largely pointless.

hillelwayne.com/post/linked-li

What we need is software that users can rely on, that will act in their best interest rather than monetize them behind their backs. Clearly, Free Software failed to define ethical aspects of software, and we now know why. So maybe ethicalsource.dev/ is the right answer.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.