Pinned toot

I post about technical topics here, especially , , . My other account is for German-language non-technical stuff.

illustrates nicely why specs should be accompanied by a stable reference implementation. While it's a great idea in principle, all available server implementations are badly outdated and most violate the spec in more or less subtle ways.

Oh, already published the extension update - they seem to have improved their turnaround times, which is great. Now if I could somehow change the extension name, it's still being listed as Easy Passwords...

Decided to do an intermediate extension release before I pile up even more changes. Interestingly, this time only the version got published immediately. decided to flag it for manual review, and reviews are always taking a while.

Was pleasantly surprised today by being resolved. Only to see it immediately followed up by: "Script error. Ignore." So still won't properly protect the database of locally stored passwords, and no plans to change this it seems.

And once again Patricia Aas' talk states: election security is all about protecting against the very people running the election. Which is why machine voting is so complicated: falsifications have to be detected (actually detected, not merely detectable) despite compromised voting machines.

Note to future self: yes, when opening an HTML page from disk, absolutely won't load a web worker from a file, not even a file in the same directory. And: no, this doesn't make any sense as a security mechanism because loading the same file via a <script> tag works just fine.

Spent some time figuring out why extension pop-ups don't receive keyboard focus in my test profile. Turns out, there is an undocumented focusmanager.testmode preference which you don't want to be set. I guess I used with this profile which enabled it.

Website cites statement by "Our mission: We started vpnMentor to offer users a really honest, committed and helpful tool when navigating VPNs and web privacy."

Mission failed?

So the specialty of is apparently creative email ? Got a mail today trying hard to look like it was sent by an unaffiliated private person when it was clearly automated. Not the first time they did it either:

With the recent security issue, many people recommend as alternative. Personally however, I certainly prefer products that own their security issues: And I'm not the only one who made such an experience with the Keybase team.

Finally removed support (many workarounds for long-standing bugs) from , I was never able to publish anything in the Microsoft Store anyway - blocked by some special review for browser extensions which never completed. Maybe with the Chrome-based Edge it will be easier.

Today I finally tried the naive approach and who would have thought: replacing the textarea value from the input event produces no visible effects whatsoever! So I got rid of an 800+ line third-party dependency and simplified my own code at the same time...

A while ago I was looking for a library to do formatted input for . Most solutions would introduce an annoyance: the original input replaced by the formatted one after a delay. So back then I settled on a library that reimplemented the browser's input processing to avoid this effect.
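The approach the two posts above describe (reformatting a text field directly from its `input` event instead of after a delay), as an added example that is not code from the original posts or from the author's extension. The grouping rule (blocks of four characters separated by a space) and the `formatGroups` / `applyFormatting` names are my own assumptions; the caret handling is what an implementation has to get right, since assigning `value` moves the caret to the end.

```javascript
// Format a raw field value into groups of `groupSize` characters separated
// by `sep`. Everything except letters and digits is stripped first, so the
// function is idempotent: formatting an already formatted value changes nothing.
function formatGroups(raw, groupSize = 4, sep = " ") {
  const chars = raw.replace(/[^0-9a-z]/gi, "");
  const groups = [];
  for (let i = 0; i < chars.length; i += groupSize) {
    groups.push(chars.slice(i, i + groupSize));
  }
  return groups.join(sep);
}

// Map a caret position in the raw value to the matching position in the
// formatted value: count significant characters before the caret, then add
// one separator for every completed group that precedes the caret.
function caretAfterFormat(raw, caret, groupSize = 4, sep = " ") {
  const before = raw.slice(0, caret).replace(/[^0-9a-z]/gi, "").length;
  if (before === 0) return 0;
  const separators = Math.floor((before - 1) / groupSize);
  return before + separators * sep.length;
}

// Synchronously replace the field value from the input event. Because this
// runs before the browser paints, the user never sees the unformatted text.
// `field` needs only `value`, `selectionStart` and `setSelectionRange`,
// i.e. a real <input>/<textarea> or a stand-in object for testing.
function applyFormatting(field) {
  const raw = field.value;
  const caret = field.selectionStart;
  const formatted = formatGroups(raw);
  if (formatted === raw) return formatted; // nothing to do, keep caret as is
  field.value = formatted;
  const pos = caretAfterFormat(raw, caret);
  field.setSelectionRange(pos, pos);
  return formatted;
}

// Wire the handler to a real DOM field (browser only).
function attachFormatting(field) {
  field.addEventListener("input", () => applyFormatting(field));
}
```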

Realized today that ES6 module support in .js is rather new and hardly usable. Somehow I expect a JS environment to be ahead of browsers and forget that it is merely an outdated version of Chrome's JS engine.

Wrote a quick&dirty script to ensure that IDs and class names in my .js components are good for something, so typos here will be caught now. The remaining challenge is validating component properties, the plugin won't catch typos there. Wonder how I could do that?

So the mystery of updates hanging occasionally at 99% on turned out to be running in the headless update process and expecting user input. I uninstalled needrestart now which should solve this issue.

And while I didn't really intend to have functional changes with such a huge commit, for some things it simply didn't make sense to reimplement them unchanged. So many UI elements which used to be subpages are modal overlays now, with better usability and keyboard navigation.

Got over my NIH syndrome and refactored most of the user interface with .js. Things got far more modular now, the complexity was really starting to become prohibitive here.

Stefan Esser on Twitter:

"The simple reality is there are so many 0-day exploits for iOS and the only reason why just a few attacks have been caught in the wild is that iOS phones by design hinder defenders to inspect the phones."

Some people had doubts. The response in the comments is plausible:

"Nobody will show you their 0-day just because you ask. But I can see how many players these days built teams/companies around iOS exploitation."

“Just install Linux on it” is the “just change the engine of your car” of tech.

Not everyone is a mechanic, not everyone wants to be a mechanic, and, if we want a world where freedom is the norm, we must stop expecting everyone to become a mechanic.

Note: this is not because these people are too dumb to be mechanics. It’s because they’re brain surgeons and space-shuttle pilots and they have three kids and they care for a loved one and they don’t have time to also be a mechanic.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.