Pinned toot

I post about technical topics here, especially , , . My other account social.tchncs.de/@WPalant is for German-language non-technical stuff.

Wait, I thought that they did it as an additional precaution after fixing the issue. They didn't, that *is* their fix! WTF??? 🤯

Wow, one of my proof-of-concept pages is now triggering antivirus response, supposedly it's infected with "HEUR:Exploit.Script.Generic" (trivial to circumvent of course). I'm honored!

This is a lengthy article, building up the backstory before getting to the interesting part, but it's definitely worth reading. @ameschright@twitter.com has a point, FLOSS movement obsessing with source code is counterproductive, it's missing the bigger picture. lifeofaudrey.com/essays/histor

No, I'm not that naive. The real reason for Wikipedia not listing any criticism is its editors actively removing that information. Official reason: "we need better sources." As some people suspect, they mean sources putting Stallman in a better light. en.wikipedia.org/wiki/Wikipedi

There are topics where one wishes to have never heard anything about. I can only hope that it is the reason why the Wikipedia article on Richard Stallman contains no huge section titled "Criticism" or "Controversy." Most things in this thread aren't exactly new yet unmentioned.

twitter.com/_sagesharp_/status

The results on Mastodon are 5 for "keep as is" vs. 1 for "split up." On Twitter I got 6 for "keep as is" vs. 3 for "split up" vs. 1 for "remove details." I've added an executive summary at the top of the post as suggested by @gcluley which is hopefully sufficient as a compromise.

The important factors are motivation, willingness to learn and the ability to see own mistakes and shortcomings. The current skill level can often be judged from previous work, no need to waste everybody's time on that in the interview.

For reference, my take is:

• Education is not important, there are different ways to get there.
• Having done the exact same thing before is not important, they can learn on the job.
• Accent is not important, they will get better at English very soon.

Don't design your interviewing process like that. You don't need hiring consensus from everybody working at the company. There aren't all too many things that are really important to know about a candidate. Understand what those are and ask the right questions.

twitter.com/EmmaWedekind/statu

Now that a have a mostly final version of the draft, I did a word count. It's pretty identical in size to palant.de/2019/08/12/recognizi and around 25% longer than palant.de/2019/08/19/kaspersky. So at least it isn't a lot longer than things I've written before.

Of course, if you say that my blog posts are always very long, you will probably be right. No matter how hard I try, it always gets out of hand. But this one is even longer than usual!

The draft of my post on more vulnerabilities (to be published end of November) is getting very long. What should I do with it?

Got the important hint from a commenter on my blog post: the privacy policy field exists, in the overall developer settings. Makes total sense to share privacy policy between totally unrelated extensions. Anyways, is back in Chrome Web Store!

just took down without any advance warning. My offense: I didn't publish a privacy policy, this extension not collecting any data whatsoever. The joke: unlike Mozilla Add-ons, Chrome Web Store does not have a field for the privacy policy!

IMHO, these useful hints largely apply to working in a diverse environment in general, not just when dealing with autistic people. They boil down to: don't assume that everybody thinks and reacts in the same way as you and be respectful.

twitter.com/commaficionado/sta

Today I learned that you can do 12345678901234567890n * 2n and get precise results in JavaScript. The "n" at the end of a number denotes the "bigint" type which is available as of Chrome 67 and Firefox 68. How did I miss this? developer.mozilla.org/en-US/do

Of course, that challenge/response scheme is bolted on top of a conventional OAuth-based authentication (called OpenID in the code for extra obfuscation points).

A client capable of getting the "public" key from the "private" key can decrypt the challenge and thus prove knowledge of the master password to the server. Yeah, why use an established PAKE protocol if it's so easy to design your own and obfuscate it with bogus terminology...

The encryption key here is derived from the master password which isn't known to the server, but both "public" and "private" keys are. So to authenticate a user the server encrypts random data with the "public" key, then sends "private" key and the ciphertext as a challenge.

Show more
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.