I post about technical topics here, especially , , . My other account social.tchncs.de/@WPalant is for German-language non-technical stuff.

Came across this wonderful web-only password manager today. Sure, security-wise that's an inherently flawed combination. But their security bullshit is soooo charming...

So naive of me, assuming that an issue is fixed just because it should be according to the vendor's timeline. Three months in, the vendor managed to implement a one-line fix for the Chrome extension but not Firefox. The application remains vulnerable. Six days to go...

infosec.exchange/@WPalant/1036

And now I can go back to more important stuff: there was a huge vulnerability in an antivirus product (not Avast for a change), to be published next Tuesday.

While Avast is planning to shut down Jumpshot, there is an ongoing investigation into their practices. I wonder how this will go, according to Avast they are fully compliant...

uoou.cz/en/vismo/dokumenty2.as

Even this limited sample contains lots of names, email addresses and even home addresses of Avast users. Jumpshot customers could have easily deanonymized the users the data belongs to, and some probably did.

I got my hands on a sample of Jumpshot data. My analysis confirms what everybody already suspected: Avast failed to anonymize the data they sold, leaving plenty of personal data untouched.

palant.de/2020/02/18/insights-

Then again, now that I am looking closer, this server appears to recognize my default SSH key. And the issue seems to be that I used that key on GitHub until 3 years ago. So it looks like the scraped GitHub keys are a bit dated.

There I was thinking that using different SSH keys for each server was sufficient protection. Who thought that sending all of them to any server you try to connect to was a good idea?

twitter.com/FiloSottile/status

The downside of recycling an old Android tablet as a dashboard display: its ancient SSL implementation is locked out of most websites by now and I have to go hunting for web proxies to act as translators. Now I found a web proxy using unencrypted HTTP, this should do for a while.

Oh, so there actually is a working process to get extensions removed from the Chrome Web Store, other than having a contact on the inside. The Developer Data Protection Reward Program works apparently, at least if a privacy issue can be demonstrated. duo.com/labs/research/crxcavat

I'm rather late to the party but the Avast story took the not quite unexpected turn. I wonder whether this investigation will really conclude that Avast's practices were all GDPR-compliant.

vice.com/en_us/article/3a8vjk/

Boost if you're a Firefox user and refuse to touch Chrome* with a ten foot pole

Does anyone here have experience with Responsible Vulnerability Disclosure via openbugbounty.org/? Does it actually work? As in: do they manage to notify the right people to get the vulnerability fixed? What about non-website vulnerabilities?

Unfortunately, the article's title promises more than what's really there. Lesson in crisis management? After reading the article I still don't know what the lesson is supposed to be. It's mostly speculation about Avast's stock prices, not so much management's actions.

As @MonztA@twitter.com points out, the trick of googling the article title and going to the Financial Times still works. They disable the paywall if they see Google as referrer...

Achievement unlocked: being mentioned in the Financial Times. 🥳🎉🍾

Now I only need to figure out what they actually said behind the paywall there...

I'm watching the Avast news coverage and it's very visible once again: as long as tech news circulate among tech publications things are mostly sane. Once they hit mainstream media it all becomes a game of broken telephone. Journalists writing about things they don't understand…

Received a press release via email, apparently they are shutting down. Which is the right consequence if you look at their stock price. The reason is of course that "some users questioned our mission", which is as close to "we messed up" as it will probably get.

I guess this proves that I've never really known Bash. Until today I didn't realize that [ is a program located in /usr/bin.

twitter.com/TartanLlama/status

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.