Oh look, it’s Xiaomi once again. Anyone taking bets that they will shrug away this scandal as well without any meaningful changes?
> Phones sold in Europe by China's smartphone giant Xiaomi have "a built-in ability to detect and censor terms such as 'Free Tibet', 'Long live Taiwan independence' or 'democracy movement'", Lithuania's state-run cybersecurity body said on Tuesday.
Results of my experiment reporting an Amazon XSS via Open Bug Bounty:
· Reported on 2021-03-08
· Automatically disclosed on 2021-06-06, still unpatched
· Actually fixed at some point before 2021-09-17
No idea whether Amazon even received the original report. Maybe they only noticed because someone started exploiting this vulnerability. So: no, not sure whether I want to do this again.
And Travis CI joins the ranks of companies that cannot be trusted with security. Not because they have issues (who doesn’t) but because they cannot recognize and properly handle a critical vulnerability report.
The details are in this Twitter thread: https://twitter.com/peter_szilagyi/status/1437646118700175360
Biggest trouble with ancient hardware is that it has an equally ancient SSL implementation. Turns out, the most reliable way of “fixing” this is getting recent curl via a Cordova plugin and bypassing the system’s implementation for HTTPS requests completely.
Great thread by Matthew Green here. TL;DR: NSA made Juniper add a backdoor to their routers. A presumably Chinese APT hacked Juniper and made the backdoor usable for themselves. Damage caused: still unknown. But politicians keep asking for encryption backdoors.
Just to clarify: it’s all user-generated content. And since there appears to be zero moderation…
Further in the same thread:
> Having strong technical leadership has lots of advantages, but one of them is it naturally leads to a healthier cadence. These folks typically have to be home for dinner, and they're old enough to know that death marches don't work.
Here is what a healthy software project looks like:
> Chrome was delivered without any sprints at all. The team came in at 9 and left at 5 (figuratively, people actually kept their own ~8h schedules) every workday for a couple years like clockwork. No drama. No broken marriages, no broken families.
Why waste time on hacking when big corps have plenty of disgruntled employees who will readily deploy ransomware for some quick cash? All while these companies underestimate the insider threat and the destructive power employees could wield.
“Cybercrime Group Asking Insiders for Help in Planting Ransomware”
Huge “surprise”: the algorithm used by #Apple to scan your iPhone for CSAM has already been reconstructed. And the first collision is also there already. Yes, this is going to be fun.
> What’s the German word for “don’t build security systems that rely on obscurity but can’t keep important details confidential for more than two weeks.”
I don’t have the right words to describe what I think about this organizational dystopia.
> And now you all know enough for me to explain... this ticket was closed as "resolved" by Mr. Bullets shortly after I was forcibly re-orged under him (despite my escalation to senior #Apple leadership & his history of insults, violence, & intimidation).
Wow, what a nice chain by @zemnmez exploiting various issues in the Apple ID service. I particularly like the trick to make event.source be null for messages, wasn’t aware of this one. In the end there is even XSS on the domain, CSP isn’t preventing it.
Brace yourselves... I'd like to share with y'all an email I sent #Apple employee relations on July 16th detailing a list of my concerns & complaints (with associated Box folders & relevant evidence). #Harassment, #Discrimination, #Assault, #Retaliation, more...
Having read the Steve Jobs biography, I’m somehow not surprised at all that such things happen at #Apple. There is no way a healthy company culture would arise with this kind of leadership. And please spare me “the end justifies the means” speech.
> My #Apple team in SW Eng not only documented their goal of making my "life a living hell" in our dev work tracking system, they also kept whiteboards for tally marks when they "scored points" …
The guy wrote this thread without realizing how he is describing a massively toxic culture. And he concludes by stating that he now applies the lessons learned here at his startup. For me this conclusion reads as: “If you work at that startup: run! RUN! NOW!!!”
If you ever find yourself at a company doing this: leave ASAP. The “hard work” heroism is an incredibly bad take for everyone. Long work hours destroy people’s mental health, and they don’t even increase productivity. Overworked people make lots of mistakes, only wasting time.
> The Internet Explorer team was the hardest-working team I’ve ever been on. And I’ve worked at multiple start-ups. It was a sprint, not a marathon. …
For reference: white hat hackers do not transfer out $600 million to “bring attention to a vulnerability,” they would stop a step short of that. But one has to appreciate the gesture of transferring back all that money. 😅
> As our communication with Mr. White Hat is going on, the remaining user assets on Ethereum are gradually transferred to the multisig wallet (0x34D6B21D7B773225A102b382815e00Ad876E23C2) requested by Mr. White Hat.
Wladimir Palant, software developer and security researcher, browser extensions expert. He/him
Other Mastodon account for non-technical topics: https://social.tchncs.de/@WPalant