Wladimir Palant @WPalant@infosec.exchange

#Google just took down #PfP without any advance warning. My offense: I didn't publish a privacy policy, this extension not collecting any data whatsoever. The joke: unlike Mozilla Add-ons, Chrome Web Store does not have a field for the privacy policy!

Any hints on how to report McAfee security vulnerabilities? I tried the official process documented under https://www.mcafee.com/enterprise/en-us/threat-center/product-security-bulletins.html but my mail to security_report@mcafee.com didn't trigger the automated response. And security@mcafee.com bounces.

There is a redirect set up for security.txt on http://mcafee.com domain but it points to a non-existent file of course...

In case anybody considered Amazon Echo an exception: no, Google Assistant sends audio recording to the "cloud" and now we know for sure that Google employees can listen in: https://twitter.com/mikko/status/1149025136173113344. Big surprise.

If you ask me...

After some iterating, things look somewhat better now, in particular less cluttered - access keys are indicated by underlining the letter wherever possible. This is how the same screen looks now when pressing the Alt key.

Implemented access keys in #PfP, pressing Alt will show you all of them. Access keys have always been a major #l10n pain, so this time I decided to choose them automatically - seems to work reasonably well. Only few UI elements will change their access key depending on context.

Actually, combining Unicode property escapes with the heuristic above as fallback is easy enough. So in current Chrome my isLetter() function will use the more correct approach while in Firefox it will be the simple but not quite correct fallback code.

I think that I'll use the function below - a letter is something that is modified by toUpperCase() or toLowerCase(). This excludes some more exotic letter variants, and it just won't work on scripts like Hebrew or Arabic, but it should do for my use case for now.

And PfP options are part of the pop-up now. You can still get to them the way your browser lets you configure extensions. But quite frankly, how many people managed to find them there?

Selecting a site got its own tab now, so it's visually different from choosing an alias for a site and should no longer confuse anybody.

The visible change: sync should now work with any server supporting remoteStorage protocol (https://remotestorage.io/). The bigger but rather hidden change: sync protocol requires even less trust in the storage provider now, no tampering with the data should succeed.

A big one: no more "Easy Passwords 1.x compatible password" here, weaker password generation is gone for good. If you still had any legacy passwords these will be converted to stored passwords now, same happens when importing backups with legacy passwords.

Previous screenshot shows a minor improvement: website name is a link now. Here is one more: you can copy the user name from the password menu. Oh, and you can navigate both the password list and the password menu with arrow keys: https://pfp.works/documentation/keyboard-navigation/

I finally released #PfP: Pain-free Passwords 2.2.0! Get it here: https://pfp.works/

This is a major one, lots improvements here. The most noticeable one is the user interface, the tab strip on the left should make it much easier to navigate.

So #Google, I don't have a recovery phone or any other #2FA options configured. Then why is changing my password only possible if I still happen to have that #Android VM where I logged into Play Store using that account? How is this better than the recovery email I configured?

And the six months transition period actually took 16 months... I finally implemented the last migration step for #PfP towards stronger crypto, all the old stuff is gone for good now. Lots of backwards compat code removed.

https://github.com/palant/pfp/commit/511d41009c61a27afdd089672558d67f7c40d31f

I think I'm down overhauling user interface for #PfP, it looks good now. A few changes to core functionality and this can be released.

So the specialty of #VPNMentor is apparently creative email #spam? Got a mail today trying hard to look like it was sent by an unaffiliated private person when it was clearly automated. Not the first time they did it either: http://spam.tamagothi.de/2018/10/10/quick-question/

Stumbled upon a malicious Facebook ad. The add promises a funny quiz and links to hallo-quiz [dot] com. That site will then redirect you to fimepobala [dot] com which shows the supposed quiz (only visible with the correct referrer). #infosec

Quite remarkable statistics of a private #bugbounty program. So one report got the maximum $5000 bounty, and around 21 others got rewarded around $250 on average. The other 765 reports didn't receive any bounty at all. Worth contributing?

Thank you #Fortinet, I feel sooooo much safer using this network! #FortiGuard #firewall #security