It always amazes me just how little care companies offering a security product put into the security of their services. Look through the whole thread:

I've started to compile a list of common mistakes that antivirus software is making, not unlike the one I published under So far I have three perfectly avoidable issues. One antivirus had all of them, another "only" two.

EU is going to offer a bug bounty on some open source projects. has her doubts that this is a good idea.

So the verdict is final: antivirus undoing everything the browser vendors learned about security in the past decade is not a vulnerability but a "low probability security risk." Weakening web infrastructure is a cosmetic issue at best.

A report on the breach has been released and is analyzing it. His conclusion: 34 (in words: thirty-four!) control and process failures led to this disaster. Worth a read:

I published my thoughts on private bug bounty programs. These don't reflect well on the vendors running such programs, and neither on and .

Many thanks to for the inspiration.

I post about technical topics here, especially , , . My other account is for German-language non-technical stuff.

Looking through old vulnerability reports, is a real gem. The reporter advises staying clear of innerHTML and using safe DOM methods instead. Yet to this day they are still using their error-prone approach. 1/2

pointed out to me that generally doesn't seem to take security seriously. The ownership verification issues he discovered also weren't considered important enough. 1/2

Refreshing my assembly reading skills, it has been a while. Somebody considered it a good idea to essentially hang out a binary on the web - no other way to demonstrate just how much trouble they got themselves into.

Found a security issue compromising end-to-end encryption in under some circumstances. Response so far: known issue, not worth fixing. It doesn't look like they misjudged the severity here, so I am just speechless. Stay tuned...

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.