It always amazes me just how little care companies offering a security product put into the security of their services. Look through the whole thread:

twitter.com/Shadow0pz/status/1

I've started to compile a list of common mistakes that antivirus software is making, not unlike the one I published under palant.de/2018/08/29/password-. So far I have three perfectly avoidable issues. One antivirus had all of them, another "only" two.

EU is going to offer a bug bounty on some open source projects. @k8em0@twitter.com has her doubts that this is a good idea.

twitter.com/k8em0/status/10788

So the verdict is final: antivirus undoing everything the browser vendors learned about security in the past decade is not a vulnerability but a "low probability security risk." Weakening web infrastructure is a cosmetic issue at best.

A report on the breach has been released and @sawaba@twitter.com is analyzing it. His conclusion: 34 (in words: thirty-four!) control and process failures led to this disaster. Worth a read:

twitter.com/sawaba/status/1072

I published my thoughts on private bug bounty programs. These don't reflect well on the vendors running such programs, and neither on and .

Many thanks to @k8em0@twitter.com for the inspiration.

palant.de/2018/12/10/if-your-b

I post about technical topics here, especially , , . My other account social.tchncs.de/@WPalant is for German-language non-technical stuff.

Looking through old vulnerability reports, hackerone.com/reports/232432 is a real gem. The reporter advises staying clear of innerHTML and using safe DOM methods instead. Yet to this day they are still using their error-prone approach. 1/2

@EdOverflow@twitter.com pointed out to me that generally doesn't seem to take security seriously. The ownership verification issues he discovered also weren't considered important enough. 1/2
edoverflow.com/2018/logic-flaw

Refreshing my assembly reading skills, it has been a while. Somebody considered it a good idea to essentially hang out a binary on the web - no other way to demonstrate just how much trouble they got themselves into.

Found a security issue compromising end-to-end encryption in under some circumstances. Response so far: known issue, not worth fixing. It doesn't look like they misjudged the severity here, so I am just speechless. Stay tuned...

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.