Yellow Flag 😷 @WPalant@infosec.exchange

It seems that he has shut down most of his websites hosting copycat content, that’s good news. Yes, even the one with copyright message replaced by “See you in court.” However, he has set up a new fake company website and a Twitter account for it. 🙄

@varx Maybe I should give Lightning another try. I’m using Thunderbird for email and RSS, but the calendar was horrible…

@varx Not sure what you mean by “used to”, I think the last time Thunderbird has seen any kind of attention was more than a decade ago. It has been in pure maintenance mode for a very long time, I’m just happy it’s still working at all.

Another upcoming disclosure deadline in less than four weeks. Universal XSS in a browser extension, really bad. The vendor managed to produce two releases in the time but no fix for the critical issue. Sent out a reminder… 🙄

The Print Friendly & PDF browser extension allowed any website to completely take over the extension. Considerable attack surface remains, and Firefox version is still vulnerable (exploitation slightly more complicated there). #XSS #infosec #BugBounty

https://palant.info/2021/04/13/print-friendly-pdf-full-compromise/

Guess what: the extension vendor who took almost three months to address a critical vulnerability, cutting it very close to the deadline, only did some minor surface polishing. The underlying issues are still present and I better don’t look too closely. Disclosure tomorrow. 😬

Don’t get me wrong, deepfakes are a concern. But apparently not big enough a concern yet that we need to worry about a mom manipulating videos in order to harass her daughter’s competition. Harassment with a real video is enough to get her indicted.

https://www.dailydot.com/debug/deepfake-vaping-video-cheerleaders/

So whoever compromised the PHP source code repository did so by pushing via HTTPS with password-based auth. They had to guess usernames. Sounds like a password reuse issue: the password leaked elsewhere, so they didn’t know the matching username.

https://portswigger.net/daily-swig/php-maintainers-release-post-mortem-report-after-backdoor-planted-in-git-repo

@doenietzomoeilijk Yes, the article mentions that. It might be the reason why Facebook originally claimed this to be data from an already disclosed breach.

Yes, I also hope that they get a massive fine for trying to sweep this under the carpet.

So apparently the leaked data of 533 million Facebook users came from a 2019 breach that wasn’t previously disclosed after all. Not just that, Facebook chose not to notify the users affected either. Yes, totally reasonable and responsible behavior, as you would expect.

https://www.wired.com/story/facebook-data-leak-500-million-users-phone-numbers/

Noticed that a former follower blocked me. Weird, what did I do? Oh, I retweeted something about the harm RMS has done and is still doing…

People, choosing heroes means also reconsidering the choice sometimes. Some turn out to be awful human beings when you take a closer look.

Great blog post, explaining how linked list questions in job interviews had their time and place in the 80s. Also showing how the cargo culting likely happened which made them still popular today despite being largely pointless.

https://www.hillelwayne.com/post/linked-lists/

What we need is software that users can rely on, that will act in their best interest rather than monetize them behind their backs. Clearly, Free Software failed to define ethical aspects of software, and we now know why. So maybe https://ethicalsource.dev/ is the right answer.

While at it, could we consider moving beyond Free Software? I’m increasingly convinced that it is a dead end we wasted decades on. GNU/Linux is used everywhere, yet it gives users exactly zero leverage. Having access to those mountains of code is no gain, it’s almost useless.

After loosing RSS feeds again in Thunderbird I got fed up and reported the bug. Looks like it has good chances to get fixed! https://bugzilla.mozilla.org/show_bug.cgi?id=1701414

Free Software Foundation Europe is severing its ties to FSF. Yes, at this stage it’s the only right decision.

https://fsfe.org/news/2021/news-20210324-01.html

@kettlevoid https://www.kvb-rad.de/de/koeln/ – have fun. Already tested it and works in Chrome without wasting much memory. So whatever the problem is, it must be Firefox-specific.

Stumbled upon a (legitimate) website that managed to drive up Firefox memory usage by 2 GB and almost hang the entire UI before I closed the tab. And Firefox spent around five minutes working on freeing all that memory. I feel an urge to dissect it and figure out what they did…

For anybody concerned that my previous article on Amazon Assistant only discussed potential threats: here is the actual data being collected for “analytics” purposes. Lots of it and linked to the user’s Amazon account. #amazon #privacy

https://palant.info/2021/03/22/follow-up-on-amazon-assistants-data-collection/

I’m writing a follow-up on Amazon Assistant, will hopefully be finished today. There is more to this story…