Time to reevaluate common development practices and how these are affected by power dynamics.
This thread is very much worth reading: https://twitter.com/statuses/990968833547497472
Finally understood why I hated Scrum when other people didn't. Not so much because it was misapplied, rather being a remote worker put me at a disadvantage more than usual here.
And the crypto is sane from what I can tell. Much harder to inspect the Rust-based DLL doing it however. Guess I'm done with RememBear then, will publish the findings once all the issues are fixed.
Oh, and SRP indeed is weird... https://blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/
Found a PBKDF2 call in #RememBear with horribly bad parameters. Then realized that it was merely importing passwords from #Chrome. And last year I actually investigated myself how badly these are protected. #infosec #crypto
For a change, this time not a vulnerability but a bogus security mechanism. #RememBear went to great lengths to protect their localhost traffic, all for nothing. Too often, security mechanisms are implemented that don't solve any actual issue. #infosec
Apparently, there is a private bug bounty program on HackerOne. Unfortunately for me, I already declined the invitation to this one a year ago, so now they can no longer invite me to join. I likely wouldn't want to take this route anyway, as private programs usually don't allow you to publish your findings.
I was told that reporting via the support contact would work as well. This feels rather suboptimal...
Wow, next time I need a bunch of security tokens for a website, it seems that urlscan.io is the place to look for them. Password reset and account recovery links en masse...
Just blogged: Don't leak sensitive data via security scanning tools. https://email@example.com/dont-leak-sensitive-data-via-security-scanning-tools-7d1f715f0486
My post on implementing search and comments in a blog built by a static site generator is up. #Hugo
Dear @mozilla you once again sent me a promotional mail despite an explicit opt out of all mails. I would assume malice if I didn't know for certain that it's incompetence. Yes, I've seen the mess that your Basket project is.