Time to reevaluate common development practices and how these are affected by power dynamics.

This thread is very much worth reading:

Finally understood why I hated Scrum when other people didn't. Not so much because it was misapplied, rather being a remote worker put me at a disadvantage more than usual here.

And the crypto is sane from what I can tell. Much harder to inspect the Rust-based DLL doing it, however. Guess I'm done with RememBear then, will publish the findings once all the issues are fixed.

Oh, and SRP indeed is weird... blog.cryptographyengineering.c

Found a PBKDF2 call in with horribly bad parameters. Then realized that it was merely importing passwords from . And last year I actually investigated myself how badly these are protected.

For a change, this time not a vulnerability but a bogus security mechanism. went to great lengths to protect their localhost traffic, all for nothing. Too often, security mechanisms are implemented that don't solve any actual issue.

It's fascinating to watch real-life phishing campaigns on . So apparently sharing a PDF file via with an image linked to a site is a real thing, even used in a spear phishing campaign against . People actually fall for that?

Apparently, there is a private bug bounty program on HackerOne. Unfortunately for me, I already declined the invitation to this one a year ago, so now they can no longer invite me to join. I likely wouldn't want to take this route anyway, since private programs usually don't allow you to publish your findings.

I was told that reporting via the support contact would work as well. This feels rather suboptimal...

Wow, next time I need a bunch of security tokens for a website, it seems that is the place to look for them. Password reset and account recovery links en masse...

via @j_opdenakker

So how does one report security issues to ? While they are boasting security features and their security audit, I can see nothing like a vulnerability disclosure program.

I've been looking into their password manager briefly and I will be compiling some PoCs...

My deployment script now compares old and new generated directories, copying mtime for any unchanged files. I couldn't find any better approach to that, other than relying on Hugo to update content in-place – something that doesn't work too well.

Made deployments to -based and more robust and atomic, no more spurious 404 errors because the website is updating. Now I'd like to somehow avoid file modification time changing if contents didn't change...

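The two posts above describe a deployment that (a) compares the previously generated directory with the freshly generated one and copies the old mtime onto any file whose contents did not change, and (b) switches the live site over atomically so there is never a moment where files are missing. The script below is an added illustration of that approach, not the author's deployment script, and it assumes a POSIX host where the live directory is a symlink to a versioned build directory (the `v1`, `v2` and `live` names and the sample files are constructed for the demo):

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large assets are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_mtimes(old_dir: Path, new_dir: Path) -> List[str]:
    """Copy the old mtime onto every file in new_dir whose bytes are identical
    to the file at the same relative path in old_dir. Files that are new or
    whose content changed keep their fresh timestamp. Returns the relative
    paths that were preserved."""
    preserved = []
    for new_file in sorted(p for p in new_dir.rglob("*") if p.is_file()):
        rel = new_file.relative_to(new_dir)
        old_file = old_dir / rel
        if not old_file.is_file():
            continue                       # added file: nothing to preserve
        if old_file.stat().st_size != new_file.stat().st_size:
            continue                       # cheap pre-check before hashing
        if file_digest(old_file) != file_digest(new_file):
            continue                       # content changed: keep new mtime
        st = old_file.stat()
        os.utime(new_file, ns=(st.st_atime_ns, st.st_mtime_ns))
        preserved.append(rel.as_posix())
    return preserved


def atomic_swap(live_link: Path, target: Path) -> None:
    """Point the live symlink at target with a single rename(2). rename does
    not follow symlinks, so the old link is replaced atomically and the web
    server never observes a half-updated or missing directory."""
    tmp = live_link.with_name(live_link.name + ".tmp")
    if tmp.is_symlink() or tmp.exists():
        tmp.unlink()
    os.symlink(str(target), tmp)
    os.replace(tmp, live_link)


def demo() -> Dict[str, object]:
    """Constructed scenario: build v1 an 'hour ago', then v2 with one unchanged
    file, one changed file and one added file; preserve mtimes and swap."""
    root = Path(tempfile.mkdtemp())
    old, new = root / "v1", root / "v2"
    (old / "css").mkdir(parents=True)
    (new / "css").mkdir(parents=True)
    (old / "index.html").write_text("<h1>hello</h1>")
    (new / "index.html").write_text("<h1>hello</h1>")          # unchanged
    (old / "css" / "site.css").write_text("body{}")
    (new / "css" / "site.css").write_text("body{color:red}")   # changed
    (new / "new.html").write_text("<p>new</p>")                # added
    old_ts = 1_600_000_000                                     # constructed old build time
    for p in old.rglob("*"):
        if p.is_file():
            os.utime(p, (old_ts, old_ts))

    preserved = preserve_mtimes(old, new)
    live = root / "live"
    os.symlink(str(old), live)
    atomic_swap(live, new)

    result = {
        "preserved": preserved,
        "index_mtime": int((new / "index.html").stat().st_mtime),
        "css_kept_old_mtime": int((new / "css" / "site.css").stat().st_mtime) == old_ts,
        "live_target": os.readlink(live),
        "expected_target": str(new),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

Keeping the old mtime on unchanged files means `Last-Modified` and `If-Modified-Since` keep working across rebuilds, so clients and CDNs do not refetch the whole site after every deploy. The size check before hashing is only an optimisation; the byte comparison is what decides, so a file whose content changed but whose size did not is still treated as changed.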
Noticed yesterday that when I tried to unsubscribe from the browserext W3C email list in December 2017 it didn't work. Not a single email since then. So much for browser vendors not wanting to do bug-for-bug compatibility with Chrome's extensions...

And now that Hacker News users are stress-testing my comments system it became obvious that I never tried sending notifications to other mail servers. Bug in the Python script, wrong mail server configuration. Should be all fixed now.

The usual unavoidable hiccups. Backup script fails because it can no longer find a database. doesn't urlencode commas so the RSS feed redirect I created for it doesn't work even though it works in a browser.

My new challenge is live: "Can you trick this browser extension into revealing its data?" Very little code, hard to exploit. Many thanks to for the inspiration.

@mozilla How about you put a little effort into your communication? Don't you think that having perceived as a spam source is an issue? I would delete the account but I need to publish extensions.

And while we are at it, how about fixing

Dear @mozilla you once again sent me a promotional mail despite an explicit opt-out of all mails. I would assume malice if I didn't know for certain that it's incompetence. Yes, I've seen the mess that your Basket project is.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.