Wladimir Palant @WPalant@infosec.exchange

PSA: If you pick up a call and there is nothing in the line, with a noisy background kicking in only after a few seconds - be very suspicious. They might claim to have called you, but it was actually a robot which transferred the call to a call center. Don't fall for any scams.

For reference, support for XUL on the web was completely disabled in 2010: https://bugzil.la/546857

Components.interfaces continued causing issues for a few years longer and was eventually replaced by a shim in 2013: https://bugzil.la/429070

From today's perspective, this was crazy. This functionality was rightfully disabled as it was inadvertently exposing internals of the browser to the web and increased the attack surface of the browser massively. But Components.interfaces is still provided, for backwards compat.

Got a notification from a Mozilla bug so old that the content type of the attachment was application/vnd.mozilla.xul+xml. Do you know that Mozilla used to allow XUL to be used on the web? Back then I even wrote an article on how you would create a <xul:tree> with a custom view.

Does it have to be binary or will JSON-based do as well? 😀

I've created a bunch of binary formats in the past, but growing up I started to understand the advantages of well-known and human readable container formats with pre-existing parsers - such as XML or JSON.

Wow, somebody blocked me on Mastodon, that's a first. I dared to criticize PGP...

And #email is indeed beyond saving, I don't see secure communication over email to happen, ever. No way around establishing new protocols for encrypted communication, e.g. #Signal.

#crypto #infosec

https://palant.de/2018/11/12/as-far-as-i-m-concerned-email-signing-encryption-is-dead/

The scary thing: some products in need of #crypto such as password managers are being built on top of #PGP because that's supposedly easier to get right. But it's not. Looking at #Passbolt for example, there are definitely better way to do public key crypto.

#infosec

So here you have the full picture now: #PGP doesn't work and never will. Stop recommending it, stop organizing key signing parties, you aren't helping anybody doing that. Just put it to grave instead.

#RIPPGP #crypto #infosec

https://latacora.singles/2019/07/16/the-pgp-problem.html

Wow, so Kazakhstan is now systematically subverting HTTPS encryption? Crazy times...

https://bugzilla.mozilla.org/show_bug.cgi?id=1567114

Great explanation. Back in 1969 it was easier to go to the moon than to fake the video coverage of the moon landing (and today it's the opposite). Not that this will convince anybody...

https://www.youtube.com/watch?v=_loUDS4c3Cs

And here seems to be a fairly balanced view on the topic: https://jasoncrawford.org/10x-engineers

Actually, Marco Rogers has a nice thread on why this kind of extreme stereotypes is very harmful.

https://twitter.com/polotek/status/1150053646073131008

I'm quite relieved that this doesn't apply to me. Even back when my social skills were far worse than they are now - my desktop background was never black. And I make pauses while typing. So I'm not *that* type of engineer. #10xEngineer

https://twitter.com/skirani/status/1149302828420067328

This article by @slooterman@twitter.com explains a lot. Much of the available information on #autism is so bogus that it's hard to understand how somebody who has ever interacted with an autistic person can believe it, much less call it "research." https://undark.org/2019/07/11/being-autistic-at-an-autism-research-conference/

I think that this is a consequence of the increased volume. With the drastically increased number of questions, most of them will never be seen by anybody once answered. Only few answers will be seen and receive upvotes regularly, this has no impact on the median however.

Eight years ago I created a #StackOverflow data query to see which tags attract the most upvotes: https://meta.stackexchange.com/a/105674/163275. Today I updated that query and the results changed remarkably: essentially, the high end of the scale no longer exists, it's one vote for almost all tags.

In case anybody considered Amazon Echo an exception: no, Google Assistant sends audio recording to the "cloud" and now we know for sure that Google employees can listen in: https://twitter.com/mikko/status/1149025136173113344. Big surprise.

If you ask me...

Disclosing six #RememBear security issues today. Most of these aren't terribly important but demonstrate lack of attention to security-relevant details. #infosec #passwords

https://palant.de/2019/07/08/various-remembear-security-issues/

After some iterating, things look somewhat better now, in particular less cluttered - access keys are indicated by underlining the letter wherever possible. This is how the same screen looks now when pressing the Alt key.