Me trying out Session messenger came to an abrupt end - I'm uninstalling it and recommend that everybody does the same. People pointed out the app's connections to the alt-right scene which I could sadly confirm. So I don't want to contribute to them washing the stains away.

Wow, I knew of course that was running some really aggressive marketing campaigns... But now they are apparently spamming random bloggers because of links to MDN for browser extensions information.

For reference, the article in question is palant.info/2015/10/15/using-w.

Oh, and did I mention that one can create an account from the desktop client without hacking the app?

Looks like I will be trying out Session messenger (getsession.org). It's a fork of with many of the same advantages, in particular unproblematic setup. It appears to have made more sensible decisions in some areas however - accounts not bound to phone numbers, random recovery codes etc.

One has to share a lengthy Session ID before communicating with someone however.

Registration requires me to pick a password (for server auth) *and* a recovery phrase for my encryption keys. Why does it require two security tokens where one would do? Oh, right, end-to-end encryption is optional...

No, I can do this but I know that other people will give up. And I'm not even starting with IRC-inherited usability issues that will certainly frustrate anybody less technical who tries to communicate with me this way. 😒

Ok, registering with . Federated approach is great - I can choose a German homeserver. But one disabled registrations, another has a broken CAPTCHA, I don't know who runs the rest and whether they are reliable. So back to matrix.org (hello ).

There are different clients which can be used - great, some of these look like they will provide better performance and user experience compared to . But half of them don't support end-to-end encryption, how are these even allowed? Another fails to surface errors.

With continuing to roll out PINs and making them mandatory despite all the criticism, I decided to finally look at that people are recommending. Unfortunately, so far I'm not too impressed. Structural issues haunting most open source projects show here as well.

twitter.com/qrs/status/1280242

Publishing details of some BullGuard Antivirus and Secure Browser vulnerabilities. Contacting to report these was rather tough, but all is fixed now and I am good to publish - one week before the 90-day deadline.

palant.info/2020/07/06/dismant

"Next Monday" came early - just got a message from the vendor that I am good to go, so will publish the article now.

It seems that I'm done with the illustration for next Monday's article. We'll have another "secure browser" to pick apart in a week.

Never mind, by now RIA FAN actually published their "story" which is being shared by Russian diplomats and the Ministry of Foreign Affairs. They are talking about "anti-Russian provocation" with a straight face. Yes, that article is featuring this very "evidence."

This isn't someone random who created these fakes, according to the watermark the originator is RIA FAN - the acronym means "Federal News Agency" (better known as Russian troll factory).

No, I don't think that the designated recipients are critical enough to spot the issue...

Fascinating. Russians want to discredit an upcoming @bellingcat story, so they invent fake private conversations. But they do it in such an amateurish way that it's obvious - both sides of the conversation were written by the same person, someone who omits punctuation.

twitter.com/bellingcat/status/

Sure, the strikes against organized crime achieved here are impressive. But this is also scary as the same tools could be (and are being) used against opposition and dissidents for example.

Depending on your country, you can probably trust the current government to do the right thing. But what about the next government? Maybe democratic countries should not be allowed to do this at all, or there should be very strong controls to prevent misuse.

This is a fascinating read. Let this sink in: law enforcement compromised the network of a secure chat solution and pushed malware to all endpoints in order to read all the messages. All that on the premise that the majority of the users were criminals, even though some weren't.

vice.com/en_us/article/3aza95/

Always stated how they properly pseudonymized data, ignoring all the evidence to the contrary.

But "look what you made us do, we have to shut down Jumpshot and so many great people will lose their jobs!"

Sorry, not sorry. You still don't deserve to regain people's trust.

I must say, the concept of "performative contrition" is brilliant. It doesn't merely explain the behavior of individual abusers, companies behave this way as well.

Look at for example. Never admitted doing anything wrong, throughout the entire privacy scandal.

twitter.com/mm_schill/status/1

All of that without any fancy buffer overflows or such, merely abusing existing application logic. Could it be that antivirus vendors focused so much on hardening their binary code that they forgot the low-hanging fruit? And is it really hardened?

To be continued… 5/5

3) Bitdefender replaces browsers' built-in SSL warning pages which is surprisingly problematic. Quite remarkable what one can do with the security tokens found there. Arbitrary code execution from any website when opened in any browser. 4/5

palant.info/2020/06/22/exploit

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.