Me trying out Session messenger came to an abrupt end - I'm uninstalling it and recommend that everybody does the same. People pointed out the app's connections to the alt-right scene which I could sadly confirm. So I don't want to contribute to them washing the stains away.
Wow, I knew of course that #Brave was running some really aggressive marketing campaigns... But now they are apparently spamming random bloggers because of links to MDN for browser extensions information.
For reference, the article in question is https://palant.info/2015/10/15/using-webextensions-apis-in-a-classic-extension/.
Oh, and did I mention that one can create an account from the desktop client without hacking the app?
Looks like I will be trying out Session messenger (https://getsession.org). It's a fork of #Signal with many of the same advantages, in particular unproblematic setup. It appears to have made more sensible decisions in some areas however - accounts not bound to phone numbers, random recovery codes etc.
One has to share a lengthy Session ID before communicating with someone however.
Registration requires me to pick a password (for server auth) *and* a recovery phrase for my encryption keys. Why does it require two security tokens where one would do? Oh, right, end-to-end-encryption is optional...
No, I can do this but I know that other people will give up. And I'm not even starting with IRC-inherited usability issues that will certainly frustrate anybody less technical who tries to communicate with me this way. 😢
With #Signal continuing to roll out PINs and making them mandatory despite all the criticism, I decided to finally look at #Matrix that people are recommending. Unfortunately, so far I'm not too impressed. Structural issues haunting most open source projects show here as well.
Publishing details of some BullGuard Antivirus and Secure Browser vulnerabilities. Contacting #BullGuard to report these was rather tough, but all is fixed now and I am good to publish - one week before the 90-day deadline. #infosec #appsec
"Next Monday" came early - just got a message from the vendor that I am good to go, so will publish the article now.
Never mind, by now RIA FAN actually published their "story" which is being shared by Russian diplomats and the Ministry of Foreign Affairs. They are talking about "anti-Russian provocation" with a straight face. Yes, that article is featuring this very "evidence."
This isn't someone random who created these fakes, according to the watermark the originator is RIA FAN - the acronym means "Federal News Agency" (better known as Russian troll factory).
No, I don't think that the designated recipients are critical enough to spot the issue...
Fascinating. Russians want to discredit an upcoming @bellingcat story, so they invent fake private conversations. But they do it in such an amateurish way that it's obvious - both sides of the conversation were written by the same person, someone who omits punctuation.
Sure, the strikes against organized crime achieved here are impressive. But this is also scary as the same tools could be (and are being) used against opposition and dissidents for example.
Depending on your country, you can probably trust the current government to do the right thing. But what about the next government? Maybe democratic countries should not be allowed to do this at all, or there should be very strong controls to prevent misuse.
This is a fascinating read. Let this sink in: law enforcement compromised the network of a secure chat solution and pushed malware to all endpoints in order to read all the messages. All that on the premise that the majority of the users were criminals, even though some weren't.
Always stated how they properly pseudonymized data, ignoring all the evidence to the contrary.
But "look what you made us do, we have to shut down Jumpshot and so many great people will lose their jobs!"
Sorry, not sorry. You still don't deserve to regain people's trust.
I must say, the concept of "performative contrition" is brilliant. It doesn't merely explain the behavior of individual abusers, companies behave this way as well.
Look at #Avast for example. Never admitted doing anything wrong, throughout the entire privacy scandal.
All of that without any fancy buffer overflows or such, merely abusing existing application logic. Could it be that antivirus vendors focused so much on hardening their binary code that they forgot the low-hanging fruit? And is it really hardened?
To be continued… 5/5
3) Bitdefender replaces browsers' built-in SSL warning pages which is surprisingly problematic. Quite remarkable what one can do with the security tokens found there. Arbitrary code execution from any website when opened in any browser. 4/5
Software developer and security researcher, browser extensions expert. He/him
Other Mastodon account for non-technical topics: https://social.tchncs.de/@WPalant