
@MarciaBokeh@twitter.com is another veteran who has been laid off. I remember her being praised very high for her QA work, she is really good.

talentdirectory.mozilla.org/?i


I looked through talentdirectory.mozilla.org/ and Mozilla apparently fired @sheppy@twitter.com. If you are a fan of – that's the guy you have to thank, it was a horrible mess before Eric Shepherd started working on it. Get him a great new job!

It's hard to imagine a scenario where a CSP bypass is still of value under these conditions. If anything, it helps obfuscate the attack payload, loading most of the code from another website. So this really isn't the big deal it sounded like from the description.


That's the real reason why perimeterx.com/tech-blog/2020/ lists some sites being vulnerable while others are "safe": all these sites allow inline scripts in their CSP. Yet if attackers can run scripts on the target domain, they already can do pretty much anything they want.


I deleted some toots on CVE-2020-6519, these were incorrect. Upon closer inspection, this turned out to be a minor issue, only relevant in rare edge cases. An important part is missing from the description: inline scripts have to be allowed.
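Added example (not part of the toots above, and not code from PerimeterX or the browser vendors): a small checker for the precondition this thread is about, namely whether a Content-Security-Policy header lets inline script blocks run at all. It models the CSP Level 2/3 rules for `script-src` with `default-src` as fallback and for `'unsafe-inline'` being ignored when a nonce or hash source is present; `script-src-elem`, `script-src-attr` and report-only headers are not modelled. The sample policies are constructed and do not describe any real site.

```javascript
// Added example, not from the original toots: does a CSP header permit inline
// <script> blocks? If yes, injected script already runs on the origin and a
// CSP bypass adds nothing. Modelled rules (CSP Level 2/3):
//   - script-src governs scripts; when absent, default-src is the fallback
//   - 'unsafe-inline' allows inline scripts unless the same directive also
//     lists a nonce- or sha256/384/512- source, in which case it is ignored
//   - with neither directive present there is no restriction at all
// script-src-elem / script-src-attr and report-only headers are not modelled.

function parseCsp(header) {
  // Directive name -> list of source expressions. Per the spec a repeated
  // directive name is ignored, so the first occurrence wins.
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function inlineScriptsAllowed(header) {
  const csp = parseCsp(header);
  const sources = csp.get("script-src") ?? csp.get("default-src");
  if (sources === undefined) return true; // nothing restricts scripts at all
  // Strip the surrounding quotes from keyword sources such as 'self'.
  const keywords = sources.map((s) => s.toLowerCase().replace(/^'|'$/g, ""));
  const hasNonceOrHash = keywords.some((s) => /^(nonce-|sha(256|384|512)-)/.test(s));
  if (hasNonceOrHash) return false; // nonce/hash present: 'unsafe-inline' is ignored
  return keywords.includes("unsafe-inline");
}

// Constructed sample headers (assumptions for the demo, not taken from real sites).
const SAMPLE_POLICIES = {
  inlineAllowed: "default-src 'self'; script-src 'self' 'unsafe-inline'",
  inlineViaDefault: "default-src 'self' 'unsafe-inline'; img-src *",
  nonceOverrides: "script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'",
  strict: "default-src 'self'",
  noScriptDirective: "img-src 'none'",
};

// Returns { policyName: true|false } for a set of headers.
function classifyPolicies(policies) {
  return Object.fromEntries(
    Object.entries(policies).map(([name, header]) => [name, inlineScriptsAllowed(header)])
  );
}

console.log(classifyPolicies(SAMPLE_POLICIES));
```

Run against a site's actual response header, a `true` result means the policy is in the "inline scripts allowed" class the thread describes, where any script injection already gives full control of the origin.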

"I would consider the CharUpper and CharLower family of functions to be deprecated. Instead, use the LCMapStringEx function"

One consequence of endless backwards compatibility: over time all reasonably simple API function names will end up deprecated…

devblogs.microsoft.com/oldnewt

For reference: that's a major antivirus vendor. And there is a very obvious correct way to do this. In fact, I think it's the first time I've seen somebody mess this up.


The code below is from a browser extension. Question: what does it do when executed in Firefox?

let script = document.createElement("script");
script.src = "chrome-extension://" + chrome.runtime.id + "/app/scripts/" + fileName;
head.appendChild(script);
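Added example (my own code, not the extension's and not from the toot): the portable way to build a URL for a file packaged with an extension is `runtime.getURL()`, which both Chrome and Firefox provide. Firefox serves packaged files from the `moz-extension://` scheme under a per-installation UUID that differs from `runtime.id`, so a hand-built `chrome-extension://` URL cannot resolve there. The two runtime objects and the minimal document stand-in below are constructed for the demo and are not real browser values.

```javascript
// Added example, not from the toot above: hand-built vs. portable extension URLs.
// Chrome exposes chrome.runtime.getURL(); Firefox exposes the same function on
// both browser.runtime and chrome.runtime. Hard-coding the scheme and runtime.id
// only works in Chrome, because Firefox uses moz-extension:// plus an internal
// per-installation UUID that is not the add-on ID returned by runtime.id.

function scriptUrlHandBuilt(runtime, fileName) {
  // The pattern from the toot: Chrome-only.
  return "chrome-extension://" + runtime.id + "/app/scripts/" + fileName;
}

function scriptUrlPortable(runtime, fileName) {
  // Lets the browser supply scheme and host.
  return runtime.getURL("app/scripts/" + fileName);
}

// Builds and appends the <script> element; returns it so the caller can inspect it.
function loadExtensionScript(doc, runtime, fileName) {
  const script = doc.createElement("script");
  script.src = scriptUrlPortable(runtime, fileName);
  doc.head.appendChild(script);
  return script;
}

// Constructed stand-ins for chrome.runtime in the two browsers (assumed values).
const fakeChromeRuntime = {
  id: "abcdefghijklmnopabcdefghijklmnop",
  getURL: (path) => "chrome-extension://abcdefghijklmnopabcdefghijklmnop/" + path,
};
const fakeFirefoxRuntime = {
  id: "example-extension@example.com", // the add-on ID from the manifest
  getURL: (path) => "moz-extension://00000000-1111-2222-3333-444444444444/" + path,
};

// Minimal constructed document so the append logic can run outside a browser.
function makeFakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return { head, createElement: (tagName) => ({ tagName }) };
}

// Reports whether the hand-built URL would even match what the browser serves.
function compareUrls(runtime, fileName) {
  const handBuilt = scriptUrlHandBuilt(runtime, fileName);
  const portable = scriptUrlPortable(runtime, fileName);
  return { handBuilt, portable, matches: handBuilt === portable };
}

console.log(compareUrls(fakeChromeRuntime, "main.js"));
console.log(compareUrls(fakeFirefoxRuntime, "main.js"));
```

In the Chrome stand-in both forms agree; in the Firefox stand-in the hand-built URL has the wrong scheme and the wrong host, which is why the original snippet silently fails to load anything there.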

Note that even the privacy policy on Firefox Add-ons doesn't mention why you need to generate a UUID for each user and send it along with each database update (not merely telemetry requests). Nor does it explain the impact of that telemetry setting.


Hi @Malwarebytes@twitter.com, do you have a proper privacy policy for your Browser Guard extension? The one under addons.mozilla.org/en-US/firef is unformatted, so it is unreadable (yes, formatting is supported here). And the link from Chrome Web Store is generic info, not for the extension.

Maybe and its forks are good clients. From what I've read there should be solid end-to-end encryption enabled by default. But it's only one client on one platform. And other clients have wildly inconsistent encryption support, same issue as with .


I did not bother installing /Psi+ any more. These messengers still try hard to imitate the ICQ client as well as contemporary IRC clients. Judging by discussions, encryption is not only not default, there are issues enabling it at all. Encrypting files is unsupported.


Next one was which looks better but expects knowledge of things like identifiers without providing any explanation when something is wrong (yes, version 0.1). Here as well, encryption isn't the default. At least the discussions are younger. github.com/dino/dino/issues/84


I started looking into clients with end-to-end-encryption support. First one was , with its "charming" 90s messenger style. Encryption isn't the default here however, no progress on the corresponding issue. dev.gajim.org/gajim/gajim-plug

Note that with a central server instance one has many of the same concerns - but compromising a server is a bigger hurdle than running a bunch of OpenDHT nodes, and there is also a higher chance that some irregularities will be noticed.


That's the issue I see here: end-to-end encryption is great, but a setup where any party can start collecting metadata fairly easily probably isn't too privacy-friendly. And the issue is known of course, so devs recommend using VPN or Tor.

git.jami.net/savoirfairelinux/


And not just that, these nodes (presumably run by the project) can see who is talking to whom as they deliver messages.

What if NSA or somebody else decided to run a dozen nodes? How much of the network graph would they see this way?


I'm not sure what percentage of user IDs you will see passing by. Another concern is however that the majority of the OpenDHT traffic appears to be originating at OVH-hosted nodes, not actual users. These should be able to associate your user ID and IP address.


I looked briefly into messenger and its peer-to-peer concept relying on certainly has some side-effects. Just by running an OpenDHT node one can get an idea of what users are on the network and look up their names (some chose to use their full names).

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.