Show newer

I’ve seen a number of trust models for the web come and go, granting application-like privileges to web pages was always too risky. And I think that’s because misuse of these privileges is just so unlikely to be detected. On the web, different code for everyone is the rule.

Show thread

At least that’s the hope. I mean, there are lots of security researchers, there is antivirus software. A custom Chrome build distributed to only few people will hopefully stick out and be discovered. And Google doesn’t want the resulting backlash.

Show thread

Given the amount of damage malicious code in an application can do (and occasionally does), this is in fact surprising. Do people really trust e.g. Google that much? Probably not. But outright malicious code in Chrome is likely to be discovered, which makes it too risky.

Show thread

Interesting question from the discussion around my latest article: why won’t we trust websites with access that we grant to any locally install application? And I think that this is really about how we manage to trust local applications.

Dealing with Hacker News is always huge “fun.” Somebody skims the introduction, decides that an article is clickbait and immediately comments. I point out that he got it wrong and get downvoted. 🙄

It’s as if their entire bug bounty program is a means to restrict the information flow rather than address security issues. Since they won’t pay anyways, I am reporting issues via openbugbounty.org/ now. At least this way they will be disclosed.

Show thread

Amazon’s behavior wrt their bug bounty program is weird. They limited the scope to only specific amazon[.]com subdomains, even though compromise on any subdomain affects the entire domain. And they won’t disclose any reports.

Amazon Assistant extension turned out to be designed in a very “special” way: all of its logic is located on Amazon web servers. This gives Amazon access to a very wide range of information in browsers of extension’s users.

palant.info/2021/03/08/how-ama

Ok, I’m proofreading the article, should publish it shortly. It got really long once again…

Show thread

Then again, I’m not sure that I will be done on Monday. This is even bigger than I thought originally. 🙄

Show thread

Everybody concerned that I’m only bashing privacy violations of Chinese companies 🤡 can rejoice: bashing of a major US company incoming! I expect to be done with the blog post on Monday.

Oh, and a website ripping off the brand of a legitimate company and even linking to their TrustPilot reviews as if they were his. He is accepting only Bitcoin payments there, what a surprise.

Yes, I think that’s enough criminal energy. He had it coming…

Show thread

Never mind posing as a book author who releases his new book piece by piece. But of course the content belongs to someone else’s well-established book.

But he seems to be really studying Cybersecurity and Information Assurance right now. Should he be able to get a job here?

Show thread

He is running a large network of websites on stolen content, pretending to be an expert on everything and even impersonating a dead politician. He ripped off an entire website and replaced the copyright message with “See you in court”.

Maybe he deserves what’s coming to him?

Show thread

I stumbled upon a self-proclaimed “Senior Security Systems Engineer” and I’m undecided what to do. On the one hand, maybe I should just have pity with a kid who wants to appear larger.

Then again, he is probably closer to 30 than to 20. And his “achievements” are impressive.

I wrote about Xiaomi privacy issues without even mentioning where they are based, I honestly don’t care. Users need to know, that’s it. 90% of the responses fall into either “Of course, it’s China!” or “US companies do the same thing!” category. What’s wrong with the people?

3. You are more than welcome to do a deep dive into Y and Z. If you manage to prove badness, this is great and I’ll do my best to let people know. The more people investigate these issues, the better. Companies can only be held accountable if people are looking.

Show thread

1. There is a difference between *suspecting* that somebody does bad things and actually proving it.

2. There are different gradations of “bad” and while Y and Z probably do bad things as well, it’s not the same as what X is doing.

Show thread

Whenever I point out privacy or security issues with product X, there will be invariably responses along the lines of:

„Ha, what a surprise! I’m certain that products Y and Z do the same!“ 🤡

Thank you for demonstrating how clever and critical you are, now please go away.

My article on browsers data collection is making the rounds again. Just a reminder, Xiaomi “addressed” the issue by introducing an obscure setting, so that users can theoretically opt out. If they realize what’s going on and make the connection. palant.info/2020/05/08/what-da

Show older
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.