"Zombie grannies and unintended leaks"
We take a bloodied baseball bat to Android malware, and debate the merits of a social media strike, as one of the team bites the bullet and buys a smart lock for the office.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast!
Find it in your favourite podcast app now https://link.chtbl.com/smashingsecurity
A cat sat atop a tower. A passing knight spotted her and called out:
"Are you a princess, perhaps, a wizard, or dragon?"
"It's a poor cat that cannot be all three."
"Should I then court you, seek your advice, or fight you?"
"A conversation could reveal that, but you bore me."
#MicroFiction #TootFic #SmallStories
Amazing: 7-Eleven launched a mobile payment app, and a day after launching it, attackers stole half a million USD from customers, as the app had no security around password reset (any user could reset anybody else’s password) https://www.zdnet.com/article/7-eleven-japanese-customers-lose-500000-due-to-mobile-app-flaw/
Back when the GNU project was starting, among the first things they rewrote as Free Software were:
- text editor / IDE (Emacs)
- assembler, linker, and compiler
IOW, they made tools that they needed to further develop Free Software without relying on proprietary tools.
They wanted their project to be self-hosting.
Nowadays, we have more free software than ever, but we develop it using github and Discord...
"Can I fully control my Android phone?": No, you can't.
– in our tests, AFWall+ leaked DNS queries of all apps on the device (including blocked apps), making it easy to determine apps installed on the phone
– updating Android doesn't imply that firmware vulnerabilities get fixed
– apps from F-Droid/Play Store etc. can still leak personal data as shown in our /e/ article
– besides, your proprietary baseband processor, GPS, sensors etc. remain out of control
5 lessons learned from the matrix.org breach:
– purely focusing on technical security causes insecurity
– the cause of the breach isn’t limited to matrix.org at all
– think twice about using any service on the internet
– think twice about running your own server on the internet
– react to any security-related messages
They seem to be intentionally creating a product that's inferior to both of the things it's combining.
The idea (presumably) being that they can trick a bunch of people into using these systems.
Even though their code is woefully inadequate for most purposes, you'll only find that out after putting a significant amount of work into a project.
At which point you have two choices: drop what you're doing and start over (which helps Microsoft by wasting their competitors' money), or switch to Microsoft's similar but non-open-source solution that actually has the features you need.
In one corner we have the Master Lock 570, a pin tumbler lock with a dead core (not spring loaded) and 4 security pins. In the other corner we have a snake rake and tension wrench. Guess who wins? (Within 45 seconds, every single time.) #lockpicking
Question on #OpenBSD vmm: is there a reason whereby the host cannot tell the guests to shut down when the host shuts down? e.g. by sending the equivalent of C-A-Del to the console, for example (and C-A-Del mapped to “shutdown -h now”)?
Is there no ACPI “message” one can send the guests about shutting down cleanly?