varx boosted

Or I could just do like Robin Rendle and say fuck it to AMP: robinrendle.com/notes/taking-s

"Here’s my hot take on this: fuck the algorithm, fuck the impressions, and fuck the king. I would rather trade those benefits and burn my website to the ground than be under the boot and heel and of some giant, uncaring corporation."

It makes me a little sad and a little amused to see regexes being used incorrectly in this context: cve.mitre.org/cgi-bin/cvename.

It would be super fun to gather stats by customer, or look at breakdowns of password badness by user-account age, but we'd have to be super careful in how that was done; I don't actually want to end up with a list of email addresses that have vulnerable passwords!

I integrated the Pwned Passwords dataset into our login server at work and oh man, our customers are *terrible* at picking unique passwords.

Like, it's not perfect data, and obviously I have no way of cleaning it because we don't get to actually *look* at them, but... probably around 20% of the passwords are bad in some way.

varx boosted

You know....

If you have to write BPF rules in your C or C++ code for better security, and even the folks who invented libsecconf have to get peer review of the rules they're demoing as they write demo code on stage, and they made a couple of crucial mistakes...

Maybe that's not a good solution?

#libsecconf

varx boosted

People keep discovering "funny" angles about the recent Kaspersky privacy leak. I will present another angle on Monday as I happened to research the very same thing.

twitter.com/ydklijnsma/status/

varx boosted

"The software product industry (including mobile phone makers) has reaped excess profits for decades by selling risky products and offloading the risk onto their clients and society."

So very true, and many others. Great article on vulnerability disclosure by @HalvarFlake.

addxorrol.blogspot.com/2019/08

Also some minor critical feedback (unsolicited suggestion, typo) 

@cwebber On the problems of reputation scoring, I keep being hopeful that someone will invent cryptographically blinded, distributed reputation networks that allow a meaningful and non-dystopian representation of community trust.

It's a problem in meatspace too, though; if someone gains a reputation as an asshole in one town, then can just go to another town and get a clean record. But by the same token, you can escape a nasty, hateful town and start a new life.

Maybe I'm hoping for too much!

@cwebber I just finished reading your OcapPub draft and really enjoyed it. I like the direction you're going.

I've been doing some writing and coding on my own project, gitlab.com/timmc/cavern; it's very different in approach, but you might be interested in comparing them. In particular, when you wrote

« If the problem is users receiving unwanted messages, perhaps the solution comes in making intentional social connections. »

it reminded me of the "socially-local" privacy level I'm using.

A Tumblr called "Accidentally Quadratic", dedicated to showcasing instances of software that did just that: accidentallyquadratic.tumblr.c

varx boosted

I tried producing some useful instructions for less experienced people to recognize flaws in password managers. Let me know whether it worked!

palant.de/2019/08/12/recognizi

I'm looking at the XDG Base DIrectory specification, and while I think it's a lovely idea to use ~/.config/MyApp/ and ~/.cache/MyApp/... I really can't get behind storing important documents in ~/.local/share/MyApp. That feels like a recipe for dataloss and/or user confusion.

specifications.freedesktop.org

varx boosted

Ah, I think it still asks me about *me*, but not any of the actual market research questions that might reveal Top Secret Initiatives or whatever. Boring.

> Invited to fill out a market research survey

> "By clicking Yes, you agree to keep all Dropbox Information confidential."

> Click "yes" by accident, click "back", then "no"

> Survey continues as before

🤔

With all the "here are my URLs, please dereference them" that ActivityPub involves, there've *got* to be some implementations vulnerable to SSRF.

On various anti-patterns in open source language:

« A maintainer accidentally cuts a bad release. The next morning, their inbox overflows with user complaints. None of the complaining users were known to the maintainer before the breakage. In fact, the maintainer’s shocked by the suddenly-apparent popularity of their project. Where did they all come from?

Apparently “adoption” was high. But in no meaningful sense did users “adopt” the project. They merely used it. »

writing.kemitchell.com/2017/10

varx boosted

Currently, @kaspersky is making a very good case for not reporting security issues via their bug bounty program. After taking 8 months to resolve their issues, they are blocking publication because "users of earlier versions of the product are still vulnerable."

varx boosted

@benhamill

Harry Potter and the Structure and Interpretation of Computer Programs.

Show more
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.