Very slow and incredibly loud.

Why do suspension bridges have stranded cables not solid rods? The major reason is that solid rods would fail suddenly and catastrophically, whereas stranded cables fail slowly and make alarming noises while they do. We build software systems out of solid rods; they fail abruptly and completely. Most are designed to perform their tasks as fast as possible, so that when they are compromised, they perform the attacker’s tasks as fast as possible.

David Rosenthal on failure.

This is actually from a talk about the externalities of cryptocurrencies, which is worth watching and/or reading in full.

2022-05-07T13:33:23+10:00 | 7th May, 2022

SSL is still terrible, pt. 128.

Once upon a time, when I was a wee babe, I had a course trainer explain to me what SSL was actually, originally for, and I could never take it seriously ever again . . .

2022-05-04T04:01:00+10:00 | 4th May, 2022

Do you really need that VPN? (No.)

I had a longstanding VPN subscription mostly because it was very cheap and there when I needed it. I cancelled it recently, partly because technology has (more-or-less) moved on from the place where VPNs were “useful” but, mostly, because an over-abundance of mergers in the VPN industry meant there are few-to-no “good” players left.

The short version on VPNs: always assume your VPN provider can see anything you’re trying to use said VPN to hide from anyone else. They start getting a lot less “useful” — and honestly a lot more dangerous — when you think about them in that way . . .

2021-12-20T07:30:56+11:00 | 22nd December, 2021

Signal’s noise.

So this is, uh. A Thing. The tl;dr is Moxie Marlinspike, Signal founder and general INFOSEC troublemaker, got hold of a Cellebrite toolkit, i.e. the product various state agencies use to hack into cellphones. The article is a bit of a look into the application, focusing on the fact that the code is apparently absolute garbage (and probably in breach of IP law) and vulnerable to a bunch of malware exploits.

Completely coincidentally, some installs of Signal now include completely random files for no reason. Whether you think it’s ethical or appropriate for Signal to use its userbase in this way? That’s up to you.

2021-05-07T09:55:08+10:00 | 22nd May, 2021

Bad models.

The market loves to reward corporations for risk-taking when those risks are largely borne by other parties, like taxpayers. This is known as “privatizing profits and socializing losses.” Standard examples include companies that are deemed “too big to fail,” which means that society as a whole pays for their bad luck or poor business decisions. When national security is compromised by high-flying technology companies that fob off cybersecurity risks onto their customers, something similar is at work.

Similar misaligned incentives affect your everyday cybersecurity, too. Your smartphone is vulnerable to something called SIM-swap fraud because phone companies want to make it easy for you to frequently get a new phone — and they know that the cost of fraud is largely borne by customers. Data brokers and credit bureaus that collect, use, and sell your personal data don’t spend a lot of money securing it because it’s your problem if someone hacks them and steals it. Social media companies too easily let hate speech and misinformation flourish on their platforms because it’s expensive and complicated to remove it, and they don’t suffer the immediate costs – indeed, they tend to profit from user engagement regardless of its nature.

There are two problems to solve. The first is information asymmetry: buyers can’t adequately judge the security of software products or company practices. The second is a perverse incentive structure: the market encourages companies to make decisions in their private interest, even if that imperils the broader interests of society. Together these two problems result in companies that save money by taking on greater risk and then pass off that risk to the rest of us, as individuals and as a nation.

Bruce Schneier on incentives.

2021-04-19T07:56:02+10:00 | 27th April, 2021

‹script src=haxx0rd.js›

As someone who spends a non-zero amount of time trying to explain to developers that, yes actually, the code they’re just randomly importing into the environment from npm is actually a massive, massive security vulnerability and they need an active plan to manage it, this post is basically my nightmare scenario…

Edit: Also, TIL apparently WordPress doesn’t sanitize HTML out of post titles.

2021-02-26T07:48:19+11:00 | 18th March, 2021

Get rich or hacked trying.

The most interesting part of the cybersecurity problem is that it isn’t purely about government capacity at all; private sector corporations maintain critical infrastructure that is in the “battle space.” Private firms like Microsoft are being heavily scrutinized; I had one guest-post from last January on why the firm doesn’t manage its security problems particularly well, and another on how it is using its market power to monopolize the cybersecurity market with subpar products. And yet these companies have no actual public obligations, or at least, nothing formal. They are for-profit entities with little liability for the choices they make that might impose costs onto others.

Indeed, cybersecurity risk is akin to pollution, a cost that the business itself doesn’t fully bear, but that the rest of society does. The private role in cybersecurity is now brushing up against the libertarian assumptions of much of the policymaking world; national security in a world where private software companies handle national defense simply cannot long co-exist with our monopoly and financier-dominated corporate apparatus.

Matt Stoller on externalities.

So what if I told you military fighter jets ran Microsoft Windows? Because yeah. They do.

This post is from a longer explanation of the recent SolarWinds exploit, which is what is generally called a supply-chain attack. Probably the best pop culture example of which I can think is (unfortunately) Pacific Rim: Uprising, i.e. tfw poor business practices result in a malicious insider in your third party vendor who installs backdoors into all the products it sells you and uses them to disable all your existing security tools and to open a reverse shell inside your firewall for the purpose of downloading additional malware. Because sometimes even terrible films manage to accidentally stumble onto a realistic plot point, apparently.1

  1. Kind of double ironic because there is a lot of Western paranoia about China doing exactly this via companies such as Huawei. But it’s okay, guys! It’s not Chinese companies! It’s Americans possessed by aliens or . . . whatever the fuck was going on in that film. Hey did you notice the part where Hong Kong suddenly doesn’t exist any more apparently? Because I sure did!
2021-06-09T06:42:24+10:00 | 16th February, 2021

Baby’s First Programming Disaster.

So turns out Pillowfort is aptly named in the “exactly as robust as it sounds” sense.

More thoughts here, but tl;dr people pointed exactly these issues out over a year ago and Pillowfort told us they’d been fixed. They lied.

Serious Professional Advice: If you have a Pillowfort account… don’t. Assume all data you’ve ever posted there—from your passwords to your post content—is compromised. If you’ve used the same password at Pillowfort that you’ve used on any other service, change it on all those other services.1

They aren’t going to learn and they aren’t going to get better; Pillowfort is a get-rich-quick scheme for its creators who want to be fandom billionaires and don’t care what damage they do to get there. Do not let them get away with it.

  1. Also please don’t reuse passwords.
2021-01-27T08:57:37+11:00 | 27th January, 2021