Signal’s noise.

So this is, uh. A Thing. The tl;dr is Moxie Marlinspike, Signal founder and general INFOSEC troublemaker, got hold of a Cellebrite toolkit, i.e. the product various state agencies use to hack into cellphones. The article is a bit of a look into the application, focusing on the fact that code is apparently absolute garbage (and probably in breach of IP law) and vulnerable to a bunch of malware exploits.

Completely coincidentally, some installs of Signal now include completely random files for no reason. Whether you think it’s ethical or appropriate for Signal to use its userbase in this way? That’s up to you.

2021-05-07T09:55:08+10:0022nd May, 2021|Tags: |

Bad models.

The market loves to reward corporations for risk-taking when those risks are largely borne by other parties, like taxpayers. This is known as “privatizing profits and socializing losses.” Standard examples include companies that are deemed “too big to fail,” which means that society as a whole pays for their bad luck or poor business decisions. When national security is compromised by high-flying technology companies that fob off cybersecurity risks onto their customers, something similar is at work.

Similar misaligned incentives affect your everyday cybersecurity, too. Your smartphone is vulnerable to something called SIM-swap fraud because phone companies want to make it easy for you to frequently get a new phone — and they know that the cost of fraud is largely borne by customers. Data brokers and credit bureaus that collect, use, and sell your personal data don’t spend a lot of money securing it because it’s your problem if someone hacks them and steals it. Social media companies too easily let hate speech and misinformation flourish on their platforms because it’s expensive and complicated to remove it, and they don’t suffer the immediate costs ­– indeed, they tend to profit from user engagement regardless of its nature.

There are two problems to solve. The first is information asymmetry: buyers can’t adequately judge the security of software products or company practices. The second is a perverse incentive structure: the market encourages companies to make decisions in their private interest, even if that imperils the broader interests of society. Together these two problems result in companies that save money by taking on greater risk and then pass off that risk to the rest of us, as individuals and as a nation.

Bruce Schneier on incentives.

2021-04-19T07:56:02+10:0027th April, 2021|Tags: , , |

‹script src=haxx0rd.js›

As someone who spends a non-zero amount of time trying to explain to developers that, yes actually, the code they’re just randomly importing into the environment from npm is actually a massive, massive security vulnerability and they need an active plan to manage it, this post is basically my nightmare scenario…

Edit: Also, TIL apparently WordPress doesn’t sanitize HTML out of post titles.

2021-02-26T07:48:19+11:0018th March, 2021|Tags: , |

Get rich or hacked trying.

The most interesting part of the cybersecurity problem is that it isn’t purely about government capacity at all; private sector corporations maintain critical infrastructure that is in the “battle space.” Private firms like Microsoft are being heavily scrutinized; I had one guest-post from last January on why the firm doesn’t manage its security problems particularly well, and another on how it is using its market power to monopolize the cybersecurity market with subpar products. And yet these companies have no actual public obligations, or at least, nothing formal. They are for-profit entities with little liability for the choices they make that might impose costs onto others.

Indeed, cybersecurity risk is akin to pollution, a cost that the business itself doesn’t fully bear, but that the rest of society does. The private role in cybersecurity is now brushing up against the libertarian assumptions of much of the policymaking world; national security in a world where private software companies handle national defense simply cannot long co-exist with our monopoly and financier-dominated corporate apparatus.

Matt Stoller on externalities.

So what if I told you military fighter jets ran Microsoft Windows? Because yeah. They do.

This post is from a longer explanation of the recent SolarWinds exploit, which is what is generally called a supply-chain attack. Probably the best pop culture example of which I can think of is (unfortunately) Pacific Rim: Uprising, i.e. tfw a poor business practices result in a malicious insider in your third party vendor who installs backdoors into all the products it sells you and uses them to disable all your existing security tools and to open a reverse shell inside your firewall for the purpose of downloading additional malware. Because sometimes even terrible films manage to accidentally stumble onto a realistic plot point, apparently.1

  1. Kind of double ironic because there is a lot of Western paranoia about China doing exactly this via companies such as Huawei. But it’s okay, guys! It’s not Chinese companies! It’s Americans possessed by aliens or . . . whatever the fuck was going on in that film. Hey did you notice the part where Hong Kong suddenly doesn’t exist any more apparently? Because I sure did! []
2021-06-09T06:42:24+10:0016th February, 2021|Tags: |

Baby’s First Programming Disaster.

So turns out Pillowfort is aptly named in the “exactly as robust as it sounds” sense.

More thoughts here, but tl;dr people pointed exactly these issues out over a year ago and Pillowfort told us they’d been fixed. They lied.

Serious Professional Advice: If you have a Pillowfort account… don’t. Assume all data you’ve ever posted there—from your passwords to your post content—is compromised. If you’ve used the same password at Pillowfort that you’ve used on any other service, change it on all those other services.1

They aren’t going to learn and they aren’t going to get better; Pillowfort is a get-rich-quick scheme for its creators who want to be fandom billionaires and don’t care what damage they do to get there. Do not let them get away with it.

  1. Also please don’t reuse passwords. []
2021-01-27T08:57:37+11:0027th January, 2021|Tags: , , , |

Fuck certs.

As someone who has spent essentially their entire professional career trying to avoid accruing industry certs, I do so love a good gripe about the CISSP.

The whole “certification” system in IT in general and INFOSEC in particular is so laughably corrupt and, worse, has so little relation to actual job skill that the whole damn thing really just needs to be burnt to the ground.

2020-08-23T20:53:18+10:003rd September, 2020|Tags: |

That LiveJournal thing.

Denise has a pretty good write-up of the LiveJournal password breach over at Dreamwidth.


We’ve seen several contradictory claims about when the file was allegedly gathered from LiveJournal: one claim for June/July of 2014, and one claim for sometime in 2017. From what we’ve learned from our users who we’ve spoken to about their accounts, we believe the 2014 claim is more likely to be accurate and that the person(s) who obtained the data in 2014 didn’t use it for several years, but we can’t say for certain. Because of that uncertainty, it’s best if you treat any password you’ve ever used on LiveJournal in the past as compromised, since we can’t tell for certain when the alleged breach happened.

(It’s worth noting Firefox, for example, leans towards the 2017 date. Regardless, assume compromise.)

Also, LiveJournal’s official response—specifically the claim the data are “falsified”—is… interesting. More specifically specifically, what they seem to be claiming is that someone has taken account details from other breaches and attributed them to LiveJournal. Given that I know I, personally, use a LiveJournal-specific email address and I still got a breach noticed from Have I Been Pwned? this is, to put it bluntly, full of shit.

Anyway, tl;dr:

  • change your password at LiveJournal and any other place you may have used the same password
  • don’t reuse passwords
  • activate multifactor where possible, particularly high-value accounts like email addresses and anything financial1
  • use a password manager.2
  1. Also, preference hard tokens over soft tokens/apps over SMS codes. []
  2. I use 1Password, which is nice but kinda expensive; LastPass and KeePass are more affordable options. []
2020-05-28T10:09:03+10:0028th May, 2020|Tags: , |
Go to Top