infosec


Oh Pillowfort, no.

Pillowfort… wut u doin’, man?

(With original credit here.)

Edited to add: From reports by other users, it seems Pillowfort isn’t doing any robust sanitization on usernames at all, allowing things like slashes, periods and spaces that break their own UI. This is… not good. Weren’t they supposed to have done a “security audit” after their hack a few weeks back?
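As an added example (not Pillowfort’s code, and the rules below are an assumption rather than their actual policy): the usual fix for the problem described above is an allowlist check on the username rather than trying to strip out individual bad characters. The second helper shows why a slash, period or space in a username is more than a cosmetic problem when the name is dropped straight into a URL path.

```python
import re
import unicodedata

# Hypothetical allowlist policy (an assumption, not any real site's rules):
# ASCII letters, digits and underscore, 3 to 32 characters, first character
# a letter or digit. Anything else, including '/', '.', ' ' and non-ASCII, is rejected.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_]{2,31}$")


def validate_username(raw):
    """Return (ok, reason). Allowlist, not denylist: we never try to enumerate bad characters."""
    # NFKC folds look-alike forms (full-width letters, ligatures) onto their ASCII
    # equivalents; if the input changes under normalisation it was not canonical.
    if unicodedata.normalize("NFKC", raw) != raw:
        return False, "non-canonical unicode"
    if not USERNAME_RE.fullmatch(raw):
        return False, "outside allowlist or bad length"
    return True, "ok"


def profile_path(name):
    """A naive router builds the profile URL by string formatting; this is the failure mode."""
    return "/user/" + name


def route_segments(path):
    """How a path-based router sees that URL: one list element per '/' separated segment."""
    return [seg for seg in path.split("/") if seg]


if __name__ == "__main__":
    # Constructed inputs for illustration.
    for candidate in ["jane_doe", "jane/doe", "jane.doe", "jane doe", "..", "_jane"]:
        ok, why = validate_username(candidate)
        print(f"{candidate!r:12} -> {ok} ({why}); router sees {route_segments(profile_path(candidate))}")
```

Running it shows `jane/doe` turning `/user/jane/doe` into three path segments instead of two, which is the kind of thing that breaks a UI built on the assumption that a username is a single segment.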

2018-12-20T09:01:46+00:00 | 20th December, 2018 | Tags: fandom, infosec, pillowfort, social media, tech

Cyberfaking.

Former president Bill Clinton has contributed to a cyberthriller The President is Missing, the plot of which is that the president stops a cybervirus from destroying the country. This is scary, because people in Washington D.C. are going to read this book, believe the hacking portrayed has some basis in reality, and base policy on it.

Robert Graham on bad policy.

A good chunk of my day job is trying to communicate to non-INFOSEC people a) how various INFOSEC threats actually operate, and b) what actually works against them. It is, I would have to say, not an easy job. And it’s a not-easy job made all the more not-easy by the fact that pop culture depictions of hacking, viruses, and so on are all just so bad.

(Also: Bill Clinton co-wrote a James Patterson-branded extruded fiction product. What a world we live in.)

2018-06-26T11:16:25+00:00 | 19th December, 2018 | Tags: infosec

HTTPS is still bullshit, part one million.

In this episode: HTTPS is still bullshit because it does not enforce single origin. That is, a page can appear as “valid HTTPS” while serving up to you malicious third-party JavaScript and cookies and iframes and all sorts of attendant garbage.1 Worse, because of the way the Modern Internet™ works (i.e. being monetized by third-party adtech), there is no way of changing this without either, a) breaking every major website, or b) creating a multi-tier internet based around which websites can afford to shell out hundreds of dollars a year for EV certs.

  1. So long as they’re being served from a site that also uses HTTPS. Which pretty much everyone does nowadays, even malware vendors, largely thanks to Google pushing the technology to sell more analytics products. ^
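An added example of the point above (my code, not the post’s): the padlock only tells you the connection to the page’s own origin was authenticated. Nothing in TLS says what that page then pulls in. The script below takes a constructed HTML page (not a real site; the hostnames are made up) and inventories every `script`, `iframe` and `img` source, flagging which ones come from other origins and which are still plain HTTP, which is the check a practitioner actually runs before trusting a “valid HTTPS” page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page, assumed to be served from https://www.example.com/index.html.
# It is "valid HTTPS" and still loads script, iframe and image from three other origins,
# one of them over plain HTTP and one via a protocol-relative URL.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-ads.net/tag.js"></script>
</head><body>
<iframe src="https://tracker.example-ads.net/pixel?id=123"></iframe>
<img src="http://legacy.example.org/logo.png">
<script src="//cdn.example-ads.net/beacon.js"></script>
</body></html>
"""


def origin_of(url):
    """scheme://host[:port], lower-cased; this is what the browser calls the origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


class _SrcCollector(HTMLParser):
    """Collect (tag, src) for the elements that execute code or embed other documents."""
    TAGS = ("script", "iframe", "img")

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in self.TAGS:
            src = dict(attrs).get("src")
            if src:
                self.found.append((tag, src))


def inventory(html, page_url):
    """One record per loaded resource: absolute URL, origin, and the two flags that matter."""
    page_origin = origin_of(page_url)
    parser = _SrcCollector()
    parser.feed(html)
    rows = []
    for tag, src in parser.found:
        absolute = urljoin(page_url, src)  # resolves relative and protocol-relative URLs
        origin = origin_of(absolute)
        rows.append({
            "tag": tag,
            "url": absolute,
            "origin": origin,
            "third_party": origin != page_origin,
            "insecure": urlsplit(absolute).scheme != "https",
        })
    return rows


def third_party_origins(rows):
    """Sorted set of origins other than the page's own."""
    return sorted({r["origin"] for r in rows if r["third_party"]})


if __name__ == "__main__":
    rows = inventory(SAMPLE_HTML, "https://www.example.com/index.html")
    for r in rows:
        flags = ("3rd-party " if r["third_party"] else "") + ("INSECURE" if r["insecure"] else "")
        print(f"{r['tag']:6} {r['url']:45} {flags}")
    print("third-party origins:", third_party_origins(rows))
```

Everything in that list except `/static/app.js` runs or renders with no say from the certificate on the padlock. A browser will narrow this only if the site itself asks, for example with a `Content-Security-Policy` header whose `script-src` and `frame-src` directives allow just the origins in this inventory; it is not something the transport layer can impose.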
2018-06-15T07:06:03+00:00 | 5th December, 2018 | Tags: infosec, ssl, tech

Bad life choices.

James Mickens on machine learning, AI, and security.

From the keynote’s summary:

Using case studies involving machine learning and other hastily-executed figments of Silicon Valley’s imagination, I will explain why computer security (and larger notions of ethical computing) are difficult to achieve if developers insist on literally not questioning anything that they do since even brief introspection would reduce the frequency of git commits.

2018-09-10T08:24:52+00:00 | 5th September, 2018 | Tags: infosec, tech

Pseudorandom.

The world expert on password analysis (no, really) looked at the “secret codes” posted by QAnon conspiracy trolls… and determined they’re very obviously just keyboard mashing. The methodology used to determine this is pretty interesting, too, and makes total sense when explained. You can even follow along yourself at home!

Also of interest: the “codes” were almost certainly generated by someone using a QWERTY keyboard, which probably means someone in the US (UK keyboards have slightly different symbol arrangements above the number keys, as do Russian keyboards that have joint Cyrillic/English layouts).
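The post does not reproduce the analyst’s exact method, so the following is an added example of the standard test password analysts use for this, not their code: score a string by how often consecutive characters sit on physically adjacent keys. Mashed input scores far above what uniformly random key choice would give. It also generalises the layout point above with a helper that reports which shifted number-row symbols in a string exist only on a US layout (`@`, `#`) or only on a UK one (`"`, `£`). The keyboard geometry is an unstaggered approximation, and the sample strings are constructed.

```python
# Approximate US QWERTY geometry: four rows of ten keys treated as a grid.
# Real keyboards stagger the rows, so this over-counts some diagonal neighbours slightly.
_ROWS = [
    "1234567890",
    "qwertyuiop",
    "asdfghjkl;",
    "zxcvbnm,./",
]
# Shifted symbols above the digits differ per layout; these two are known layouts.
US_NUMBER_ROW_SHIFTED = "!@#$%^&*()"
UK_NUMBER_ROW_SHIFTED = '!"\u00a3$%^&*()'


def _positions(shifted):
    """Map each character to its (row, column); a shifted symbol shares its digit's key."""
    pos = {}
    for r, row in enumerate(_ROWS):
        for c, ch in enumerate(row):
            pos[ch] = (r, c)
    for c, ch in enumerate(shifted):
        pos[ch] = (0, c)
    return pos


def adjacent(a, b, pos):
    """True when both keys are on the map and are the same key or 8-connected neighbours."""
    if a not in pos or b not in pos:
        return False
    (r1, c1), (r2, c2) = pos[a], pos[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def adjacency_score(text, shifted=US_NUMBER_ROW_SHIFTED):
    """Fraction of consecutive key pairs that are adjacent; 0.0 if nothing is scorable."""
    pos = _positions(shifted)
    t = text.lower()
    pairs = [(t[i], t[i + 1]) for i in range(len(t) - 1) if t[i] in pos and t[i + 1] in pos]
    if not pairs:
        return 0.0
    return sum(adjacent(a, b, pos) for a, b in pairs) / len(pairs)


def random_baseline():
    """Expected score if each key were chosen uniformly from the 40-key grid (exact count)."""
    cells = [(r, c) for r in range(len(_ROWS)) for c in range(10)]
    hits = sum(abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1
               for r1, c1 in cells for r2, c2 in cells)
    return hits / (len(cells) ** 2)


def layout_hint(text):
    """Shifted number-row symbols in `text` that exist on only one of the two layouts."""
    us_only = set(US_NUMBER_ROW_SHIFTED) - set(UK_NUMBER_ROW_SHIFTED)
    uk_only = set(UK_NUMBER_ROW_SHIFTED) - set(US_NUMBER_ROW_SHIFTED)
    return {"us_only": sorted(set(text) & us_only), "uk_only": sorted(set(text) & uk_only)}


if __name__ == "__main__":
    # Constructed samples: one produced by running fingers along the home row,
    # one chosen to jump around the board.
    for sample in ["asdfghjkl;lkjhgfdsa", "fdsa@#$%^&", "q7Zp2Mx0Lb"]:
        print(f"{sample!r:22} score={adjacency_score(sample):.2f} hint={layout_hint(sample)}")
    print(f"uniform-random baseline: {random_baseline():.3f}")
```

A real analysis would run the same scorer over a corpus of known-random strings to get an empirical baseline rather than the grid count above, but the gap between mashed text and the baseline is large enough that even this crude version separates them.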

2018-08-15T08:45:17+00:00 | 15th August, 2018 | Tags: culture, infosec

Common goods.

Data privacy is not like a consumer good, where you click “I accept” and all is well. Data privacy is more like air quality or safe drinking water, a public good that cannot be effectively regulated by trusting in the wisdom of millions of individual choices. A more collective response is needed.

Part of the problem with the ideal of individualized informed consent is that it assumes companies have the ability to inform us about the risks we are consenting to. They don’t. Strava surely did not intend to reveal the GPS coordinates of a possible Central Intelligence Agency annex in Mogadishu, Somalia — but it may have done just that. Even if all technology companies meant well and acted in good faith, they would not be in a position to let you know what exactly you were signing up for.

Zeynep Tufekci on risk.

2018-02-06T09:46:40+00:00 | 24th July, 2018 | Tags: infosec, privacy