Pillowfort… wut u doin’, man?
(With original credit here.)
Edited to add: From reports by other users, it seems Pillowfort isn’t doing any robust sanitization on usernames at all, allowing things like slashes and period and spaces that break their own UI. This is… not good. Weren’t they supposed to’ve done a “security audit” after their hack a few weeks back?
Former president Bill Clinton has contributed to a cyberthriller The President is Missing, the plot of which is that the president stops a cybervirus from destroying the country. This is scary, because people in Washington D.C. are going to read this book, believe the hacking portrayed has some basis in reality, and base policy on it.
Robert Graham on bad policy.
A good chunk of my day job is trying to communicate to non-INFOSEC people how various different INFOSEC threats, a) actually operate, and b) what actually works against them. It is, I would have to say, not an easy job. And it’s a not-easy job made all the more not-easy by the fact that pop culture depictions of hacking, viruses, and so on are all just so bad…
(Also: Bill Clinton co-wrote a Jame Patterson-branded extruded fiction product. What a world we live in.)
“Strong” passwords, HTTPS, backups… pretty much all security advice is garbage, whether it’s coming from a garbage administration or not.
In this episode: HTTPS is still bullshit because it does not enforce single origin. That is, a website can appear as “valid HTTPS” while serving up to you malicious third-party JavaScrpit and cookies and iframes and all sorts of attendant garbage.1 Worse, because of the way the Modern Internet™ works (i.e. being monetized by third-party adtech), there is no way of changing this without either, a) breaking every major website, or b) creating a multi-tier internet based around which websites can afford to shell out hundreds of dollars a year for EV certs.
Apropos of the Shop outage yesterday: It is trivially easy (albeit usually expensive) to strip SSL connections, and do it in a way most end-users won’t be able to detect.
James Mickens on machine learning, AI, and security.
From the keynote’s summary:
Using case studies involving machine learning and other hastily-executed figments of Silicon Valley’s imagination, I will explain why computer security (and larger notions of ethical computing) are difficult to achieve if developers insist on literally not questioning anything that they do since even brief introspection would reduce the frequency of git commits.
So you know that scene in Independence Day where Will Smith uses a Mac to beam the virus onto the alien ship? The one that everyone lols about now?
Yeah well… what happens if aliens did it to us, instead?
The world expert on password analysis (no, really) looks at the “secret codes” posted by QAnon conspiracy trolls… and determined they’re very obviously just keyboard mashing. The methodology used to determine this is pretty interesting, too, and makes total sense when explained. You can even follow along yourself at home!
Also of interest: the “codes” were almost certainly generated by someone using a QWERTY keyboard, which probably means someone in the US (UK keyboards have slightly different symbol arrangements above the number keys, as do Russian keyboards that have joint Cyrillic/English layouts).
Data privacy is not like a consumer good, where you click “I accept” and all is well. Data privacy is more like air quality or safe drinking water, a public good that cannot be effectively regulated by trusting in the wisdom of millions of individual choices. A more collective response is needed.
Part of the problem with the ideal of individualized informed consent is that it assumes companies have the ability to inform us about the risks we are consenting to. They don’t. Strava surely did not intend to reveal the GPS coordinates of a possible Central Intelligence Agency annex in Mogadishu, Somalia — but it may have done just that. Even if all technology companies meant well and acted in good faith, they would not be in a position to let you know what exactly you were signing up for.
Zeynep Tufekci on risk.
Encoding a text-within-a-text by using almost-imperceptible changes in the shape of letters in a font.
