I understand the urge to express free political speech, regardless of ideology. Like the rest of modern society, that now relies on technology that is not easily mastered, certainly not at the scale of Gettr. I feel some schadenfreude at the sheer weight of the Dunning-Kruger effect here yet no one deserves to have any more of their data leaked. https://threatpost.com/trump-gettr-social-media-hacked-day-1/167574/
Tag: security
Nonsense
Back on more of my old nonsense. Enjoying the upgrades.
Google’s reCaptcha cracked again
A couple of important points here. What was theoretically broken was the audio alternative option in reCaptcha. Bad but not as bad as it could be. What is probably worse, though, is that an exploit has been previously published of this same option, in fact using Google’s own voice processing API’s against it. Nothing about how Google can or will shore up this vulnerability.
Read More …
Deputy AG shows law enforcers still don’t get encryption
According to The Register, the US Deputy Attorney General is now saying that technology companies don’t need to install back doors in their encryption–provided they can reveal plain text of all secure communications on demand. Entirely misses the point.
Read More …
Flaw in Google bug tracker exposed reports about unpatched vulnerabilities
I am surprised we haven’t seen this kind of thing previously. No doubt it has happened before given the value to attackers of this kind of information. The issue was found by a bug hunter as part of Google’s bounty program. Good for them to include the infrastructure for their program as well as Google products and services.
Read More …
Thorough primer on threat modeling
Sean Gallagher at Ars does an admirable job of breaking down a security topic, threat modeling, that doesn’t get much attention outside of research and professional circles. This piece is a long read but well worth it, both to understand the tecnique and for all the references and practical advice.
Read More …
Let’s Encrypt to offer wildcard certificates for free
After only a year with a paid authority, I gladly switched to the free and open certificate authority that EFF helped stand up. I haven’t minded having to enter multiple alternative names on my certificate every time I renew (which is evert 90 days, a security feature of Let’s Encrypt.) Wildcards make an already fantastic resource that much better. Read More …
GnuPG project holding a fund raising rally
Gnu Privacy Guard, an open source crypto tool compatible with OpenPGP and laterally supporting dozens of different uses is trying to raise funds for a few months of some additional developers time. I use GPG daily, including signing and encrypting my mail, securing online chats, keeping my password store safe, and so much more. Please check it out and help if you can. If you want to know more ways to use GPG, find me on Freenode at #cmdln or keybase.
Read More …
New stewardship for Thunderbird
I stopped using Thunderbird some time ago in favor of the email client that is part of my Linux distribution. I recognize the importance of Thunderbird given how webmail has generally erode the ability for regular folks have to have secure and confidential email correspondence. I am glad to see the project find new footing and a means to sustain.
IoT security anti-patterns
Saw this on Boing Boing, thanks again to Cory. Junade Ali at CloudFlare catalogs a few practices implementing IoT devices that contribute to the overall poor state of security. Importantly, there are recommend alternatives that maintain or improve security. We clearly need more of this, alongside existing resources like the OWASP security guide, both for manufacturers and for expert users to effectively hole them to account.