kurtseifried

jerry , 23 hours ago to random

Here is a short summary of the US presidential debate

video/mp4

jerry , 2 days ago to random

OooOooooO the heartburn regret of eating the whole order of Chang’s spicy chicken right before bed 🤢

jerry , 11 days ago to random

I find it endlessly fascinating that the place with arguably the most data privacy protections (EU) are working to hard to remove the ability to protect one’s data (via breaking e2e encryption)

kurtseifried , 11 days ago to random

So should we not do things unless they are perfect?

NO! OF COURSE NOT! ARE YOU INSANE?!?!?!?!

But maybe we should consider doing things that move the security needle from empty to ... less empty (full would be a dream). Find out with @joshbressers and @kurtseifried on the #osspodcast https://opensourcesecurity.io/2024/06/16/episode-433-should-openssh-block-misbehaving-clients/

There is no TLDR, it's a mess.

jerry , 21 days ago to random

The new factors for authentication
Something you wish you were
Something you want
Something that hurt you

jerry , 25 days ago to random

[Thread, post or comment was deleted by the author]

kurtseifried , 25 days ago to random

Should you redirect HTTP to HTTPS for a website? What about for APIs? @joshbressers and @kurtseifried thought this was a reasonably simple question and... well... as usual it turns out to be quite complicated and nuanced. Find out on the #osspodcast at http://opensourcesecurity.io/2024/06/02/episode-431-redirecting-http-to-https/ TL;DR: we should really make HTTPS the default, not HTTP for new stuff. I'm also still not sure how I feel about the cult of backwards compatibility (especially in light of the RJ tab toots).

molly0xfff , 1 month ago to random

just realized i've had the mollywhite.net domain for over 10 years(!!)

related sneak peek into an upcoming piece: i firmly believe that if you're going to spend money on one thing online it should be a domain, particularly as online identity gets more fragmented. as platforms come and go, you can always find me there.

#domains #web

jerry , 1 month ago (edited 1 month ago) to random

The number of active Mastodon accounts continues to drop, including here on Infosec.exchange, however it’s dropping slower than elsewhere. According to https://fedidb.org/software/mastodon we are the number 4 (soon to be number 3) most active instance. I’m not sure whether to be happy or sad.

jerry , 1 month ago to random

The sheriff is out doing very low flybys to try to get people out of the water today due to strong rip currents. It’s not working so well.

elilla , 1 month ago to random

jerry , 1 month ago to random

I get 1password from from work... now that I am being kicked out, I need to figure out if I want to stay with 1Password... (and pay for it) 🤔

kurtseifried , 1 month ago to random

Remember when an entity (that totally isn't China) used #Blackcat #ransomware to cripple UnitedHealth in the US? Good news, Canada is catching up, one of our main pharmacy chains in western Canada just got shut down "due to an operational issue" https://www.cbc.ca/news/canada/british-columbia/london-drugs-closure-western-canada-1.7187615 @briankrebs

kurtseifried , 2 months ago to random

@pluralistic Revenue Canada's terms and conditions of use is beyond draconian, like you can't even hit "save page" in your browser or even cut and paste without violating it:

"You agree that you will not use any script, robot, spider, Web crawler, screen scraper, automated query program or other automated device or any manual process to monitor or copy the content contained in any online services."

https://www.canada.ca/en/revenue-agency/services/e-services/digital-services-individuals/account-individuals/preview-account-terms-conditions-use.html

And it's not like you can really opt-out of using this website/service (well I mean some people do, but that rarely ends well for them).

pluralistic , 2 months ago to random

Give the people what they want

#mobile #mcommerce #AppsAreCrap #AppsAreWebPagesSkinnedInEnoughIPToFelonizeMods #privacy #AccountFatigue #AppFatigue

kurtseifried , 2 months ago to random

Hey @lcamtuf regarding https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor

"In today’s world, if you have the technical chops and the patience to pull this off, you can easily land a job that would set you for life without risking any prison time."

What prison time? If they exploit it, yes that's classical hacking, but if they create the backdoor and then sell it to a company or government... what specific laws have they broken?

A zealous prosecutor could definitely make a case around:

"or causes to be communicated, delivered, or transmitted, ... to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;"

But I'm not finding any specific statutes that ban the creation of a back door, and I know first hand of many commercial software entities that put backdoors/default accounts in, often at the customers request, e.g. "admin123" in a label printing software package to allow over rides, or an accounting package on a SCO server with an admin account that had a password of the companies+address name spelled backwards with alternating capitals so they could help provide adjustments and so on.

pluralistic , 3 months ago to random

Hard to overstate how enshittified and botshitted Google Maps has become. Went looking for my local locksmith on Gmaps. Maps shows 20+ fake locksmith referral scam outlets and doesn't even register the real locksmith, despite it being fully visible in Street View.

Instead, a red pin on the shop identifies it as a fake locksmith scammer. The real locksmith - which has been there SINCE 1942 (!!) and is a verified merchant - doesn't even show up.

Google Maps, showing the storefront for Golden State Lock as an empty building.