I see what you are doing

Jack Cook has a great post about a side-channel attack on web browsers. He explains the attack very well and illustrates it with some nice hands-on examples that run in the browser. What I like most is that he outlines how he developed the attack by simplifying a more complex approach and applying AI to the results. It’s quite sobering in its simplicity and power. Really well done. If you have any interest at all in this sort of thing, give it a read.

Privacy is not an option

This research by The Mozilla Foundation shows an appalling lack of attention to privacy and security concerns by auto makers. I can’t decide whether it is surprising that Tesla ranked the worst. On one hand, they are (or should be) more attuned to privacy and security concerns since they are a Silicon Valley-oriented company. On the other hand, they seem to aggressively push the limits of technology in ways that aren’t always positive for consumers and the general public.

So glad I left

I’m really glad I stopped using LastPass and deleted my account. It sounds like even after the security issue, they were misleading to customers and have done nothing to improve matters. Bitwarden continues to work really well for me. I’ve used it on iOS, Mac and Linux and it works great everywhere. The Firefox plugin is handy and does what it’s supposed to. No complaints at all. I hope they don’t get acquired.

Ditch it

LastPass was bought by a private equity company. As is often the case, that change of ownership heralded a change in the business model. Usually, these changes are not beneficial to customers. Since the acquisition, LastPass has raised prices and had a very significant security breach. I dropped it early last year after they changed the subscription plan and switched to Bitwarden. Bitwarden has worked really well for me and I would recommend it to anyone looking for a cross-platform password solution.

Another one spills the beans

T-Mobile US had 100 million user accounts compromised. I think this is about the millionth time I’ve heard of a major company getting personal data about customers (you know, the little people) stolen. I’ve got some personal skin in the game on this one as I’m a T-Mobile customer. I’m not too pleased that I’ve read about this in many places online but have yet to be contacted directly by T-Mobile telling me what is going on.

Unsafe at any bitrate

Edward Snowden says in a blog post that “an out-of-control Insecurity Industry” is responsible for turning your iPhone into a “potentially lethal threat”. He has a point. The company he cites in the post, NSO Group, produced software that enabled Saudi Arabia to murder Jamal Khashoggi. NSO Group claims on their website that: “NSO creates technology that helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe.”

Hit 'em with policy!

The White House released a statement on improving cybersecurity for critical infrastructure control systems. That’ll really show those Russians we mean business! It’s better than nothing and the goals are laudable, but until some real regulations are established to enforce application of standards, the “sector-specific critical infrastructure performance goals” will continue to be unmet. Some stiff penalties for failing to meet the standards could make a difference. More important than the penalties, which corporations often treat as a cost of doing business, such regulation might engender a change in attitude much like the safety cultures now present in most manufacturing environments.

Slow down script kiddies and other miscreants

The null program is a really great blog written by Chris Wellons. He has a great deal of interesting stuff on a wide array of programming topics. One that caught my attention recently is Endlessh: an SSH Tarpit. Essentially, what he is proposing is a very simple and low-cost way to slow down unsophisticated attacks on Internet-facing servers. If you’ve ever had an Internet-facing server with port 22 open, you can immediately see the value of this.
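To show the mechanism rather than just the recommendation, here is an added Python sketch of the same idea. It is not Wellons's code (Endlessh itself is written in C) and the function names, port handling and the 32-byte line length are my own choices. The trick it relies on is in RFC 4253 section 4.2: before a server sends its `SSH-2.0-...` identification string it may send any number of CRLF-terminated lines, as long as none of them begins with `SSH-`, and a client is expected to read and ignore them. A server that trickles such junk out forever, one short line every ten seconds, keeps each scanner's connection hung while spending almost nothing itself.

```python
"""Minimal SSH tarpit in the spirit of Endlessh (added example, not Wellons's code)."""
import asyncio
import secrets
import string
from typing import Optional

# Junk alphabet: printable ASCII, which is all RFC 4253 allows on a banner line.
_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def banner_line(max_len: int = 32) -> bytes:
    """Return one CRLF-terminated junk line that a client cannot mistake for the
    real version string. RFC 4253 caps the identification string at 255 bytes
    including CRLF, so the junk stays well under that; a line that happened to
    start with "SSH-" would end the tarpit, so such lines are regenerated."""
    while True:
        length = 3 + secrets.randbelow(max_len - 3 + 1)  # 3 .. max_len bytes
        line = "".join(secrets.choice(_ALPHABET) for _ in range(length))
        if not line.startswith("SSH-"):
            return line.encode("ascii") + b"\r\n"


def is_valid_tarpit_line(line: bytes) -> bool:
    """The RFC 4253 constraints a pre-banner line must satisfy."""
    return (
        line.endswith(b"\r\n")
        and len(line) <= 255
        and not line.startswith(b"SSH-")
        and all(32 <= b < 127 for b in line[:-2])
    )


async def tarpit_client(reader, writer, delay: float,
                        max_lines: Optional[int] = None) -> int:
    """Feed one victim junk lines `delay` seconds apart until it gives up.
    `max_lines` exists only so a test can bound the run; real use leaves it None."""
    sent = 0
    try:
        while max_lines is None or sent < max_lines:
            writer.write(banner_line())
            await writer.drain()  # back-pressure: never buffer for a dead peer
            sent += 1
            await asyncio.sleep(delay)
    except ConnectionError:
        pass  # the victim hung up, which is the point
    finally:
        writer.close()
    return sent


async def serve(host: str, port: int, delay: float = 10.0) -> None:
    """Listen and tarpit every connection; one coroutine per victim, no threads."""
    server = await asyncio.start_server(
        lambda r, w: tarpit_client(r, w, delay), host, port)
    async with server:
        await server.serve_forever()


async def _probe(n_lines: int, delay: float) -> list:
    """Start a tarpit on an ephemeral loopback port, connect as a victim and
    return the first n_lines it sends (used for the demo and the test)."""
    server = await asyncio.start_server(
        lambda r, w: tarpit_client(r, w, delay, max_lines=n_lines),
        "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    lines = [await reader.readline() for _ in range(n_lines)]
    writer.close()
    await writer.wait_closed()
    server.close()
    await server.wait_closed()
    return lines


def probe(n_lines: int = 5, delay: float = 0.01) -> list:
    """Synchronous wrapper: what a client sees from the tarpit, loopback only."""
    return asyncio.run(_probe(n_lines, delay))


if __name__ == "__main__":
    for junk in probe():
        print(junk)
    # Real deployment: move sshd to another port, then run this on 22:
    # asyncio.run(serve("0.0.0.0", 22))
```

Two practical notes. First, this only works if the real sshd is moved off port 22 so the tarpit can own it; the bots scanning for 22 get the tarpit, and you connect to the other port. Second, a tarpit wastes attackers' time but does not replace key-only authentication or rate limiting; its value is that each held connection costs the scanner a socket and a timeout while costing the server a few hundred bytes of coroutine state.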
