Archive for Security

Password Rules Are Bullshit

If we don’t solve the password problem for users in my lifetime I am gonna haunt you from beyond the grave as a ghost

Source: Password Rules Are Bullshit

911 Exploit Could Have Caused Grave Problems Across the US

Apple promises to fix a 911 exploit soon. Back in October, an iOS exploit caused thousands of iPhones to dial 911 without user input. The situation got so bad that some U.S. call centers almost went offline. These are the findings of a four-month government investigation, according to The Wall Street Journal.

Source: 911 Exploit Could Have Caused Grave Problems Across the US

What do Uber, Volkswagen and Zenefits have in common? They all used hidden code to break the law.

Coding is a superpower. With it, you can bend reality to your will. You can make the world a better place. Or you can destroy it.

You may be able to fool the regulators, the police, the judges. You may be able to fool the general public. And you may be able to go on doing this indefinitely without being caught.

But that doesn’t make it right.

Developers have great power. And they must use this power responsibly.

If you’re a developer, or working toward becoming one, I strongly recommend you read Bill Sourour’s article “The code I’m still ashamed of.”

And if someone asks you to build something that is clearly illegal?—?or downright evil?—?go to the press. The developers in all three of these cases could have done this and saved the world a lot of heart ache.


TeamSIK – Password-Manager Apps

Applications vendors advertise their password manager applications as “bank-level” or “military-grade” secure. However, can users be sure that their secrets are actually stored securely? Despite the vendors’ claims, is it nevertheless possible to obtain access to the stored credentials?

In order to answer these questions, we performed a security analysis on the most popular Android password manager applications from the Google Play Store based on download count. The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users` confidence and expose them to high risks.

Source: TeamSIK – Password-Manager Apps

A privacy-focused browser developer just bought Ghostery

Cliqz, the German developer of the privacy-focused browser of the same name, has acquired the tracker-blocking browser extension Ghostery and its development team from its creator, Evidon.

Partly owned by Mozilla, Cliqz will combine Ghostery’s technology with similar functions in its browser, but plans to continue development of the extension for other browsers too, it said Wednesday.

The sale will resolve an apparent conflict of interest for Evidon, which on the one hand provided the Ghostery extension to enhance privacy, and on the other sold aggregate information to businesses regarding which trackers users blocked. It will still obtain that aggregate information from Cliqz, but one step removed.

Source: A privacy-focused browser developer just bought Ghostery | Macworld

iCloud was quietly storing years of cleared browsing histories

This morning, a Russian forensics firm named Elcomsoft announced a way to extract years’ worth of web browsing records from Apple’s iCloud storage system, a method first reported by Forbes. Those records included site names, URLs, and when a given site was visited. Cleared browsing records are also visible in the records, although they are marked as “deleted” in the table. Mobile browsing records are also visible, although the sites themselves appear to be hashed in the most recent versions of iOS.

Source: iCloud was quietly storing years of cleared browsing histories – The Verge

12 Remote Code Execution flaws patched in Flash!

The Flash Player update fixes 13 vulnerabilities, 12 that can lead to remote code execution and one that allows attackers to bypass a security restriction and disclose information. Adobe is not aware of any exploit for these flaws existing in the wild.

seriously… retire it, block it, get rid of it

Source: Adobe Security Bulletin

Go to The Glass Room. If Black Mirror Had a Showroom, This Would Be It

I want to see The Glass Room everywhere there is an Apple Store. When you sign up for the latest social app, you should have to walk through The Glass Room. Going to SXSW should come with a ticket to a Glass Room exhibit. And anyone founding or working for a tech company should have to prove they’ve gone through this space and understood its meaning.

Source: Go to The Glass Room. If Black Mirror Had a Showroom, This Would Be It

These wireless earbuds transform the sounds around you and preview a future of in-ear computers

The Here One are headphones, but Kraft doesn’t like to call them that. He doesn’t even think Doppler Labs will be in hardware for the long run. Instead, like Bragi, he considers the Here One an in-ear computer — or “hearable” — and a platform for developers to build on. He wouldn’t say which developers the company has lined up already, but did say it’ll announce initial partners soon.

In non-salesman speak, he’s banking on hearables blowing up where smartwatches have fizzled, and trying to set Doppler Labs up as a leader in the Next Big Market after (or really, alongside) smartphones.

The Here One can talk to Siri or Google Assistant, make calls, and work with a few unspecified apps. The idea is to build those apps out, and make it so the computer in your ear can displace the computer in your pocket in more and more ways. (And if you pair it with an augmented reality headset, that might provide the visual aspect headphones inherently lack.)

Browsers are Deprecating Powerful Features on Insecure Origins

Google is removing geolocation support on insecure origins in Chrome

We want to start by requiring secure origins for these existing features:

As with gradually marking HTTP as non-secure, we expect to gradually migrate these features to secure-only, based on thresholds of usage, starting with lowest usage and moving towards higher. We also expect to gradually indicate in the UX that the features are deprecated for non-secure origins.

Source: Deprecating Powerful Features on Insecure Origins – The Chromium Projects


WebKit just removed geolocation support on insecure origins:


There is a broad industrial agreement that Internet connections should always be encrypted. The new Service Worker API requires HTTPS from the first. As per Mozilla developers’ proposal, several functionalities that need user permission, including the Geolocation, Notification, Fullscreen, Pointer Lock and Media Stream APIs, may also require HTTPS later.

Source: Insecure HTTP will be deprecated (Affecting) | Firefox Site Compatibility