"My team's intern just found a critical bug by shitposting in our codebase"
Found this story on LinkedIn and it made me laugh.
So our summer intern (who I'm 90% sure is a professional shitposter moonlighting as a dev) just saved our entire authentication service by being, well, an absolute agent of chaos.
Background: We have this legacy auth system that's been running since before TikTok existed. No one touches it. It's documented in ancient Sanskrit and COBOL comments. The last guy who understood it fully left to become a yoga instructor in Peru.
Enter our intern. First week, he asks why our commit messages are so boring. Starts adding memes to his. Whatever, right? Then he begins leaving comments in the codebase like:
// This function is older than me and probably pays taxes
// TODO: Ask if this while loop has health insurance
// Here lies Sarah's hopes and dreams (2019-2022), killed by this recursive call
The senior devs were split between horrified and amused. But here's where it gets good.
He's reading through the auth code (because "the commit messages here are too normal, sus") and adds this gem:
// yo why this token validation looking kinda thicc though
// fr fr no cap this base64 decode bussin
// wait... hold up... this ain't bussin at all
Turns out his Gen Z spider-sense wasn't just tingling for the memes. Man actually found a validation bypass that's been lurking in our code since Obama's first term. The kind of bug that makes security auditors wake up in cold sweats.
The best part? His Jira ticket title: "Auth be acting mad sus rn no cap frfr (Critical Security Issue)"
The worst part? We now have to explain to the CEO why "no cap frfr" appears in our Q3 security audit report.
The absolute kicker? Our senior security engineer's official code review comment: "bestie... you snapped with this find ngl"
I can't tell if this is the peak or rock bottom of our engineering culture. But I do know our intern's getting a return offer, if only because I need to see what he'll do to our GraphQL documentation.
PrivacyGuides.org
Privacy Guides is a not-for-profit, volunteer-run project that hosts online communities and publishes news and recommendations surrounding privacy and security tools, services, and knowledge.
This is a fantastic resource with lots of recommended tools and information on how they work.
Infosec on Mastodon - Increasing Bitwarden PBKDF2 Iterations
One of the communities which Mastodon has opened me up to is the "infosec" community: security professionals focused on information and digital security. In regard to the recent issues with LastPass, I have been paying close attention. And based on the following discussion, today I logged into Bitwarden and increased the PBKDF2 iterations to 600,000.
Bitwarden notes below that they are making 600,000 the standard, but I wanted to do it proactively, because this sort of change logs you out of Bitwarden. I wanted to make the change and log back in at a time when I wasn't in the middle of needing to be logged in and having to jump through all the hoops.
"HTTPS Is Actually Everywhere"
The EFF has provided, for years, a number of useful privacy tools. In doing my previous post about my Firefox extensions I discovered that the EFF was sunsetting one I'd been using for years called 'HTTPS Everywhere' and that's because browsers now had that functionality built in.
Glad the technology moved central and was adopted!
(2014) "Choosing Secure Passwords"
Bruce Schneier, who I've linked to and discussed before, has a post from 2014 about choosing a good password.
My advice is to take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary. Of course, don't use this one, because I've written about it. Choose your own sentence—something personal.
Here are some examples:
- WIw7,mstmsritt… = When I was seven, my sister threw my stuffed rabbit in the toilet.
- Wow…doestcst = Wow, does that couch smell terrible.
- Ltime@go-inag~faaa! = Long time ago in a galaxy not far away at all.
- uTVM,TPw55:utvm,tpwstillsecure = Until this very moment, these passwords were still secure.
LastPass was hacked and it is very bad for anyone who it affects
I was using LastPass until a few years ago. With news of this hacking, I am suddenly terrified that my account wasn't deleted by them. We will see.
A very interesting simple secure way of messaging or sending files, requiring no special software for recipient
A ‘Portable Secret’ is simply an HTML file that also contains:
- An encrypted payload
- Some Javascript that calls into the browser’s Web Cryptography APIs
Any (reasonably modern) web browser can open the file, even without an internet connection! If you know the password, you can recover the secret within.
Bitwarden enables passwordless authentication on the desktop / laptop
If you aren't using a password manager, please reconsider. Seriously.
This feature for Bitwarden is super cool and super important. It means you can make your passwords that much more secure while also having the convenience of not having to type a very long password, instead relying on your mobile phone to act as your key.
"The Quiet Invasion of 'Big Information'"
I recently removed Twitter and TikTok from my phone. Primarily because of productivity and not feeling I was getting the value I wanted from them. But also, partly, out of a concern of privacy.
I don't think removing those apps will make a substantial change in my digital footprint, and the reality is, I hardly make an effort to be anonymous online. I willingly answer questions from Google about my behaviors, both online and offline, for pennies ("When were you at Fred Meyer last?" or "Do you remember this YouTube video?")
This article, which is an excerpt from "Data Cartels" by Sarah Lamdan, is a grim reminder of what I largely already knew. These massive businesses do what people just 30 years ago would have considered obscene observation and stalking, and they make huge profits from it.
Despite being a billion-dollar data and information business—just one of RELX's brands, alone, has profit margins that rival Apple, Google, and Amazon's—RELX doesn't get the same level of public scrutiny that those other companies do.
We regularly hear, most recently in connection with Musk's Twitter moves, that if you're not paying for it, you yourself are the product. But the truth is you are already the product. No matter what we do, where we go, we are being tracked.
My mother-in-law was frustrated about getting texts for political candidates in Washington state even though she lives in Florida. She has a very small online footprint, but I suspect it's big enough. I didn't want to make her worried, so I glided over some of the details, but I noted that I suspect her phone was registered on a tower or network here in Washington and that that was recorded and then sold to the political marketers for this campaign.
I truly think we are approaching an epoch change in regards to online privacy and data, though it will be messy and, honestly, likely Sisyphean with too much already being out there and too many freedoms already lost.
I'm adding the book to my steadily growing pile of "things I need to read eventually."
Researchers use fluid dynamics to identify audio and video deepfakes
The first step in differentiating speech produced by humans from speech generated by deepfakes is understanding how to acoustically model the vocal tract. Luckily scientists have techniques to estimate what someone – or some being such as a dinosaur – would sound like based on anatomical measurements of its vocal tract.
We did the reverse. By inverting many of these same techniques, we were able to extract an approximation of a speaker's vocal tract during a segment of speech. This allowed us to effectively peer into the anatomy of the speaker who created the audio sample.
Could a nonprofit digital security organization work?
A recent discussion on HackerNews about the Bitwarden funding round included something which I found a very compelling idea and have been thinking about it for the past two days. The idea was a nonprofit that managed and provided privacy and security tools. I find this compelling because it would, ostensibly, remove the slippery capitalistic slope and hopefully ensure a service users could trust.
The closest example I know of is Mozilla, makers of the Firefox browser (my browser of choice.) And they do provide a number of tools in this realm such as password management (though, only through the Firefox browser) as well as email protection (when you don't want to give your real email, they provide a redirection) and even a VPN tool.
My first bit of criticism is that, with few exceptions, these tools funnel through Firefox and are not standalone offerings. Which, in the larger scope, is a minor thing as more and more computer-based activities become web-based, driven through the browser. The biggest pain point, and the reason I don't use Firefox's built-in password manager, is that I also use it for credentials which I need outside of the browser. So, for example, I have Bitwarden's desktop client installed on my mobile phone and laptop.
My other criticism of them (in the vein of this discussion; admittedly I do not know enough to know if this is really a problem) is organizational: they utilize a corporation within their nonprofit structure. There is a very good chance that there is a sound reason for this that has to do with taxes or benefits, etc., though for people like myself it seems like a way to just make more money without the restrictions of a nonprofit. A cursory Google search says the top reason is to "separate activities from the parent company," which I interpret as: "So we can make more money."
My resistance, and the entire reason a nonprofit seems interesting, is that it removes the capitalistic incentives for the company and lets it focus on the moral incentives. The downside, as the criticism I saw in the HN conversation goes, is that this is a demotivator for employees. If they joined it as a 'startup' then they have financial motivations which are likely being rewarded by the Bitwarden VC funding round, for example.
Perhaps this entire idea is a pipe dream, but I find it an enticing one. I'd love to start this sort of nonprofit and try to develop it into a sustainable for-good enterprise.
Bitwarden gets a $100M investment
I use Bitwarden as my password manager of choice. However, I am very nervous seeing this news because that investment means the company is under even more pressure and scrutiny to make money back for its investors. I left LastPass because they started doing shady stuff in the name of making money and I worry we're on the road to that same event for Bitwarden.
A technical write up explaining why using VPNs on iOS devices comes with concerns and can leak your data and identity
VPNs on iOS are broken. At first, they appear to work fine. The iOS device gets a new public IP address and new DNS servers. Data is sent to the VPN server. But, over time, a detailed inspection of data leaving the iOS device shows that the VPN tunnel leaks. Data leaves the iOS device outside of the VPN tunnel. This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers.
Hacked 101
This was originally a post I wrote on Facebook for my friends and family. I had a person close to me get their Facebook account hacked and it caused others who are not technologically inclined to be scared it might happen to them. So, this was my effort to try and answer their questions about it and what they can do.
Intro
This is a LONG post. I’m going to try and break it up but it goes into roughly four sections:
- Introduction
- How does someone hack me?
- What do I do if I get hacked?
- What else can I do to protect myself?
Some of you will go “I don’t understand technology” and skip this post. Please don’t. If you have questions, please ask! I guarantee you aren’t the only person with that question. I will answer any and every question on this topic.
"New Gmail Attack Bypasses Passwords And 2FA To Read All Email"
Bolding below is mine for emphasis.
According to cyber security firm Volexity, the threat research team has found the North Korean 'SharpTongue' group, which appears to be part of, or related to, the Kimsuky advanced persistent threat group, deploying malware called SHARPEXT that doesn't need your Gmail login credentials at all.
Instead, it "directly inspects and exfiltrates data" from a Gmail account as the victim browses it. This quickly evolving threat, Volexity says it is already on version 3.0 according to the malware's internal versioning, can steal email from both Gmail and AOL webmail accounts, and works across three browsers: Google Chrome, Microsoft Edge, and a South Korean client called Whale.
"Fear, Uncertainty, and Period Trackers"
I was pointed to this essay by Bruce Schneier's blog. Bruce is one of the foremost digital security experts, and he was right: this is an excellent essay which basically highlights that period tracker app data is a red herring. If you are concerned about someone finding out about your pregnancy, etc., there are a myriad of ways and things to be worried about which are more important than the apps and their data. OpSec is a thing in so much of our lives, and the internet makes it very hard.

