
Terence Eden’s Blog


Responsible Disclosure: Chimoney Android App and KYCaid

· 750 words · Viewed ~316 times


Screenshot. An error occurred and an email address.

Chimoney is a new "multi-currency wallet" provider. Based out of Canada, it allows users to send money to and from a variety of currencies. It also supports the new Interledger protocol for WebMonetization. It is, as far as I can tell, unregulated by any financial institution. Nevertheless, it performs a "Know Your Customer" (KYC) check on all new accounts in order to prevent fraud. To do this,…

Book Review: Code, Chips and Control - The Security Posture of Digital Isolation by Sal Kimmich

· 1 comment · 450 words · Viewed ~212 times


Book cover featuring circuitry.

My friend Sal has written a book! I was lucky enough to get early access to it. Code, Chips and Control is an in-depth look at cyber security. And I do mean in depth - this literally starts at the silicon wafer level! It isn't just about the trivial logic bugs which so often get exploited; this goes into the geopolitics of supply chains, the physics of satellite hacking, and the history of…

Responsible Disclosure: Joiners, Movers, and Leavers in NHS BSA

· 1 comment · 450 words · Viewed ~546 times


Your organization, NHS Business Services Authority that you are a member of, now requires all users to only have secure two-factor authentication (2FA) methods. You currently have SMS/Text message configured as a 2FA method, which is not considered secure. To access NHS Business Services Authority resources, remove SMS/Text message as a 2FA method.

Many, many years ago, I did some work for the NHS. As part of that, I was given access to certain GitHub organisations so that I could contribute to various projects. Once I left that job my access was revoked. Mostly. A few weeks ago, I received this email from GitHub. On the surface, this is a sensible email. They want all their members to only have strong 2FA and I still had SMS configured …

Some minor bugs in Proton's new Authenticator app

· 1 comment · 900 words · Viewed ~1,265 times


QR code for a 10 digit TOTP.

I maintain a test suite for TOTP codes. It contains a bunch of codes which adhere to the specification, some of which stretch it to breaking point, and some that are completely invalid. These codes are a good starting point for checking whether a 2FA / MFA app works correctly. Proton have released a swish new authenticator app for Android, iOS, Mac, Linux and Windows. Sadly, their open source…
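As an added example (this is not Proton's code and not the author's test suite), here is a small RFC 4226 / RFC 6238 implementation that accepts the spec-stretching parameters an otpauth:// QR code can carry, such as the 10-digit code pictured above, and rejects what the spec cannot express. The secret and timestamps used below are the published RFC test vectors; the label and issuer in the URI are made up for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote, urlencode

# Added example: RFC 4226 HOTP / RFC 6238 TOTP with the knobs an otpauth://
# URI can set. Not Proton's code and not the author's test suite.

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """HOTP(K, C): HMAC over the 8-byte counter, dynamic truncation to 31 bits,
    then the low `digits` decimal digits, zero-padded."""
    if not 1 <= digits <= 10:
        # Truncation yields at most 2**31 - 1 = 2147483647, so 10 digits already
        # show the whole value; asking for more is outside RFC 4226.
        raise ValueError("digits must be between 1 and 10")
    if not 0 <= counter < 1 << 64:
        raise ValueError("counter must fit in an unsigned 64-bit integer")
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, digits=6, period=30, algorithm="SHA1", t0=0):
    """TOTP = HOTP with counter floor((T - T0) / period); `at` is a Unix time."""
    if period <= 0:
        raise ValueError("period must be positive")
    if at is None:
        at = time.time()
    return hotp(secret, (int(at) - t0) // period, digits, algorithm)


def decode_base32_secret(text):
    """Secrets in QR codes are often lowercase, space-separated and unpadded;
    normalise all of that before decoding."""
    cleaned = text.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def otpauth_uri(label, secret, issuer, digits=6, period=30, algorithm="SHA1"):
    """Build the otpauth://totp URI that an enrolment QR code encodes."""
    params = {
        "secret": base64.b32encode(secret).decode("ascii").rstrip("="),
        "issuer": issuer,
        "algorithm": algorithm,
        "digits": digits,
        "period": period,
    }
    return f"otpauth://totp/{quote(issuer)}:{quote(label)}?{urlencode(params)}"


if __name__ == "__main__":
    # RFC 6238 Appendix B shared secret for the SHA1 vectors.
    secret = b"12345678901234567890"
    print(totp(secret, at=59, digits=8))    # RFC vector: 94287082
    print(totp(secret, at=59, digits=10))   # same code, all 10 digits of the 31-bit value
    print(otpauth_uri("alice@example.com", secret, "Example", digits=10))
```

The 10-digit case is the interesting one: it is the same 31-bit value as the 8-digit code with nothing cut off, so an app that rejects it (or silently renders it as 6 digits) has a bug in its handling of `digits`, not in its HMAC.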

Security Flaws in the WebMonetization Site

· 4 comments · 750 words · Viewed ~455 times


Web Monetization The Web Monetization API allows websites to automatically and passively receive payments from Web Monetization-enabled visitors.

I've written before about the nascent WebMonetization Standard. It is a proposal which allows websites to ask users for passive payments when they visit. A visitor to this site could, if this standard is widely adopted, opt to send me cash for my very fine blog posts. All I need to do is add something like this into my site's source code: <link rel="monetization"…

Are Brother's Insecure Printers Illegal in the UK?

· 4 comments · 1,050 words · Viewed ~835 times


A padlock engraved into a circuit board.

Another day, another security disaster! This time, multiple printers from Brother have an unfixable security flaw. That's bad, obviously, but is it illegally bad? Let's take a look at the details of the vulnerability: An unauthenticated attacker who knows the target device's serial number, can generate the default administrator password for the device. Recently, the UK brought in some laws aimed…

Reading NFC Passport Chips in Linux

· 9 comments · 900 words · Viewed ~37,752 times


A mocked up passport which looks like it has been issued by the fictional country of Wakanda.

For boring and totally not nefarious reasons, I want to read all the data contained in my passport's NFC chip using Linux. After a long and annoying search, I settled on roeften's pypassport. I can now read all the passport information, including biometrics. Table of Contents: Background; Recreating the MRZ; Python code to generate an MRZ; Can you read a cancelled passport?; Cryptography and other…

Your Password Algorithm Sucks

· 18 comments · 600 words · Viewed ~1,960 times


Sorry but you password must contain and upper case letter, a number, a haiku, a gang sign, a hieroglyph, and the blood of a virgin.

There are two sorts of people in the world; those who know they are stupid and those who think they are clever. Stupid people use a password manager. They know they can't remember a hundred different passwords and so outsource the thinking to something reasonably secure. I'm a stupid person and am very happy to have BitWarden generate and save fiendishly complex unique passwords which are then…

What is a "Cyber Attack"?

· 4 comments · 750 words · Viewed ~511 times


Screenshot showing a journalist's incredulity at a report.

Terminology is hard. Computer terminology is even harder. Humans are animals who just love to classify things. We have a fundamental need in our delicious meaty brains to put things into conceptual buckets. This, I think, leads to some unfortunate consequences when our categories don't match up with other people's categories. For example, take this news story and this journalist's response to…

That's Not How A SIM Swap Attack Works

· 5 comments · 850 words · Viewed ~1,259 times


A padlock engraved into a circuit board.

There's a disturbing article in The Guardian about a person who was on the receiving end of a successful cybersecurity attack. EE texted to say they had processed my sim activation request, and the new sim would be active in 24 hours. I was told to contact them if I hadn’t requested this. I hadn’t, so I did so immediately. Twenty-four hours later, my mobile stopped working and money was wit…

FobCam '25 - All my MFA tokens on one page

· 3 comments · 1,000 words · Viewed ~1,029 times


A padlock engraved into a circuit board.

Some ideas are timeless. Back in 2004, an anonymous genius set up "FobCam". Tired of having to carry around an RSA SecurID token everywhere, our hero simply left the fob at home with an early webcam pointing at it. And then left the page open for all to see. Security expert Bruce Schneier approved of this trade-off between security and usability - saying what we're all thinking: Here’s a guy w…

How to prevent Payment Pointer fraud

· 9 comments · 1,000 words · Viewed ~718 times


Web Monetization The Web Monetization API allows websites to automatically and passively receive payments from Web Monetization-enabled visitors.

There's a new Web Standard in town! Meet WebMonetization - it aims to be a low effort way to help users passively pay website owners. The pitch is simple. A website owner places a single new line in their HTML's <head> - something like this: <link rel="monetization" href="https://wallet.example.com/edent" /> That address is a "Payment Pointer". As a user browses the web, their browser takes …