The limits of General Purpose Computation

A pet cat typing on a computer keyboard.

Should my bank be able to block me from using their Android app, just because my phone is rooted? I'm reluctantly coming to the conclusion that... yeah, it's fair that they get to decide their own risk tolerance. Sage of the Internet, and general Sooth Sayer, Cory Doctorow once gave an impassioned speech on "The […]

Continue reading →

How do you stop people accessing data they shouldn't?

A padlock engraved into a circuit board.

I used to work in a call centre for a Very Big Company. Every week, without exception, we'd get a bunch of new starters to train. And every week, without exception, a newbie would be fired after looking up a famous person's data. This was in the days before GDPR. There was a lot less […]

Continue reading →

Responsible Disclosure: arXiv - redirect on login

A padlock engraved into a circuit board.

Suppose you are sent a link to a website - e.g. https://example.com/page/1234 But, before you can access it, you need to log in. So the website redirects you to: https://example.com/login?on_success=/page/1234 If you get the password right, you go to the original page you requested. Nice! But what happens if someone manipulates that query string? Suppose […]

Continue reading →

How to generate a Base32 TOTP secret string on a Mac

A padlock engraved into a circuit board.

I needed a way to generate a TOTP secret using a fairly locked-down Mac. No Brew. No NPM. No Python. No Prolog, COBOL, or FORTRAN. No Internet connection. Just whatever software is native to MacOS. As I've mentioned before, the TOTP specification is a stagnant wasteland. But it does have this to say about the […]

Continue reading →

Responsible Disclosure: Abandoned Buckets and Billing Emails

Error saying the bucket does not exit.

A few weeks ago, I received a billing email from my phone provider O21. While glancing at it, I noticed all the images were broken. Viewing the source of the email showed that they were all coming from http:// mcsaatchi-email-preview.s3.amazonaws.com/o2/... What happens if we visit that domain? Ah, the dreaded "The specified bucket does not […]

Continue reading →

Book Review: If It's Smart, It's Vulnerable - Mikko Hyppönen

Book cover. The author's photo is distorted by electronic interference.

This is a curious book. It starts out as a look at the security of everyday objects, but quickly becomes a series of after-dinner anecdotes about various security related issues. That's not a bad thing, as such, but a little different from what I was expecting. There's no doubt that Mikko walks the walk as […]

Continue reading →

␃␄