I use a password manager. I have 2FA set up on everything. When an organisation asks me to set a recovery question, I generate a 32 character passphrase. I don't use my mother's maiden name or my first pet's birthday on anything sensitive. I monitor my email addresses for breaches, and I regularly check my… Continue reading →
How can you quickly tune up your computer security? Dan Raywood - Contributing Editor at Infosecurity Magazine shares his wisdom with us. If you're interested in an open source password manager, I'm happy to personally recommend BitWarden https://shkspr.mobi/blog/wp-content/uploads/2019/03/Dan-Security.mp3Podcast: Download (Duration: 1:24 — 853.4KB)Subscribe: Android Google Podcasts RSS
Last week I wrote about how I had 800 passwords in my password manager. It was intended to highlight the ridiculous proliferation of online services, and how redecentralising identity comes with a manageability problem. I now want to talk about 2FA - Two-Factor Authentication - the random codes you have to type in every time… Continue reading →
I've started using BitWarden - the open source password manager. As I've been binge-watching Marie Kondo, I thought it was about time that I deleted all the accounts that I no longer user. I got rid of dozens related to previous employers. I hope the passwords wouldn't work after I left but 🤷♂️. I scanned… Continue reading →
I've just got a set of wearable NFC tags, and I've discovered something interesting about the way data is stored on them. tl;dr Overwriting a tag can leave old data intact, and still readable. Here's the decoded memory layout of a tag with data written to it. In this case, a (failed) experiment at storing… Continue reading →
Code-sharing site GitHub automatically sends email notifications to users. If you've commented on an issue, you'll get an email each time there's an update. That's pretty handy. It also allows users to reply by email. The reply is then automatically posted in the issue thread. Also handy. But a little dangerous. Lots of people have… Continue reading →
There's a new bug bounty provider in town! The Belgian company Intigriti. This is a quick write-up of how I found a trivial bug in their own system. The EU has announced that it is providing funding for bug bounties on critical open source projects. They've split the programme between HackerOne and Intigriti. I signed… Continue reading →
Imagine the scenario. You're trying out some cool new Twitter app. It asks you to sign in via OAuth as per usual. You look through the permissions - phew - it doesn't want to access your Direct Messages. You authorise it - whereupon it promptly leaks to the world all your sexts, inappropriate jokes, and… Continue reading →
A few months ago, British Airways' customers had their credit card details stolen. How was this possible? The best guess goes something like this: BA had 3rd party JS on its payment page <script src="https://example.com/whatever.js"></script> The 3rd party's site was hacked, and the JS was changed. BA's customers ran the script, which then harvested their… Continue reading →
Here's a curiosity which I found while stumbling through the Sony PlayStation store. The website loads internally hosted scripts using SRI (SubResource Integrity). Why? Does your work require you to swipe an ID card to access the building? That seems pretty normal. Does your work also remind you to keep your badge visible, and to… Continue reading →