Another day, another bug! LetsSaveMoney.com is a "money saving" site. It offers discounts on a wide range of products and services, and is financed through affiliate marketing. Links removed, because the site has disappeared. My Trade Union, Prospect, has just launched a white-labelled "Members' Rewards" based on LetsSaveMoney - that's how I came across this bug. It's a depressingly familiar…
Nominet has, after much prevaricating, launched its latest money-grubbing venture plan to revolutionise the UK Internet industry. Rather than having fusty old example.co.uk or example.org.uk, businesses can go straight for example.uk - Mind = BLOWN! There are, of course, some obvious downsides to this plan. It's always been the case that people could register misspellings of domains and…
Earlier this year, I attended a lecture given by Alan Rusbridger - the outgoing editor of The Guardian - entitled "The World After Snowden." Held at Oxford University, and attended by journalists, technologists, and former spies - it was an exceptionally interesting talk and provoked a lively debate over dinner. In light of the publication of the disastrous Investigatory Powers Bill, I've…
This is a quick tutorial on how to encrypt your Twitter messages using PGP with the help of Keybase.io. I read an article yesterday which seemed to imply that Twitter was mangling PGP encrypted messages (albeit unintentionally). There is a minor bug in Twitter's web interface - but PGP seems to work perfectly in apps. So, I want to demonstrate how it can be done successfully. I've written this …
Virgin Media, the UK's semi-national cable broadband provider, is rolling out a WiFi sharing service - although it's not quite as altruistic as it may seem. Here's the email being sent to subscribers - followed by some commentary on what this means and whether it's a good idea for you to opt-out. Let's ignore them misspelling my name - and concentrate on the technical details. From September, …
Twitter have just released Periscope for Android. I'll do a full review of it later (tl;dr it's Qik with worse resolution) - but for now, I want to focus on the sign up process. You can only sign in with Twitter. That's fine, it's a Twitter product. So I pressed the sign-in button and this is the screen I saw. Is that the Twitter mobile website embedded into the app or is it a phishing…
I had dinner with the outgoing editor of The Guardian the other night. Clever chap, sure he'll go far in life. The Guardian is very hot on security. Many of their writers have PGP keys which they publicly advertise. In theory, that's great (complaints about PGP notwithstanding) - but the reality shows just how tricky it is to act in a security conscious manner. Have a look at Alan's Twitter…
2025 Update - Bitly removed the ability to create emoji links, so some of these links are now dead. Facebook rewrites URLs with Unicode in the path - this is not best practice and could be dangerous. It is possible to create a URL like http://bit.ly/😀 - the Unicode characters are valid in the path. The URL-encoded representation is bit.ly/%F0%9F%98%80 Facebook mangles these URLs in such a wa…
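Added example (not from the original post, and not Facebook's or Bitly's code): the percent-encoding rule the excerpt relies on, written out by hand in Python. A non-ASCII path character is UTF-8 encoded first and each byte is then emitted as %XX, which is why 😀 becomes %F0%9F%98%80. The decoder reverses that, and the cp1252 decode at the end is a constructed illustration of one well-known way such a path gets corrupted when the bytes are decoded with the wrong charset and re-encoded. The excerpt is cut off before it says how Facebook mangled the links, so that last part is not a description of Facebook's bug.

```python
import string

# RFC 3986 "unreserved" characters never need percent-encoding.
# "/" is kept as well because the functions work on a whole path, not one segment.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~/")


def percent_encode_path(path: str) -> str:
    """Percent-encode a raw (not yet encoded) URL path.

    Non-ASCII characters are UTF-8 encoded first, then every byte is written
    as %XX, so a single emoji turns into four escape sequences.
    A literal '%' in the input is encoded as %25; do not feed already-encoded
    paths through this or they will be double-encoded.
    """
    out = []
    for ch in path:
        if ch in UNRESERVED:
            out.append(ch)
        else:
            out.extend(f"%{b:02X}" for b in ch.encode("utf-8"))
    return "".join(out)


def percent_decode_path(path: str, charset: str = "utf-8") -> str:
    """Reverse percent_encode_path.

    All %XX escapes are collected as raw bytes and decoded once at the end,
    because a multi-byte character has to be reassembled before decoding.
    `charset` is a parameter only so the wrong-charset case can be shown.
    A '%' not followed by two hex digits is passed through as a literal.
    """
    buf = bytearray()
    i = 0
    while i < len(path):
        is_escape = (
            path[i] == "%"
            and i + 2 < len(path)
            and all(c in string.hexdigits for c in path[i + 1:i + 3])
        )
        if is_escape:
            buf.append(int(path[i + 1:i + 3], 16))
            i += 3
        else:
            buf.extend(path[i].encode("utf-8"))
            i += 1
    return buf.decode(charset)


def round_trip_ok(path: str) -> bool:
    """True if encoding and then decoding reproduces the original path."""
    return percent_decode_path(percent_encode_path(path)) == path


def mangled_by_wrong_charset(encoded: str) -> str:
    """Constructed failure mode (an assumption, not the post's finding):
    decode the bytes as cp1252 instead of UTF-8, then re-encode the mojibake.
    The result is a syntactically valid URL that points somewhere else."""
    mojibake = percent_decode_path(encoded, charset="cp1252")
    return percent_encode_path(mojibake)


if __name__ == "__main__":
    # Constructed sample: the emoji path from the post.
    raw = "/😀"
    enc = percent_encode_path(raw)
    print(raw, "->", enc)
    print("round trip:", round_trip_ok(raw))
    print("after cp1252 mangling:", mangled_by_wrong_charset(enc))
```

The check a practitioner wants is the round trip: a service that decodes a path and re-encodes it should land on exactly the same %XX sequence it received, and the cp1252 branch shows how a single wrong decode step produces a different, still well-formed link.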
(These bugs were responsibly disclosed on 7th December 2014, and were reported fixed on 9th December 2014. I sought & received permission to make these findings public.) I love the idea of Keybase.io. It's a site which takes a lot of the hard work out of encryption. I've discovered (and responsibly disclosed) a minor vulnerability with their web service. It doesn't lead to anyone's details…
Responsible Disclosure This flaw was reported to both Google and Opera on 23rd October 2014. Background International Domain Names are great! They open the web up to the whole world and allow me to own a domain like 莎士比亚.org. But they are a constant battleground in the fight for security. Homograph attacks are when someone uses two letters or symbols which look the same, to fool a user into v…
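Added example (not from the original post, and not code from Google or Opera): what an IDN such as the author's 莎士比亚.org looks like on the wire, and the simplest homograph check a practitioner reaches for, in Python. The stdlib idna codec turns each non-ASCII label into its xn-- punycode form and back; the script check derives an approximate script from the first word of each character's Unicode name, so a label mixing Latin and Cyrillic letters is flagged. The Latin/Cyrillic sample domain is constructed for the demo. Browsers apply much richer rules (confusable tables, per-script allow lists, and IDNA 2008/UTS #46 rather than the IDNA 2003 the stdlib codec implements), so treat this as an illustration of the idea, not a drop-in defence.

```python
import unicodedata

# ASCII digits and the hyphen are legal in any label and carry no script.
SCRIPT_NEUTRAL = set("-0123456789")


def to_ascii(domain: str) -> str:
    """IDNA-encode a domain: every non-ASCII label becomes an xn-- label.
    Uses the stdlib 'idna' codec (IDNA 2003), sufficient for this demo."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Decode the xn-- form back to the Unicode a browser would display."""
    return domain.encode("ascii").decode("idna")


def scripts_in_label(label: str) -> set:
    """Approximate each character's script from the first word of its Unicode
    name (LATIN, CYRILLIC, GREEK, CJK, ...). A production check would use the
    Unicode Script property, which the stdlib does not expose."""
    scripts = set()
    for ch in label:
        if ch in SCRIPT_NEUTRAL:
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_mixed_script(label: str) -> bool:
    """A label drawing on more than one script is the classic homograph
    pattern: Latin 'paypal' with one Cyrillic 'a' swapped in. Some scripts
    legitimately mix (Japanese uses CJK, HIRAGANA and KATAKANA together), which
    is why real policies are per-script allow lists rather than this rule."""
    return len(scripts_in_label(label)) > 1


def homograph_report(domain: str) -> list:
    """Per label: (unicode form, ascii form, sorted scripts, mixed?)."""
    report = []
    for label in domain.split("."):
        report.append(
            (label, to_ascii(label), sorted(scripts_in_label(label)),
             is_mixed_script(label))
        )
    return report


if __name__ == "__main__":
    # Constructed samples: the author's CJK domain and a Latin label with a
    # Cyrillic small a (U+0430) in place of the Latin one.
    for d in ("莎士比亚.org", "p\u0430ypal.com"):
        print(d, "->", to_ascii(d))
        for row in homograph_report(d):
            print("  ", row)
```

The useful habit this encodes: log and compare the xn-- form, never the displayed form, because two domains that render identically have different punycode, and a label whose scripts set has more than one member deserves a second look before you trust the padlock.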
It is a truth universally acknowledged, that an ISP in possession of a good Internet connection must be in want of a customer. One would think that, in these capitalist times, ISPs would compete over who could provide the fastest speed, the best service, and the lowest price. Sadly, in the UK, our ISPs seem to compete on who can be slightly less awful than each other. Last night, I did what…
Private Eye is the only "Dead Tree" publication I buy. I think its satire misses the mark more often than not - but its investigative journalism and general muck-raking are second to none. The Eye has reluctantly been drawn into the digital age. It has a piss-poor website run by the sort of "tired and emotional" gnomes who struggle with concepts like sanitising user input. EXCLUSIVE Push…