PayPal doesn't care about 2FA security


Remember when PayPal was a cool new company dedicated to radically improving online payments? Seems like it was ages ago. Now PayPal is little better than the bloated banks it sought to overthrow. Arcane bureaucracy, impenetrable fees, and a lamentable approach to security. I was minded recently to switch on 2-Factor-Authentication (2FA) for all my […]

Disclosed - Lifx Security Issue


I love my Lifx Bulbs. They're a quick and easy way to retrofit Internet connected goodies into a smart-home. One of the best things about them is their open API. Sure, you can use IFTTT if you want something easy - but us 1337 hax0rs want an API and Lifx provides it. The API is […]

Designing a Home Network for Hostile Devices


I've written before about just how many Internet connected gadgets I have. I've also blogged about my dodgy WiFi lightswitches which send data back to China. Every IoT device you put in your home brings a certain level of risk to the other devices in your network. For example, my Smart TV and my Lifx […]

Minimum Viable XSS


Here's a fun little game for all the family! What is the minimum number of characters required to perform a successful XSS attack? Let's take an entirely theoretical example - suppose we have a site which echoes back user input without sanitising it. So a search for " <em>" turns the whole page italic. *ahem* […]

BMW are sending their software updates unencrypted


The BMW i3 is an amazing electric car - let down by very shoddy software. That's a huge problem - software runs our lives and, if it is defective, it can ruin us. We used to have separate categories of device: washing machines, VCRs, phones, cars, but now we just have computers in different cases. […]

A School For Scandal


The UK's official web infrastructure is in a shockingly poor state. I've been doing some light digging into the security of UK Schools' websites. As I've written about ad nauseam, the Government takes almost no interest in the way some of its official websites are managed. The Department for Education is particularly inept when it […]

When GOVUK is NSFW


I don't particularly like picking on the security of Government websites. I do it a lot - but I always feel guilty about besmirching the good name of the many talented people who work in the Civil Service. Today's flaw, however, is a particularly basic mistake which simply shouldn't be allowed to happen by any […]

Responsible Disclosure - XSS Flaw at LetsSaveMoney.com


Another day, another bug! LetsSaveMoney.com is a "money saving" site. It offers discounts on a wide range of products and services, and is financed through affiliate marketing. My Trade Union, Prospect, has just launched a white-labelled "Members' Rewards" based on LetsSaveMoney - that's how I came across this bug. It's a depressingly familiar story - […]

Wildcard Email Domains and New TLDs


Nominet has, after much prevaricating, launched its latest money-grubbing venture plan to revolutionise the UK Internet industry. Rather than having fusty old example.co.uk or example.org.uk, businesses can go straight for example.uk - Mind = BLOWN! There are, of course, some obvious downsides to this plan. It's always been the case that people could register […]

Notes on Digital Surveillance


Earlier this year, I attended a lecture given by Alan Rusbridger - the outgoing editor of The Guardian - entitled "The World After Snowden." Held at Oxford University, and attended by journalists, technologists, and former spies - it was an exceptionally interesting talk and provoked a lively debate over dinner. In light of the publication […]