Minimum Viable XSS


Here's a fun little game for all the family! What is the minimum number of characters required to perform a successful XSS attack? Let's take an entirely theoretical example - suppose we have a site which echoes back user input without sanitising it. So a search for "<em>" turns the whole page italic. *ahem* […]

BMW are sending their software updates unencrypted


The BMW i3 is an amazing electric car - let down by very shoddy software. That's a huge problem - software runs our lives and, if it is defective, it can ruin us. We used to have separate categories of device: washing machines, VCRs, phones, cars, but now we just have computers in different cases. […]

A School For Scandal


The UK's official web infrastructure is in a shockingly poor state. I've been doing some light digging into the security of UK schools' websites. As I've written about ad nauseam, the Government takes almost no interest in the way some of its official websites are managed. The Department for Education is particularly inept when it […]

When GOVUK is NSFW


I don't particularly like picking on the security of Government websites. I do it a lot - but I always feel guilty about besmirching the good name of the many talented people who work in the Civil Service. Today's flaw, however, is a particularly basic mistake which simply shouldn't be allowed to happen by any […]

Responsible Disclosure - XSS Flaw at LetsSaveMoney.com


Another day, another bug! LetsSaveMoney.com is a "money saving" site. It offers discounts on a wide range of products and services, and is financed through affiliate marketing. My Trade Union, Prospect, has just launched a white-labelled "Members' Rewards" based on LetsSaveMoney - that's how I came across this bug. It's a depressingly familiar story - […]

Wildcard Email Domains and New TLDs


Nominet has, after much prevaricating, launched its latest money-grubbing venture plan to revolutionise the UK Internet industry. Rather than having fusty old example.co.uk or example.org.uk, businesses can go straight for example.uk - Mind = BLOWN! There are, of course, some obvious downsides to this plan. It's always been the case that people could register […]

Notes on Digital Surveillance


Earlier this year, I attended a lecture given by Alan Rusbridger - the outgoing editor of The Guardian - entitled "The World After Snowden." Held at Oxford University, and attended by journalists, technologists, and former spies - it was an exceptionally interesting talk and provoked a lively debate over dinner. In light of the publication […]

PGP Encrypt Twitter DMs with Keybase


This is a quick tutorial on how to encrypt your Twitter messages using PGP with the help of Keybase.io. I read an article yesterday which seemed to imply that Twitter was mangling PGP encrypted messages (albeit unintentionally). There is a minor bug in Twitter's web interface - but PGP seems to work perfectly in apps. […]

Virgin Media's Free WiFi Sharing Comes With A Cost


Virgin Media, the UK's semi-national cable broadband provider, is rolling out a WiFi sharing service - although it's not quite as altruistic as it may seem. Here's the email being sent to subscribers - followed by some commentary on what this means and whether it's a good idea for you to opt out. Let's ignore them […]