I stared at my TOTP generator. Surely this must be a bug? Leap Year related? Or a cold-start error? Or some freaky prank? How could my login code be 000000?!?! A standard TOTP code is normally 6 digits long. There are a million combinations, from 000000 to 999999. A million isn't a particularly big number. A million seconds is about 12 days. A TOTP code changes every 30 seconds. Assuming the…
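To make the arithmetic in the post concrete, here is a working HOTP/TOTP implementation (RFC 4226 / RFC 6238) written as an added example for this page; it is not code from the original post or from any authenticator app. The secret and the timestamps are the RFC 6238 Appendix B test vectors, not anyone's real credentials. It shows that 000000 is just one of the 10^6 equally likely outputs of the truncation step, that a correct generator keeps the leading zeros (`zfill`) rather than displaying "0", and what a verifier that accepts a one-step clock skew looks like.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP, added example (not the original post's code).
SECRET and the timestamps used below are the RFC 6238 Appendix B test vectors."""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226 / 6238 SHA-1 test secret, not a real key


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, dynamic truncation
    (RFC 4226 section 5.3), then reduce mod 10^digits and KEEP leading zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte
    dbc = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(dbc % 10 ** digits).zfill(digits)             # "5924" -> "005924"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter = whole time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def expected_seconds_until_code(code: str = "000000", step: int = 30) -> int:
    """Each window's code is uniform over 10^d values, so any specific code
    (000000 included) turns up on average once every 10^d windows."""
    return 10 ** len(code) * step                            # 30,000,000 s, about 347 days


def is_valid_code(secret: bytes, candidate: str, unix_time: int, step: int = 30,
                  skew: int = 1, digits: int = 6) -> bool:
    """Verifier side: accept the code for the current window or `skew` windows
    either side. Comparison is constant-time per candidate; 000000 gets no
    special treatment in either direction."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, c, digits), candidate)
               for c in range(counter - skew, counter + skew + 1))


if __name__ == "__main__":
    for t in (59, 1234567890):
        print(t, totp(SECRET, t))
    print("expected wait for 000000 (days):", expected_seconds_until_code() / 86400)
```

A real verifier also needs to remember the last counter it accepted for each user so a code cannot be replayed inside the skew window; that bookkeeping is left out here to keep the example focused on the generation step.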
The HTML5 specification is complicated. I've been an author on it, and even I couldn't tell you all the weird little gotchas it contains. Between that and "idiosyncratic" browser engines, it's a wonder the world wide web works at all. Let's talk about the humble <meta> element. As its name suggests, it contains metadata about the document. A typical element might look like this: <meta…
Here's something I didn't know - but should have, because it's obvious... Your screen's auto-brightness depends on your webcam. If, like me, you have a privacy cover - this happens: https://shkspr.mobi/blog/wp-content/uploads/2020/02/WebCamp-Cover.mp4 The MacBook I'm using doesn't have any lux sensors that I can see - most phones have a separate sensor which means the camera isn't in use all…
tl;dr

Google forgot to renew a domain used in their documentation. It was mildly embarrassing for them. And possibly a minor security concern for some new G-Suite domain administrators.

Background

Choosing a good example domain, to use in documentation, is hard. You want something which is obviously an example, so that users understand they have to substitute it for their own details. But…
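The safe answer to "which example domain?" is one that can never be registered. As an added example (not Google's tooling and not from the original post), the following lint flags every domain in a documentation snippet that is not in the reserved set from RFC 2606 (example.com/.net/.org and the .example, .test, .invalid and .localhost TLDs, also listed in RFC 6761). The sample document is constructed; the domain it flags is made up for the demonstration.

```python
"""Documentation example-domain lint, added example (not the original post's code).
Reserved names per RFC 2606 / RFC 6761; anything else is registrable by a third
party once the original registrant lets it lapse."""
import re

RESERVED_SLDS = {"example.com", "example.net", "example.org"}
RESERVED_TLDS = {"example", "test", "invalid", "localhost"}

# Hostname-ish tokens: one or more labels followed by an alphabetic TLD.
DOMAIN_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I)


def is_reserved_example_domain(domain: str) -> bool:
    """True for example.com and its subdomains, and for anything under a reserved TLD."""
    labels = domain.lower().rstrip(".").split(".")
    if labels[-1] in RESERVED_TLDS:
        return True
    return ".".join(labels[-2:]) in RESERVED_SLDS


def find_unreserved_domains(doc: str) -> list:
    """Domains in `doc` that a reader could be sent to, in order of first appearance."""
    seen, flagged = set(), []
    for match in DOMAIN_RE.finditer(doc):
        domain = match.group(0).lower()
        if domain in seen or is_reserved_example_domain(domain):
            continue
        seen.add(domain)
        flagged.append(domain)
    return flagged


# Constructed sample: two reserved placeholders and one registrable domain.
SAMPLE_DOC = """
Set your primary domain to yourcompany.example and point MX records at
mail.example.com. Older copies of this guide used acme-widgets.com as the
placeholder, e.g. in the verification step.
"""

if __name__ == "__main__":
    for d in find_unreserved_domains(SAMPLE_DOC):
        print("not reserved, someone can register it:", d)
```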
Thames Water seem to love giving me a new account number each month. That would be fine, but each time they do, I have to manually add that number to my online account. I'm bored of being their data-entry monkey. So, when they rang today, I told them that I expected them to update my account. We had the normal back-and-forth and "let me speak to your manager" that accompanies anything deviating …
Here's a quick write-up of a minor XSS (Cross Site Scripting) vulnerability on the website of Three.co.uk - one of the UK's mobile providers. A brief recap... Most websites have a search function. If you search for something which cannot be found, the site will often say "No results found for XYZ." If we can convince the search engine to spit out HTML, we can inject malicious content into…
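The "No results found for XYZ" pattern is a textbook reflected XSS sink. As an added example (this is not Three.co.uk's code, and the templates and probe string are constructed here), the following shows the vulnerable rendering next to the fixed one, plus the check a tester runs: does the probe come back byte-for-byte, or HTML-encoded?

```python
"""Reflected search-term XSS: vulnerable and fixed rendering, added example
(not the original post's code, not the site's code). Templates are constructed."""
import html

# Constructed probe: breaks out of a quoted attribute and opens a tag.
# alert(1) is a visible marker, not a payload that does anything useful.
PROBE = '"><img src=x onerror=alert(1)>'


def render_no_results_vulnerable(query: str) -> str:
    # The classic bug: the raw search term is concatenated into the page.
    return f'<p class="notice">No results found for "{query}".</p>'


def render_no_results_safe(query: str) -> str:
    # Fix: encode for the HTML text context it lands in. quote=True also
    # encodes " and ', so the same helper is safe inside attribute values.
    return f'<p class="notice">No results found for "{html.escape(query, quote=True)}".</p>'


def reflects_unescaped(page: str, probe: str = PROBE) -> bool:
    """True if the probe survived intact, i.e. the browser will parse it as markup.
    A correctly encoded page contains &lt;img ... instead."""
    return probe in page


def demo():
    """Returns (vulnerable_reflects, fixed_reflects)."""
    return (reflects_unescaped(render_no_results_vulnerable(PROBE)),
            reflects_unescaped(render_no_results_safe(PROBE)))


if __name__ == "__main__":
    print(render_no_results_vulnerable(PROBE))
    print(render_no_results_safe(PROBE))
```

Encoding is context-specific: this helper is right for HTML text and attribute values, but a search term echoed into a `<script>` block or a URL needs JavaScript-string or URL encoding instead. A Content-Security-Policy that blocks inline script limits the damage but does not fix the bug.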
Like all security minded people, I use a unique email address for every service I sign up to. This week, I noticed I had started receiving spam to an email address associated with my Join.me account. Join.me is a screen sharing service now owned by LogMeIn. I signed up for a trial of Join.me back in 2012(!) and as far as I'm aware, never used it again. Checking my records, this piece of spam…
I use a password manager. I have 2FA set up on everything. When an organisation asks me to set a recovery question, I generate a 32 character passphrase. I don't use my mother's maiden name or my first pet's birthday on anything sensitive. I monitor my email addresses for breaches, and I regularly check my credit file. I'm doing everything a geek can to protect their online life. Is it enough? …
How can you quickly tune up your computer security? Dan Raywood - Contributing Editor at Infosecurity Magazine - shares his wisdom with us. If you're interested in an open source password manager, I'm happy to personally recommend BitWarden. 🎵 Intro music "Gran Vals" performed by Bria…
Last week I wrote about how I had 800 passwords in my password manager. It was intended to highlight the ridiculous proliferation of online services, and how redecentralising identity comes with a manageability problem. I now want to talk about 2FA - Two-Factor Authentication - the random codes you have to type in every time you log in somewhere secure. This week, I've moved all my 2FA tokens…
I've started using BitWarden - the open source password manager. As I've been binge-watching Marie Kondo, I thought it was about time that I deleted all the accounts that I no longer use. I got rid of dozens related to previous employers. I hope the passwords wouldn't work after I left but 🤷‍♂️. I scanned through the list and deleted old bank details, failed social networks, and obvious duplic…
I've just got a set of wearable NFC tags, and I've discovered something interesting about the way data is stored on them.

tl;dr Overwriting a tag can leave old data intact, and still readable.

Here's the decoded memory layout of a tag with data written to it. In this case, a (failed) experiment at storing a JavaScript pop-up.

# NDEF message:
[00] D1 01 7D 55 00 64 61 74 61 3A 74 65 78 74 2F 68 …
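Decoding that first header byte explains the dump: D1 is MB|ME|SR with TNF=1 (NFC Forum well-known type), 01 is the type length, 7D the payload length (125), 55 is the type "U" (URI record) and the 00 that follows is the "no prefix" URI identifier code, so the payload is a literal data:text/h… URI. The following is an added example (not the author's tooling) that decodes NDEF records and the TLV chain of a Type 2 tag's user memory, and models the overwrite problem: a writer that only rewrites the pages the new, shorter message occupies leaves the tail of the old message sitting after the terminator, where any tool that dumps raw memory can still read it. The 144-byte tag size, the two messages and the two writer behaviours are constructed assumptions.

```python
"""NDEF record / Type 2 tag TLV decoder with an overwrite model. Added example,
not the original post's code. Tag size and messages are constructed."""

# Record header flag bits (NFC Forum NDEF 1.0, section 3.2)
MB, ME, CF, SR, IL = 0x80, 0x40, 0x20, 0x10, 0x08
TNF_WELL_KNOWN = 0x01
URI_PREFIX = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
              0x03: "http://", 0x04: "https://"}
TLV_NULL, TLV_NDEF, TLV_TERMINATOR = 0x00, 0x03, 0xFE
USER_MEMORY = 144  # constructed: a 144-byte Type 2 tag, all zeros when fresh


def decode_header(byte: int) -> dict:
    """Split a record's first byte; 0xD1 is MB|ME|SR with TNF=1 (well-known)."""
    return {"MB": bool(byte & MB), "ME": bool(byte & ME), "CF": bool(byte & CF),
            "SR": bool(byte & SR), "IL": bool(byte & IL), "TNF": byte & 0x07}


def build_uri_record(uri: str, prefix_code: int = 0x00) -> bytes:
    """Single short-record URI record: header, type len, payload len, 'U', payload."""
    payload = bytes([prefix_code]) + uri.encode()
    if len(payload) > 255:
        raise ValueError("short record payload limit exceeded")
    return bytes([MB | ME | SR | TNF_WELL_KNOWN, 1, len(payload)]) + b"U" + payload


def parse_records(msg: bytes) -> list:
    """Walk records until the one flagged ME (message end)."""
    records, i = [], 0
    while i < len(msg):
        hdr = decode_header(msg[i]); i += 1
        type_len = msg[i]; i += 1
        if hdr["SR"]:
            payload_len = msg[i]; i += 1
        else:
            payload_len = int.from_bytes(msg[i:i + 4], "big"); i += 4
        id_len = 0
        if hdr["IL"]:
            id_len = msg[i]; i += 1
        rtype = msg[i:i + type_len]; i += type_len
        i += id_len                                   # skip the ID field
        payload = msg[i:i + payload_len]; i += payload_len
        rec = {"tnf": hdr["TNF"], "type": rtype, "payload": payload}
        if hdr["TNF"] == TNF_WELL_KNOWN and rtype == b"U" and payload:
            rec["uri"] = URI_PREFIX.get(payload[0], "") + payload[1:].decode("utf-8", "replace")
        records.append(rec)
        if hdr["ME"]:
            break
    return records


def ndef_tlv(msg: bytes) -> bytes:
    """NDEF Message TLV (1-byte length form) followed by the Terminator TLV."""
    if len(msg) >= 0xFF:
        raise ValueError("use the 3-byte length form for messages this long")
    return bytes([TLV_NDEF, len(msg)]) + msg + bytes([TLV_TERMINATOR])


def write_minimal(memory: bytes, msg: bytes) -> bytes:
    """Typical writer: only the pages the new TLV needs are rewritten; everything
    after the terminator keeps whatever the tag held before."""
    tlv = ndef_tlv(msg)
    return tlv + memory[len(tlv):]


def write_and_wipe(memory: bytes, msg: bytes) -> bytes:
    """Defensive writer: zero-fill the rest of user memory so nothing old survives."""
    tlv = ndef_tlv(msg)
    return tlv + bytes(len(memory) - len(tlv))


def parse_tag_memory(memory: bytes):
    """Walk the TLV chain the way a reader does. Returns (records, bytes after
    the terminator); a reader ignores the second part, a memory dump does not."""
    records, i = [], 0
    while i < len(memory):
        t = memory[i]
        if t == TLV_NULL:
            i += 1; continue
        if t == TLV_TERMINATOR:
            i += 1; break
        length = memory[i + 1]; i += 2
        if length == 0xFF:                                # 3-byte length form
            length = int.from_bytes(memory[i:i + 2], "big"); i += 2
        value = memory[i:i + length]; i += length
        if t == TLV_NDEF:
            records.extend(parse_records(value))
    return records, memory[i:]


def demo():
    """Write a long record, overwrite with a shorter one two ways, decode both."""
    long_msg = build_uri_record("data:text/html,<script>alert(1)</script>")
    short_msg = build_uri_record("shkspr.mobi/blog/", 0x04)
    fresh = write_and_wipe(bytes(USER_MEMORY), long_msg)
    return parse_tag_memory(write_minimal(fresh, short_msg)), \
        parse_tag_memory(write_and_wipe(fresh, short_msg))
```

Both versions present the same single record to a conforming reader; only the raw dump differs. If a tag ever carried something sensitive, rewrite the whole user area (or lock the tag) rather than trusting the terminator.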