bolha.us

1 post1 participant0 posts today

Tim (Wadhwa-)Brown :donor:My cross-platform and cross-browser NTLM bug is public:<a href="https://issues.chromium.org/issues/40080133" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://issues.chromium.org/issues/40080133</a>Kudos to <a href="https://mastodon.social/@Bitquark" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@Bitquark</a> who reported it separately.Kudos also to <a href="https://mastodon.social/@torproject" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@torproject</a> and <a href="https://mastodon.social/@mozilla" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@mozilla</a> who did make efforts.<a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#security</a>, <a href="https://infosec.exchange/tags/wontfix" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#wontfix</a>, <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a>, <a href="https://infosec.exchange/tags/browserbug" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#browserbug</a>

Kevin Karhan :verified:<a href="https://infosec.exchange/@0x40k" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@0x40k</a> well, <a href="https://infosec.space/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Microsoft</a> to this day has a <a href="https://infosec.space/tags/Backdoor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Backdoor</a> in the <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CryptoAPI</a> that <a href="http://github.com/kkarhan/windows-ca-backdoor-fix" rel="nofollow noopener noreferrer" target="_blank">remains unfixed to this day</a>...<ul><li>And since Microsoft doesn't acknowledge the concept of <a href="https://infosec.space/tags/consent" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#consent</a> in <a href="https://infosec.space/tags/Windows" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Windows</a> (and doesn't even fake it!) and they are both <a href="https://infosec.space/tags/PRISM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PRISM</a> collaborators AND subject to <a href="https://infosec.space/tags/CloudAct" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CloudAct</a>, they <a href="https://infosec.space/tags/CantFix" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CantFix</a> & <a href="https://infosec.space/tags/WontFix" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WontFix</a> it!</li></ul>

Erik van Straten<a href="https://infosec.exchange/@zak" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@zak</a> <a href="https://fosstodon.org/@zenbrowser" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@zenbrowser</a> : a still unfixed vulnerability: if NOT using Touch ID, on some websites you may be able to sign in using a passkey WITHOUT authenticating locally - using biometrics or your passcode (screen unlock code).⛓️‍💥 This vulnerability also exists WITH Touch ID set up, provided that "Password Autofill" is disabled.BTW this vulnerability also permits access to: • <a href="https://icloud.com" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://icloud.com</a> • <a href="https://account.apple.com" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://account.apple.com</a> (When asked to provide your fingerprint, tap the X at the top right and tap in the "Email" field one more time).This is a HUGE risk for people who do not want to use biometrics: if a thief grabs their iPhone when unlocked, or watches them enter their passcode and later steals their iPhone, the thief can use ALL of the owner's passwords and some of their passkeys stored in the "Passwords" app (formerly known as iCloud Keychain).🎬 This increases the risks of theft as shown by WSJ's Joanna Stern in <a href="https://youtube.com/watch?v=QUYODQB_2wQ" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://youtube.com/watch?v=QUYODQB_2wQ</a>.👶 In addition, a (grand) child or anyone else who (shortly) borrows your iPhone/iPad may have access to more of your cloud-accounts than you're aware of.🔧 Workaround if you don't want to use biometrics to unlock your iPhone/iPad (this does not fix any problem if a thief learns (or successfully guesses) your passcode (screen unlock PIN or password):• Set up a Touch ID anyway, for example for your left pinky finger (if you're righthanded)• Disable "iPhone Unlock" in "Touch ID and Passcode" (visible in the first screenshot).• Use a safer password manager (such as KeePassium) than the Apple "Passwords" app (iCloud KeyChain).🚨 In any case:• Make sure that "Password Autofill" (in settings -> "Touch ID and Passcode") is set to ENABLED;• When you enter your passcode in a public place (such as a bar, bus or train), make very sure that nobody gets to see you enter it.<a href="https://infosec.exchange/tags/iPhone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iPhone</a> <a href="https://infosec.exchange/tags/iPad" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iPad</a> <a href="https://infosec.exchange/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Vulnerability</a> <a href="https://infosec.exchange/tags/Apple" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Apple</a> <a href="https://infosec.exchange/tags/WontFix" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WontFix</a> <a href="https://infosec.exchange/tags/iOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iOS</a> <a href="https://infosec.exchange/tags/iPadOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iPadOS</a> <a href="https://infosec.exchange/tags/passkeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#passkeys</a> <a href="https://infosec.exchange/tags/pasdwords" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pasdwords</a> <a href="https://infosec.exchange/tags/credentials" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#credentials</a> <a href="https://infosec.exchange/tags/iCloudKeychain" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iCloudKeychain</a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a> <a href="https://infosec.exchange/tags/Theft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Theft</a> <a href="https://infosec.exchange/tags/SecurityRisk" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SecurityRisk</a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Impersonation</a>

Kevin Karhan :verified:<a href="https://gruene.social/@max" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@max</a> To <a href="https://gruene.social/@max/113872018769294131" rel="nofollow noopener noreferrer" target="_blank">quote you directly</a>:<blockquote>"[...] easy to use solutions that are at the same time private and secure. [...]"</blockquote><ul><li>The fact that <a href="https://mastodon.world/@signalapp" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@signalapp</a> requires <a href="https://infosec.space/tags/PII" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PII</a> like a <a href="https://infosec.space/tags/PhoneNumber" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PhoneNumber</a> which more often than not cannot be legally acquired anonymously makes it not <a href="https://infosec.space/tags/private" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#private</a>. </li></ul>It is easier, faster, cheaper and overall simpler to get someone setup with <a href="https://infosec.space/tags/XMPP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#XMPP</a> + <a href="https://infosec.space/tags/OMEMO" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OMEMO</a> espechally if they don't have a <a href="https://infosec.space/tags/PhoneNumber" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PhoneNumber</a> and/or <a href="https://infosec.space/tags/ID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ID</a> to acquire a <a href="https://infosec.space/tags/SIM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SIM</a>. And if you go and say, "Just buy a [insert country here] [e]SIM!" and expect <a href="https://infosec.space/tags/TechIlliterates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#TechIlliterates</a> without a <a href="https://infosec.space/tags/CreditCard" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CreditCard</a>, <a href="https://infosec.space/tags/PayPal" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PayPal</a> or other means of <a href="https://infosec.space/tags/OnlinePayment" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OnlinePayment</a> to fiddle around with some <a href="https://infosec.space/tags/eSIM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eSIM</a> if not having to get some <a href="https://infosec.space/tags/eSIMcard" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eSIMcard</a> because they can only afford to maintain one SIM and can't spend triple-digits on a new devices then you completely missed the point!<ul><li>I can much faster and easier get TechIlliterates setup show them around - either in a <a href="https://mastodon.earth/@cryptoparty" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@cryptoparty@mastodon.earth</a> / <a href="https://chaos.social/@cryptoparty" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@cryptoparty@chaos.social</a> / <a href="https://infosec.space/tags/CryptoParty" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CryptoParty</a> - style <a href="https://infosec.space/tags/classroom" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#classroom</a> / <a href="https://infosec.space/tags/seminar" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#seminar</a> or 1:1 tutoring than I can legally acquire and activate a new SIM in <a href="https://infosec.space/tags/Germany" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Germany</a> [since 07/2017]...</li></ul>It's not that I expect anyone to get <a href="https://infosec.space/tags/TechLiterate" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#TechLiterate</a> within minutes, but similar to setting up a cordless DECT phone it's something one has to do once in 5 years and just have them put the password in a safe spot to retain... Point is that <a href="https://infosec.space/tags/Signal" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Signal</a> <a href="https://infosec.space/tags/WontFix" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WontFix</a> their setup and that was evidently clear even before <a href="https://mastodon.world/@Mer__edith" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@Mer__edith</a> succeeded <a href="https://infosec.space/tags/MoxieMarlinspike" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MoxieMarlinspike</a>: Their entire operation has a distinct <a href="https://infosec.space/tags/CryptoAG" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CryptoAG</a> stench as it's an <a href="https://infosec.space/tags/unsustainable" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#unsustainable</a> <a href="https://infosec.space/tags/VCmoneyBurning" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#VCmoneyBurning</a> party!<ul><li><a href="https://infosec.space/tags/CloudAct" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CloudAct</a> and the <a href="https://infosec.space/tags/NOBUS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NOBUS</a> <a href="https://en.wikipedia.org/wiki/NOBUS#Criticism" rel="nofollow noopener noreferrer" target="_blank">hegemony</a> ain't something that just got executed now (neither was <a href="https://infosec.space/tags/GDPR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#GDPR</a> & <a href="https://infosec.space/tags/BDSG" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BDSG</a>!)... </li></ul>A counterexample on how this could've been done are <a href="https://infosec.space/tags/Tor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Tor</a>, <a href="https://infosec.space/tags/eMail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eMail</a> and other truly <a href="https://infosec.space/tags/OpenSource" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OpenSource</a> as in <a href="https://infosec.space/tags/MultiVendor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MultiVendor</a> & <a href="https://infosec.space/tags/MultiProvider" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MultiProvider</a> standards. <ul><li>NOTHING compells Signal to <a href="https://en.wikipedia.org/wiki/Signal_(software)" rel="nofollow noopener noreferrer" target="_blank">demand PII</a>, run a <a href="https://infosec.space/tags/Shitcoin" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Shitcoin</a> <a href="https://infosec.space/tags/Scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Scam</a> <a href="https://en.wikipedia.org/wiki/Signal_(software)#In-app_payments" rel="nofollow noopener noreferrer" target="_blank">aka.</a> <a href="https://infosec.space/tags/MobileCoin" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MobileCoin</a> that even seasoned <a href="https://infosec.space/tags/TechLiterates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#TechLiterates</a> and <a href="https://infosec.space/tags/CryptoBros" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CryptoBros</a> <a href="https://www.youtube.com/watch?v=0DSGq9FQKU4" rel="nofollow noopener noreferrer" target="_blank">can't setup properly</a>, and in fact Signal using <a href="https://en.wikipedia.org/wiki/Signal_(software)#Controversial_use" rel="nofollow noopener noreferrer" target="_blank">phone numbers makes it trivial to discriminate against users and easier for them to identify them</a>!</li><li>If <a href="https://infosec.space/@kkarhan/113869305765533809" rel="nofollow noopener noreferrer" target="_blank">my reasoning</a> didn't resonate with you, then try helping i.e. undocumented migrants aka. "<a href="https://infosec.space/tags/SansPapier" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SansPapier</a>|s" to get setup with it without violating laws and/or ToS and/or needing an imported SIM which I'm shure most folks don't have on hand!</li></ul>Whereas it's trivial to get people setup on <a href="https://github.com/greyhat-academy/lists.d/blob/main/xmpp.servers.list.tsv" rel="nofollow noopener noreferrer" target="_blank">one of many XMPP servers I've personally tested</a>!<ul><li>Not to mention clients like <a href="https://monocles.social/@monocles" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@monocles</a> / <a href="https://infosec.space/tags/monoclesChat" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#monoclesChat</a> and <a href="https://fosstodon.org/@gajim" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@gajim</a> / <a href="https://infosec.space/tags/gajim" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#gajim</a> are way more user-friendly and unlike Signal can also work perfectly fine over <a href="https://infosec.space/tags/Tor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Tor</a>, including <a href="https://infosec.space/tags/OnionServices" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OnionServices</a> as endpoints. </li></ul>AFAIK Signal doesn't even have an <a href="https://infosec.space/tags/OnionService" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OnionService</a> / <a href="https://en.wikipedia.org/wiki/.onion" rel="nofollow noopener noreferrer" target="_blank"><code>.onion</code></a> for their Website, much less any <a href="https://infosec.space/tags/API" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#API</a> enpoints to use it with!<ul><li>Them relying on <a href="https://infosec.space/tags/ClownFlare" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ClownFlare</a> is just something that makes them even more <a href="https://infosec.space/tags/sus" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#sus</a> as there is <a href="https://en.wikipedia.org/wiki/Cloudflare#Controversies" rel="nofollow noopener noreferrer" target="_blank">no legitimate reason</a> to use a <a href="https://infosec.space/tags/RogueISP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RogueISP</a> like that.</li></ul> You're free to also provide evidence and supporting data to your arguments, rather then neighsaying against proven to be more secure and reliable [by virtue of decentralization] options like XMPP+OMEMO and/or <a href="https://infosec.space/tags/PGP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PGP</a>/MIME. <ul><li>What gets my blood boiling is the constant <a href="https://infosec.space/tags/disinfo" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#disinfo</a> by <a href="https://mstdn.social/@rysiek/113868777937162686" rel="nofollow noopener noreferrer" target="_blank">Signal</a> <a href="https://mstdn.social/@rysiek/113869169340313254" rel="nofollow noopener noreferrer" target="_blank">Fanboys</a> like <a href="https://mstdn.social/@rysiek" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@rysiek</a> who sell it like <a href="https://infosec.space/tags/DigitalSnakeoil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DigitalSnakeoil</a> akin to <a href="https://infosec.space/tags/AntivirusSoftware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AntivirusSoftware</a>, because it's at best "<a href="https://infosec.space/tags/TechPopulism" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#TechPopulism</a>" and at worst <a href="https://infosec.space/@agturcz@circumstances.run/113868748895262202" rel="nofollow noopener noreferrer" target="_blank">will mislead "TechIlliterates"</a> with a <a href="https://infosec.space/@kkarhan/113868987217053362" rel="nofollow noopener noreferrer" target="_blank">false sense of security</a>, which in turn puts more users at risk.</li></ul>The proper fix is to actually assess the situation and acknowledge the risks and limitations as well as the very nature of communications, which means upgrading later is exponentially more painful, thus getting people properly setup once is way easier.<ul><li>Just because WE [ or rather <a href="https://mstdn.social/@rysiek" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@rysiek</a> in this case ] rather privilegued enough to not be hatecrimed in their current location doesn't mean this is the case for everyone. And having places like Signal rely on a "<a href="https://infosec.space/tags/CDN" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CDN</a>" is just another red flag to me because questions like <a href="https://circumstances.run/@agturcz/113866980398547492" rel="nofollow noopener noreferrer" target="_blank">this one</a> just don't arise with <a href="http://monocles.chat" rel="nofollow noopener noreferrer" target="_blank">monocles.chat</a> as people can just exercise proper <a href="https://infosec.space/tags/SelfCustody" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SelfCustody</a> and just use Tor!</li></ul>Speaking of <a href="https://infosec.space/tags/monocles" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#monocles</a>: That business is at least <a href="https://infosec.space/tags/sustainable" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#sustainable</a> because it's funded by users <a href="https://store.monocles.eu/produkt/monocles-starter-account/" rel="nofollow noopener noreferrer" target="_blank">(€2 p.m.)</a> which they can <a href="https://monocles.eu/more/#payment-section" rel="nofollow noopener noreferrer" target="_blank">pay anonymously</a>

Kevin Karhan :verified:<a href="https://zirk.us/@istuetzle" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@istuetzle</a> tue ich...Und wer sich drüber aufregt soll mir entfolgen und/oder deren <a href="https://infosec.space/tags/client" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#client</a> rekonfigurieren!<a href="https://infosec.space/tags/wontfix" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#wontfix</a> <a href="https://infosec.space/tags/ProblemSolved" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ProblemSolved</a>

Kevin Karhan :verified:<a href="https://mk.absturztau.be/@GNUxeava" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@GNUxeava</a> <a href="https://mk.absturztau.be/@puniko" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@puniko</a> just configure your client properly to not display a <a href="https://infosec.space/tags/hashtag" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#hashtag</a> as such.<ul><li>If it can do that, nag the devs until they make that possible!</li></ul><a href="https://infosec.space/tags/NotMyProblem" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NotMyProblem</a> <a href="https://infosec.space/tags/CantFix" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CantFix</a> <a href="https://infosec.space/tags/WontFix" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WontFix</a>

Recent searches

Search options

Administered by:

Server stats:

#wontfix