* Posts by NikNakk

6 publicly visible posts • joined 8 Sep 2015

Shine on: Boffins bedazzle Alexa and her voice-controlled assistant kin with silent laser-injected commands

NikNakk

Re: This is news?

Ars Technica and Wired published articles on this 9 months ago:

https://www.wired.com/story/lasers-hack-amazon-echo-google-home/

https://arstechnica.com/information-technology/2019/11/researchers-hack-siri-alexa-and-google-home-by-shining-lasers-at-them/

Remember when we warned in February Apple will crack down on long-life HTTPS certs? It's happening: Chrome, Firefox ready to join in, too

NikNakk

Re: Is there any advantage left by using commercial certs?

Great though Let’s Encrypt is, it does not offer Organization Validated or Extended Validation certificates. Commercial organisations that want to have those (particularly the latter, which shows up differently in many browsers) will need to keep buying commercial certificates. For the rest of us, Let’s Encrypt seems to work really well and makes configuring HTTPS on supported web servers pretty painless.

Security bods disclose lock bypass bug in iOS

NikNakk

The article on full disclosure makes it clear that this only works on the iPhone 6S/6S Plus since it relies on 3D Touch. Those of us with older hardware aren't affected. It's also worth noting that the phone the FBI were trying to access was an iPhone 5C.

Little warning: Deleting the wrong files may brick your Linux PC

NikNakk

Re: So, exactly...

As has been stated, these are not files on your hard drive. Doing a wipe of the hard drive using a partition manager won't touch them. The problem comes with trying to wipe the contents of a virtual file system that is mapped to the firmware variables.

Australian government urges holidaymakers to kill two-factor auth

NikNakk

Re: 2FA is so poorly supported

PayPal make it difficult, but it is possible to use 2FA on mobile.

Firstly, you have to use device-based 2FA rather than SMS. You can get a physical key, but I use the VIP Access mobile app on iOS. There are details (with slightly out-of-date screenshots) at https://www.paypal-community.com/t5/Tips-from-Moderators/PayPal-Security-Key/td-p/433633 .

Then, when using it on mobile, you have to enter your password and then the 6 digit code from the device or app **appended** onto the end of the password.

So if your password was 'fasd91"kfasP' and the 6 digit code was '913763' you'd type 'fasd91"kfasP913763' as your password.

Gloves on as Googler deposits foul zero-day on Kaspersky lawn

NikNakk

To be fair to Kaspersky, the fix was announced and deployed within 24 hours of disclosure, and for end-users with automatic updates enabled (as they are by default), the patch will have been in place before this article was published. It also seems that Ormandy's public disclosure was sufficiently vague to have made exploitation in that brief window unlikely.

Given that almost all software will be found at some point to have security vulnerabilities, if anything Kaspersky's rapid response has increased my respect for the company.