Posts by brotherelf 285 publicly visible posts • joined 16 Jun 2014
> They would have to steal your hopfully protected private key...
Well yes. The certificate is public anyway, the common parlance of "compromised certificate" can be a bit misleading there. (And no, a new certificate does not mean it must be a new private key.)
The extent to which you can protect the private key can be limited on servers you want to restart without human interaction.
>> Apple clearly wants to avoid an ecosystem that cannot quickly respond to major certificate-related threats
> Not that clear - if there's a major certificate-based threat then 1 year is absurdly long.
They have a point, in a very roundabout way – remember the joke about the clock flashing on your microwave because you just can't be arsed to read up how to set it and you forgot from the last time around and you think it's really not that important? That's what certificate hygiene is. Wait till it fails, tell the customer to click ok, find out the guy who did it the last time retired, and then find out how to do it yourself, and forget until next time. Until it's frequent enough for you to actually learn (or automate away).
How is it a pain? Don't ask me, ask the people running dnssec-tools.org or mozilla add-on update servers, those being two examples that come to my mind of sites that ran around with expired LE certs for quite a while.
It's a fun sport if you're so inclined: compare the certificates in use with the public ledger of issued certificates. If the auto-renew doesn't work, who knows what else doesn't work on those servers.
Well, there is nothing that stops browsers from implementing relaxed rules for certain TLDs, for example the ones reserved for documentation and internal purposes, in particular when they resolve to RFC1918 IPs. (Chrome has a flag for that for localhost, IIRC.) Then you'd just need the use the domains you're supposed to use for this kind of thing, and you'd be set.
Wow would I be "happy" to pay 80€ every five years for a new passport. I think the fastest way through the checks is still to go to the machine, fail the test, and then go to the counter which does not handle the normal queues but only the express lane and the rejects from the automatic machine.
OTOH, the machine at ABZ let me in, even if it took long enough to verify the picture that I'm pretty sure that's farmed out to those companies that otherwise farm money in online games and solve captchas for spammers.
"which you then ignore as part of your daily checks"
FTFY. Because yup, I get that kind of mail, and 80% of the entries are stuck on "error" and I'm in no position to fix them and even when I tell the person responsible to fix it, I don't know how long it will take until it actually is fixed. Red tape at its flypapery best.
Well, the corporate attitude to the law is easy: the question is not whether it's legal or not. The question is whether the expected (in the stochastical sense) fine is larger or smaller than the extra revenue it generated.
(Do we have court decisions already on whether breach of GDPR falls under unfair business practices? Because which end user is going to go and bring the charges against GitLab?)
Which is why there'll be a flag for "culturally appropriating", most likely. And AIs to train for that, probably. Because surely the reason we've not solved the social problem of people being rude assholes by technical means is that we've just not tried hard enough.
Sorry, if it doesn't have an adjustable iteration count, it's not a modern password hash algorithm.
(And no, I don't make the individual UX/load/security tradeoff for every individual machine either, even though for local auth on a desktop, where the password is checked only on login/unsuspend/screenunlock, I could easily set the iteration count to the equivalent of half a second without any serious effect.)
> Nobody I ever met believes that Fermat really had a proof.
I'm not much of a believer in afterlife, but I get a chuckle out of the idea that Fermat's corner of hell, for whatever reasons, is everybody recognizing him, looking at his proof in the margin, and going "you forgot a minus at the beginning there, mate".
I hate to tell you, but there's protocols that are actually somewhat underspecified in terms of what encoding the password should be in, effectively reducing you to 7bit ASCII as common denominator. (HTTP Auth, I'm looking at you.)
And your hash-in-the browser scheme is somewhat flawed: whatever you give the service to recognize you by, that's de facto the password. The server can't tell if you use 2000 rounds of bcrypt every time to derive it from your first pet's maiden name or if it's just wgo4387gwheo34 by chance and you send that directly. Yes, you can build something like "Server tells the client to run X iterations, server runs N-X iterations and only has the N-iteration hash on file", which is basically challenge-response, but frankly, the answer to "the service has something like my password" is public key crypto, and that's even baked into TLS (client auth), and HTML5 had extra support for that by way of the keygen element, but browsers are actively removing those capabilities, and the UI was always pretty horrible, and server-side, it was always a bit of a dark art.
Possibly. "This endpoint allows you to retrieve a live feed of absolutely all uploaded files to VirusTotal, and download them for further scrutiny, along with their full reports."
It's not part of the free public API, but I've not investigated what amount of background checks they do for access to the for-pay private API.
I'll grant them this: CAA is a time-of-issue check done by good-faith actors (with working software – not everybody's is). Once the certificate has been issued by whoever, CAA doesn't mean anything.
And CT is along the same lines: a public time-of-issue message published by good-faith actors. Yes, doing that might be a pre-requisite for getting into root certificate stores. Do we have technical certitude that $bigCA does not have mechanisms to bypass CT, if a three-letter agency with signed warrants compels them? No. (It would be in their own interest, though, to make it technically impossible.)
The thing you are looking for is the now-defunct (Chrome dropped support, Edge did not get support so far) HPKP HTTP public key pinning, which did not take off, because it actually forces you to think about what you're doing for two minutes, or otherwise your website will be unreachable for long timeframes if you are unprepared for a key change. (Also, technically it had a TOFU risk.) The hordes of "I click deploy on cloud" have overrun the greybeards.
I'm sure it's handled as "anonymized quality control" in para 437 of the privacy statement that "you" had to agree on after you've already bought and paid for the device. (Whatever happened to the shrinkwrap EULA cases of the 90s?)
The other pertinent question, of course, is: does that imply consent by anybody in earshot? I see a future of "to opt out, please have a Genuine Google Android device with Bluetooth enabled on you at all times. This is necessary to transmit your opt-out decision to the device. Your location data may be stored and processed for privacy and quality control purposes."
I am fairly certain we can get "using voice-activated assistants in public spaces violates GDPR" quite easily, but that hammer might fall on the owner of the device, not the company that makes it, unless somebody pulls quite stunning tricks around how you've only licensed rights to use the software and don't own it.
I remember my compsci teacher looking over my shoulder, seeing me reading a nethack newsgroup, and telling me "I don't mind, but others might, be a bit less flagrant about it". But new posters who didn't bother to read first made that mistake, too, including the one guy whose lawyer father received a printout of the post by mail. (At that time, the provider would use the phone number as part of the message id, or something like that, and reverse phone search already existed.)
And the capital-S Shun you got in de.* if you dared post with an obvious pseudonym.
And the scary devil monastery.
Memories. My beard feels grey now.
Why, that already happened, when it got turned off-by-default in Windows long ago.
FWIW, I'm surprised that "we'll ship a different default config" warrants an article. Reading the leader, I expected it to be "this is now a compile-time switch that defaults to off", and frankly, I'd be not surprised at all if all major distros already ship a stronger default config.
Somebody tried that gmail "confidential message" feature on me a couple weeks back. And what do you know, it ticks all the boxes for phishing scams: HTML mail along the lines of "X sent you a message. Click here and log in with your google credentials for yourmail@otherdomain, but be quick, this mail will self-destruct in X hours."
I'm totally using that template next time I do awareness training.
But more OnT: didn't the same exact effing thing happen to iWhatnots about five years ago, where calendar invitations would be automatically added to calendar etc., even from the spambucket?
Yea, that's the ups and downs of it: user-updateable firmware is a security risk, but if you have a bug, it's a across-the-board recall. And it's not just them, Yubico had one or two in the past, and so did Nitrokey. (Nitrokeys have writeable firmware, but the programming pins are inside the case, which might make it the worst of both worlds?)
And of course, you have, by design, irretrievable secret key material or serial#s on the devices. It's a branch of IT that can become effing expensive, real quick. (It still might be the best we have right now, though?)
Yeah, until the maintainer gets an actual job and family that take time, and somebody else steps up to take over maintenance. Remember, it happened to respectable npm modules and WP plugins, too, there is zero reason to believe it wouldn't happen to filter list maintainers.
(And FWIW, isn't it "works as advertised"? You allow an add-on to frobnicate the source code of any and all web pages you visit, of course it can do pretty much anything with that and use covert channels to exfiltrate data.)
"Not established he was flagged". True, but:
I seriously doubt a random CBP officer would have recognized the dude enough to ask questions about his previous employment. So what magical government source does he pull information about past employment of Joe Random Citizen from, with zero notice. (Which means there's established workflows for this, which means it's under legal scrutiny -- this is not calling your buddy in the police force to ask about outstanding parking tickets of your daughter's new boyfriend.)
"shouting just fucking let me the fuck in you fucking fucked fuck-headed fucker"
I have long maintained that search engines should give better results based on the invective level of the query. Kind of like a shibboleth.
OTOH, I can see practical-sounding applications for that. As I recall form my visits to the UK, y'all have buses that require a breathalizer check to turn on, why not have voice recognition do the same? "*pling* I'm sorry you're already late for work, but you sound too angry to maintain road safety. A taxi will be arriving shortly."
I also have a HTTP response code for that: 420 insufficient chill.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
