Posts by uqrxur

12 publicly visible posts • joined 1 Jun 2016

Raspberry Pi Pico cracks BitLocker in under a minute

uqrxur

stop this nonsense

Until journalists stop relaying stories on how to defeat Bitlocker installations without a password or PIN, we will keep reading stories of random guys defeating BitLocker installed on a device without a password or PIN.

Year after year.

Mozilla's midlife crisis has taken it from web pioneer to Google's weird neighbor

uqrxur

3% is actually an enormous number

IMO, comparing Firefox with other browsers is like comparing a Debian installation to a Windows 11 retail computer: they shouldn't be compared because they don't offer the same service.

Chrome and Edge are gateways to their respective editor's ecosystems, with web functionality as a "module". Firefox is a web browser that also permits access to editors' ecosystems that still run on web protocols.

What the author fails to recognize is that 3% of the entire population of users is actually an enormous number once we start talking about the very small population of users who care about their privacy.

I think this would have been a very much better article if the author had framed the discussion a bit differently: "Amongst the population of users who care about their privacy, Firefox is the most widely adopted browser."

Which brings me to my second point. By failing to frame the questions correctly, these articles tend to do even more damage to products like Firefox because they signal to naive or more vulnerable users that "nobody uses Firefox", which is a very different message from "almost everyone who cares about this topic uses Firefox".

Google 'wiretapped' tax websites with visitor traffic trackers, lawsuit claims

uqrxur

why sue Google?

Just asking: why sue Google? Web agencies gladly put Google Analytics code in all their websites, sometimes without their client's approval.

I don't see the logic in suing Google instead of the tax services companies, and the article seems to miss this point, too. Any help?

Microsoft Azure OpenAI lets enterprises feed corporate secrets to ChatGPT

uqrxur

Re: As the saying goes around here...

"And shouldn't are be is?"

Yes, it should. But hey, we are long past the times during which we are supposed to speak/write correctly.

‘What are the odds someone will find and exploit this?’ Nice one — you just released an insecure app

uqrxur

Re: Shift left? shift right?

It refers to the systems development lifecycle, which is often represented as a timeline that starts with inception or analysis, and ends with deployment or release.

Many managers tend to postpone security efforts towards the end of this lifecycle, where they typically hope to solve the security issue with just a cheap penetration test, or worse, with a magic-bullet security scanning tool. (The situation is getting even worse at the moment, with many companies increasingly relying on bug bounties.) This is what is referred to as "pushing right".

On the other hand, you have some companies that try to address the security issue earlier in the cycle, sometimes even at the beginning of the lifecycle. This typically translates into identifying security requirements from the beginning of a project, identifying and addressing security or privacy threats directly during the design phase, and setting up reliable tools/APIs/frameworks that prevent most vulnerabilities from even entering the coding phase. All of these are often referred to as "pushing left".

Voila, hope it helps :)

'World's favorite airline' favorite among hackers: British Airways site, app hacked for two weeks

uqrxur

Re: We take the protection of our customers’ data very seriously.

I wouldn't presume subresource integrity to be already a mainstream defense, but the absence of a CSP header and the script loaded from untrusted sources would typically qualify for an act of negligence on a website like BA's.

Now I'm not sure the CEO should be the one losing their seat for this.

I'd need to know whether

1) security threat modelling teams did not spot the threat or issued poorly crafted warnings to the website project team,

2) whether some project manager skipped the requirement because "security stuff" or

3) whether a developer cheated by marking it "done" or

4) whether the security testing team didn't spot or follow up the issue or

5) whether the fix made it to the code and somehow did not end up on the website.

6) etc.

In such cases, root cause analysis is key to understanding who or what processes were responsible, so that improvement is possible. If BA just fires one person over this then we'll know they aren't doing RCA correctly.

I still cross paths with security testing teams that can't issue anything more detailed than a "set up a CSP header" instruction without explaining why or what should be in the header.
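To make the two controls named in this comment concrete, here is an added example (not code from the original post, nor anything BA deployed): it computes the Subresource Integrity value that pins a third-party script to the bytes the site reviewed, mirrors the browser's accept/reject decision on a modified copy, and builds an allow-list Content-Security-Policy header. The script bytes and the host name `cdn.example.test` are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample: the bytes of a third-party script as the site expects to
# embed it, and a copy with one appended statement standing in for a changed
# copy served later from the same URL. Both are made-up, not real assets.
EXPECTED_SCRIPT = b"window.app = window.app || {}; app.ready = true;\n"
MODIFIED_SCRIPT = EXPECTED_SCRIPT + b"app.flag = 1;\n"

# The only digest algorithms the SRI specification allows.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Value for the HTML integrity attribute: '<algo>-<base64 of raw digest>'."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"SRI permits only {SRI_ALGORITHMS}, not {algo!r}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Simplified browser-side check: the fetched bytes must hash to one of the
    space-separated tokens in the integrity attribute, otherwise the script is
    not executed. (Browsers also ignore weaker algorithms when a stronger one
    is listed; that refinement is omitted here.)"""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in SRI_ALGORITHMS and sri_hash(content, algo) == token:
            return True
    return False


def script_tag(src: str, content: bytes) -> str:
    """Emit the <script> element pinned to the content the site reviewed."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def csp_header(script_hosts: list[str]) -> tuple[str, str]:
    """Build an allow-list Content-Security-Policy: scripts may load only from
    the site itself and the listed hosts; plugins and <base> rewriting are
    blocked."""
    script_src = " ".join(["'self'", *script_hosts])
    value = (f"default-src 'self'; script-src {script_src}; "
             "object-src 'none'; base-uri 'self'")
    return ("Content-Security-Policy", value)


if __name__ == "__main__":
    # Hypothetical CDN host, not a real dependency of any site.
    print(script_tag("https://cdn.example.test/app.js", EXPECTED_SCRIPT))
    print(": ".join(csp_header(["https://cdn.example.test"])))
    pinned = sri_hash(EXPECTED_SCRIPT)
    print("expected copy accepted:", sri_matches(EXPECTED_SCRIPT, pinned))
    print("modified copy accepted:", sri_matches(MODIFIED_SCRIPT, pinned))
```

The two controls cover different failure modes: the CSP allow-list stops scripts from hosts the site never approved, while the integrity attribute stops a script from an approved host that no longer matches what was reviewed. Both need the `crossorigin` attribute and a CORS-enabled CDN for cross-origin scripts, and the pinned hash must be regenerated whenever the dependency is legitimately updated.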

Hacker publishes GitHub secret key hunter

uqrxur

How does it counterbalance...

Looks very nice academically, but I wonder how it counterbalances with simple string-based searches on variable names for "known" patterns (i.e. 'key', 'pwd', 'secret', 'token', etc.) that get improved over time. Who wants to run a comparative analysis? :)
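The baseline this comment has in mind, written out as an added example (not the published tool's code, nor anything from the article): a name-based search over a file for variables named like credentials, with a Shannon-entropy filter so that obvious placeholders such as "changeme" do not flood the report. It is the kind of check a team runs over its own repository before a commit lands. The name fragments in the pattern and the sample config are constructed; every value in the sample is a made-up placeholder.

```python
import math
import re
from collections import Counter

# Assumed list of "known" name fragments; extend it for your own code base.
SECRET_NAME_PATTERN = re.compile(
    r"""(?ix)
    \b(?P<name>[\w.-]*(?:key|pwd|passw(?:or)?d|secret|token)[\w.-]*)
    \s*[:=]\s*
    (?P<quote>["'])(?P<value>[^"']{8,})(?P=quote)
    """
)

# Constructed sample config; every value is a made-up placeholder.
SAMPLE = """\
# constructed sample config; every value below is a made-up placeholder
DB_PASSWORD = "changeme"
api_key = "k7Qz3pL9wX2mN8vB4tR6"
export GITHUB_TOKEN="ghp_A1b2C3d4E5f6G7h8I9j0"
timeout = "30"
aws_secret_access_key: "Zq8Lw3Mn7Vb2Xc5Rt9Yp"
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; a rough proxy for 'random-looking'."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, min_entropy: float = 3.0) -> list[dict]:
    """Return one finding per quoted assignment whose variable name contains a
    credential-like fragment and whose value looks random enough."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_NAME_PATTERN.finditer(line):
            value = m.group("value")
            entropy = shannon_entropy(value)
            # Low-entropy values are usually placeholders ("changeme") or
            # ordinary words; drop them to keep the report reviewable.
            if entropy < min_entropy:
                continue
            findings.append({
                "line": lineno,
                "name": m.group("name"),
                "entropy": round(entropy, 2),
                # Report a redacted preview, never the full value, so the
                # scanner's own output does not become a second leak.
                "preview": value[:4] + "...",
            })
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

The limits are the ones the comment hints at: the search only sees values that are quoted and assigned next to a suggestive name, so a credential stored under a neutral name, split across lines, or committed in a binary slips past, and a readable but high-entropy string such as a comma-separated list can trip the filter. The pattern list is the part that "gets improved over time"; an entropy threshold tuned per repository keeps the false-positive rate workable.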

Don't use a VPN in United Arab Emirates – unless you wanna risk jail and a $545,000 fine

uqrxur

Re: Don't like the idea of slave labour? Don't go on holiday to the UAE

Same here, I have a list of countries with ethics I can't accept for freelancing gigs. Ironically, the US entered that list three years ago, after I realized what goes under "federal tax".

uqrxur

Re: Interesting

Web servers don't geolocate you. That's not how it works.

Browsers use an API that is located client side (which most humans find attractive to enable, to feel less miserable when surfing) and which determines the geolocation of the phone by calling its internal local geo-services (A-GPS, GPS, Wi-Fi SSID enumeration, etc.). The result of this lookup is then transmitted to the web service.

Consequently, your IP is not involved at all. It's only involved when you explicitly disable all geo services in your phone, and only then, "Google" will use an IP lookup, because there's nothing better.

If activating a VPN really hid your location, millions of VPN users would immediately stop using VPNs because "Pokemon Go" or "Tinder" or "Google Maps" wouldn't work.

Most human beings want to feel anonymous without the hassle of being anonymous.

Containers rated more secure than conventional apps

uqrxur

Re: big caveat there

When the comment brings more useful information than the article...

Dev boss: What will Microsoft do with Windows 10 Mobile? Surprise – it's for work!

uqrxur

Re: Surface?

Microsoft's strategy has never been to give consumers the product they want, but rather to ask what product you want and give you something a little bit different and constrained.

Windows 10 is an exact example of this: listen to everyone, build this dream product. Then destroy the concept of privacy (even though people were quite clear about that), make it free (even though people asked for cheaper, not free), then streamline it across multiple platforms such as Continuum (consumers love this) but constrain it just enough so that users can't run the applications they need.

That's Microsoft. Awesome products, with a catch.

Samsung: Don't install Windows 10. REALLY

uqrxur

Re: If proof is needed...

Then... how would you explain Microsoft's inability to create functioning drivers for its own Surface Book notebook? (Aka the sleep-of-death bug)