Posts by WPalant@infosec.exchange
(DIR) Post #AbBtzOjVcD4lEYaicS by WPalant@infosec.exchange
2023-10-27T09:14:26Z
1 likes, 0 repeats
Ok kids, today we learn: “crypto” is short for “cryptosporidium,” a parasite causing diarrhea. #crypto #web3
https://arstechnica.com/health/2023/10/the-uk-is-bursting-with-diarrheal-disease-cases-3x-higher-than-usual/
(DIR) Post #Ac4eZzVl89td0LCSDw by WPalant@infosec.exchange
2023-11-22T18:27:10Z
1 likes, 0 repeats
@jpaskaruk @threatresearch Feel free to read the article: “fallback navigation systems are also corrupted, resulting in total failure.”
(DIR) Post #Ac4ed6kefTUMKQeZjk by WPalant@infosec.exchange
2023-11-22T18:41:08Z
0 likes, 0 repeats
@jpaskaruk @threatresearch There certainly is a human in control, which is why there have been no serious incidents so far. But the fact is: air travel is way safer today than it was in the past, thanks to the many systems checking every decision. That is very necessary when traveling at 900 km/h. Fallback plans exist but these aren’t a proper replacement.
And the article mentions it already: spoofing GPS positions is way more dangerous than merely jamming GPS reception. The airplane crew can deal with the situation, provided that it recognizes the threat. If it doesn’t, really bad things might happen.
(DIR) Post #Ac4ed8ixKlJmRjsFMm by WPalant@infosec.exchange
2023-11-22T18:51:55Z
1 likes, 0 repeats
@jpaskaruk I was born in a country with a very manual approach to power grid regulation. I remember very regular power outages throughout my entire childhood.
Yes, reliance on automated systems has its downsides, such as exposure to hacking attacks. But these automated systems are there for a reason. They do a far better job than humans ever could. And the solution is properly securing them, not putting humans back in charge.
(DIR) Post #AcZH5xwY7YEWPPCbce by WPalant@infosec.exchange
2023-12-07T13:43:23Z
1 likes, 0 repeats
Trying out the new “Cookie Banner Blocker” in Firefox, this is something I’ve wanted for a long time. For reference: it is supposed to automatically reject cookie banners.
German website: ❎ nope
British website: ❎ nope
US website: ✅ yep
Ok, at first glance it appears to be powered by a US-centric list. Better than nothing.
(DIR) Post #AcZH5zMSqgYao4Koee by WPalant@infosec.exchange
2023-12-07T13:46:01Z
1 likes, 0 repeats
Ah, there is a hidden cookiebanners.service.enableGlobalRules setting. Enabled this one and now it is:
German website: ✅ yep
British website: ❎ nope
US website: ✅ yep
Better.
(DIR) Post #AcZkcyrmbgnhUz4GdU by WPalant@infosec.exchange
2023-12-07T14:00:26Z
1 likes, 0 repeats
I was probably being somewhat unfair. Got the list (https://github.com/mozilla/cookie-banner-rules-list/blob/main/cookie-banner-rules-list.json), it’s 471 entries and plenty of international domains. The list also seems to be somewhat outdated however, so in a bunch of cases it knows how to locate the opt-in button but not the opt-out (the British website I tested is one of those cases).
(DIR) Post #AcZkd114c7Q8ANQiOW by WPalant@infosec.exchange
2023-12-07T14:55:42Z
1 likes, 0 repeats
Gotta love how Mozilla does things. Yes, their cookie banner list isn’t perfect yet. But they have a public repository for the list (https://github.com/mozilla/cookie-banner-rules-list/) and I can create pull requests. And while these aren’t merged yet, I can add my own rules to the cookiebanners.listService.testRules preference. I suspect that I will use that a lot in future.
(DIR) Post #AcZkd5kb0oD8qil7uC by WPalant@infosec.exchange
2023-12-07T18:31:09Z
1 likes, 0 repeats
For reference: Firefox UI will currently only allow enabling the Cookie Banner Blocker in Private Browsing mode. In order to enable it in regular browsing, one needs to change the hidden cookiebanners.service.mode setting to 1. And: yes, this is experimental and everything, so there might be glitches.
(DIR) Post #ArUNgD9aO1Duy0GyAa by WPalant@infosec.exchange
2025-02-18T06:34:29Z
1 likes, 0 repeats
I have been introduced to the obscure Linux failure condition called “unbalanced btrfs filesystem.” That’s when you have more than 100 GiB free on your hard drive, yet the file system will refuse operations like renaming a file, claiming that you have no space left. Which comes out of the blue, without any kind of prior warning. And you first have to search past all the unhelpful articles explaining how to remove unused files, until you find that the issue is specific to the btrfs filesystem and with some luck can be cured by running some obscure commands (yet these commands also tend to refuse working because … 🥁🥁🥁 … you have no space left).
It’s 2025 and Linux still does that to people…
(DIR) Post #AsOMEnuViYsHNuLFIm by WPalant@infosec.exchange
2025-03-24T11:33:43Z
1 likes, 0 repeats
Well, who am I to argue with hCaptcha that land turtles don’t swim in the sea? Unlike me, our new AI overlords actually know what “being human” means.
(DIR) Post #AuLpFYRxSGy9LQU3RQ by WPalant@infosec.exchange
2025-05-22T11:42:24Z
0 likes, 1 repeats
“Though the researchers claim they’ve anonymized the data”
There we go again. There is no way to anonymize two billion messages, short of removing their content entirely.
https://www.404media.co/researchers-scrape-2-billion-discord-messages-and-publish-them-online/
(DIR) Post #AyTszrPeBSPp1IRRTc by WPalant@infosec.exchange
2025-09-22T19:30:08Z
1 likes, 1 repeats
Now #Thunderbird is running a user survey asking whether Thunderbird would benefit from “AI” features. Please don’t waste time on this crap, there is plenty of work to be done on improving Thunderbird but this isn’t it.
(DIR) Post #AybzLdV3YLsOe12rk8 by WPalant@infosec.exchange
2024-01-18T12:25:12Z
0 likes, 1 repeats
German law is making security research a risky business.
Current news: A court found a developer guilty of “hacking.” His crime: he was tasked with looking into some software that produced way too many log messages. And he discovered that this software was making a MySQL connection to the vendor’s database server.
When he checked that MySQL connection, he realized that the database contained data belonging to not merely his client but all of the vendor’s customers. So he immediately informed the vendor – and while they fixed this vulnerability they also pressed charges.
There was apparently considerable discussion as to whether hardcoding database credentials in the application (visible as plain text, not even decompiling required) is sufficient protection to justify hacking charges. But the court ruling says: yes, there was a password, so there is a protection mechanism which was circumvented, and that’s hacking.
I very much hope that there will be a next instance ruling overturning this decision again. But it’s exactly as people feared: no matter how flawed the supposed “protection,” its mere existence turns security research into criminal hacking under German law. This has a chilling effect on legitimate research, allowing companies to get away with inadequate security and in the end endangering users.
Source: https://www.heise.de/news/Warum-ein-Sicherheitsforscher-im-Fall-Modern-Solution-verurteilt-wurde-9601392.html
(DIR) Post #AybzLimFvpbb0o8AkK by WPalant@infosec.exchange
2024-11-09T08:51:18Z
0 likes, 0 repeats
And the second instance confirms the ruling. 🙄 There will be more instances but this is disappointing.
Apparently, the matter of the publicly available password wasn’t discussed at all. It was all about illegitimate access to data, regardless of inadequate data protection. Guilty in the sense of the law.
This law was about to be adjusted, defusing it for security researchers. Unfortunately, with the German government breaking up it’s unclear whether that change can still happen. It’s pretty much a given that the next government won’t be interested in fixing this issue.
Source: https://www.heise.de/news/Modern-Solution-Berufungsgericht-bestaetigt-Schuld-des-Sicherheitsforschers-10007090.html
(DIR) Post #AybzLnglffBcFEbMO0 by WPalant@infosec.exchange
2025-09-26T18:59:38Z
0 likes, 0 repeats
Unfortunately, there is no happy ending to this story. Reminder: a consultant was hired to figure out an issue with an application made by Modern Solution. He found hardcoded database credentials in the application (via the advanced hacking tool called text viewer), connected to the database and realized that it stored the data of all customers – not merely that of his employer. He reported the vulnerability to Modern Solution who decided to press hacking charges against him.
The German Federal Court of Justice declined to look at the case, meaning that the previous instance’s decision stands: he is guilty. As the previous instance explained, that’s because he didn’t stop when he realized that he had access to other people’s data but decided to document the extent of the issue with screenshots.
Unfortunately, finding security vulnerabilities without the vendor’s consent (meaning e.g. bug bounties or being hired explicitly) is a legal minefield. That’s why I prefer looking at stuff running locally on my device, and if I ever have to hit a server I try to avoid any deviations from requests which could occur “naturally.” It doesn’t matter how harmless your request was meant to be. If you hit a bug that deletes the data of a million customers: good luck proving your innocence. You can of course claim that the vendor’s bug is to blame, but the vendor can explain how this could have never happened during regular use of the system and your unauthorized penetration test is at fault.
Different countries have different rules placing the boundary between “regular use” and “hacking.” German law is rather restrictive here, and without a Federal Court ruling no improvements are coming. In fact, not even staying on your hardware is sufficient to be on the safe side, in some cases you might become liable here as well (thank you, movie industry).
Either way, this means that the next time you find hardcoded credentials in an application (database, Firebase, cloud storage bucket), your choices are rather limited. You can observe how the application uses these credentials, and once you have sufficient reason to suspect that these credentials allow access to more data than your own you report this bug to the vendor. Of course without any proof the vendor will downplay the issue. If you are lucky (which is unlikely) they will at least fix it.
Using the credentials yourself to “look around” now definitely constitutes “hacking” under German law – there is a password, hence there is a protection being circumvented. So getting proof and staying on the legal side isn’t possible at the same time.
In the meantime people who will abuse the vulnerability can verify it in two minutes. And enjoy the vulnerability staying around for a long time, since the vendor who built this certainly won’t fix it without a nudge from outside.
(DIR) Post #B0z050eD4Gd5aYq492 by WPalant@infosec.exchange
2025-12-06T19:59:24Z
1 likes, 0 repeats
@plragde @irene That’s why the burden of speaking up cannot be on the women – the men need to be doing it, noticing, pointing out and correcting injustices in the current system. Because we can afford doing it. There is very little risk in it for us.
(DIR) Post #B1PPsIHVqLjlQtmHmi by WPalant@infosec.exchange
2025-12-09T14:14:16Z
0 likes, 1 repeats
Nice, BSI tested password manager security and their analysis actually makes sense: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/DVS-Berichte/passwortmanager.pdf (German).
Two questions are particularly interesting: can the vendor access passwords (5/10 no) and is the entire storage encrypted (3/10 yes). Which leaves 1Password, Keepass2 Android and KeePassXC usable without reservations, while Avira Password Manager and Firefox Password Manager are usable with some concerns (the former uses crypto that cannot be verified, the latter requires a main password to be set explicitly). The other five tested products (Chrome Password Manager, mSecure, PassSecurium, SecureSafe, S-Trust) should not be used.
Not exactly news to me but good to see this confirmed – and good to see a proper analysis rather than grabbing low-hanging fruit for some bullshit statements.
#PasswordManager #security
(DIR) Post #B1X8vjQhUFNR0oYya8 by WPalant@infosec.exchange
2025-12-22T10:48:07Z
0 likes, 0 repeats
In my first article on the PPPP protocol I said: “Even if the encryption key weren’t easily extracted, it is mashed into four bytes which become the effective key. So there are merely four billion possible keys.”
I am now doing a more thorough analysis of the way keys are being mapped to effective keys. And I was very wrong, I’m already down to only ~1.1 million possible effective keys. 🤦♂️
Edit: Now down to half that number: ~570k possible keys. Judging by my experiments this is getting close to the real number, though there are still some more restrictions to these keys to be considered.
(I’m trying to see whether https://github.com/pmarrapese/iot/blob/master/p2p/lansearch/lansearch.py can be made to deal with “encrypted” PPPP communication without knowing the key being used.)
(DIR) Post #B1X8vkkaZmsd6msNDk by WPalant@infosec.exchange
2025-12-23T02:30:08Z
0 likes, 1 repeats
I’ve fixed a mistake in my experimental setup, and now the experimentally determined number of effective keys and the calculated number match closely enough. So ~540k effective keys is going to be the final number. That’s the strength of PPPP “encryption,” almost exactly 19 bits. And only if you ignore the glaring known plaintext vulnerability.
Now the big question is: do I publish that blog post between the holidays? Probably a bad idea…