Posts by jsmall@infosec.exchange
 (DIR) Post #AQmJTMUKGJkFVaOvRo by jsmall@infosec.exchange
       2022-12-19T21:55:57Z
       
       0 likes, 0 repeats
       
It's incredible how often WordPress developers insist "the core is really secure" in light of reports and timelines like the below. There's no patch yet btw.
       
 (DIR) Post #AQmKhdmEsYxl8a9VQ0 by jsmall@infosec.exchange
       2022-12-19T22:35:02Z
       
       0 likes, 0 repeats
       
       @smallsees Do agree with the one. Given that this is what a "security plugin" gets you.
       
 (DIR) Post #ARb9yWBVhSklPhRgzQ by jsmall@infosec.exchange
       2023-01-13T10:14:08Z
       
       2 likes, 2 repeats
       
       I thought I had a failed fan in my PC but turns out it was just winston snoring.
       
 (DIR) Post #ARb9yXmPljrqMRig9Q by jsmall@infosec.exchange
       2023-01-13T10:30:39Z
       
       0 likes, 0 repeats
       
       Look we're only three hours from #caturday OK
       
 (DIR) Post #ARzqvtlqVhQhWCTd3I by jsmall@infosec.exchange
       2023-01-24T10:54:04Z
       
       0 likes, 0 repeats
       
       @WPalant @nadim @bitwarden It's also interesting that I keep seeing zxcvbn come up, including today, given https://github.com/dropbox/zxcvbn/issues/290
       
 (DIR) Post #ASr8xBZZ28ToiI7RHE by jsmall@infosec.exchange
       2023-02-19T21:33:28Z
       
       1 likes, 0 repeats
       
       @filippo "Don't roll your own crypto" is how people end up using "crypto-js", because it's a "trusted" library, where they choose between 3DES, Rabbit, RC4, RC2 and AES and then follow the documentation to implement unauthenticated CBC mode.
       
 (DIR) Post #AUX6UPTf7DzVkbSJyy by jsmall@infosec.exchange
       2023-04-11T05:31:02Z
       
       0 likes, 0 repeats
       
       @mjg59 I would say to be prepared for the fact that there is no possible action you can take that won't involve a vocal group of people deciding to blast about "irresponsible disclosure".
       
 (DIR) Post #AVASe2KQwdaLxU3hqK by jsmall@infosec.exchange
       2023-04-30T05:24:31Z
       
       0 likes, 0 repeats
       
@mjg59 I always found the part about Signal's prekeys being rate limited interesting. Rate limits are inherently difficult, if I had a bot army just download all your keys what happens? You've described a fallback to avoid a DoS, but if I keep that up long term don't I, as an attacker, just perpetually break PFS? Does sound like a hard problem.
       
 (DIR) Post #AYLGVYJuMvkyn4xur2 by jsmall@infosec.exchange
       2023-08-03T03:31:43Z
       
       0 likes, 0 repeats
       
       Currently a fight going on. How do you pronounce "Kerberos" ? I'm being told the K should have a C sound like in "censor".
       
 (DIR) Post #AsRCpZr4WRSwRJVdKq by jsmall@infosec.exchange
       2025-03-26T05:14:45Z
       
       0 likes, 0 repeats
       
       @hacks4pancakes The upside to inflation is that the $5 wrench attack has been completely solved.