# Security

Told ya so.
Monday, September 26, 2022

Do you know why your mobile phone has a camera? There are two major reasons:

  1. Engagement; whenever you share a snapshot, it becomes a vehicle on which ads can ride piggy back into your social circle.
  2. Upselling to cloud services; pictures are quick to take, may carry sentimental value and, most importantly, burn through internal storage like wildfire. Most aren’t worthy of getting printed and framed, but making it easy for people to connect with their inner compulsive hoarder also slowly locks them into the platform that provides external storage.

Speaking of free storage and lock-in effects: looks like Google decided that enough is enough and indiscriminately pruned Drive by running a lossy image compression algorithm on decade-old pictures, ruining mementos of precious moments and upsetting users in the process. Really, no sympathy there. Letting Silicon Valley be the gatekeeper of your data means your data will (eventually) work against you. Always has been, always will be.

Sunday, August 21, 2022

Ah, here’s a great article for people who think it’s a good idea to build their (digital) lives around their smartphone.

Saturday, August 6, 2022

I keep telling people not to use 2FA when the second factor is a telephone number.

Well, Twitter just demonstrated why that’s a bad idea by exposing 5.4 million accounts. Phishing, grandparent scam, SIM swap, … tons of fun to be had on an industrial level.

Saturday, May 7, 2022

Ah, in today’s news: more propaganda for this FIDO crap. My advice here would be: if your password is part of someone else’s business case, just say no.

Tuesday, April 5, 2022

Github Push Protection

Security made by Microsoft

Saturday, March 19, 2022

Ah, NPM has been hit again by another dev putting rogue code in one of his modules. This time to protest the war in Ukraine by deleting files on machines with a Russian IP address.

Of course, this kind of thing could hit all programming languages with a package management system, but it seems to primarily happen with NPM. Why? Simple, JavaScript was never intended to be used for anything but DOM manipulation. It’s a toy programming language without a type system and the lack of that makes it a popular choice for beginners and career jumpers. As a result, there are plenty of programmers out there, who can barely stitch together software by copy-and-pasting solutions from Stackoverflow (but still insist on being employable, after finishing a coding bootcamp).

When that’s your culture, it follows that your package repository gets littered with tons of trivial modules by obscure developers, looking for a fast and easy way to build a portfolio. Of course, they don’t get the desired exposure when their module becomes a second or third level dependency in someone else’s project, but they do get leverage by being able to break things at scale.

Sunday, December 12, 2021

Well, since Log4J has just blown up with an Armageddon level remote code execution bug and a lot of people are unhappy about having to take their servers down, I’d like to reiterate that if an open source component is mission critical for you, then consider contributing back by paying for support.

Friday, March 12, 2021
Friday, September 25, 2020

Huh, the Windows XP source code allegedly leaks and all security experts are concerned. Imagine if the same happened to the Linux source code… oh, wait!

Seriously, we have had a consensus for years that security by obscurity is a bad idea. So if accidentally going open source is a concern now, then maybe that’s a reminder that Microsoft products have always been dangerous, shouldn’t have been used to begin with and it’s high time to migrate away from the Windows platform (yes, that’s costly and annoying, but don’t tell me that having your business shut down because you rely on an unreliable system isn’t).

Sunday, June 28, 2020

I’m always stunned when watching a movie/TV show in which a criminal makes a final call, then breaks the phone and throws it away in order to get rid of incriminating evidence. Yeah, sure, burner phones exist to be disposed of, but why break them? Your telco has a record of the phone call and if the police found the wreckage (your telco also knows which radio mast you were connected to when making that final call), they could desolder the internal storage from the mainboard - NAND flash chips can be quite resilient. They are also very bad at actually erasing data (when you delete a file, the operating system just marks the storage space as available again; if you truly want to get rid of a file, you would first have to overwrite it with random garbage. However, writing to NAND flash is slow and wears the chip down - the controller tries to avoid that).

Yeah ok, that’s a problem for criminals, not law abiding citizens. You have nothing to hide - except maybe the credentials for your Google account, online banking…

Something one should probably keep in mind when selling a used phone: doing a factory reset means all data on the phone is lost — unless the new owner has specialized equipment.
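The deletion behaviour described above, as an added toy model written for this page (not code from the original post): a flash translation layer maps logical blocks to physical pages, and the model reports what survives a filesystem delete, a logical overwrite and a controller erase. Page size, page count and the sample secret are constructed values.

```python
"""Toy NAND flash behind a flash translation layer (FTL); constructed example.
NAND pages can't be rewritten in place, so every write goes to a fresh page."""
import os

PAGE_SIZE = 16   # bytes per page; real chips use 4-16 KiB (constructed value)
NUM_PAGES = 8    # tiny chip for the demonstration (constructed value)
ERASED = b"\xff" * PAGE_SIZE   # erased NAND cells read as all ones

class ToyFlash:
    def __init__(self):
        self.pages = [ERASED] * NUM_PAGES
        self.mapping = {}     # logical block address -> physical page (FTL table)
        self.next_free = 0    # log-structured allocation, no garbage collection

    def write(self, lba, data):
        """Write a logical block to a fresh page; the previous page stays intact."""
        page, self.next_free = self.next_free, self.next_free + 1
        self.pages[page] = data.ljust(PAGE_SIZE, b"\xff")
        self.mapping[lba] = page

    def delete(self, lba):
        """Filesystem-style delete: forget the mapping, touch no cells."""
        self.mapping.pop(lba, None)

    def read(self, lba):
        """What the OS sees through the FTL (None once deleted)."""
        return self.pages[self.mapping[lba]] if lba in self.mapping else None

    def forensic_dump(self):
        """What a chip-off reader sees: every non-erased physical page."""
        return [p for p in self.pages if p != ERASED]

    def secure_erase(self):
        """Controller block erase: the only operation that clears stale pages."""
        self.pages, self.next_free = [ERASED] * NUM_PAGES, 0
        self.mapping.clear()

def demo(secret=b"acct-secret-0001"):
    """Report whether `secret` survives a delete, a logical overwrite, an erase."""
    dev = ToyFlash()
    dev.write(0, secret)
    dev.delete(0)
    after_delete = dev.read(0) is None and secret in dev.forensic_dump()
    dev.write(0, secret)
    dev.write(0, os.urandom(PAGE_SIZE))      # "overwrite with random garbage"
    after_overwrite = secret in dev.forensic_dump()
    dev.secure_erase()
    after_erase = secret in dev.forensic_dump()
    return after_delete, after_overwrite, after_erase
```

`demo()` returns `(True, True, False)`: the secret is still on the chip after the delete and after the overwrite, and only a block erase removes it.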