# Security

Told ya so.
Saturday, November 19, 2022

A reader wants to know: why is FIDO(2) crap?

Passwords are inherently insecure, so we are told (not they aren't). It would be better to BUY into FIDO (no, it wouldn't).

Thursday, November 10, 2022

David Sch├╝tz found a great lockscreen bypass bug on the Google Pixel. All you have to do is to hot swap the SIM card with one, you know the PUK of. Type in three wrong PINs, then just enter the PUK and the phone goes straight to the home screen.

Imagine that this is something, the FBI fought Apple with tooth and nail for.

There’s a reason why I keep telling people not to bother with lockscreens, but rather consider their phones to be a portable version of the computers in a public library.

Saturday, October 8, 2022

The Indian scam continues

I know you should not answer junk mail, but hey, I was bored…

Saturday, May 7, 2022

Ah, in today’s news: more propaganda for this FIDO crap. My advice here would be: if your password is part of someone else’s business case, just say no.

Tuesday, April 5, 2022

Github Push Protection

Security made by Microsoft

Saturday, March 19, 2022

Ah, NPM has been hit again by another dev putting rogue code in one of his modules. This time to protest the war in Ukraine by deleting files on machines with a Russian IP address.

Of course, this kind of thing could hit all programming languages with a package management system, but it seems to primarily happen with NPM. Why? Simple, JavaScript was never intended to be used for anything but DOM manipulation. It’s a toy programming language without a type system and the lack of that makes it a popular choice for beginners and career jumpers. As a result, there are plenty of programmers out there, who can barely stitch together software by copy&pasting solutions from Stackoverflow (but still insist on being employable, after finishing a coding bootcamp).

When that’s your culture, it follows that your package repository gets littered with tons of trivial modules by obscure developers, looking for a fast and easy way to build a portfolio. Of course, they don’t get the desired exposure, when their module becomes a second or third level dependency in someone else’s project, but they do get leverage by being able to break things on a scale.

Sunday, December 12, 2021

Well, since Log4J has just blown up with an Armageddon level remote code execution bug and a lot of people are unhappy about having to take their servers down, I’d like to reiterate that if an open source component is mission critical for you, then consider contributing back by paying for support.

Friday, March 12, 2021
Friday, September 25, 2020

Huh, the Windows XP source code allegedly leaks and all security experts are concerned. Imagine if the same happened to the Linux source code… oh, wait!

Seriously, we had a consensus for years, that security by obscurity is a bad idea. So if accidentally going open source is a concern now, then maybe that’s a reminder that Microsoft products have always been dangerous, shouldn’t have been used to begin with and it’s high time to migrate away from the Windows platform (yes, that’s costly and annoying, but don’t tell that having your business shut down because you rely on an unreliable system isn’t).

Sunday, June 28, 2020

I’m always stunned when watching a movie/TV show in which a criminal makes a final call, then breaks the phone and throws it away in order to get rid of incriminating evidence. Yeah, sure, burner phones exist to be disposed of, but why break them? Your telco has a record of the phone call and if the police found the wreckage (your telco also knows which radio mast you have been connected to, when making that final call), they could desolder the internal storage from the mainboard - NAND flash chips can be quite resilient. They are also very bad at actually erasing data (when you delete a file, the operating system just marks the storage space as available again. If you truly want to get rid of a file, then you would first have to overwrite it with random garbage. However, writing to NAND flash is slow and wears the chip down - the controller tries to avoid that).

Yeah ok, that’s a problem for criminals, not law abiding citizens. You have nothing to hide - except maybe the credentials for your Google account, online banking…

Something, one should probably keep in mind when selling a used phone: doing a factory reset means all data on the phone is lost — unless the new owner has specialized equipment.