Sequoia 15.1 now hard-locks out any app that is not approved by Apple, including a bunch of my old and well used utilities. They can be made to run by hacking underneath in BSD, but the situation is unsatisfactory for a computer that I consider is MINE.
Many MacOS users are probably used by now to the annoyance that comes with unsigned applications, as they require a few extra steps to launch them. This feature is called Gatekeeper and checks for an Apple Developer ID certificate. Starting with MacOS Sequoia 15, the easy bypassing of this feature with e.g. holding Control when clicking the application icon is now no longer an option, with version 15.1 disabling ways to bypass this completely. Not unsurprisingly, this change has caught especially users of open source software like OpenSCAD by surprise, as evidenced by a range of forum posts and GitHub tickets.
COMPUTERS ARE BAD is a newsletter semi-regularly issued directly to your doorstep to enlighten you as to the ways that computers are bad and the many reasons why. While I am not one to stay on topic, the gist of the newsletter is computer history, computer security, and "constructive" technology criticism.
We have entered an era of LLM democratization. By showing that smaller models can be highly effective, enabling easy experimentation, diversifying control, and providing incentives that are not profit motivated, open-source initiatives are moving us into a more dynamic and inclusive AI landscape. This doesn't mean that some of these models won't be biased, or wrong, or used to generate disinformation or abuse. But it does mean that controlling this technology is going to take an entirely different approach than regulating the large players.
On Friday, Facebook announced that hackers had leveraged three separate bugs to collect 50 million users' so-called access tokens, which are the equivalent of digital keys to a Facebook account. With those tokens, hackers can take full control of users' Facebook accounts, but because of Single Sign-On, they can also access any other website that those 50 million users log into with Facebook.
I've been wanting to write about the Teensy and its application in security testing for some time now. It's extremely useful for executing scripts on a target machine without the need for human-to-keyboard interaction. It can be used to bypass auto-run, AV
With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password.
Thunderstrike is the name for the Apple EFI firmware security vulnerability that allows a malicious Thunderbolt device to flash untrusted code to the boot ROM.
Passwords are broken. Inspired by Justin Balthrop's article Passwords are Obsolete, token-based one-time password (OTPW) authentication is faster to deploy, better for your users, and more secure.
An Arduino, with its 8-bit 16 MHz microcontroller, will set you back around $20. A microSD card with several gigabytes of memory and a microcontroller with several times the performance could be purchased for a fraction of the price.
All of this is a long way of saying that I was totally unprepared for today's bombshell revelations describing the NSA's efforts to defeat encryption. Not only does the worst possible hypothetical I discussed appear to be true, but it's true on a scale I couldn't even imagine. I'm no longer the crank. I wasn't even close to cranky enough.
Today, Green's academic dean contacted him to ask that "all copies" of the blog post be removed from university servers. Green said that the move was not "my Dean's fault," but he did not elaborate. Were cryptology professors at Johns Hopkins not allowed to say, as Green had, things like:
The question to me -- as an American and as someone who cares about the integrity of speech -- is how we restore faith in our technology. I don't have the answers to this question right now. Unfortunately this is a long-term problem that will consume the output of researchers and technologists much more talented than I am. I only hope to be involved in the process.
Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to the user.
It's also worth pointing out that we do take certain technical measures to limit the data we collect. We've designed Persona so that the identity provider, including the fallback Identity Provider that we run, does not learn your browsing history. We consider that a good security practice, not specifically because of surveillance, but generally because collecting data without a user benefit just creates risk.
Dave asks some great questions about why the people who had power over these networks didn't blow the whistle instead of some anonymous insider having to do it. Here's one possible answer.
ID Tokens are little chunks of text which claim that some particular person wants to tell some particular party out there that they're signed in and authenticated by the Identity Provider that issued the token.
We already showed you how to build a Beautiful REST+JSON API, but how do you secure your API? At Stormpath we spent 18 months researching best practices, implementing them in the Stormpath API, and figuring out what works. Here's our playbook on how to secure a REST API.
Here's a reason why you shouldn't let anyone use your computer.
In your terminal, type:
security dump-keychain -d ~/Library/Keychains/login.keychain
If you are unlucky enough to have your computer infected with a RAT, prepare to be sold or traded to the kind of person who enters forums to ask, "Can I get some slaves for my rat please? I got 2 bucks lol I will give it to you :b" At that point, the indignities you will suffer, and the horrific website images you may see, will be limited only by the imagination of that most terrifying person: a 14-year-old boy with an unsupervised Internet connection.
The reason? Siri ships everything you say to her to a big data center in Maiden, North Carolina. And the story of what really happens to all of your Siri-launched searches, e-mail messages and inappropriate jokes is a bit of a black box.
The Google Authenticator project includes implementations of one-time passcode generators for several mobile platforms, as well as a pluggable authentication module (PAM). One-time passcodes are generated using open standards developed by the Initiative for Open Authentication (OATH) (which is unrelated to OAuth).
The best memorial to the victims of 9/11, in Schneier's view, would be to forget most of the "lessons" of 9/11. "It's infuriating," he said, waving my fraudulent boarding pass to indicate the mass of waiting passengers, the humming X-ray machines, the piles of unloaded computers and cell phones on the conveyor belts, the uniformed T.S.A. officers instructing people to remove their shoes and take loose change from their pockets. "We're spending billions upon billions of dollars doing this, and it is almost entirely pointless. Not only is it not done right, but even if it was done right it would be the wrong thing to do."
Heaps of federal money, endless bureaucracy, and constant travel delays are the most visible by-products of the Transportation Security Administration. Too bad "increased safety" doesn't fit on that list.
Lucky Supermarkets has removed the tampered card readers, which were made by VeriFone, in the stores known to be affected and says it is enhancing security of every credit and debit card reader in all 234 of its stores. Joseph Steinberg, CEO of the security company Green Armor Solutions, released a statement saying "Everyone should always check any device in which they insert/swipe a credit/debit/ATM card, or to which they touch their card, to see if it looks like it may have been modified/covered."
It's a tough situation: On the one hand, being able to crack full disk encryption is vital for the prosecution of white-collar criminals, child porn ringleaders, pharmaceutical spam barons, and the curtailment of terrorism; but on the other, it's quite satisfying to know that, perhaps at long last, we have a way of escaping the ireful eye of Big Brother. Where do you stand on FDE?
I have been on the road a lot in the past several months, and one thing I keep seeing is that folks are over-sharing. I am not talking about putting up those ribald pictures on your Facebook account, or forwarding those questionable email "jokes." But literally sharing your computer's data files across the hotel (and some airports too). Here is what my Mac Finder looks like at a Hilton that I was at earlier in the week (you can see that I am connected to several of my fellow travelers' PCs):
"Let's talk about how to hijack HTTP traffic on your home subnet using ARP and iptables. It's an easy and fun way to harass your friends, family, or flatmates while exploring the networking protocols."
"A couple of years ago, web developers were banging their head against the first wall in Ajax: the same-origin policy. While we marveled at the giant step forward enabled by cross-browser support for the XMLHttpRequest object, we quickly bemoaned the fact that there was no way to make a request to a different domain from JavaScript. Everyone set up proxies on their web sites, which was the onset of a new host of open redirect problems, as a way to get around the restriction. Although developers were working around this limitation using server-side proxies as well as other techniques, the community outcry was around allowing native cross-domain Ajax requests. A lot of people are unaware that almost all browsers (Internet Explorer 8+, Firefox 3.5+, Safari 4+, and Chrome) presently support cross-domain Ajax via a protocol called Cross-Origin Resource Sharing."
"Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their session in another context. This has significant advantages over logging in using a username/password: no need to type in credentials, no need to remember and renew password, no weak passwords etc."
"Let's say you want to use POP from your local machine to a remote machine, but don't have an SSL aware email client. What you can do is to have your machine talk to stunnel on the local machine, who then encrypts the packets and sends them to another stunnel running on the remote machine, which forwards them in clear text to the POP server on that machine."
"Perhaps you have wondered how predictable machines like computers can generate randomness. In reality, most random numbers used in computer programs are pseudo-random, which means they are generated in a predictable fashion using a mathematical formula. This is fine for many purposes, but it may not be random in the way you expect if you're used to dice rolls and lottery drawings."
"No amount of statistical evidence, however, will make any difference to those who give themselves over to almost completely irrational fears. Such people, and there are apparently a lot of them in America right now, are in fact real victims of terrorism. They also make possible the current ascendancy of the politics of cowardice: the cynical exploitation of fear for political gain. ... It's a remarkable fact that a nation founded, fought for, built by, and transformed through the extraordinary courage of figures such as George Washington, Susan B. Anthony and Martin Luther King Jr. now often seems reduced to a pitiful whimpering giant by a handful of mostly incompetent criminals, whose main weapons consist of scary-sounding Web sites and shoe- and underwear-concealed bombs that fail to detonate."
"So the next time you're using a hash function on anything, ask yourself: is any of the stuff I'm hashing supposed to stay secret? If so, don't hash. Instead, use HMAC."
"This now familiar ritual distracts us from the real lesson, which is that we are not helpless. And since regular people will always be first on the scene of terrorist attacks, we should perhaps prioritize the public's antiterrorism capability, above and beyond the fancy technology that will never be foolproof. By definition, terrorism succeeds by making us feel powerless. It is more often a psychological threat than an existential one."
"Do you know why Israelis are so calm? We have brutal terror attacks on our civilians and still, life in Israel is pretty good. The reason is that people trust their defence forces, their police, their response teams and the security agencies. They know they're doing a good job. You can't say the same thing about Americans and Canadians. They don't trust anybody," Sela said. "But they say, 'So far, so good'. Then if something happens, all hell breaks loose and you've spent eight hours in an airport. Which is ridiculous. Not justifiable."
"In plain English, what developers want to be able to do is be able to design assertions that can accept application models that implement the Resource or Role interface, and be able to apply some dynamic or custom logic to assess whether or not the given role has access to the given resource. ... For the purposes of this example, we'll take a simple concept: a user needs to be able to only edit their own blog post. The user in this case would be our application's model for users. The actual class will implement the Zend_Acl_Role_Interface. We will also have a BlogPost model which will serve as the resource in question, thus implementing the Zend_Acl_Resource_Interface."
Must be a slow day on the OS X malware front. This is really reaching... "What's interesting is that the author of this 'game' flat-out says what it does on his Web site. Reading through the author's description, it seems that he has created this game/threat as some sort of artistic project. The aliens are your files and there are consequences for 'killing' them."
"I abused the power and wasted the enormous trust capital gained by the NoScript add-on through the years to prevent Adblock Plus from blocking stuff on four internet domains of mine, without asking an explicit preemptive user consent." The rest of the blog entry is basically sorry-but-not-really.
"The Star-Telegram has a report on the tight security surrounding George W. and Laura Bush's move into their Dallas home. Police officers have been turning away vehicles trying to enter the Preston Hollow neighborhood, 'explaining that it is closed to the general public.'"