WPalant

@WPalant@infosec.exchange

Wladimir Palant, software developer and security researcher, browser extensions expert. / searchable

#infosec #cybersecurity #cryptography #privacy


Anniiii, to random

What are the odds of getting away with taking a no longer maintained licensed project, modernizing the parts that need modernization, adding features and allowing people to use it for free (since it's just client-side, so all it means for me is a few requests to static files), without being willing to hand out the changes? Or am I better off just not allowing others to use it, so no one can demand the code legally?

WPalant,

@Anniiii If you merely wonder whether you’ll get away with it: yes, quite certainly. Legal conflicts around GPL-style licenses are rare, and there are much bigger fish getting away with their violations.

WPalant,

@Anniiii I’d certainly credit the original project.

Question is also whether it can really be determined from the outside that you’ve modified the code as opposed to extending it with plugins for example.

Anniiii, to random

Stupid question: assuming I enable http basic auth for a website, will fetch on that page send the respective auth headers if I fetch from the same origin? If not: is there a way I can make it do that?

WPalant,

@Anniiii Yes, and it is the default for same-origin requests. See https://developer.mozilla.org/en-US/docs/Web/API/fetch#credentials
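The rule behind that answer, as an added example that is not code from the thread: `fetch()` takes a `credentials` option with three modes, and `"same-origin"` is the default, so a page served from behind HTTP Basic auth gets the browser's stored `Authorization` header attached to same-origin requests without doing anything. The helper below models which mode sends credentials for which URL pair, and adds the explicit route (building and parsing the `Basic` header yourself) for cases where the browser has nothing stored. All function names and the sample URLs are my own; the browser calls at the bottom are illustrative and not executed.

```javascript
// Added example, not code from the thread. The Fetch `credentials` modes:
//   "omit"        never attach cookies / stored HTTP auth
//   "same-origin" attach only when the request origin equals the page origin (default)
//   "include"     attach even cross-origin; the server must then answer with
//                 Access-Control-Allow-Credentials: true and a non-wildcard origin

// Origin = scheme + host + port, compared the way the browser does (URL.origin).
function sameOrigin(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl, pageUrl); // relative URLs resolve against the page
  return page.origin === req.origin;
}

// True when the browser will attach stored credentials to this request.
function willSendCredentials(pageUrl, requestUrl, mode = "same-origin") {
  switch (mode) {
    case "omit":
      return false;
    case "include":
      return true;
    case "same-origin":
      return sameOrigin(pageUrl, requestUrl);
    default:
      throw new TypeError(`unknown credentials mode: ${mode}`);
  }
}

// Explicit alternative: build the Basic header yourself (hypothetical helper).
// btoa() only accepts Latin-1, so encode to UTF-8 bytes first; otherwise a
// password with non-ASCII characters throws or is mangled.
function basicAuthHeader(user, password) {
  if (user.includes(":")) throw new Error("user name must not contain ':'");
  const bytes = new TextEncoder().encode(`${user}:${password}`);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return "Basic " + btoa(binary);
}

// Server-side counterpart: parse the header. Split on the FIRST colon only, so
// passwords that themselves contain ':' are not truncated.
function parseBasicAuth(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(header || "");
  if (!m) return null;
  const bytes = Uint8Array.from(atob(m[1]), (c) => c.charCodeAt(0));
  const decoded = new TextDecoder().decode(bytes);
  const i = decoded.indexOf(":");
  if (i < 0) return null;
  return { user: decoded.slice(0, i), password: decoded.slice(i + 1) };
}

// Browser usage (illustrative, not executed here). On a page served from the
// Basic-auth protected origin, the first two calls send the stored header:
//   fetch("/api/data");                                   // default: same-origin
//   fetch("/api/data", { credentials: "same-origin" });   // same thing, explicit
//   fetch("https://other.example/api", { credentials: "include" }); // needs CORS opt-in
//   fetch("/api/data", { headers: { Authorization: basicAuthHeader("alice", "s3cret") } });
```

The last browser call is the fallback when the page itself is not behind the auth realm: the header is then sent explicitly, which also means the credentials live in page JavaScript rather than in the browser's credential store.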

Anniiii, to random

Kind of tempted to maybe split my account into one for just the tech stuff and one for the more personal/slice of life (and also the other follow-only stuff I post). Probably would make it easier for people to follow the part they care about, but also I'm kind of worried the tech account wouldn't get a lot of posts, at least currently, and the non-tech one would get pretty much no one actually caring enough to follow it, so eh.

WPalant,

@Anniiii toot.lgbt and strangeobject.space come to mind.

WPalant,

@Anniiii Never mind, strangeobject.space isn’t currently allowing registrations.

ergative, to random
@ergative@wandering.shop

TFW you encounter a super-simple algorithm for converging on a Sierpinski gasket through randomly sampling from one of three perturbations of a random starting point on the plane, and realize you can spend 10 minutes in R and simulate it yourself:

WPalant,

@ergative Nice! Spent 10 minutes to create a JavaScript version of it that can run in the browser: https://palant.info/temp/sierpinski.html

I didn’t bother making the constants configurable, so this page is hardcoded to run a million iterations with square dots (0.0001 side size).

You can view the source code of this page, it’s merely 50 lines of HTML, CSS and JavaScript all combined.
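The algorithm both posts refer to is the "chaos game": start anywhere, repeatedly pick one of the three triangle corners at random and move halfway towards it, and the visited points converge onto the Sierpinski gasket. Below is an added JavaScript version of it that is not the code behind the linked page; it uses a small seeded PRNG (mulberry32) so runs are reproducible, returns the point list instead of drawing straight to a canvas, and includes a barycentric check showing why the method works: after a single halving step every point lies in one of the three corner sub-triangles, never in the central hole. Function names, the start point and the dot size are my own choices.

```javascript
// Added example, not the code from palant.info/temp/sierpinski.html.

// Seeded PRNG (mulberry32) so the point sequence is reproducible in tests;
// Math.random() would do for a browser demo.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Equilateral triangle with unit side, fitting in the unit square.
const CORNERS = [
  { x: 0, y: 0 },
  { x: 1, y: 0 },
  { x: 0.5, y: Math.sqrt(3) / 2 },
];

// Run `iterations` steps from `start`; returns every point including the start.
function chaosGame(iterations, start = { x: 0.5, y: 0.25 }, seed = 1) {
  const rand = mulberry32(seed);
  const points = [start];
  let p = start;
  for (let i = 0; i < iterations; i++) {
    const c = CORNERS[Math.floor(rand() * 3)]; // one of the three "perturbations"
    p = { x: (p.x + c.x) / 2, y: (p.y + c.y) / 2 }; // move halfway to that corner
    points.push(p);
  }
  return points;
}

// Barycentric coordinates (a, b, c) of p w.r.t. CORNERS; they sum to 1.
// Inside the triangle iff all are >= 0; inside the central removed triangle
// iff all three are < 1/2.
function barycentric(p) {
  const [A, B, C] = CORNERS;
  const det = (B.y - C.y) * (A.x - C.x) + (C.x - B.x) * (A.y - C.y);
  const a = ((B.y - C.y) * (p.x - C.x) + (C.x - B.x) * (p.y - C.y)) / det;
  const b = ((C.y - A.y) * (p.x - C.x) + (A.x - C.x) * (p.y - C.y)) / det;
  return [a, b, 1 - a - b];
}

// True when p is inside the triangle but outside the central hole, i.e. in one
// of the three level-1 sub-triangles the gasket is built from.
function onGasketLevel1(p, eps = 1e-9) {
  const bc = barycentric(p);
  return bc.every((v) => v >= -eps) && Math.max(...bc) >= 0.5 - eps;
}

// Render as an SVG string with square dots of side `dot` (fraction of the
// image size), mirroring the hardcoded square dots on the linked page.
function toSvg(points, dot = 0.002, size = 600) {
  const side = (dot * size).toFixed(2);
  const rects = points.map((p) => {
    const x = (p.x * size).toFixed(2);
    const y = ((1 - p.y) * size).toFixed(2); // SVG y grows downwards
    return `<rect x="${x}" y="${y}" width="${side}" height="${side}"/>`;
  });
  return `<svg xmlns="http://www.w3.org/2000/svg" width="${size}" height="${size}">${rects.join("")}</svg>`;
}

// Usage: document.body.innerHTML = toSvg(chaosGame(100000)); in a browser.
```

The default start point (0.5, 0.25) sits inside the central hole on purpose: it is not on the gasket, but every point from the first step onwards is, which is why the usual advice to discard the first few iterations matters little here.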

molly0xfff, to random
@molly0xfff@hachyderm.io

fuck i love blogs. if i had nothing but time i would just read blogs all day.

WPalant,

@molly0xfff I’m mostly writing about security topics. Sometimes it’s multiple blog posts in a week, then again one in a few months. https://palant.info/

WPalant,

@joel WebMention and ActivityPub aren’t exactly the same thing.

I added WebMention support to my blog three years ago. My experience matches the one in this post in some points but not others. I receive exactly zero spam for some reason and no mentions from Bridgy either. But I have to agree: there are only a few mentions, and it’s usually from sites like lobste.rs, so I barely publish any of those (I pre-moderate comments on my blog). All in all, the only reason it’s still running is that the maintenance effort is virtually non-existent.

@qkslvrwolf @molly0xfff

WPalant, to random

And we once again see the usual dynamics unfold. Organizations tend to elect women to lead them in times of crisis. When these women leave, the organizations are generally in better shape. Yet the public will still blame all issues on them, including those which started well before they took over, all while completely ignoring the accomplishments. This is in stark contrast to the way male leaders are treated, who generally get credit even for advancements that weren’t under their control, such as general societal developments or long-term effects of their predecessors’ actions.

gcluley, to Cybersecurity
@gcluley@mastodon.green

Round 3 in the toothbrush DDoS debacle!

We thought it was all over... but the Swiss newspaper has come out fighting, blaming Fortinet for spreading untruths about a toothbrush botnet.

Will Fortinet return for Round 4, or is that a knockout punch?

https://grahamcluley.com/round-3-in-the-toothbrush-ddos-debacle/

WPalant,

@gcluley What the…

Ok, I’m leaning back and watching the show. 🍿

gcluley, to Cybersecurity
@gcluley@mastodon.green
WPalant, (edited )

@gcluley Quite frankly, I don’t really believe in a translation error. Why was a journalist from the economics desk even interviewing Fortinet in the first place? This isn’t a news article, it’s a paywalled article not motivated by a current event. It certainly looks like producing a threat scenario for the Swiss economy was the whole point of the article, and Fortinet was brought in to provide one. And it certainly seems that Fortinet was asked to create an exotic scenario, not your usual “hacked routers” kind but something people could better relate to. Given this setup, the addition “this scenario really happened” looks like an intentional misrepresentation of facts.

The description is awfully specific for a hypothetical scenario as well. Toothbrushes running Java? I think that was Sun’s marketing message roughly twenty years ago. Where did they dig it up?

I think Fortinet has some more explaining to do concerning their role in this deception.

WPalant,

@forceofhabit @gcluley I’m pretty certain that experiments with embedded Java are a thing of the past. One would expect some kind of Linux these days. If anything, there could be an Android device which strictly speaking also runs Java. But it would need more resources, so only plausible for the charging station, not the toothbrush itself.

gcluley, to Cybersecurity
@gcluley@mastodon.green

The toothbrush DDoS attack: How misinformation spreads in the cybersecurity world.

Tooth factor authentication couldn’t stop journalists from reporting this nonsense.

https://grahamcluley.com/the-toothbrush-ddos-attack-how-misinformation-spreads-in-the-cybersecurity-world/

WPalant,

@gcluley Just a note: there is a statement from Fortinet in https://www.bleepingcomputer.com/news/security/no-3-million-electric-toothbrushes-were-not-used-in-a-ddos-attack/. Yes, the whole thing is made up.

I see how a non-technical news outlet would mess up a story, mistaking a hypothetical scenario for a fact. But you are absolutely correct: it’s ridiculous that it took Fortinet so long to correct it. Don’t know about the stock price but it certainly doesn’t help their credibility.

evacide, to random
@evacide@hachyderm.io

"How to tell if your toothbrush is being used in a DDoS attack" is a sentence that plunges me into the deepest, darkest infosec despair.

https://www.malwarebytes.com/blog/awareness/2024/02/how-to-tell-if-your-toothbrush-is-being-used-in-a-ddos-attack

WPalant,
WPalant, (edited ) to random

Good article taking apart that “three million toothbrushes” story and concluding that it’s pretty certain to be merely a hypothetical scenario rather than something that actually happened. Much of the reasoning matches what I thought as well.

Edit: There is now a confirmation from Fortinet about this being a hypothetical scenario.

https://www.bleepingcomputer.com/news/security/no-3-million-electric-toothbrushes-were-not-used-in-a-ddos-attack/

Yes, it would have been hilarious. And we are still heading towards a world where millions of vulnerable toasters can do serious damage. But we just aren’t there yet.

GossiTheDog, (edited ) to random
@GossiTheDog@cyberplace.social

The three million toothbrush botnet story isn’t true.

Here’s the original source of the story: https://archive.is/2024.01.30-203406/https://www.luzernerzeitung.ch/wirtschaft/kriminalitaet-die-zahnbuersten-greifen-an-das-sind-die-aktuellen-cybergefahren-und-so-koennen-sie-sich-schuetzen-ld.2569480

It’s simply a made up example. It doesn’t exist. It starts talking about NoName Ddosia, too, which also isn’t toothbrushes.

WPalant,

@mttaggart It’s exactly one line that’s invisible there. You can see it by switching to reader view. It’s the sentence about the damage going into millions, nothing else.

@GossiTheDog @barubary

paul, to random
@paul@tapbots.social

What a weird story, something just doesn't add up. The only toothbrush I found that has any sort of WiFi technology is a $400 Oral-B model. So 3M people bought this thing and actually connected it to WiFi? Just doesn't sound plausible.
https://www.tomshardware.com/networking/three-million-malware-infected-smart-toothbrushes-used-in-swiss-ddos-attacks-botnet-causes-millions-of-euros-in-damages

WPalant,

@paul Even assuming that these three million toothbrushes exist, they usually aren’t connected to the internet directly. Getting them infected with malware would be quite a feat. The most likely scenario would be the vendor infrastructure being compromised first. In which case there should definitely be more details on the attack, not just some vague note that it happened at some point in time and space.

Oh, and Java-powered toothbrushes? Isn’t that like two decades late?

WPalant, to random

So many tech dudes commenting on https://infosec.exchange/@GossiTheDog@cyberplace.social/111880028533855800 with essentially “boys will be boys.” Each of them part of the problem that we have as a society and as an industry.

Being an old white man myself, let me tell you: no, men aren’t “inherently” likely to engage in behaviors that endanger others. We as a society encourage them to do it, by not holding them responsible. By inventing genetic or evolutionary “reasons” for their behavior. By expecting girls to care about others but excusing boys when they don’t. And so on, the list is long.

Just look at the dude with an ego so fragile, he spent $44 billion to build an echo chamber where nobody could contradict him. Now that everyone knows exactly what he stands for, did his millions of fans turn away from him? Did his enterprises go bankrupt because nobody wanted to do business with him any more? Did the media stop catching his every word like he is the next messiah? Nope, his whole life is one single upward failure.

Hold the assholes responsible. Don’t find excuses for their behavior.

Oh, and try not to be one of them yourself. It’s easy: surround yourself with people not afraid to tell you when you are wrong. And listen to them.

Anniiii, to random

Protip: If you care how I think about you, don't talk positively about btrfs in front of me. I'm allergic to advocates of poundland zfs, so I will like you a lot less afterwards (or just straight up block you depending on mood). If you want zfs just use zfs, not some crappy linux-only "alternative".

WPalant,

@Anniiii Well, maybe not that bad. But you have some extremely strong opinions about choices of software.

WPalant,

@Anniiii You forgot being maintained by Mozilla. 😜

Yeah, not that many. Not that many at all.

(Written by a happy user of eza and ripgrep. Not to mention Fedora and Firefox. And mount shows the root filesystem being formatted with btrfs which I honestly don’t care about as long as it works reliably.)

WPalant,

@Anniiii That’s quite a relief. Then I only have to worry about you yelling at me for aliasing grep to rg. 🤪

WPalant,

@Anniiii I remember those. Didn’t they have Netscape 4 on those? It can run … gasp … JavaScript! 😱

WPalant, (edited )

@Anniiii You could also just take my word for it. It has been a while, but I definitely did run Netscape 4 on IRIX back in the day.

WPalant, to random

I guess I should be happy that the company provides a vulnerability disclosure program. But requiring that one logs in via a particular social network… Ugh.

WPalant,

Of course they never contacted me to confirm that the reports could be reproduced, regardless of what they promised. Given that we are talking about several severe vulnerabilities affecting millions of users, however, I decided to send them a reminder that they have less than a month to go before publication. Unfortunately, experience tells me that without a reminder like that, organizations tend to “forget.”

WPalant,

@Anniiii Oh, but they do! I merely cannot get past the login requirements. 😁

Well, they do have monetary rewards, but it doesn’t look like they make researchers sign any rules prohibiting them from publishing. So at least that much.
