wrw

@wrw@infosec.exchange

I work on the ugly bits that nobody loves. These days in infosec, mostly appsec, occasionally (and previously) as a developer.

I'm a Victorian but that doesn't make me old fashioned. I do drink them.


dangoodin, to random

Canadian Prime Minister Justin Trudeau has identified an unlikely public enemy No. 1 in his new crackdown on car theft: the Flipper Zero, a $200 piece of open source hardware used to capture, analyze and interact with simple radio communications.

On Thursday, the Innovation, Science and Economic Development Canada agency said it will “pursue all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero, which would allow for the removal of those devices from the Canadian marketplace through collaboration with law enforcement agencies.” A social media post by François-Philippe Champagne, the minister of that agency, said that as part of the push “we are banning the importation, sale and use of consumer hacking devices, like flippers, used to commit these crimes.”

In remarks made the same day, Trudeau said the push will target similar tools that he said can be used to defeat anti-theft protections built into virtually all new cars.

“In reality, it has become too easy for criminals to obtain sophisticated electronic devices that make their jobs easier,” he said. “For example, to copy car keys. It is unacceptable that it is possible to buy tools that help car theft on major online shopping platforms.”

https://arstechnica.com/security/2024/02/canada-vows-to-ban-flipper-zero-device-in-crackdown-on-car-theft/

wrw,

@dangoodin

If you're Canadian, this is exactly the sort of thing you should email your MP to complain about. Hopefully if enough people do that we can get this nonsense stopped before useful security research tools become unavailable to Canadian security researchers.

wrw, to random

Apropos of nothing:

"Updates suck, we all acknowledge that. This is the least bad way of doing them with the team and tools we have. Sometimes we have to do annoying stuff when we're employed to do a job. In your case that's deciding between clicking on an 'update now' or 'later' button. Whereas my pain is real."

wrw, to Canada

The Canadian government is proposing banning software defined radios. I can only presume because they don't understand how anything works.

https://ici.radio-canada.ca/nouvelle/2047799/vols-vehicule-interdiction-gadgets-piratage

wrw,

@adamsdesk

I can only point at the fact that Pablo Rodriguez is mentioned in the article, and that every Internet thing he touches seems to be incredibly stupid. I don't know if he's the source of their bad technology legislation, or merely advised by people who are really bad at it, but I definitely find it suspicious that his name seems to come up whenever something dumb happens.

Em0nM4stodon, to privacy

I just would like to point out that none of the accounts I was forced to create for job applications so far had any options for multi-factor authentication or for deleting the account.

And all of the accounts I was forced to create for job applications so far required to enter very sensitive information that was completely unnecessary to require.

Don’t. Do. This.
Please. Stop.

wrw,

@Em0nM4stodon

My experience at a very large telecom was that HR routinely got away with IT, data, and software practices that were against security policy. And when called on things like safe storage of PII, were somehow immune to their clear policy violations.

I don't know if it's like that everywhere, but I suspect more often than we'd like to think.

wirepair, to random

YAML is the new XML.

wrw,

@wirepair

But what if there was a way to bring the misfeatures of XML to YAML?

https://yamlscript.org/

wrw,

@C8H10N4O2 @wirepair

On the one hand, I want to point this out to the author (an ex-coworker from way back) who's a really smart guy and makes cool technology things. On the other hand, I kinda want to keep quiet until there's some kind of mass adoption just for the continued job security of having an entirely new bug class become prevalent.

briankrebs, to random

There's a huge disconnect for me rn in the IT space. Companies love to talk about an increasing deficit of smart, talented and skillful people available to help defend the cybers. Welp, a lot of those people are somehow now seeking gainful employment bc they've been laid off. Which is just nuts to me given the sheer scale, resources and effort our adversaries are throwing at everything now.

p.s. AI isn't going to fix anyone's security problems. If anything, it's going to compound them by orders of magnitude (at least in terms of data governance).

wrw,

@jerry @briankrebs

Put enough people with the required skills out of work for long enough and I suspect we'll see the consequences in a rise in cybercrime.

History has plenty of examples of the consequences of laying off all your mercenary soldiers and leaving them to fend for themselves.

briankrebs, to random

Canadian Man Stuck in Triangle of E-Commerce Fraud

A Canadian man who says he's been falsely charged with orchestrating a complex e-commerce scam is seeking to clear his name. His case appears to involve "triangulation fraud," which occurs when a consumer purchases something online -- from a seller on Amazon or eBay, for example -- but the seller doesn't actually own the item for sale. Instead, the seller purchases the item from an online retailer using stolen payment card data. In this scam, the unwitting buyer pays the scammer and receives what they ordered, and very often the only party left to dispute the transaction is the owner of the stolen payment card.

https://krebsonsecurity.com/2024/01/canadian-man-stuck-in-triangle-of-e-commerce-fraud/

wrw,

@briankrebs

It's going unsaid in your story, but there's a fair bit of history of the RCMP treating first nations folks accused of crimes with an assumption of guilt that wouldn't be applied to other people. A few of the details about how he was arrested and how the investigation was done definitely make me lean towards thinking that's also a factor.

boris, to random

I don’t really know what I would recommend for an Evernote replacement.

I’d start with asking what people use it for. My impression of basic Evernote usage is that your operating system bundled notes app is probably fine?

I still feel we need to know more about common workflows in this category we call “notes”

https://mathstodon.xyz/@ddrake/111607808968890914

wrw,

@kboyd @boris @boris

Seconding Obsidian as a replacement. It just works without any enshittification.

mattblaze, to random

I often lament the relative lack of breaking news and emergency information here. An enthusiastic shoutout to @w7voa, who is single-handedly the exception that tests the rule here.

wrw,

@mattblaze @w7voa

On the Canadian side @justinling was similarly quick to post relatively nuanced coverage. I'm happily following both of them and glad to see Mastodon becoming useful for following stories like this.

Em0nM4stodon, to random

If you don’t offer a livable wage to your interns,

It means you are only offering internships to people privileged enough that they don’t need a livable wage to survive. This needs to be considered more by organizations.

wrw,

@Em0nM4stodon It seems like it's especially egregious in charities and "social good" organizations. Organizations that should know better what the consequences of unpaid internships will inevitably be for representation in the organization.

...and yet "We can't afford to pay a fair wage"

ZebKing, to news

There aren't many Canadian "reporters" on Mastodon, and it seems even fewer report international news. Those that come close to anything "investigative" or worthy of the title, 'journalist' seem to be an even smaller number.
Here's the challenge... Can you share the Mastodon handle of ANY Canadian journalist that we should all follow and celebrate?

wrw,

@ZebKing

Erin Kissane probably counts as a journalist by some metrics

https://mas.to/@kissane

I haven't seen anyone mention pressprogress yet

https://mastodon.online/@pressprogress

kurtseifried, to random

Having socialized healthcare was nice while it lasted.

https://www.cbc.ca/news/canada/edmonton/alberta-health-services-leaked-documents-1.7021667

Alberta is planning to dismantle its provincewide health provider and may sell off its publicly owned continuing-care facilities, say leaked cabinet briefing documents released by the Opposition NDP.

NDP Leader Rachel Notley says the proposal to break up Alberta Health Services would give complete political control over all health decisions to Premier Danielle Smith's cabinet.

She says it would also bring chaos to the system and open the door to more privately delivered care.

"[The United Conservative Party government] created this crisis, and now they want to blow up our health-care system completely," Notley told Smith and the UCP caucus during question period Tuesday.

"What is wrong with you people?"

Earlier Tuesday, Notley released to reporters photocopies of a computer slide deck outlining details of the government's promised revamp of the health system.

Notley said the documents were sent to the NDP anonymously.

A senior government source told CBC News the slide deck is authentic and about six weeks old.

"Is the premier actually committed to what's outlined in these leaked documents?" Notley asked Smith during question period.

"One hundred per cent committed," Smith replied.

——-

Goddamnit.

wrw,

@kurtseifried

Well now I know how BC is going to solve its healthcare worker shortage.

Bing_Chris, to random

Will the US ever truly compete with China on cyber and have the NSA create a song?
https://youtu.be/kbBKPqOh6DU?si=VAtW_WsTIF3EQARy

(^just discovered this amazing video from the launch of the Cyberspace Administration of China)

wrw,

@Bing_Chris

Don't worry, Canada's CSE have exactly the song you're looking for

https://youtu.be/8cOBw32jmgU?si=IcvNwU-4TUSFR4eT

kurtseifried, to random

So myself and @joshbressers were recently told about "We Feel Like We're Winging It: A Study on Navigating Open-Source Dependency Abandonment." (https://courtney-e-miller.github.io/static/media/WeFeelLikeWereWingingIt.dc3c76d3b3c2d12f4fee.pdf) for which I have several comments:

  1. You should read it
  2. "We feel like" is probably not needed in the title, we are in fact winging it. Most people have never even thought about this topic, let alone come up with a plan for it
  3. If you'd like to contribute an interview so they have another data point please contact cemiller@andrew.cmu.edu

TL;DR: It's 11pm, do you know where your Open Source dependency chain developers are? If you do that's almost certainly a GDPR violation.

wrw,

@kurtseifried @pvn @joshbressers

I think CPAN, FreeBSD ports, and RPM all appeared within a few years of each other, and probably count as the first attempts to manage open source dependencies. They are also where the first problems with competing dependency management showed up for a lot of people. I remember all the issues dealing with system packaged versions of perl modules and dependencies that were inevitably broken vs the ones that CPAN would assemble (and test) correctly for you. Nothing has really changed about that since the mid 90s (and I'm sure someone older than me will explain why the problem existed before that as well), because the problem of convincing everyone to use the same dependency management solution is a human problem rather than a technology one. Programmers love bike shedding, and dependency management (and build systems in general) is the ultimate bike shed.

Same as it ever was

ryanc, to random

There are security engineers who work in online advertising who do not use ad blockers and this confuses me.

wrw,

@ryanc @uint8_t @gsuberland

I remember having to write the backend for that, and figuring out how to deal with SSL detection on the crossdomain.xml request it made because it would use the same port.

wrw,

@ryanc @uint8_t @gsuberland

Ugh, cursed definitely sounds like the right word.

kurtseifried, to random

I feel like future warfare is really gonna suck if you don’t have a good solid, industrial base for remote control toys. Also, you might want to be investing in autonomous toys.

wrw,

@kurtseifried

...and flight sims

thetyee, (edited) to random

It’s a strange experience to be working at an independent journalism outlet in Canada right now.

This month was a perfect example.

A word from The Tyee’s publisher, Jeanette Ageson. 🧵

https://mailchi.mp/b59eeaa2ae85/independent-media-is-making-strides-but-its-future-is-under-threat-9073450

wrw,

@jfmezei @thetyee

I'll second that, as someone involved in local journalism. The issue is that our government is making stupid laws to suit the old Canadian media oligopoly.

Even if Meta and Google had rolled over and paid the danegeld the minister for Postmedia demanded, that would have still doomed all of us smaller players to competing with an oligopoly funded forever despite their retreat from actual news reporting. At least now hopefully they will die and organizations that actually care about delivering local journalism can figure out new business models and distribution channels for the future.

dangoodin, to random

Ugh. Google has patched yet another 0day in yet another media-encoding library that's nearly ubiquitous. Libvpx is in a ton of Linux projects (citation: https://pastebin.com/TdkC4pDv). Wikipedia says it's used by YouTube, Netflix, Amazon, JW Player, Brightcove, and Telestream. It also appears to be used in iOS.

If anyone has reasons to think this vulnerability is limited to Chrome, please let me know. Preliminarily, though, I'm inclined to think this is yet another vuln under active exploit that's going to make a ton of software vulnerable to RCE exploits.

The 0day is tracked as CVE-2023-5217.

https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html

wrw,

@dangoodin

Doesn't seem limited to Chrome given Mozilla's latest security release

https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/

malwaretech, to random

Does anyone ever wonder how rich they'd be if every time they foiled a ransomware attack companies who would have paid the ransom instead gave you some of the ransom amount. I think I'd actually be a billionaire lol

wrw,

@malwaretech That's pretty much the business model for anti-ad-fraud companies.

"Pay us not to pay them"

CarlG, to random

@mmasnick at Techdirt gets it right by exposing the hypocrisy of media companies complaining about links to their articles, then complaining when those links are taken down.

Canadian media demanded a law to require social media to pay if they linked to news articles. Social media responded by removing links, now they are complaining about that!

Their position: "Meta and Google linking to news is anticompetitive. But also not linking to news is anticompetitive."

https://www.techdirt.com/2023/08/22/canadian-media-orgs-said-that-meta-linking-to-news-was-anticompetitive-now-they-say-not-linking-to-news-is-anticompetitive/

wrw,

@CarlG @mmasnick

The best part is how badly this has gone for the Canadian media oligopoly. They (Postmedia, Torstar, Bell, etc) all had deals with Google and Meta that already paid them, based on the hopeful belief that something similar to the Australian outcome would happen via the legal recognition of existing deals. But they got greedy and tried to forcibly take more via their friends in government writing legislation to take that loophole out.

So that recognition of existing deals didn't happen, and now Google and Meta have stopped those existing deals. The Canadian government is saying that it might take until 2025 to sort out how payments will work, Meta and Google are either blocking links or threatening to block links to news sources, and in the meantime the media oligopoly gets nothing. Plus Meta appears to be getting out of the news distribution business entirely, so there will likely never be any money from them again.

There's probably some sort of moral here, but who cares. Screw these greedy assholes.

thetyee, to random

“I find it astonishing that we are at this stage of the crisis and the owners of Facebook and Instagram have not said, look, we’re trying to make a point with the federal government, but it’s more important that people are safe,” said Premier Eby.

https://thetyee.ca/News/2023/08/23/Facebook-News-Ban-Risking-Lives-In-Wildfires/?utm_source=mastodon&utm_medium=social&utm_campaign=editorial

wrw,

@thetyee

This is a problem entirely caused by the federal government. It's within their power to change the law, or revoke it entirely. They're choosing not to.

In the meantime Meta is going to run their site in compliance with the law. Our politicians asking them to do otherwise is effectively asking them to break the law and pay the penalties associated with doing so.

lcamtuf, to random

And this is what happens to a broadhead that hits a ballistic vest.

The blades used to be straight, now in a corkscrew pattern. Dunno why.

wrw,

@lcamtuf

Some broadheads are designed to spiral as they cut to increase the size of the wound, and of course the arrow itself is spinning. I've seen something similar happen to a broadhead shot into a mat.
