Security


A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.

Rules:

  1. All instance-wide rules apply.
  2. Keep it totally legal.
  3. Remember the human, be civil.
  4. Be helpful, don't be rude.


founded 2 years ago
1
 
 

Researchers still don’t know the cause of a recently discovered malware infection affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries.

2
 
 

Contrary to what is stated on the polyfill.io website, Cloudflare has never recommended the polyfill.io service or authorized their use of Cloudflare’s name on their website. We have asked them to remove the false statement, and they have, so far, ignored our requests. This is yet another warning sign that they cannot be trusted.

3
 
 

Describes considerations of convenience and security of auto-confirmation while entering a numeric PIN - which leads to information disclosure considerations.

An attacker can use this behavior to discover the length of the PIN: Try to sign in once with some initial guess like “all ones” and see how many ones can be entered before the system starts validating the PIN.

Is this a problem?

16
 
 

This was a fascinating and informative read. I hope the author makes progress on "creating an open-source project to de-cloud and debug smart home products"; I would love to contribute to something like that!

20
 
 

cross-posted from: https://infosec.pub/post/5707149

I talk about a report I've made to MSRC in the beginning of the year regarding vscode.

It's a bit different. There's no in-depth technical stuff, because I basically just reported the feature, not a bug.

21
 
 

Hi,

How can we (under Windows...) encrypt a file (or stdout) asymmetrically? (Best would be with ECC.)

I see I'm not alone with this question: https://security.stackexchange.com/questions/86721/can-i-specify-a-public-key-file-instead-of-recipient-when-encrypting-with-gpg

Apparently with GnuPG (bin for Windows) it doesn't work the best; you first have to import the public key...

Any ideas, or alternatives?

Thanks.

22
 
 

Hi,

If you don't know how the chain of trust works for httpS, you might want to watch this video: https://invidious.privacydev.net/watch?v=qXLD2UHq2vk (if you know a better one, I'm all ears).

So from my point of view, this system has some huge concerns!

  1. You need to rely on a preinstalled certificate store in your system or browser... Yeah, but do you know those people??!! It might seem weird, but actually you should TRUST people that YOU TRUST/KNOW!!

Here is an extract from the certificate store of Firefox on Windows.

I do not know (personally) any of those COMMERCIAL companies!

  2. Of course we could use self-signed certificates, but this does not protect against man-in-the-middle attacks. Instead of using a chain (so a few third parties involved, so increasing the attack surface!), why not use something simpler? For example:
  • a DNS record that holds the HASH of the public key of the website's certificate!
  • a decentralized or federated system where the browser could check those hashes?

Really, I don't understand why we are still using a chain of trust that is

  1. not trusted
  2. increasing the attack surface
  3. super complex compared to my proposals?

Cheers,

Why I don't use the term SSL: because httpS actually uses TLS now, not SSL anymore. https://en.wikipedia.org/wiki/Transport_Layer_Security

24
 
 

“EtherHiding” presents a novel twist on serving malicious code by utilizing Binance’s Smart Chain contracts to host parts of a malicious code chain in what is the next level of Bullet-Proof Hosting.
