Profile cover photo
Profile photo
Todd Knarr (Jrral)
If it were easy, they wouldn't need to pay me to do it.
If it were easy, they wouldn't need to pay me to do it.
Todd's posts

Post has shared content
I think one of the big things here is that people panic just because someone on the phone claims to be with the government. If they really are with the government and it's something that must be handled right this instant, it'll be Federal agents at your door and not a bureaucrat on the telephone. Thank them, hang up and if you're still unsure look up the agency's number and call them to check on any problems.

Post has shared content
There's two things that need done to stop this:

1. Enforce compliance with RFCs 3704 and 2827 at the ISP level and up.

2. Design routers to provide separate wired and WiFi networks specifically for IoT devices, networks without Internet connectivity.

Unfortunately those things require action by parties who aren't impacted by the problem, so they're unlikely to happen.

Oh, addendum specific to this attack:

3. Block access to the DNS port outbound from the WAN side except for access by the router. Machines on the local network should be using local DNS.
The giant mess that is the so called "Internet of Things" is officially out of control - and it's getting worse every day, as more woefully insecure, junk devices pour online and almost no one cares.

The internet is now truly a part of the fabric of our society - not just Spotify and Facebook but real infrastructure and core services. Yet it can be taken down by disgruntled teenagers harnessing the power of idiots and their unnecessarily wifi connected crap.

Yet hardly anyone seems to care!.

Something to investigate: using the hardware cryptographic storage on Android to handle certificate-authority key generation and signing. Also the possibility of using micro-PC hardware to provide a cheap consumer- and small-business-grade hardware cryptographic key store and signing module.

Post has attachment
Version 1.1 can now display QR codes for scanning into other authenticator apps.

Post has shared content

Post has attachment
PyAuth v1.0.0 first production release. Everything appears to work reliably and the database encryption's active. The ability to generate and read provisioning URIs and QR code images is planned.

Here's an interesting question: how do you validate that the two parties to a messaging session are talking to who they think they are when they haven't had any prior contact and you don't want to store any information about which user controls any particular endpoint device anywhere except on that device (or another device that same user controls)? The goal is to both prevent MITM attacks on the connection initiation sequence and to prevent meaningful traffic analysis.

The only solution I can think of involves a relatively-secure (any party monitoring it doesn't share information with any party monitoring the messaging session) out-of-band communications channel (eg. email, SMS) which provides sufficient authentication of the parties' identities and over which they can agree on authentication nonces for the messaging session initiation sequence.

Post has attachment
I think what Google's doing is recognizing a financial truth: just as there's a minimum you need to live on, there's a maximum you need to live on. There's a point where your income's sufficient to get everything you need and everything you really want without worrying about whether you can afford it this month. Everything above that doesn't really change your standard of living, it just gives you raw material to make more money you don't have anything useful to spend on. Google's reached that point and, rather than continuing to hoard ever larger piles of cash, it's taking aim at what it sees as problems in the economy and blowing large holes in them. It has to be satisfying on a visceral level to see a business sector where the incumbents are ripping off consumers and, rather than just gripe about it, pick up the phone and order the economic equivalent of an arclight strike on those incumbents. And when doing that also expands the opportunities for your very profitable advertising business in the process? Nobody could pass that up.

Post has attachment
I can attest that this story likely isn't false or exaggerated. I've seen exactly this happen far too often. It always seems to stem from upper management a) not having the background to understand technology themselves and b) insisting on trusting others like themselves (lacking in technical background) over the technical people who were hired because they understood the technology. I've never understood the second one. I can understand why a business executive wouldn't have a technical background, but why in the world would they insist that people with no business background trust them with business decisions because they do have the background and simultaneously refuse to extend the same courtesy to people in other fields.

Post has attachment
Version 1.4, added support for updating DKIM records via the CloudFlare and AWS Route 53 DNS APIs. Includes a script for listing out CloudFlare zone IDs.
Wait while more posts are being loaded