Kyle Moffett
152 followers
Just Another Linux Hacker (and C, Python, Perl, Shell, ASM, ...)
Kyle's posts

Hey +Glenn Fleishman, why are you writing articles suggesting that people disable the auto-updater used by Chrome?

I know it had a bug that caused spurious pop-ups if the user had Google Earth installed (which was quickly fixed), but your suggestion is incredibly irresponsible given today's security environment; it leaves users who follow your instructions exposed to a variety of known attacks for years afterwards (typically until they next replace their computer).

The large amount of attack "surface area" in a modern browser, even one with as many countermeasures and as much defense-in-depth as Chrome has, virtually guarantees that there are still bugs lurking, and users need to receive patches as quickly as possible once the bugs become publicly known.

Please fix your article to recommend against disabling the auto-updater used by Chrome.

We just had a terrible experience with +American Airlines; my wife is on crutches and the flight attendants crowded her, kicked her crutch, and then yelled at us when we were trying to get our bags stowed and they didn't like the way we stowed the crutches (which we need during flight). Rather than offering a heartfelt apology, they just got defensive and accusatory about how they just worked for the airline, they couldn't fix anything or whatever.

American, you had a great chance to have a wow moment; the staff could have asked if we needed help, given my wife lots of room (that is the point of pre-boarding, right?) and helped us get the crutches stowed in a safe manner. For extra stars you could have even tried to get us moved forward a few rows so my wife didn't have to crutch all the way to the back of the plane. Instead, your attendants repeatedly stressed out my wife to the point of tears, never even once offered to help, and then refused to get out of our faces when we told them we just wanted to be left alone.

We're not happy passengers :(

We visited a small village primary school while in Fiji for our honeymoon; despite having nothing more than rainwater cisterns for drinking water, they had more advanced education about vaccines than at least a dozen posh private schools in California.

Does it count as a "first world problem" if the second and third worlds are doing it better?

:-(

Papa John's customer support, after I complained about the fact that their website is really broken on Chrome:

"If you are using a Mac computer please use Mozilla/Firefox browser. The Safari browser does not display our website properly, nor does Google Chrome."

What is this, 1999?

For some reason, Congress thinks that adding an irreversible remotely-activated killswitch to every cellphone in the US is a good idea:
  https://www.popvox.com/bills/us/113/s2032

While the idea of solving cellphone theft is a good one, the suggested implementation would be an absolute disaster.

Like many of you, I'm concerned about what might happen should a hostile foreign government, organized criminals, or terrorists compromise the security of this proposed system and disable every cellphone at once.

Instead, I think Congress should create a national database of stolen phones and require mobile operators to deactivate such phones and report all attempts to reactivate them to the police. That would almost completely eliminate the black-market resale value of stolen phones without the huge risk of the killswitch.

I'd encourage you to click through to PopVox and let your congresscritters know what you think!

Ugh... why are the credit-card companies planning to roll out "EMV credit card" technology in the US when it doesn't even actually fix credit-card fraud? Oh, right, because this way they can pin the retailers with the liability for the fraudulent charges instead of being stuck with it themselves. Worse, under the new EMV system if your card is stolen and used by a thief who swipes your PIN, the charges are assumed valid by default.

http://blogs.wsj.com/corporate-intelligence/2014/02/06/october-2015-the-end-of-the-swipe-and-sign-credit-card/

The PayPal CEO had his nice shiny EMV-enabled credit card stolen and used for a massive shopping spree.

http://www.usatoday.com/story/tech/2014/02/10/paypal-ceo-credit-card-hacked/5367979/

Really, this is dumb... We've had the technology to basically end all in-person credit-card fraud for years now. If you spent ~$100 billion today to swap all the credit cards for smartcards (~$3 each) and all the readers for smartcard readers (~$10 each), you could:
  (1) Guarantee that the card was physically present at any retailer where it was used.
  (2) Include a periodically-updated digital certificate issued by the credit-card company directly on the card, allowing completely-offline purchases by cardholders in good standing.
  (3) Enable next-generation encrypted NFC payments with the same device (extra ~$10 per card).

Real smartcards (as opposed to this insecure EMV crap) are basically impossible to copy or forge unless you have $1M+ to throw at the problem.  Given that this would basically end a ~$190-billion per year fraud problem, it seems like a no-brainer.

If they wanted to do away with the cardreaders entirely and undercut Square, they could even make a mobile payment app that uses NFC to communicate with the card and authorize transactions.

Eventually, when the smartcard readers and NFC devices become ubiquitous enough, you could even fix the online payment fraud situation.

Somehow, I don't see the lethargic last-decade's-technology credit-card industry actually figuring this out any time soon.

United Airlines customer "service" is completely worthless. They have official company policies (cited to us on the phone by "Monica" from Houston) which prevent customer service agents from offering any kind of compensation over the phone to their Premier customers, even if they have cancelled your flight due to maintenance and rebooked you 3 days later.

After waiting for over an hour in the Premier service line at the airport, the people there told us they couldn't compensate us, and that we needed to call customer service. When we called Premier Customer Service we were told we should have been offered compensation by the person at the airport, and that they were not allowed to offer us anything or even transfer us to the compensation department.

We were scheduled to fly into Columbus, Ohio on Saturday evening, but we were rebooked for Tuesday at 6PM; understandably we decided to rent a car and drive from where we were stranded in Chicago. They offered us hotels, but none of the options allowed pets despite the fact that we paid them $250 round-trip to replace our carry-on with a 6lb cat.

Apparently, even if you are a Premier member the only compensation you can get is by filling out the anonymous form on their website; there's nobody you can get on the phone.

The only time I've ever had a worse airline experience was when I was stranded all night in an open-air airport in Costa Rica.

"Integrity First
Service Before Self
Excellence in All We Do"

These are the core values of the US Air Force, in which my family has proudly served for generations. My grandfathers, my father, my uncle, my cousins, and now my sister.

Yet now we find out that the Office of Special Investigations (OSI) has been violating every one of those values in the course of their investigations, recruiting cadets to break academy rules and snitch on their friends and then hanging them out to dry when they are caught doing the very things they were ordered to do:
  http://www3.gazette.com/projects/project/usafa-informant-program/

If this is how the next generation of Air Force officers is being trained, then I am dismayed and profoundly worried for the future of the Air Force and the US armed forces as a whole.

Post has shared content
'nuff said...
The packet capture shown in these new NSA slides shows internal database replication traffic for the anti-hacking system I worked on for over two years. Specifically, it shows a database recording a user login as part of this system:

http://googleblog.blogspot.ch/2013/02/an-update-on-our-war-against-account.html

Recently +Brandon Downey, a colleague of mine on the Google security team, said (after the usual disclaimers about being personal opinions and not speaking for the firm which I repeat here) - "fuck these guys":

https://plus.google.com/108799184931623330498/posts/SfYy8xbDWGG

I now join him in issuing a giant Fuck You to the people who made these slides. I am not American, I am a Brit, but it's no different - GCHQ turns out to be even worse than the NSA.

We designed this system to keep criminals out. There's no ambiguity here. The warrant system with skeptical judges, paths for appeal, and rules of evidence was built from centuries of hard won experience. When it works, it represents as good a balance as we've got between the need to restrain the state and the need to keep crime in check. Bypassing that system is illegal for a good reason.

Unfortunately we live in a world where all too often, laws are for the little people. Nobody at GCHQ or the NSA will ever stand before a judge and answer for this industrial-scale subversion of the judicial process. In the absence of working law enforcement, we therefore do what internet engineers have always done - build more secure software. The traffic shown in the slides below is now all encrypted and the work the NSA/GCHQ staff did on understanding it, ruined.

Thank you Edward Snowden. For me personally, this is the most interesting revelation all summer.

Wow, this is pretty compelling research. I'd vote to spend $20 billion on eliminating lead contamination in a heartbeat.