I am using a Raspberry Pi device for experimentation purposes, and I had to temporarily enable SSH on it via the public Internet, which can be a monumentally bad idea if the machine where the service is enabled is not properly secured. The problem is less related to SSH itself, and more to the default configuration which is used by some folks. That is - they use passwords to authenticate.
When building tools that authenticate against other APIs, more often than not I need to manage private keys and secrets. The challenge is that sometimes it’s very easy to forget the fact that the key is sitting somewhere in a configuration file, and it will be accidentally checked into the repository. With the proliferation of tools like trufflehog, that’s generally not a position you want to be in. A lot of services are being proactive about it, and when a leaked key is detected, it will be automatically revoked (notice how someone attempted to use it within minutes of the leak).
It’s 2018, and it’s time we understand that SMS 2-factor authentication is not a good way to double-check the users’ credentials. It’s been shown many times that phone numbers can be compromised.
Recently I’ve been reading a tech site on my iOS device when a new tab opened and went into the background - something I’ve seen before, caused by rogue ads that are fetched via normal means (e.g. embedded in a legit page), so my next steps were not unusual - go to the tab and close it. Here is what I faced: once the tab opened, I instantly recognized it as one of those tech support scams.
We really love the Nest Cam in our apartment. I was recently investigating how the Nest cam works from the inside, as I thought I could access the stream directly. The short answer - you can't, because the stream is behind DRM protection.
As a developer, it is always important to keep in mind one thing - never trust the client. Ever. The client is neither a completely secure entrypoint nor the source of truth moving upstream to the service. NOTE: This issue has already been addressed and the fix is live. Shout out to Kyle Rankin for being on top of things and responding to my email. So that brings us to January 8, 2017, when I discovered getfinal.
If you don’t know what the Exploratorium is, I highly recommend you take a trip to San Francisco and include it in your list of places to see. Today, when I saw a blog post come up with their name in it, I didn’t expect a story about email phishing, but there it was.
There are plenty of people out there who are using IMAP-based accounts in various mail clients. Some of them are configured not to use an encrypted connection, and that is a serious problem. Not yet convinced? Take a look at this.