Posts in Security

Configuring Key-Based SSH Access For Raspberry Pi

July 4, 2020

I am using a Raspberry Pi device for experimentation purposes, and I had to temporarily enable SSH on it via the public Internet, which can be a monumentally bad idea if the machine where the service is enabled is not properly secured. The problem is less related to SSH itself, and more to the default configuration which is used by some folks. That is - they use passwords to authenticate.

Preventing Key Leaks In Git Commits

January 20, 2020

When building tools that authenticate against other APIs, more often than not I need to manage private keys and secrets. The challenge is that sometimes it’s very easy to forget the fact that the key is sitting somewhere in a configuration file, and it will be accidentally checked in to the repository. With the proliferation of tools like trufflehog, that’s generally not a position you want to be in. A lot of services are being proactive about it, and when a leaked key is detected, it will be automatically revoked (notice how someone attempted to use it within minutes of the leak).

It Is Time To Ditch SMS 2-Factor Verification

February 24, 2018

It’s 2018, and it’s time we understand that SMS 2-factor authentication is not a good way to double-check the users’ credentials. It’s been shown many times that phone numbers can be compromised.

Tech Support Scam Site - Beware Of Jammed Safari

February 6, 2018

Recently I was reading a tech site on my iOS device when a new tab opened and went into the background - something I’ve seen before, caused by rogue ads that are fetched via normal means (e.g. embedded in a legit page), so my next steps were not unusual - go to the tab and close it. Here is what I faced: once the tab opened, I instantly recognized it as one of those tech support scams.

PSA - Do Not Make Your Nest Cam Public Just To Access The Stream

January 6, 2018

We really love the Nest Cam in our apartment. I was recently investigating how the Nest cam works from the inside, as I thought I could access the stream directly. The short answer - you can't, because the stream is behind DRM protection.

Get Ahead In A Wait List, Or How To Never Trust The Client

April 16, 2017

As a developer, it is always important to keep in mind one thing - never trust the client. Ever. The client is neither a completely secure entry point nor the source of truth moving upstream to the service. NOTE: This issue has already been addressed and the fix is live. Shout out to Kyle Rankin for being on top of things and responding to my email. So that brings us to January 8, 2017, when I discovered getfinal.

On Security, Exploratorium, and Phishing

October 25, 2016

If you don’t know what the Exploratorium is, I highly recommend you take a trip to San Francisco and include it in your list of places to see. Today, when I saw a blog post come up with their name in it, I didn’t expect a story about email phishing, but there it was.

Unencrypted IMAP Connection Is A Bad Idea – Here’s Why

August 25, 2011

There are plenty of people out there who are using IMAP-based accounts in various mail clients. Some of them are configured not to use an encrypted connection, and that is a serious problem. Not yet convinced? Take a look at this.