The trouble with decommissioning a used FIDO security key
You can’t throw out your worn-out USB security keys when you can’t recall what locks they’re for. Physical security tokens come with their own problems.
Security issues, thoughts about IT security, and measures you can take to protect your devices.
An easily spoofed iframe embedded on every random online merchant’s website is not a safe place to enter my bank password! Is it really BankID‽
I’ve been an SELinux complexity apologist for years. Lately, I’ve concluded that every implementation with difficult-to-configure policies is just unmanageable.
OpenCore lets you run the latest macOS on unsupported Apple legacy hardware (and PCs). But software that bypasses security restrictions requires a lot of trust.
I found an open redirect vulnerability in the Libravatar specification. An open-source avatar hosting API could be abused to redirect to untrusted websites.
Opening a pull request is all it takes to get a GitHub patch URL that’s indistinguishable from patches/commits that are a part of an open-source GitHub project.
A review/critique of the complexity, security, and unpredictable user experience of modern feature-laden copy–paste clipboards in today’s operating systems.
Superfeedr tried securing its website with HTTPS and HSTS, but failed to apply it correctly. User emails and credentials are sent in plain text on the first login.
An automated naming scheme intended to rid the security research field of “sensational names” predictably creates sensational, ambiguous, and suggestive names.
A configuration error made the TeamViewer RPM repository vulnerable to an attacker-in-the-middle substituting TeamViewer with its own GPG keys and software.
Two-factor authentication requires users to commit to storing a secret code indefinitely. Popular apps lack tools to back up and transfer those secrets.
Plan for the day your password manager stops working. Even if it’s a cloud service! Backing up your password manager is harder than it sounds.