Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

  • Snapchat: API & Security

    Update 3: In 2014 the FTC filed a complaint against Snapchat for their failure to provide the level of security they promised. The findings listed below were sent to the founders of Snapchat; that email was quoted in the FTC complaint as proof that Snapchat was aware of these issues. Update 2: The Snapchat API has changed to address the issues I pointed out to them – and the new API has issues as well.

    Read more…

  • Monitor iPhone HTTP(S) Traffic with Fiddler

    For a research project I decided that I needed to monitor the traffic to and from my iPhone – both HTTP and HTTPS. Having had so much luck with Fiddler in the past, it was the first place I looked. There are a number of posts on this topic, but few that provide a clear and complete picture of what’s needed. So I wrote one. First, install the latest version of Fiddler, then install the iOS-compatible certificate generator.

    Read more…

  • LinkedIn: A little common sense

    The fact that LinkedIn was breached has been well covered and confirmed, but in their confirmation they said something that I personally found insulting, more than anything else: “It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.” So, they just recently started salting their hashes?

    Read more…

  • Piracy is not Theft

    For many years now groups like the MPAA and RIAA have tried to convince the public that piracy (that is, copyright infringement) is theft – and many people have come to believe this, but it’s not true. In reality, copyright infringement is far more analogous to trespassing than it is to theft in its core concepts – and even more so in the digital world. To make it clear, I am looking at this from a largely historical perspective, looking at the origins of copyright and how it was intended to be used.

    Read more…

  • Slipping Past LastPass

    Update: LastPass has confirmed that they’ll address this issue in the next release. Update 2: LastPass has addressed this issue in their new v2.0 release. There is still a way to bypass the password prompt in Chrome, but they will address that in the next release. Overall, it looks like we can close the books on this one. I’m a big fan of LastPass – it’s a great service that has impressed me every step of the way.

    Read more…

  • MiniPwner

    I recently finished building my first MiniPwner – a tiny OpenWrt-based system for pen-testing. At only 2.25 x 2.25 inches, the device plus battery is still extremely small – it easily fits in a pocket, and could be hidden anywhere. The device is based on the TP-LINK TL-WR703N, which uses a 400 MHz Atheros AR7240 CPU – not exactly a power-house, but enough power for standard pen-testing (or even just as a super-portable Linux box).

    Read more…

  • Gpg4win & IDEA

    Huge PGP files, an ancient version of PGP, and errors every time they tried to decrypt a file – that was my completely unexpected challenge on Friday. Dealing with file processing issues really isn’t part of my job description, but I’m the closest thing my company has to an expert when it comes to encryption, so the task fell to me. After looking at the options and issues to get the server upgraded to a non-stone-age version of the PGP software, the easiest answer looked like decrypting the files with GPG – it wasn’t as easy as expected, but I did get some useful information that may help others.

    Read more…

  • Detecting .NET 4.0 Remotely

    While preparing to deploy an internal application I started to wonder if all of the workstations were properly configured – after a quick search I found a number of methods for detecting the .NET framework locally, but I didn’t find any clean options that worked remotely. Thankfully I found a post with a few detection methods, one of which was using WMI from VBScript – which gave me the inspiration I needed:

    Read more…

  • A month with DuckDuckGo

    It wasn’t long after Google went live that they became my search engine of choice – with the only other (somewhat) viable option being Yahoo, it was an easy choice. In the years since then, I’ve not questioned that choice, but now that Google is focusing on killing features and building little-used social features, the time seemed right to see if there are better options. So a month ago I began an experiment, I committed to using DuckDuckGo for a month – here’s what I’ve found.

    Read more…

  • Absolute Deniability

    ZeroBin (code) is a new and interesting piece of software to compete with services such as PasteBin – largely in response to PasteBin’s new aggressiveness in removing objectionable posts. For PasteBin, it’s easy to see why their policy changed – currently they can’t deny knowledge of what they are hosting; it’s plain-text and easily scanned (look at this if you don’t believe me). ZeroBin on the other hand has taken a very different approach – to not just have plausible deniability, but absolute deniability.

    Read more…
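As an added illustration of the point made in the LinkedIn item above (example code written for this page, not code from the original post or from LinkedIn), the block below puts an unsalted SHA-1 password store, the scheme found in the 2012 LinkedIn dump, next to a per-user-salted PBKDF2 store and runs the same wordlist attack against both. The user names, passwords and wordlist are constructed sample data, and the iteration count is an assumed work factor chosen to keep the example quick.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample credential set (not real data): two users share a password.
USERS: Dict[str, str] = {"alice": "Password1", "bob": "Password1", "carol": "correct horse"}

# Assumed PBKDF2 work factor; in production tune it to roughly 100 ms per hash.
ITERATIONS = 100_000


def unsalted_sha1(password: str) -> str:
    """Unsalted SHA-1 of the password, as found in the 2012 LinkedIn dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_with_lookup(hashes: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Hash the wordlist once, then recover every user whose hash appears in it.

    Without a salt the attacker pays one SHA-1 per candidate word no matter how
    many users there are, and users sharing a password share a hash.
    """
    table = {unsalted_sha1(word): word for word in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_salted(records: Dict[str, Tuple[bytes, bytes]],
                 wordlist: List[str]) -> Dict[str, str]:
    """The same wordlist attack against salted records.

    The precomputed table is useless here: every (user, word) pair costs a full
    PBKDF2 run, so the attacker's work scales with the number of users.
    """
    found: Dict[str, str] = {}
    for user, (salt, digest) in records.items():
        for word in wordlist:
            if verify_salted(word, salt, digest):
                found[user] = word
                break
    return found


def demo() -> dict:
    """Run both attacks over the constructed data and report what each reveals."""
    wordlist = ["letmein", "Password1", "qwerty"]
    unsalted = {user: unsalted_sha1(pw) for user, pw in USERS.items()}
    salted = {user: salted_hash(pw) for user, pw in USERS.items()}
    return {
        # Unsalted: alice and bob are visibly the same password before any cracking.
        "identical_unsalted": unsalted["alice"] == unsalted["bob"],
        # Salted: the same password yields unrelated digests.
        "identical_salted": salted["alice"][1] == salted["bob"][1],
        "cracked_unsalted": crack_with_lookup(unsalted, wordlist),
        "cracked_salted": crack_salted(salted, wordlist),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both stores give up the two weak passwords to the same short wordlist, which is the caveat worth keeping in mind: salting does not rescue a bad password. What it removes is the amortisation that made the LinkedIn dump so cheap to process (one hash per word for the whole database, plus rainbow tables) and the leak that identical hashes mean identical passwords; the slow KDF then makes each remaining guess expensive.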