
Remember kids, if you're going to disclose, disclose responsibly!

If you pay any attention to the security universe, you're aware that Tavis Ormandy is basically on fire right now with his security research. He found the Cloudflare data leak issue a few weeks back, and is currently going to town on LastPass. The LastPass crew seems to be dealing with this pretty well; I'm not seeing a lot of complaining, mostly just info and fixes, which is the right way to do these things.

There are, however, a bunch of people complaining about how Tavis and Google Project Zero in general tend to disclose the issues. These people are wrong. I've been there, and it's not fun, but as crazy as it may seem to the outside, the Project Zero crew knows what they're doing.

First, let's get two things out of the way.

1) If nobody is complaining about what you're doing, you're not doing anything interesting (Tavis is clearly doing very interesting things).

2) Disclosure is hard and there isn't a perfect solution. What Project Zero does may seem heartless to some, but it's currently the best way. The alternative is an abusive relationship.

A long time ago I was a vendor receiving security reports from Tavis, and I won't lie, it wasn't fun. I remember complaining and trying to slow things down to a pace I thought was more reasonable. Few of us have any extra time and a new vulnerability disclosure means there's extra work to do. Sometimes a disclosure isn't very detailed or lacks important information. The disclosure date proposed may not line up with product schedules. You could have another more important issue you're working on already. There are lots of reasons to dread dealing with these issues as a vendor.

All that said, it's still OK to complain, and every now and then the criticism is good. We should always be thinking about how we do things; what makes sense today won't make sense tomorrow. The way Google Project Zero does disclosure today was pretty crazy even five years ago. Now it's how things have to work. The world moves very fast now, and as we've seen from various document dumps over the last few years, there are no secrets. If you think you can keep a security issue quiet for a year, you are sadly mistaken. It's possible that was once true (I suspect it never was, but that's another conversation). Either way, it's not true anymore. If you know about a security flaw, it's quite likely someone else does too, and once you start talking to another group about it, the odds of leaking grow at an alarming rate.

The way things used to work is changing rapidly. Anytime there is change, there are always the trailblazers and laggards. We know we can't develop secure software, but we can respond quickly. Spend time where you can make a difference, not chasing the mythical perfect solution.

If your main contribution to society is complaining, you should probably rethink your purpose.
Flameeyes
4 hours ago
Dublin, Ireland

Security Update for the LastPass Extension

Over the weekend, Google security researcher Tavis Ormandy reported a new client-side vulnerability in the LastPass browser extension. We are now actively addressing the vulnerability. This attack is unique and highly sophisticated. We don't want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties, so you can expect a more detailed post mortem once this work is complete.

In the meantime, we want to thank people like Tavis who help us raise the bar for online security with LastPass, and work with our teams to continue to make LastPass the most secure password manager on the market. And we want to offer our users a few steps they can take to further protect themselves from these types of client-side issues.

  1. Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.
  2. Two-Factor Authentication on any service that offers it – Whenever possible, turn on two-factor authentication with your accounts; many websites now offer this option for added security.
  3. Beware of Phishing Attacks – Always be vigilant to avoid phishing attempts. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies. Take a look at our phishing primer.

We’ll provide further updates on the patch once complete.

Flameeyes
1 day ago
Dublin, Ireland

LA Times and ads


The LA Times is a good newspaper and is currently doing the best political coverage in California. They are also the most aggressive ad-shoveling website I have ever seen. Their ad-blocker blocker and paywall work, preventing me from reading articles.

via Pocket: https://nelsonslog.wordpress.com/2017/03/25/la-times-and-ads/

March 25, 2017 at 11:41PM

Flameeyes
2 days ago
Dublin, Ireland

A Journey Into Capcom's CPS2 Silicon - Part 1


Capcom's Play System 2, also known as CPS2, was a new arcade platform introduced in 1993 and the company's call on bootlegging. Featuring similar but improved specs to its predecessor CPS1, the system introduced a new security architecture that gave Capcom, for the first time, a piracy-free platform.

via Pocket: http://arcadehacker.blogspot.com/2017/03/a-journey-into-capcoms-cps2-silicon.html

March 21, 2017 at 10:20AM

Flameeyes
3 days ago
Dublin, Ireland

Chasing the First Arcade Easter Egg


It all started with a soon-to-be-released project I am working on called “Fixing Gran Trak 10”, about the first car racing arcade video game, from 1974. I had completed the electrical repairs and was trying to interview as many people as possible who were involved with making the game.

via Pocket: https://edfries.wordpress.com/2017/03/22/chasing-the-first-arcade-easter-egg/

March 23, 2017 at 11:13PM

Flameeyes
3 days ago
Dublin, Ireland

'Last Light On Cregennan & Cader' - Llyn Cregennan, Snowdonia by Kristofer Williams

http://flic.kr/p/JsAd9Q
Uploaded July 07, 2016 at 12:33PM

Flameeyes
7 days ago
Dublin, Ireland