Dan Goodin (infosec.exchange)
About: Reporter covering security at Ars Technica. DM me on Signal: +1650-440-4479.
Wall 9 posts
I dumped Chrome a few years ago and switched to Firefox. Now I'm thinking it may be time to dump Firefox as well. So, what do I use? Any suggestions? What about Vivaldi?
@dangoodin "To uncover the side channel, the researchers reverse-engineered the Infineon cryptographic library, a heavily fortified collection of code that the manufacturer takes great pains to keep confidential." Security through obscurity. If I remember correctly Tropic Square commented on this when they were launching their effort to develop an open and transparent security chip. I'll try to find that blog post.

@dangoodin I'm generally not a big fan of freaking out over side channel attacks. In particular I get irked when they frame it as "oh you just need physical access for a few minutes!" I did training on this for PCI device certification and it required $100k+ worth of equipment and lots of custom automation to perform that analysis. No one is carting around a Xeon workstation, high-bandwidth SDR, and antennas to do this to you on the street.

@dangoodin Do I really have to read the entire PDF to know if "ECDSA" includes ed25519 or not?
@dangoodin It's a shame only one of the many keys was revealed, so while you can now at least boot whatever free software you want, the UEFI itself cannot be freed.
@dangoodin Thank Darwin that was the only blunder compromising Secure Boot and we can absolutely trust it otherwise. (Are typewriters still being made? I had a very fine electric typewriter with small edit buffer I gave away in the 90s. Now it would be worth thousands :-)

@dangoodin But, like, the way we're supposed to be like, thanking GM for stopping. I wish upon them perennial bowel discomfort.
@dangoodin I sort of wonder if a reason for someone to put malware on github is to steal developers' GPG keys, which would allow one to compromise a lot more than a single library or application. Folks need to take this more seriously. Make sure you're checking the source of your dependencies. Check for signed commits. Inspect the source code. Open source is provided as it is. It's your job as the "consumer" to validate and weigh the risks.
If you use a Windows or Linux device, it's vulnerable to a new post-exploit attack that can remotely install an undetectable backdoor at the UEFI level. Updates from just about every vendor available today. Impressive work from @matrosov and the rest of Binarly.
Has there been any discussion as to how these attacks interact with TPM/PCR-based system integrity checks? My understanding is that even if this method were used to bypass Secure Boot protections/etc, that behavior would still result in modified PCR measurements and would be detectable in any subsequent boot processes that rely on TPM-sealed secrets? (for instance, disk encryption)

It should be clear now that it was and remains a catastrophic mistake for people to view privately owned social media platforms as any kind of public resource. People didn't know better a decade ago. They have no excuse now.
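The TPM/PCR question in the reply above asks whether a firmware-level modification would still show up in PCR measurements and block release of a sealed secret. The following is an added example, not code from this thread or from Binarly, that simulates the mechanism: each boot component is hashed and extended into a PCR (SHA-256, TPM 2.0 style: new = H(old || digest)), a secret is bound to the resulting PCR value, and a tampered firmware volume then fails to reproduce that value. The "seal"/"unseal" functions are a toy stand-in for TPM2_Create/TPM2_Unseal with a PCR policy (a real TPM keeps the key inside the chip), and the component images are constructed sample bytes.

```python
import hashlib

# Constructed sample "images" standing in for the components a UEFI boot
# path measures into a PCR bank. The bytes are made up for this example.
GOOD_CHAIN = [
    ("uefi_firmware_volume", b"vendor firmware volume v1.2"),
    ("secure_boot_policy",   b"PK/KEK/db/dbx state"),
    ("bootloader",           b"shim + grub image"),
    ("kernel",               b"vmlinuz"),
]


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 PCR extend for the SHA-256 bank: new = H(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def measure_chain(components):
    """Simulate the boot path hashing each component and extending one PCR.
    Returns the final PCR value and an event log of (name, digest_hex)."""
    pcr = bytes(32)  # PCRs start zeroed at reset
    log = []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def replay_log(log) -> bytes:
    """Recompute the PCR from an event log, as an attestation verifier does
    before comparing it with the quoted PCR value."""
    pcr = bytes(32)
    for _, digest_hex in log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Toy stand-in for sealing with a PCR policy (hypothetical, not a TPM API).
    A SHA-256-derived keystream makes 'wrong PCR => no plaintext' observable."""
    assert len(secret) <= 32
    keystream = hashlib.sha256(b"toy-seal|" + expected_pcr).digest()
    return {
        "policy_digest": hashlib.sha256(expected_pcr).hexdigest(),
        "blob": bytes(a ^ b for a, b in zip(secret, keystream)),
    }


def unseal(sealed: dict, current_pcr: bytes):
    """Release the secret only if the current PCR satisfies the policy."""
    if hashlib.sha256(current_pcr).hexdigest() != sealed["policy_digest"]:
        return None
    keystream = hashlib.sha256(b"toy-seal|" + current_pcr).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], keystream))


def tampered_chain(chain, component, new_image):
    """Return a copy of the chain with one measured component replaced."""
    return [(n, new_image if n == component else img) for n, img in chain]


def demo() -> dict:
    good_pcr, good_log = measure_chain(GOOD_CHAIN)
    sealed = seal(b"disk-encryption-key", good_pcr)

    # Same firmware on the next boot: the PCR reproduces and the key unseals.
    released = unseal(sealed, measure_chain(GOOD_CHAIN)[0])

    # A firmware-level implant changes the bytes of a measured component, so
    # its digest and every later PCR value differ; the policy no longer holds.
    bad_chain = tampered_chain(GOOD_CHAIN, "uefi_firmware_volume",
                               b"vendor firmware volume v1.2 + implant")
    bad_pcr, bad_log = measure_chain(bad_chain)
    denied = unseal(sealed, bad_pcr)

    # Caveat the simulation makes visible: this only catches code that is
    # measured before it runs. Code that executes before the measurement
    # (or the measuring code itself) is outside what the PCR can attest.
    return {
        "released": released == b"disk-encryption-key",
        "released_after_tamper": denied is not None,
        "pcr_changed": bad_pcr != good_pcr,
        "log_replays": replay_log(bad_log) == bad_pcr,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `released=True`, `released_after_tamper=False`, `pcr_changed=True`, `log_replays=True`: the sealed key is released on a clean boot and withheld after the firmware volume is altered, which is the detection the reply asks about. The caveat in the final comment is the practical limit: the check covers what the measured boot actually measures, and a modification that sits before the measuring code in the boot order is not reflected in the PCRs.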
@dangoodin People *should* have known better a decade ago; we went through this same thing with AOL back at the turn of the century. I'm afraid the necessity of open platforms and decentralization is something people are going to have to re-learn every generation.

@dangoodin By "privately owned" do you mean privately held companies or any corporate ownership? I'm not sure what the viable alternatives are.

@dangoodin I'd go further and say _any_ automated platform that relies on advertising for revenue will always end up deeply enshitified as they have to chase "engagement". And what engages most is outrage. So we end up with systems, that by design, drag you further and further in the world of grift and crazies.

People following me for cybersecurity content: Chris Bing, one of the most distinguished reporters on this beat, recently joined the Fediverse. Chris has broken way too many stories to count and also has valuable insight into all things related to hacking. Please follow him. And please boost for reach.
@dangoodin Meanwhile, like a good little consumer, I'm anxiously waiting for the next generation Kindle Oasis so I can trade in my current one.
@dangoodin mullvad browser
@dangoodin@infosec.exchange Vivaldi ain't fully open source, only the engine itself is, UI/UX isn't. But it's enough for me and I love it. Very customizable, built-in adblocker, no tracking by default like in Firefox with all these switches in the settings, etc.
@dangoodin librewolf?