#securitytheater


I need to alter some details with a money-adjacent entity. They want me to fill in a PDF form, accessible from the authenticated area of their portal.

They then complain that they can't authenticate the squiggle because “it's electronic” (Firefox can now sign PDFs from within the browser, so why shouldn't I use that?).

They want a scanned manually signed printout of the form... because it's more authentic? ... And all that time, I need to hold on to my screams that I was in a strongly-authenticated web-session at the start of the dance...

Apparently, strong authentication rests on demonstrating access to a printer, a pen and a scanner.

Continued thread

Yes, this is about MailMate being EXTORTED by Google but it's also about every other 3rd-party MUA and every major mailbox provider, because they have imposed a web-centric authentication and authorization system on the world which moronically relies on annual security audits of MUAs to certify them for use with the fragile snowflakes which behemoth mail systems apparently are...

Fuck #Google and the garbage imitation of IMAP that they foist on users & fuck their #SecurityTheater of demanding CASA audits of every IMAP client before they allow it to do OAuth2.

If you use #GMail (or Google Workspace) you are actively supporting the enclosure of #email. Google does not want independent standards-compliant MUAs to touch their mail system. Google wants all of its users using their shit web interface or their shoddy apps. They want to own your email.

Continued thread

The iOS *app* works fine (using FaceID even) but the browser workflow has a "use phone" link and QR code, which sends the phone to a web page that wants to take a pic, but since the idiots at Jumio don't ASK for Camera access, iOS offers no means for me to give it to them.

It's stupid broken tools like this that make me wish I could bullshit well. Some slimeball sold this "service" to my CU, costing me money as a shareholder & it's junk.

It has finally happened, my CU has decided that in addition to a password & a security question for every login, they need to use some scam outfit called #Jumio to get "enhanced identity verification" which seems to be nothing more than a 3rd-party cookie.

Totally broken for macOS & iOS in "lockdown mode." I can't even get Safari to accept the "Start verification" link as a link. Phone-based flow wants to take a selfie, but it doesn't ASK for camera access, so no.
#InfoSec #SecurityTheater

Replied in thread
Ah, good question. How can you trust that my public key is really my public key?

You can't. Or you can. It is up to you. Let me explain.

Because my web server is secured with an HTTPS connection with HSTS and you can view the LetsEncrypt SSL cert that secures the data request. Or does it?

And because it is also on the hockeypuck servers you can trust that it is my key: https://keys.openpgp.org/vks/v1/by-fingerprint/B9B2A8EC2C4B20D2011CFEAA07E4A7FFF6585E8F

Or can you?

However, my web server is more trustworthy than PGP keyservers. Or is it?

How do you prove that the PGP key server didn't replace my uploaded key with one of their own? Where did you get the key fingerprint? How can you know that connection was secure and not MITM'd?

You can't. Unless you have met me face-to-face and gotten the key from my own hand in meatspace, there is always the possibility, however slight or great, that someone in the chain of trust can impersonate me and give you their fake key instead of mine.

That's what I mean about cryptography and security theater. It sounds cool to get PGP keys from a keyserver, but any key server can poison the keys with their own fakes. And any CA can poison SSL certs under a secret order from the government, or upon the directive of a corrupt person working in their company.

Ring of trust is supposedly there to avoid that problem with PGP. Good luck trying to get any industry hacks to sign your PGP key into their ring of trust.

See what I mean?

I suppose that LetsEncrypt or any CA could also poison a connection with a malicious SSL cert for a MITM. How would anyone know?

See what I mean?

At some point, you have to trust someone, and you have to take someone else's word to trust the next person in the chain.

And this is why you should never rely upon public key cryptography to secure information that could get you hurt, imprisoned, or killed. Anyone who says otherwise is selling you rope and a tree. Under no circumstances should you ever communicate death-defying information over a public network using public key cryptography. Just don't ever do that, not ever.

The only verifiable cryptographic security is when you own the keys, and you exchange them in meatspace with the other party, encrypted with very strong passphrases, with many gigabytes of OTP key material. Any other method requires you to trust someone or trust that a trapdoor function doesn't have a secret weakness.

This requirement to trust someone to vouch for identity is why it is called a certificate AUTHORITY or ring of trust. You have to accept some authority to vouch for the authenticity of the key and the identity of its holder. But you can't prove it unless you are face-to-face with that person.

In the old days, it was common to have PGP key signing parties, where people met in person in groups to verify each other's identities and then sign each other's keys.

I'm not a high value target. It is highly unlikely that anyone running a hockeypuck server or SSL CA would serve a fake key on my account. Hacking me would net zero dollars return, so I don't worry about it. If I had high value information to communicate it would be either in person or through a courier using one-time pad keys. I wouldn't touch PGP or any Internet cryptosystem for something like that.

#PGP #Encryption #CyberSecurity #SecurityTheater #Cryptography
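The post above asks where a verifier gets the fingerprint and how anyone can know that a keyserver handed back the key that fingerprint names. The fingerprint is a hash of the key material itself (for v4 keys, SHA-1 over the public-key packet, RFC 4880 section 12.2), so a key fetched from any server over any connection can be checked against a fingerprint obtained on a separate channel, and a substituted key cannot match it. What follows is an added example, my code rather than the poster's, written in Python with only the standard library: it de-armors an OpenPGP public key block, walks the packet framing, computes the v4 fingerprint of the primary key and compares it with an expected value. The key material in it is constructed for the demo and is not a real key; the keys.openpgp.org URL from the post is not fetched. Where the expected fingerprint itself comes from, and whether that channel deserves trust, remains the residual question the post raises.

```python
import base64
import hashlib
import re
from typing import Iterator, Tuple, Union


def dearmor(text: str) -> bytes:
    """Binary packets inside an ASCII-armored block (RFC 4880 section 6.2).
    Layout: BEGIN line, optional 'Key: value' headers, blank line, base64
    body, optional '=XXXX' CRC-24 line, END line. The CRC line is skipped:
    it detects transmission damage, not substitution."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body, in_body = [], False
    for line in lines[1:]:
        line = line.strip()
        if line.startswith("-----END PGP"):
            break
        if not in_body:
            if line == "":
                in_body = True
                continue
            if ":" in line:            # armor header such as 'Version: ...'
                continue
            in_body = True             # body started without a blank line
        if line.startswith("="):       # CRC-24 checksum line
            continue
        body.append(line)
    return base64.b64decode("".join(body))


def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for each packet (RFC 4880 section 4.2). Old- and
    new-format headers are handled; partial body lengths are rejected
    because public keys never use them."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError(f"bad packet header byte at offset {i - 1}")
        if ctb & 0x40:                 # new format: tag in the low 6 bits
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body length not supported")
        else:                          # old format: tag in bits 2-5
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:             # indeterminate length: runs to the end
                length = n - i
            else:
                size = (1, 2, 4)[ltype]
                length = int.from_bytes(data[i:i + size], "big")
                i += size
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        yield tag, body


def v4_fingerprint(pubkey_body: bytes) -> str:
    """SHA-1 over 0x99 || 2-byte length || body (RFC 4880 section 12.2).
    0x99 is the old-format header for tag 6 with a two-byte length, so the
    hash covers the key exactly as an old-format packet would encode it."""
    if not pubkey_body or pubkey_body[0] != 4:
        raise ValueError("only version 4 keys are supported here")
    framed = b"\x99" + len(pubkey_body).to_bytes(2, "big") + pubkey_body
    return hashlib.sha1(framed).hexdigest().upper()


def key_fingerprint(key: Union[bytes, str]) -> str:
    """Fingerprint of the primary key in a binary or armored key block."""
    data = dearmor(key) if isinstance(key, str) else key
    for tag, body in iter_packets(data):
        if tag == 6:                   # Public-Key packet (the primary key)
            return v4_fingerprint(body)
    raise ValueError("no public-key packet found")


def matches_expected(key: Union[bytes, str], expected: str) -> bool:
    """True if the fetched key carries the fingerprint obtained elsewhere;
    accepts display forms such as 'B9B2 A8EC ...' or 'B9:B2:...'."""
    return key_fingerprint(key) == re.sub(r"[\s:]", "", expected).upper()


def _mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, big-endian bytes."""
    nbytes = (value.bit_length() + 7) // 8
    return value.bit_length().to_bytes(2, "big") + value.to_bytes(nbytes, "big")


def demo_pubkey_body(n: int, e: int = 65537, created: int = 1_700_000_000) -> bytes:
    """Constructed v4 RSA public-key body: version, time, algorithm 1, n, e.
    The modulus is made up for the demo; this is not a real or usable key."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + _mpi(n) + _mpi(e)


def frame_packet(tag: int, body: bytes) -> bytes:
    """Wrap a body in a new-format packet header (inverse of iter_packets)."""
    length = len(body)
    if length < 192:
        hdr = bytes([length])
    elif length < 8384:
        hdr = bytes([((length - 192) >> 8) + 192, (length - 192) & 0xFF])
    else:
        hdr = b"\xff" + length.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + hdr + body


def armor(data: bytes) -> str:
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(lines)
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


DEMO_N = int("C0FFEE" * 10, 16)        # constructed value, not a real modulus


def demo() -> dict:
    """The genuine key passes against a fingerprint obtained out of band;
    a key substituted by a server cannot produce the same fingerprint."""
    genuine = armor(frame_packet(6, demo_pubkey_body(DEMO_N)))
    fpr = key_fingerprint(genuine)     # stands in for a fingerprint from a business card
    spaced = " ".join(fpr[i:i + 4] for i in range(0, 40, 4))
    substituted = armor(frame_packet(6, demo_pubkey_body(DEMO_N + 2)))
    return {"genuine_ok": matches_expected(genuine, spaced),
            "substituted_ok": matches_expected(substituted, spaced)}


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints `{'genuine_ok': True, 'substituted_ok': False}`. The check is only as good as the channel the expected fingerprint came from: printed on paper, read out over a call, or exchanged at a key signing party, it moves the trust question off the keyserver and the TLS connection and onto that channel, which is the point the post makes about having to trust someone eventually.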