Categories
Software Security

EduTech Spyware is Still Spyware: Proctorio Edition

Spyware written for educational institutions to flex their muscles of control over students and their families when learning from their home computer is still, categorically, spyware. Depending on your persuasion, the previous sentence sounds like either needless pedantry, or it reads like tautology. But we need to be clear on our terms. Educational spyware is […]

Categories
Cryptography Software Security

Soatok’s Guide to Side-Channel Attacks

If you’re ever tasked with implementing a cryptography feature–whether a high-level protocol or a low-level primitive–you will have to take special care to ensure you’re not leaking secret information through side-channels. The descriptions of algorithms you learn in a classroom or textbook are not sufficient for real-world use. (Yes, that means your toy RSA implementation […]

Categories
Cryptography Software Security

GNU: A Heuristic for Bad Cryptography

If you see the letters GNU in a systems design, and that system intersects with cryptography, I can almost guarantee that it will be badly designed to an alarming degree. This is as true of GnuPG (and PGP in general) as it is of designs like the proposed GNU Name System (IETF draft) and cryptographic […]

Categories
Humor Software Security

Why Server-Side Input Validation Matters

Update (2020-04-29): Twitter has fixed their oversight. Anyone who set their custom gender to a long volume of text, should still have it set to a long volume of text. The original article follows after the separator. I was recently made aware of a change to Twitter, which exposes a new Gender field. If you’ve […]

Categories
Software Security

“Source Code Leak” is Effectively Meaningless to Endpoint Security

There are two news stories today. Unfortunately, some people have difficulty uncoupling the two. The Team Fortress 2 Source Code has been leaked. Hackers discovered a Remote Code Execution exploit. The second point is something to be concerned about. RCE is game over. The existence of an unpatched RCE vulnerability, with public exploits, is sufficient […]