UX designers who eliminated the filesystem from user consciousness in the name of simplicity ruined the world and are morally culpable for shriveling the minds of children who are unable to tackle the challenges of today, thanks to a choice that was sold as advocacy for the user but was ultimately motivated by control of a disempowered customer.
Here's my belief about the Cyber Security industry. It shouldn't need to exist. It is not ordained from the heavens that computers are unwieldy and insecure by default or the measures taken to secure them so burdensome. But they are. That is the world in which we live and things that need to be done should be done well and have the most good achieved for the most people. The hyper-fixation on "F500" companies due to their immense resources is a scourge. It is a natural outcome, but it is not natural by need. Everybody else needs cyber security more. It is existential for them. Bills due on the month their office cannot work. This is so often reduced to a comfort when it comes to the privileged. A credit line on being good for it because they have assets to weather the storm and an impossibility of punishment scaled to their failure.
The Furby source code is public and heavily commented. For example, it turns the microphone off when the motors are running.
Furby was the 1998 version of ChatGPT and tons of people thought it actually slowly learned English words. The NSA was alarmed. However, it turned out the "learning" process was just on a timer and the "microphone" only triggers on loud sounds. https://archive.org/details/furby-source
LASTPASS NEWS ALERT AND COMMENTARY: LastPass attackers know your name and billing address and all websites you have saved passwords for, and if your master password isn't sufficiently strong, it may be possible to brute-force open everything on attacker's machines.
This eventual possible security breach was planned-for as part of LastPass' design for username and password protection. This doesn't break the core offering. But it has stripped away multiple layers of protection and will hasten my looking at @bitwarden
It's impossible to be completely secure in a massive offering. However, I have always disagreed with their decision to not 100% encrypt all metadata, and this event shows that was a foolish choice when seen against the inevitability of the entropy of our complex electronic systems.
In the end, a password manager is still the right choice in comparison to the alternative. And a cloud-native offering like LastPass strongly hedges against data loss by normal users trying to manage their own vault. That is an undersold primary risk, not hackers. Still, very disappointed.
Current password setup:
- Primary vault is LastPass with 2FA
- Core fallback "key" accounts like email that allow pw reset are only in a KeyPass db file with 20char password, synced via OneDrive+2FA.
- This is then further backed-up with BackBlaze, using 40char encryption key
Official: https://twitter.com/swiftonsecurity/status/1588670921489125377
Bio: computer security person at a place. former helpdesk. they/them/tay. Microsoft MVP, Client Security