I attended Layer 8 Conference 2019 (June 19, 2019)
I attended the 2019 Layer 8 Conference, all about social engineering and OSINT. I learned a lot, and heard many fascinating stories.
How to erase your phone quickly and reversibly (February 12, 2017)
You may find yourself in a situation where, in order to protect the private data on your phone — as well as the data on all the services accessible from your phone — from imminent seizure, you will need to erase that phone as quickly as possible. In such a situation, you may be unable to spare the attention necessary to fiddle around in the guts of your phone’s utility applications, hunting for its rarely used self-destruct command.
Dead passwords: a live example (June 25, 2016)
My favorite domestic American airline, JetBlue, just signed me up for a program called Travel Bank, which allows its customers to receive and manage redeemable credit from the company. I know this because they sent me three emails about it, just now: one to introduce me to the program, one to inform me that they added $50 credit to it because of a cancellation I had to deal with yesterday, and one with my new account’s password.
Your passwords are already dead (April 8, 2016)
To a first order of approximation, no service that uses password-based authentication treats your password as a secret. If you’ve used the web for several years and accrued the typically uncountable number of user accounts across myriad websites, then I can confidently estimate that half of those websites store your password without encryption, such that anyone who helps run that service can read it at will, and can share it freely.
Thinking about passwordless web logins (October 13, 2013)
I’m beginning to pull together a new client project with a public-facing component, something I haven’t had to build from scratch in a long time. Much of my web consulting over the last several years has involved extensions to existing sites, or building tools for use strictly within a single organization. As such, it’s been a long time since I’ve last had to think about how to handle user authentication in a way that’s both secure and friendly to “walk-in” customers, people who aren’t using the website because they’re literally being paid to do so.[^1]