npm install is curl | bash
Today, GitHub published a write-up on a number of CVEs[1] in the npm packages tar and @npmcli/arborist. In their own words,
In 1984 the co-inventor of Unix, Ken Thompson, delivered a seminal speech in which he highlighted that you can’t trust code that you did not totally create yourself [1]. For a while, this lesson was largely ignored as open-source package registries like RubyGems, PyPI and npm grew rapidly. However, as we’re seeing more and more supply-chain attacks through software dependencies, the risks of using unvetted dependencies are becoming clearer.
Routing attacks on Tor occur when an adversary attempts to influence the route a Tor circuit takes in order to improve their chances of intercepting traffic. In January of this year, I wrote a literature review on this topic that I’m sharing here: PDF link.
Telegram’s default chats are not end-to-end encrypted, so your messages are readable on Telegram’s servers. If you don’t want them to be able to read your messages, you have to manually enable Secret Chats — but these don’t work for groups and require both users to be online at the same time. A 2017 usability study found that many users thought they were using secure, end-to-end encrypted chats when they were in fact sending all their messages readable to the server.
ProtonMail is one of the most popular security-focused email providers. Because email is not a particularly secure protocol, things like end-to-end encryption have to be bolted on top. To ensure interoperability, an email provider must still be able to send unencrypted messages to recipients who haven’t dived into the painful world of PGP.