Share this page!

matt blaze Profile picture
Twitter logo
14 Oct, 8 tweets, 2 min read
Don’t encode SSNs of people in the HTML of publicly available webpages. And if you do, don’t call the cops if someone notices and (quite responsibly) warns you.
Also, don’t tweet stuff that makes you look like an idiot.
I tweeted this through a multi-step process, by the way.
The whole thread is just full of terrifying wrongness that should send anyone who understands computers running for the state line.
I should probably congratulate the governor for not working in references to HIPAA, RICO, or CDA 230.
Governor continues to double down, apparently on the theory that the combination of “complex behavior”and “noticing something you didn’t intend for people to notice” plus “being a newspaper the governor dislikes” constitutes “unauthorized access” under Missouri law.
I’d be surprised if this particular case actually results in criminal charges, but that’s not the only harm. The state’s highest official is using the authority of his office to discourage good faith reporting of serious security vulnerabilities, a terrible message to be sending.
October is “cybersecurity awareness month”, except in Missouri, where it’s evidently “shoot the messenger month”.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with matt blaze

matt blaze Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @mattblaze

matt blaze Profile picture
10 Oct
This case reads like a spy novel, and also illustrates the limits of cryptography. He set up encrypted communication and dead drops with a foreign government (even calling the endpoints “alice” and “bob”), but was actually communicating with the FBI.

justice.gov/opa/press-rele…
My guess for COUNTRY1 is France: has subs, independent enough that someone might approach but friendly enough to rebuff the approach and cooperate with the US, not English speaking.
A couple things jumped out at me. As soon as the FBI got the package from COUNTRY1, they clearly took it VERY seriously. Within just a week they had analyzed the SD card and sent an initial response to the Proton account.
Read 9 tweets
matt blaze Profile picture
5 Oct
1. A proper computer science education includes the study of physical security and locks.

2. An angle grinder was absolutely the right thing to do here. Server cages are cheap.
I just hope they wore safety glasses and other appropriate PPE.
Fortunately, angle grinders aren’t yet networked.
Read 4 tweets
matt blaze Profile picture
4 Oct
Imagine if FB owned AWS (or something with a similar footprint) right now.
“The Internet was designed to survive a nuclear war” has always been a myth, but it’s wronger than ever after decades of quiet centralization.
A really bad takeaway from this would be “look how badly FB was engineered”. They no doubt made some (serious) errors, but they’re about as technically good as anyone is at their scale.
Read 6 tweets
matt blaze Profile picture
3 Oct
Spending a lazy sunday afternoon testing faraday bags for phones. (Preliminary results so far: You don’t always get what you pay for, but you never get what you don’t pay for.)
Motivated by the fact that iPhones officially can’t be powered off, which, even if they implement really good privacy protections, will inspire other manufacturers to try similar things, often less carefully.
Some quick preliminary results, testing at 1, 2, 3, 4 , 5 and 6GHz: The expensive (~USD 40-60) phone-size bags from Mission Darkness (sold on Amazon) and EDEC (online store) work reliably well: >60dB attenuation at 1M distance, IF closed properly.
Read 13 tweets
matt blaze Profile picture
1 Oct
I knew this was coming eventually, but it finally happened. I asked a class today, as I periodically do, “how many people here have a landline phone at home” and the answer was zero.
“Plain old telephone service”, used to mean the once ubiquitous 48V,20ma local loop. The kids today think it means a cellphone with no data service.
That Apple origin story about Woz and Jobs financing the company by selling Blue Boxes for making free long distance calls requires a lot more explanation than it once did.
Read 4 tweets
matt blaze Profile picture
24 Sep
There’s going to be all sorts of analysis of the AZ “audit” report that’s being officially released tomorrow, which is more attention than it deserves. But at least this exercise in low-rent clownery reached the same conclusion about the outcome as the adult audits did.
Again - and this is the critical take-away here that I fear will be lost in the noise - the “Cyber Ninja Audit” has nothing in common with the rigorous Risk Limiting Audits recommended by experts (and which should be done after every election routinely).
Meaningful election audits are a well-defined process that provides quantifiable assurance that the reported outcomes match the ballots cast. The AZ fiasco, on the other hand, was an open-ended attempt to cast doubt on a valid outcome. And it failed even at that.
Read 8 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @mattblaze has new unrolls!

Check out other threads from @mattblaze!

Read all threads by @mattblaze

:(