Hacker News | 0xeeeeeeee's comments

I reported this issue a long time ago. Got the same messages back from Facebook as everyone else in the thread. I've reported other issues and always get the same thing back.

It sounds like Facebook Security gets a lot of pushback from the developers. Certain things like coffee shop attacks and a lot of other REAL ISSUES get no notice for a long time. It took up until last year to get a damn HSTS header.

I actually reported an issue today about a security practice they implemented completely incorrectly. I got a response back that it was not meant for any actual security.

In theory it's unacceptable, but in practice this is a big company with thousands of employees and a lot of moving parts. Small changes can be hard to make... which, to get back to my original point, is why Facebook seems to just ignore a lot of issues but keep the pipes open for the occasional big one.


Hope for the best but assume the worst. It's been a scary year in aviation.

I'm hoping future generations look at me like I'm crazy when I tell them aircraft and cars used to crash. Increased transportation safety and reliability is something I really want.


In 2012 there were 6 air crashes out of 37.5 million flights[1]. That's a safety level of 99.999984%. I think we all want 100% safety, but realistically that's about as close to perfect as we're ever going to get.

What makes air travel scary is the way it's reported by the media. That's what we ought to be improving.

[1] http://newsfeed.time.com/2013/02/28/2012-was-the-safest-year...


Is your source correct? Wikipedia lists 13 crashes in 2012: https://en.wikipedia.org/wiki/List_of_accidents_and_incident...


> but realistically that's about as close to perfect as
> we're ever going to get

Doubt it. My understanding is the majority of crashes are caused by human error; once we eliminate the human decision making, we should expect that to go down.


> It's been a scary year in aviation.

Maybe it's just perception bias because we hear a lot about crashes around the same time, but we'll have to look at the data to see if planes indeed crashed way more than in previous years or not.


What I mean is the aviation incidents have been quite shocking and peculiar. MH370 goes missing without a trace. MH17 is shot down.

Then, it just so happens that several incidents all were clumped together. Foreign airliners crash at a much higher rate than US ones, but the manner in which the two MH flights have gone down is very shocking for such a short period of time.


I'm still very curious how they plan to make money. I guess we will have to see...

In my opinion Urban Dictionary actually solves the same problem that Rap Lyrics is solving, except instead of explaining a whole sentence Urban Dictionary explains one to a few words.


Email security is really bad. We have a lot of companies trying to roll out "secure email" every week.

There are a ton of problems to solve before one of these actually works, JavaScript crypto being the least of them (since HN likes to discuss it...). Backwards compatibility with old email protocols and insecure services is clearly a weak link in any hypothetically secure service.

It would be nice to see a more distributed protocol... where the bulk of the world's email is holed up in a few companies' data centers.


I'm working on an enterprise honeypot framework with an emphasis on internal honeypots that alerts a network administrator as soon as an attacker messes with it. An example would be a fake phpMyAdmin page that alerts a security engineer as soon as it receives a POST request.

It's closed source but I've finished the architecture for the software and a couple of the services (MySQL, Web, FTP). They are really cool in my opinion. I'm writing this in Java (yuck but great at the same time), so packaging each service as a JAR file makes deployment super super easy.

It's actually been really successful thus far (and really easy to write, only a few hundred lines). I think enterprises need to use more "trickery" in their security systems and I don't think a framework existed for this before. It is really powerful to know that

if (honeypotTouched) { /* critical alert */ }

A lot of honeypot software is old and does not send you alerts when something bad happens to it. Most are external facing. I guess a better name for this is "canary". I got the idea my second time sitting through mubix's "Attacker Ghost Stories" talk.
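The decoy phpMyAdmin page described in the comment above, as an added example rather than the commenter's closed-source Java framework: a tiny HTTP canary that serves a fake login form on GET and records a critical alert on any POST, keeping the attempted username and the source address but never the password itself. The decoy paths, the in-memory alert sink and the response text are assumptions; in a real deployment the sink would be a pager or SIEM call.

```python
"""Web canary: a decoy phpMyAdmin login that alerts on POST.
Added example, not code from the commenter's framework. Paths, the
alert sink and the fake error text are assumptions."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs
from urllib.request import Request, urlopen

# Decoy paths. Nothing legitimate ever POSTs here, so a POST is a
# high-confidence signal, not a "maybe".
CANARY_PATHS = {"/phpmyadmin/", "/phpmyadmin/index.php"}

# Alert sink (assumption: in-memory list so the records can be inspected).
ALERTS = []

LOGIN_PAGE = b"""<html><head><title>phpMyAdmin</title></head><body>
<form method="post" action="/phpmyadmin/index.php">
<input name="pma_username"><input name="pma_password" type="password">
<input type="submit" value="Go"></form></body></html>"""

FAKE_ERROR = b"<html><body>#1045 Cannot log in to the MySQL server</body></html>"


def classify(method, path, body=""):
    """Return an alert record for a canary hit, or None for unrelated traffic.

    GET of the decoy is informational (a scanner found it); POST is critical.
    The submitted password is not stored, only its length, so the alert
    store never becomes a credential dump.
    """
    if path not in CANARY_PATHS:
        return None
    if method != "POST":
        return {"severity": "info", "method": method, "path": path}
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    return {
        "severity": "critical",
        "method": method,
        "path": path,
        "username": fields.get("pma_username", ""),
        "password_len": len(fields.get("pma_password", "")),
    }


class CanaryHandler(BaseHTTPRequestHandler):
    def _record(self, method, body=""):
        rec = classify(method, self.path, body)
        if rec is not None:
            rec["src"] = self.client_address[0]
            ALERTS.append(rec)
        return rec

    def _reply(self, payload):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_GET(self):
        if self._record("GET") is None:
            self.send_error(404)
            return
        self._reply(LOGIN_PAGE)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", "replace")
        if self._record("POST", body) is None:
            self.send_error(404)
            return
        # Answer like a failed login so the attacker keeps interacting.
        self._reply(FAKE_ERROR)

    def log_message(self, *args):  # ALERTS is the record; keep stdout quiet
        pass


def serve(port=0):
    """Start the canary on a daemon thread; returns (server, bound_port)."""
    srv = HTTPServer(("127.0.0.1", port), CanaryHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(port, method, path, data=None):
    """Small client used to exercise the canary; returns the HTTP status."""
    req = Request(f"http://127.0.0.1:{port}{path}", data=data, method=method)
    with urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    srv, port = serve(8080)
    print(f"canary listening on http://127.0.0.1:{port}/phpmyadmin/")
    threading.Event().wait()
```

Because the decoy has no legitimate users, the alert needs no tuning: the first POST is the incident, and the recorded source address and attempted username are what the responder wants to see first.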


That does sound pretty interesting, though I'm not sure if the enterprise folk would pay for it.

I know on my personal hosts I tend to grep the access logs for requests to /wp-admin, /phpmyadmin, and blacklist IPs that make requests to them. I should probably just switch to using fail2ban to do the processing, but I like the notices posted to my internal XMPP server.
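The log-grepping approach in the comment above, as an added example that is not the commenter's own script: parse Combined Log Format lines, flag requests to paths the host does not serve, and emit a blacklist (with a hit threshold, an admin allowlist, and the equivalent iptables rules). The sample log lines are constructed, and the trap prefixes, allowlisted ranges and threshold are assumptions.

```python
"""Access-log scanner for trap paths (/wp-admin, /phpmyadmin, ...).
Added example, not the commenter's setup. Sample log lines are
constructed; trap prefixes, allowlist and threshold are assumptions."""
import re
from collections import defaultdict

# Apache/nginx Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that do not exist on this host; any request is a scanner by definition.
TRAP_PREFIXES = ("/wp-admin", "/wp-login.php", "/phpmyadmin", "/pma")

# Source prefixes never auto-banned (assumed admin/VPN ranges).
ALLOWLIST = ("10.", "192.168.")


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trap(path):
    """Case-insensitive prefix match on the path with the query string dropped."""
    return path.split("?", 1)[0].lower().startswith(TRAP_PREFIXES)


def scan(lines, threshold=1):
    """Return (hits, blacklist).

    hits maps source IP -> list of trap paths it requested; blacklist is the
    set of IPs with at least `threshold` hits that are not allowlisted.
    Unparseable lines are skipped rather than aborting the run.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_trap(rec["path"]):
            continue
        if rec["ip"].startswith(ALLOWLIST):
            continue
        hits[rec["ip"]].append(rec["path"])
    blacklist = {ip for ip, paths in hits.items() if len(paths) >= threshold}
    return dict(hits), blacklist


def iptables_rules(blacklist):
    """Drop rules for the banned sources, in stable order."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(blacklist)]


# Constructed sample: two scanners, one normal visitor, one admin host, one junk line.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Jul/2014:13:55:36 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "curl/7.35.0"',
    '203.0.113.9 - - [10/Jul/2014:13:55:37 +0000] "GET /wp-admin/ HTTP/1.1" 404 209 "-" "curl/7.35.0"',
    '198.51.100.4 - - [10/Jul/2014:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jul/2014:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [10/Jul/2014:13:57:00 +0000] "GET /phpMyAdmin/index.php?x=1 HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    "this line is not an access log entry",
]

if __name__ == "__main__":
    hits, banned = scan(SAMPLE_LOG, threshold=1)
    for ip, paths in hits.items():
        print(ip, paths)
    for rule in iptables_rules(banned):
        print(rule)
```

Raising `threshold` trades a little latency for fewer false bans when a legitimate user mistypes a URL; the allowlist matters because an admin poking at the real (or decoy) admin path must never lock themselves out.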


Hey I appreciate the response. I'm honestly not sure if they will buy it. If it's cheap enough and portable enough I feel it could be extremely effective in drawing attention from attackers.

If not I guess I'll just open source it and turn it into a con talk =).


This type of story would make me hesitant to hire him after throwing his last employer under the bus (the usual response to this type of article). But with only one side of the story... you can't draw too many conclusions.

I checked his linkedin and it looks like he was at Pivotal from March to sometime recently. Lots of details are brushed over in this post so...maybe a more extensive post-mortem would be helpful.


Most employment or termination agreements I've seen have non-disparagement clauses that specifically prohibit this kind of post as well. (Although who knows if it would be enforced or could be enforced).


Usually those kinds of contracts are presented with a guarantee of a severance package or at least a single big check, which is supposed to ameliorate/attenuate any hard feelings. Nobody can coerce you to sign something like that, and besides, the enforceability of those contracts is dubious (outside of normal libel/slander laws), so they want you to take the money and happily leave.

There's also supposed to be an exit interview in which you are told why you are being let go and the details of the above. This is also designed to prevent anger. People, even when losing their jobs, respond well to truth and money.

And in my experience it usually works fine, but in this case it doesn't sound like either happened. Or maybe he refused the contract and hence refused the money. That's certainly possible.


In my experience over the past several years, I've seen lots of contracts and employment agreements for tech firms but very few non-disparagement clauses. I expect if he were terminated they would get one signed (or try to).


Gosh. I can't stand 1&1. When I was in undergrad I bought my first domain from 1&1 because I really had no idea where to buy them.

I've received phone calls from them for 4 years. They always end with "Yes sir, we will remove your number from our list"... so either I'm on a lot of lists or they are lying to me.


It's a data leak... very similar to Snapchat's issue and the Apple iPad fiasco found by weev. It's pretty sad that an app with almost no functionality had any problems.

It's also interesting how these developers seem to repeat this exact mistake over and over. I don't understand how people don't see a public-facing API call for mapping usernames to phone numbers or phone numbers to usernames as a bad idea...
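To make the anti-pattern in the comment above concrete, here is an added example (illustration only, not code from Yo, Snapchat or any app named on the page): the unauthenticated username-to-phone lookup that lets anyone walk the handle space, beside a contact-discovery design that never reverses a handle into a number, requires a session, keys the stored numbers with a server-side secret, and charges every query against a per-session budget. The directory contents, session handling and rate-limit values are all assumptions.

```python
"""Username/phone lookup: enumeration-prone design beside a hardened one.
Added example for illustration; not code from any app named on the page.
The user table, session model, pepper and limits are assumptions."""
import hashlib
import hmac
import time

# Constructed directory standing in for the user table.
USERS = {
    "alice": "+15551230001",
    "bob": "+15551230002",
}

# Server-side pepper (assumption); never leaves the backend.
PEPPER = b"rotate-me-and-keep-me-out-of-the-client"


def lookup_phone_vulnerable(username):
    """Anti-pattern: public handle -> phone number, no auth, no throttling.

    A script that iterates usernames harvests the whole phone book.
    """
    return USERS.get(username)


class RateLimited(Exception):
    pass


class Directory:
    """Hardened contact discovery: phone numbers the caller already holds ->
    registered handles, only for authenticated sessions, within a budget."""

    def __init__(self, users, max_queries=100, window_s=3600.0):
        # Index by keyed hash so a dump of this structure is not a phone list.
        self._by_hash = {self._key(num): name for name, num in users.items()}
        self._max = max_queries
        self._window = window_s
        self._budget = {}  # session -> (window_start, queries_used)

    @staticmethod
    def _key(phone):
        return hmac.new(PEPPER, phone.encode(), hashlib.sha256).hexdigest()

    def _charge(self, session, n, now):
        """Sliding-window budget: each number queried costs one unit."""
        start, used = self._budget.get(session, (now, 0))
        if now - start > self._window:
            start, used = now, 0
        if used + n > self._max:
            raise RateLimited(f"session {session} exceeded {self._max} lookups")
        self._budget[session] = (start, used + n)

    def find_contacts(self, session, phones, now=None):
        """Return {phone: handle} for the caller's own numbers that are registered.

        There is deliberately no handle -> phone direction, and the budget
        caps how much of the number space one session can probe.
        """
        if not session:
            raise PermissionError("authentication required")
        now = time.time() if now is None else now
        self._charge(session, len(phones), now)
        found = {}
        for phone in phones:
            handle = self._by_hash.get(self._key(phone))
            if handle is not None:
                found[phone] = handle
        return found


if __name__ == "__main__":
    print("vulnerable:", lookup_phone_vulnerable("alice"))
    d = Directory(USERS, max_queries=5, window_s=60)
    print("hardened:", d.find_contacts("session-1", ["+15551230001", "+15550000000"]))
```

The hardened version does not make contact discovery leak-free: confirming that a number is registered is still information, which is why the budget and the session requirement are part of the design rather than an afterthought. What it removes is the cheap, anonymous, unbounded walk from public handles to private numbers.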


Because security is not easy. Often when I ask these questions the responses range from not being worth bothering with because we still shop at Target, even though they've been hit, to just dealing with a breach after the fact, rather than being a little more proactive about it.

E.g. https://news.ycombinator.com/item?id=7920558

Like I said, security is hard. Microsoft is the only large corporation I know of with a published security development lifecycle, and while it's starting to benefit their products they're still not getting it 100% either. Security is also contentious, because doing it right means forsaking the idea of an MVP. It also requires design up front. And experience. These sorts of things are not exactly aligned with the hacker mindset, nor with startup culture.


Of course real, rock-hard security is hard to get right.

But it seems to me that the issue here is that some common sense security measure wasn't employed. The author didn't even think about what APIs he/she exposed. That's very different (and more irresponsible) than not designing a competitive and solid security system up front.


Absolutely, security is hard... and it's also not what 'Yo' is really worried about. If they have to worry about security, then they already hit it big and they can just fix the issue ex post leako.


On the one hand, 'Yo' was created in a day. Though maybe the author should've spent say a week on it.

On the other, it's been proven possible to ignore or botch security until you have to make a minor show of apologizing for it, without fear of consequence, if you've already gotten enough traction. Unfortunately, this only seems to prove to businesses that security is a fruitless endeavor, and a waste of effort better spent making sure the UI is shinier. On the third, I've had to explain to people and their startups that SQL injection and XSS even exist, much less that they're a problem worth dealing with now, so there might also be an education issue.

I think the answer would probably be more things which are secure out of the box. In particular, frameworks and the languages themselves (I'm looking at you PHP) which interface with the web should default to secure as much as possible.


TextSecure is very open about the crypto protocol and provides details that independent researchers can evaluate. It's also made by a well-known expert that we trust to do it right.

Wickr is pretty shady about their protocol.

They also make me uneasy because they use the term "military-grade encryption" a couple of times on their site. This is a pretty common snake-oil security term... so it makes me uneasy since the protocol details are nowhere to be found.


You could, but that requires doing my own research. This site has my browser sending the request to yo-hack instead of yo.

