ddz.bsky.social
I drink amari and I know things. $ddz LMDDGTFY: https://duckduckgo.com/?q=dino+dai+zovi NYC/BK
130 posts 1,699 followers 112 following
Regular Contributor
Active Commenter
comment in response to post
I have never once run a phishing sim. I refuse to use the word. I put it in air quotes and say "scam by text or email", etc. Tech and cyber have been about deflecting blame to anyone else but themselves, which is what sims are. Blaming people when the system they use should protect against these issues.
comment in response to post
👋
comment in response to post
This is the way ;)
comment in response to post
PRF in WebAuthn is going to enable epic things
comment in response to post
Fraud is such a broad thing, hard to answer. But I think better forms of digital and cryptographic proofs of selective identity information would help. For example, cryptographic proof of personhood, while still remaining anonymous, would help reduce the number of bots and such on social media.
comment in response to post
It is true that it is not cool, but the shift to EMV also happened in the US with cardholders not being liable for fraudulent charges by law. I'm not sure what the laws were in AU, but I wonder whether that was only the situation in the EU/UK?
comment in response to post
Any plans on supporting Confidential VMs (e.g. AWS Nitro Enclave, AMD SEV-SNP, Intel TDX) w/ TamaGo unikernels?
comment in response to post
The way that I think about it is that the systems that I think about the security of have grown larger and more complex. Being Security DRI for Square's EMV launch in 2014 was really educational. True to my roots, I found EMV smartcard parsing mem corruption bugs in our firmware before it shipped :)
comment in response to post
Well, in the US, cardholders haven't been liable for fraudulent charges since 1974's Fair Credit Billing Act, which meant issuers owned fraud losses. This created the incentive for the EMV liability shift, which was created by contractual agreements between issuers, acquirers, terminal vendors, etc.
comment in response to post
Oh, and then try to get people to manually enter PAN+CVV for a CNP (Card Not Present) transaction? If people pay with Apple Pay or something like it, then it also isn't replayable card data and processing it reveals the thief's identity. But I'm sure some people will enter their PAN+CVV, some will not.
comment in response to post
How exactly would that work and what card or payment data would it compromise? Even with offline auth (not used in the US, but used in other countries), there really isn't anything that can be done with the cryptograms. You can only send them to issuer/acquirer as a merchant and then you are busted.
comment in response to post
There are various PCI PTS compliance aspects around the reported version string and requirements for a delta review on changes to anything within the security perimeter. The version string often refers to the functionality within that perimeter, which may not have been where the vuln was or was fixed.
comment in response to post
Here is an example of various compromises of an Android-based Point-of-Sale system, but note how they describe that they *weren't* able to interfere with anything handled by the secure processor: blog.stmcyber.com/pax-pos-cves...
comment in response to post
The above is a stark, stark contrast to the classic magswipe POS machines with a simple magstripe reader attached to a general-purpose Windows host, which sent full swipe track data in the clear to it.
comment in response to post
Theoretically possible, but any EMV POS has to meet PCI PIN Transaction Security (PTS), which means that it is effectively a tamper-responsive Hardware Security Module that happens to run an application to accept payments. The payments acceptance state machine is supposed to be on the secure co-processor.
comment in response to post
It turns out that replacing the static payment authz tokens (PAN, CVV) with smartcards that generate non-replayable cryptographic payment authorization messages e2ee'd to the card issuer made infecting points of sale effectively useless.
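The two comments above (cryptograms being useless to a merchant-side thief, and static PAN+CVV being replaced by non-replayable authorization messages) describe a property that is easiest to see in a small model. The following is an example added here, not the author's code or any card vendor's: it contrasts a "legacy" issuer that accepts static card data with an issuer that verifies a per-transaction cryptogram bound to the amount, a terminal nonce and the card's transaction counter. The cryptogram is an HMAC-SHA256 stand-in for an EMV ARQC (real cards derive a session key from the ATC and compute a 3DES/AES MAC per EMV Book 2); the PAN, CVV, amounts and keys are all constructed for the demo.

```python
"""Simplified model of why per-transaction cryptograms defeat POS malware.

Added illustration, not the author's code. HMAC-SHA256 stands in for the
EMV ARQC; the property shown (unique, unforgeable, amount-bound, replay-
rejected authorization) is the one the real scheme provides.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class LegacyIssuer:
    """Magstripe/CNP-style authorization: the card data *is* the credential."""

    def __init__(self, cards):
        self.cards = dict(cards)  # pan -> cvv (constructed sample data)

    def authorize(self, pan, cvv, amount):
        # Anyone who has seen PAN+CVV once can use it again, for any amount.
        return self.cards.get(pan) == cvv


def _encode(pan, atc, amount, un):
    return f"{pan}|{atc}|{amount}|{un.hex()}".encode()


@dataclass
class Chip:
    pan: str
    key: bytes   # shared with the issuer only; never leaves the chip
    atc: int = 0  # Application Transaction Counter

    def generate_ac(self, amount, unpredictable_number):
        """Return an authorization request the terminal can only forward."""
        self.atc += 1
        msg = _encode(self.pan, self.atc, amount, unpredictable_number)
        arqc = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "atc": self.atc, "amount": amount,
                "un": unpredictable_number, "arqc": arqc}


class Issuer:
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enroll(self, chip):
        self.keys[chip.pan] = chip.key
        self.last_atc[chip.pan] = 0

    def authorize(self, req):
        key = self.keys.get(req["pan"])
        if key is None:
            return "DECLINE: unknown card"
        msg = _encode(req["pan"], req["atc"], req["amount"], req["un"])
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, req["arqc"]):
            return "DECLINE: bad cryptogram"
        if req["atc"] <= self.last_atc[req["pan"]]:
            return "DECLINE: replayed ATC"
        self.last_atc[req["pan"]] = req["atc"]
        return "APPROVE"


def demo():
    """What a compromised point of sale yields under each model."""
    results = {}
    # Legacy: malware scrapes PAN+CVV from the terminal and reuses it anywhere.
    legacy = LegacyIssuer({"4111111111111111": "123"})
    results["legacy_skimmed_reuse"] = legacy.authorize("4111111111111111", "123", amount=50000)

    # EMV-like: malware sees the complete authorization message...
    issuer = Issuer()
    chip = Chip(pan="4111111111111111", key=secrets.token_bytes(16))
    issuer.enroll(chip)
    honest = chip.generate_ac(amount=1999, unpredictable_number=secrets.token_bytes(4))
    results["genuine"] = issuer.authorize(honest)
    # ...but a straight replay fails on the counter,
    results["replay"] = issuer.authorize(honest)
    # ...changing the amount fails on the MAC,
    tampered = dict(honest, amount=999999, atc=honest["atc"] + 1)
    results["tamper_amount"] = issuer.authorize(tampered)
    # ...and forging a fresh transaction needs the key that never left the chip.
    forged = dict(honest, atc=honest["atc"] + 1, arqc=secrets.token_bytes(8))
    results["forge"] = issuer.authorize(forged)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} -> {outcome}")
```

The only thing the malware gets from the chip path is a message that was already consumed the moment the merchant forwarded it, which is the "effectively useless" outcome the comment describes; the legacy path hands it a reusable credential.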
comment in response to post
What "works" means for some categories of infosec products:
EDR: detects a non-zero number of attacks, doesn't detect an unspecified number of other attacks
IAM: provides users access to resources, and also provides it to an unspecified number of other users (possibly malicious) :)
comment in response to post
The reason why things like algo won't work is that it trades your trackable home IP for a trackable cloud provider IP, which doesn't address privacy goals of not being trackable across different destination sites and visits across time.
comment in response to post
One way to get this would be making the first tier a cloud node that you run which runs an Oblivious HTTP or MASQUE proxy (does not terminate TLS) and cycles cloud IPs periodically. The second tier would be a CDN (Cloudflare or Fastly) for performance and obscuring home IP, essentially.
comment in response to post
I haven't really sketched it out yet, but the key principle to implement is information splitting by having two tiers. The first knows who you are (sees real IP or has account info), but not the destination of your traffic. The second does not know who you are, but does know destination of traffic.
comment in response to post
Sometimes and most likely, yes. I have been meaning to set up some personal infra to do roughly the equivalent of iCloud Private Relay from Linux, but haven't gotten to it yet.
comment in response to post
Fair, that is arguably more about privacy than security. For security, modern browser + OS has TLS applied pervasively enough that I don't actually worry about the security of my traffic except by middle-nodes that terminate and re-establish TLS.
comment in response to post
Partially; it currently only covers traffic from Safari, not API traffic from apps on your device. So decent for preventing tracking across web by ads, but doesn't cover making apps that don't need to be personally identifying, personally identifying by having them just interact with a backend svc.
comment in response to post
It's simple: in the move from dial-up Internet to a pool of IPs to home broadband, my home IP address became effectively personally identifying information. It's a privacy violation sending that to every site I visit when actual IDV is not strictly necessary. I want RFC 9458 Oblivious HTTP proxy.
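The two-tier split sketched in the comments above (a first tier that sees the real IP but not the destination, a second that sees the destination but not the client, and the RFC 9458 Oblivious HTTP wish here) can be shown end to end in a few dozen lines. The following is an example added to this page, not the author's infrastructure: a client, a relay and a gateway exchange one request, and each tier's log is checked for which of the two identifying facts it holds. Real OHTTP encapsulates each request with HPKE (RFC 9180) to the gateway's published key config and carries Binary HTTP; to run on the standard library alone, a key known only to client and gateway plus an HMAC-SHA256 counter-mode cipher with an HMAC tag stands in for that. The IP cycling and CDN fronting the comments mention are not modeled. Addresses, URLs and log formats are constructed for the demo.

```python
"""Two-tier information split in the spirit of RFC 9458 Oblivious HTTP.

Illustration added to the page, not the author's setup. The symmetric
seal/unseal pair stands in for HPKE encapsulation to the gateway's public
key; the relay never holds the key, so the blob is opaque to it.
"""
import hashlib
import hmac
import json
import secrets


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC under a fresh nonce; opaque to anyone without key."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad tag")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class Relay:
    """First tier: knows who (source IP), never what or where."""

    def __init__(self, gateway, ip="198.51.100.10"):  # constructed relay address
        self.gateway, self.ip, self.log = gateway, ip, []

    def handle(self, source_ip, blob):
        # All the relay can record: the client address and an opaque blob size.
        self.log.append({"src": source_ip, "bytes": len(blob), "next_hop": "gateway"})
        return self.gateway.handle(self.ip, blob)


class Gateway:
    """Second tier: knows what and where, never who."""

    def __init__(self, key, origin_fetch):
        self.key, self.fetch, self.log = key, origin_fetch, []

    def handle(self, source_ip, blob):
        req = json.loads(unseal(self.key, blob))
        # The only address the gateway ever sees is the relay's.
        self.log.append({"src": source_ip, "dest": req["url"]})
        return seal(self.key, json.dumps(self.fetch(req)).encode())


def origin(req):
    """Stand-in for the destination site, contacted by the gateway, not the client."""
    return {"status": 200, "body": f"results for {req['url']}"}


def demo():
    key = secrets.token_bytes(32)  # stands in for the gateway's HPKE key config
    relay = Relay(Gateway(key, origin))
    client_ip = "203.0.113.7"  # constructed home address
    request = {"method": "GET", "url": "https://example.com/search?q=amari"}
    reply = relay.handle(client_ip, seal(key, json.dumps(request).encode()))
    return {"client_ip": client_ip, "request": request,
            "response": json.loads(unseal(key, reply)),
            "relay_log": relay.log, "gateway_log": relay.gateway.log}


def leaks(log, client_ip, url):
    """Which of the two identifying facts a tier's log exposes."""
    text = json.dumps(log)
    return {"client_ip": client_ip in text, "destination": url in text}


if __name__ == "__main__":
    r = demo()
    print("relay sees  :", leaks(r["relay_log"], r["client_ip"], r["request"]["url"]))
    print("gateway sees:", leaks(r["gateway_log"], r["client_ip"], r["request"]["url"]))
```

The split only holds as long as the two tiers are operated by parties that do not share logs; if the same operator runs both, the join is trivial, which is why the comments put the first tier on infrastructure you run yourself and the second on a CDN.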
comment in response to post
... and you can celebrate from NYC (Condor) to SF (Conversation).