It was 20 years ago today
> It’s amzing to think I’ve been doing this whole blog thing for a whole twenty years.
> But despite all the code changes, the actual storage format has not changed one bit in all twenty years.
Defense in depth against SSRF vulnerabilities with the EC2 Instance Metadata Service
> Today, AWS is making v2 of the EC2 Instance Metadata Service (IMDSv2) available. The existing instance metadata service (IMDSv1) is fully secure, and AWS will continue to support it. But IMDSv2 adds new “belt and suspenders” protections for four types of vulnerabilities that could be used to try to access the IMDS. These new protections go well beyond other types of mitigations, while working seamlessly with existing mitigations such as restricting IAM roles and using local firewall rules to restrict access to the IMDS. AWS is also making new versions of the AWS SDKs and CLIs available that support IMDSv2.
Eh, seems this could have been better from the start, but oh well.
The Google Squeeze
> OTAs have always been a special case when it comes to Aggregation Theory; like Aggregators, they serve customers on a zero marginal cost basis, and they have power over supply (hotels, primarily) by virtue of delivering them demand. The hangup for me is how they acquire that demand: first and foremost from Google.
> This arrangement between OTAs and Google has long been beneficial to both sides. Google drives traffic to the OTAs, which can monetize that traffic via commissions extracted from suppliers.2 Google, meanwhile, not only receives relevant results it could serve to customers, but also makes billions of dollars from OTAs buying search ads.
Bypassing GitHub's OAuth flow
> What happens if we send an authenticated HEAD request to https://github.com/login/oauth/authorize? We’ve concluded that the router will treat it like a GET request, so it will get sent to the controller. But once it’s there, the controller will realize that it’s not a GET request, and so the request will be handled by the controller as if it was an authenticated POST request. As a result, GitHub will find the OAuth app specified in the request, and grant it access to the authenticated user’s data.
Help me, framework!
Wonders of the Internet
> There wasn’t any indication of what it had been part of, or what it was for, but it did have the marking PART 2198768 on the back, so I handed that to The Goog.
> And the result was instantaneous and unequivocal: it belongs to my refrigerator. Specifically, it goes in the back of the freezer compartment to keep food from falling down into the back and blocking the drainage path.
At the Times, a Hesitance to Hyperlink
> There’s a joke in the journalism industry: It’s not news until the New York Times says it is. This is because the Times often reports stories that other outlets already have without any acknowledgment that they’re doing so.
Relearn CSS layout
> If you find yourself wrestling with CSS layout, it’s likely you’re making decisions for browsers they should be making themselves. Through a series of simple, composable layouts, Every Layout will teach you how to better harness the built-in algorithms that power browsers and CSS.
Some free, some pay.
A free guide to HTML5 <head> elements
HTML: the good parts
Migrating From Cloudflare
> Okay so here’s the thing: Cloudflare isn’t just the CDN provider for the instance, it is also the domain’s nameserver. That means that it holds all the DNS records that point mastodon.technology to the various IP addresses used for HTTP requests, email, and even public DKIM keys for mail server verification. These DNS settings are really, really important. If they get messed up, everything about the instance can break.
> So I split up the migration from Cloudflare to BunnyCDN into two phases: first migrate the CDN provider, and then migrate the DNS provider. Getting this right is really important, and I mostly did okay, but hopefully you can learn from my experiences.
Looking back at the Snowden revelations
> It’s no coincidence that this is a cryptography blog, which means that I’m not concerned with the same things as the general public. That is, I’m not terribly interested in debating the value of whistleblower laws (for some of that, see this excellent Twitter thread by Jake Williams). Instead, when it comes to Snowden’s leaks, I think the question we should be asking ourselves is very different. Namely:
> What did the Snowden leaks tell us about modern surveillance capabilities? And what did we learn about our ability to defend against them?
And it was Uphill Both Ways
> In fact, shortly after I made my own personal home page, full of <marquee> tags, creative abuse of the <font> tag, and a color scheme which was hot pink and neon green, I showed it to a friend, who condescendingly said, “What, you didn’t even use frames?” He made me mad enough that I almost deleted my Geocities account.
Nice look back at how we used to do things.
> In this era, we’d call stuff like this “DHTML” (the D is for “dynamic”), and we traversed the DOM as a chain of properties, doing things like document.forms.inputs to access fields on the form.
HTTP Mock – Intercept, debug and mock HTTP
> HTTP Mock is the latest tool in HTTP Toolkit, a suite of beautiful & open-source tools for debugging, testing and building with HTTP(S), on Windows, Linux & Mac.
This does look useful.
Interesting implementation note: https://news.ycombinator.com/item?id=21072087
> The trick is that it starts the application to be intercepted for you, so it can control it a little. It then does some magic to get that specific instance of the application to trust the certificate. There’s a lot going on there, but as an example: Chrome has a --ignore-certificate-errors-spki-list to inject the hashes of extra CAs that can be trusted in this specific Chrome instance. When HTTP Toolkit starts a Chrome process, it adds that command line option, with the hash of your locally generated CA.
Ik spreek geen Nederlands
> As you can see, the text was (for reasons unknown to me) helpfully translated into the language of the country we happen to be in. Unfortunately I don’t speak either Dutch or Portuguese so I can only interpret this behaviour as a punishment encountered by people rude enough to dare travel abroad without learning the language spoken in the country they happen to be in, thereby breaking the worldview held by the particular programmer who happened to be responsible for creating the translation module for this amazing example of good web development practices.
It’s Scarily Easy To Track Someone Around A City Via Their Instagram Stories
> By cross-referencing just one hour of footage from public webcams with stories taken in Times Square, BuzzFeed News confirmed the full identities of a half dozen people.
Terrible Ninth Circuit 230(c)(2) Ruling Will Make the Internet More Dangerous–Enigma v. Malwarebytes
> The Ninth Circuit has issued a Section 230(c)(2) opinion that creates significant problems for anti-spyware/spam/virus vendors (I’ll call them “anti-threat vendors”). The ruling will paralyze their decision-making, expose them to greater legal threats, and reduce their ability to protect consumers from unwanted software. This ruling makes the Internet less safe. I hope the Ninth Circuit will fix it via further proceedings.
> Nevertheless, the majority’s legal standard creates two obvious and significant problems. First, many spammers, virusmakers, and adware/spyware makers will claim–legitimately or not–to be direct or partial competitors with anti-threat vendors. In those situations, the threat purveyors will naturally claim that the blocking was motivated by anticompetitive animus. In fact, I would expect such anticompetitive animus claims to be routine for blocked entities, not an exception. Indeed, as the dissent noted, Zango claimed (not credibly) its adware was competitive with Kaspersky’s anti-threat software.
I would say it will be the AV companies facing bogus lawsuits who will lose the most, and probably not users, but it’s a bit of a pickle.
Scraping A Public Website Doesn't Violate the CFAA, Ninth Circuit (Mostly) Holds
> This is a major case that will be of interest to a lot of people and a lot of companies. But it’s also pretty complicated and easy to misunderstand. This post will go through it carefully, trying to explain what it says and what it doesn’t say.
Public Suffix List Problems
> This is a collection of thoughts from a maintainer of the Public Suffix List (PSL) about the importance of avoiding new Web Platform features, security, or privacy boundaries assuming the PSL is a good starting point.
> Equally terrifying, however, is how many providers only discovered the existence of the PSL once LE was using it to rate limit - meaning that their users were able to influence cookies and other storage without restriction, until an incidental change (wanting to get more certs) caused the server operator to realize.
An introduction to D3.js
> So, you want to create amazing data visualizations on the web and you keep hearing about D3.js. But what is D3.js, and how can you learn it? Let’s start with the question: What is D3? While it might seem like D3.js is an all-encompassing framework, it’s really just a collection of small modules.
A very deep dive into iOS Exploit chains found in the wild
> Earlier this year Google’s Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day.
> There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.
> TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.
> I’ll investigate what I assess to be the root causes of the vulnerabilities and discuss some insights we can gain into Apple’s software development lifecycle. The root causes I highlight here are not novel and are often overlooked: we’ll see cases of code which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users.
Elementary - Welcome to the New Blog
> Why we left Medium, and how!
A bit more detail here than just, oh look, we moved.
Also, interesting that they managed to keep almost identical look and feel (for people who like the design of medium), but it loads super fast. Proves medium could be doing a lot better, if motivated.