You can’t throw out your worn-out USB security keys when you can’t recall what locks they’re for. Physical security tokens come with their own problems.
An easily-spoofed iframe embedded onto every random online merchant’s websites is not a safe place to enter my bank password! Is it really BankID‽
I’ve been an SELinux complexity apologist for years. Lately, I’ve concluded that every implementation with difficult-to-configure policies is just unmanageable.
OpenCore lets you run the latest macOS on unsupported Apple legacy hardware (and PCs). But software that bypasses security restrictions requires a lot of trust.
I found an open redirect vulnerability in the Libravatar specification. An open-source avatar hosting API could be abused to redirect to untrusted websites.
Opening a pull request is all it takes to get a GitHub patch URL that’s indistinguishable from patches/commits that are a part of an open-source GitHub project.
A review/critique of the complexity, security, and unpredictable user experience of modern feature-laden copy–paste clipboards in today’s operating systems.
Superfeedr tried securing its website with HTTPS and HSTS, but failed to apply it correctly. User emails and credentials are sent in plaintext on the first login.
An automated naming scheme intended to rid the security research field of “sensational names” predictably creates sensational, ambiguous, and suggestive names.
A configuration error made the TeamViewer RPM repository vulnerable to an attacker-in-the-middle substituting TeamViewer with its own GPG keys and software.
Two-factor authentication requires users to commit to storing a secret code indefinitely. Popular apps lack tools to back up and transfer those secrets.
Plan for the day your password manager stops working. Even if it’s a cloud service! Backing up your password manager is harder than it sounds.