Food for Thought: 2016-01-23
Posted on January 23rd, 2016
I like this tiny house design.
Brilliant satire from The Onion: Pentagon Holds Gala To Celebrate 25 Years Of Bombing Iraq
The “Have I been pwned” site has helped reduce the value of breach dumps (and thus may be disincentivizing them). Troy Hunt asks for your help.
Want to be horrified when your phone vibrates? This app sends “a push notification every time the police kill someone in the United States.”
Economic concerns trigger survival instincts and will often override our ethics and conceptions of morality. When this happens, we can find ourselves making decisions we do not rationally agree with. Here’s a cautionary tale.
One might assume that governments who become aware of security vulnerabilities in products would want to help get those vulnerabilities fixed, at least if those products are made by companies headquartered in their country, or if their citizens frequently rely on those products. After all, the core justification for a government is to protect its citizens.
That assumption would be wrong. Governments frequently keep these vulnerabilities secret so that they can attack other countries and (though they are loath to admit it) their own citizens.
“But if you’re not doing anything wrong, then you have nothing to worry about” is a common refrain when we discuss abuses by governments. Here’s “A brief history of governments hacking human rights organizations” from Amnesty International.
“The whole page is static content, yet they literally hit the Rails stack, then hit the Node stack to render the React to a string and then send it back through the Rails stack.” via The Sad State of Web Development
There are some instances of Cross-Site Scripting (XSS) that don’t show up when performing a dynamic or manual application security test, because the injected value is never reflected back to the tester. These same issues are often dismissed as “unlikely” or “non-exploitable” when found in static analysis or code review. A great example is XSS against admins through log injection: untrusted input lands in a log file and later executes in the admin log viewer that renders it. PortSwigger is calling these “blind XSS” and has released an update to Burp Suite to dynamically/manually test for them.
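To make the log-injection case concrete, here is an added example (not from the original post or from PortSwigger) showing why a scanner never sees the bug: a logger that writes an attacker-controlled header verbatim, an admin log viewer that concatenates log text into HTML, and the hardened versions of both. Request data, function names and the `\x..` encoding of control characters are all constructed for illustration.

```python
import html
import re

# Constructed sample requests: the User-Agent is attacker-controlled and the
# response never reflects it, so a dynamic scan of /login sees nothing.
REQUESTS = [
    {"ip": "203.0.113.5", "path": "/login", "user_agent": "Mozilla/5.0 (example)"},
    {"ip": "203.0.113.9", "path": "/login",
     "user_agent": '<script>alert(1)</script>\n203.0.113.1 /admin forged line'},
]

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def log_line_unsafe(req):
    """Writes the header verbatim: an embedded newline forges a second log line."""
    return f'{req["ip"]} {req["path"]} "{req["user_agent"]}"'


def log_line_safe(req):
    """Encode control characters (CR/LF above all) before the value reaches the log."""
    ua = CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), req["user_agent"])
    return f'{req["ip"]} {req["path"]} "{ua}"'


def render_admin_view_unsafe(lines):
    """Typical log-viewer defect: log text concatenated straight into HTML."""
    return "<table>" + "".join(f"<tr><td>{l}</td></tr>" for l in lines) + "</table>"


def render_admin_view_safe(lines):
    """Output-encode each log line for the HTML context it is placed in."""
    cells = "".join(f"<tr><td>{html.escape(l, quote=True)}</td></tr>" for l in lines)
    return "<table>" + cells + "</table>"


def has_active_markup(rendered_html):
    """Cheap reviewer check on a rendered page: is there a live <script> tag?"""
    return re.search(r"<script\b", rendered_html, re.IGNORECASE) is not None


if __name__ == "__main__":
    raw = [log_line_unsafe(r) for r in REQUESTS]
    print("forged lines in unsafe log:", raw[1].count("\n"))
    print("unsafe viewer has live script:", has_active_markup(render_admin_view_unsafe(raw)))
    print("safe viewer has live script:  ", has_active_markup(render_admin_view_safe(raw)))
```

The fix belongs at the output side (encode for the HTML context when rendering) regardless of whether the log writer is also hardened; stripping control characters at write time only closes the separate log-forging problem.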