(Security Matters Even More)

I could write a long piece about the ins and outs of these, but really my heart’s not in it — I’ve written about this more than often enough in the past and there’s really no more to be said on the matter than that you should take all the precautions you can.

So, read these.

Read any (all) BTL user/reader comments (if any).

Not all of them (e.g. SolarWinds) still merit a ‘Red Alert’ response from you now, but I’ve listed them because they are nevertheless recent examples of the state of play and why you need to keep your eye on the ball at all times — the nearer to the top of the list, the more immediately relevant the matters discussed in the article.

Also … don’t forget the phenomenon of bitsquatting

It hasn’t been shown to be a widespread threat yet, but that doesn’t mean it never will be ¹ … if there’s money to be made from it, people will try it … and it arises from the fact that the hardware itself can flip a bit even when the user made no typo and there was no software bug (as if, but nevertheless); you can end up at a site other than the one you were looking for as a result of overheating, system uptime, manufacturing defects … even cosmic rays:

You may not even notice:

… not least because there’s no guarantee that the bit flipped will necessarily result in a printing character either (there are non-printing characters too²).
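To make that concrete, here is an added example (mine, not the author’s) that enumerates every name one bit flip away from a domain’s registrable label, the list a defender would want to register or monitor, and separates the registrable ones from those that can never resolve because the flip produced an illegal or non-printing byte. It assumes the reserved example.com as constructed input and Python 3.9 or later.

```python
import string

# Letters, digits and hyphen are the only bytes legal in a DNS hostname label.
LDH = frozenset(string.ascii_lowercase + string.digits + "-")


def is_valid_label(label: str) -> bool:
    """A registrable label: 1-63 chars, LDH only, no leading/trailing hyphen."""
    return (1 <= len(label) <= 63 and set(label) <= LDH
            and not label.startswith("-") and not label.endswith("-"))


def classify(variant_label: str) -> str:
    """'valid' if registrable, 'unprintable' if a flipped byte became a control
    character, otherwise 'invalid' (printable but not a legal hostname byte)."""
    if is_valid_label(variant_label):
        return "valid"
    if not variant_label.isprintable():
        return "unprintable"
    return "invalid"


def bitsquats(domain: str) -> dict[str, set[str]]:
    """Every name reachable from a two-label domain by flipping one bit in one
    byte of its registrable label, grouped by classify(). Variants that differ
    only in letter case are dropped: DNS is case-insensitive, so a flip of the
    0x20 bit still lands on the original domain."""
    label, dot, tld = domain.lower().rpartition(".")
    if not dot or "." in label:
        raise ValueError("expected a two-label domain such as example.com")
    groups: dict[str, set[str]] = {"valid": set(), "invalid": set(), "unprintable": set()}
    raw = label.encode("ascii")
    for i, byte in enumerate(raw):
        for bit in range(8):
            flipped = raw[:i] + bytes([byte ^ (1 << bit)]) + raw[i + 1:]
            variant = flipped.decode("latin-1")  # keep the raw byte value as one char
            if variant.lower() == label:
                continue  # case flip only; resolves to the same place
            groups[classify(variant)].add(variant + dot + tld)
    return groups


if __name__ == "__main__":
    # Constructed input: the reserved example.com, not a live campaign.
    squats = bitsquats("example.com")
    for name in sorted(squats["valid"]):
        print(name)
    print({k: len(v) for k, v in squats.items()})
```

For example.com, 33 of the 56 possible flips give a registrable name (including exa-ple.com and exam0le.com), 7 are case-only and harmless, and 16 yield bytes no resolver will accept; a label containing a digit or hyphen also produces control characters, the non-printing case the footnote describes.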

So … along with all the usual caveats about visiting random websites, clicking on random links, downloading random software, trojan horses, etc. … you should now appreciate these all the more …

1. The update post

2. The original

Because you don’t need to rely on a compromised Python library or web framework yourself to get owned, you just need to browse to a site that makes use of something that makes use of something that makes use of something that makes use of something … that does — stop searching for sites in search engines and clicking the first link that appears, enter the address directly in the URL/URI/address bar (that’s what it’s for!) ³.

And, remember, the need to pay attention and be careful is not limited to desktop/laptop devices … this all applies to mobile too.


¹ “A 2011 Black Hat paper detailed an analysis where eight legitimate domains were targeted with thirty one bitsquat domains. Over the course of one day, 3,434 requests were made to bitsquat domains” (Wikipedia).

² I format my posts with a non-printing space, for instance …

… which could potentially be registered as valid sites by automated domain registration systems — a series of bits is a series of bits and the software sees them even when the eye can’t.

³ Seriously, it takes no more effort to type amazon.com in there than it does in the search box on DuckDuckGo, Startpage or wherever (you aren’t dimwitted enough to use Google, so there’s no need to worry about that one). In fact, you’ll go straight to the site instead of having to click on the link afterwards, so it’s quicker and less effort as well as safer (you haven’t been doing yourself any favours by being lazy up until now, just making more work for yourself).

Where Angels Fear