Readit News
reedloden commented on UPenn uses 3rd party to scan and rewrite all URLs in emails   isc.upenn.edu/how-to/isc-... · Posted by u/podiki
musicale · 4 years ago
Lots of schools and companies do this; I understand why, but it makes it hard to communicate with people at such institutions.

And that's not even considering the security and privacy risks to email users from third-party email scanning and rewriting.

I could also imagine legal issues going both ways, particularly if the third party is tempted to retain data about email users.

For example, some universities that use Gmail and Google Apps for Education required that Google not scan student email, presumably due to privacy and legal requirements, or faculty email (due to faculty objections), and Google itself ultimately abandoned the practice in the face of a lawsuit.

https://marketbrief.edweek.org/marketplace-k-12/google_aband...

reedloden · 4 years ago
Google only stopped scanning the emails for advertising purposes, as the article states. Google definitely actively scans emails for malicious content (see https://support.google.com/mail/answer/25760?hl=en and https://support.google.com/a/answer/7380368?hl=en).
reedloden commented on Ask HN: Security audit for startup / OSS projects    · Posted by u/tommoor
reedloden · 5 years ago
https://www.hackerone.com/company/open-source-community

HackerOne has a free offering for open source projects. ^^

Let me know if you have any questions (I manage it). :-)

reedloden commented on Enabling Secure HTTP for BBC Online   bbc.co.uk/blogs/internet/... · Posted by u/edward
0x0 · 10 years ago
I don't think you can just run 'sed' on any random iOS app, any random symbian app, any random smart-TV app, some other guy's service that hits your APIs and feeds, and so on... :)
reedloden · 10 years ago
Now, that could be a valid issue, indeed, though not sure for how long I care about those devices continuing to work without any valid upgrade path... Using things like HSTS and CSP's `upgrade-insecure-requests` would help here for clients that do support it.
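
An added example, not from the thread or from the BBC, of what the two mechanisms named above look like from the server side: a small audit that parses a response's Strict-Transport-Security and Content-Security-Policy headers and reports whether an HSTS-capable client would be pinned to HTTPS and whether a CSP-capable client would upgrade http:// subresource requests. The header sets are constructed for the example, and the one-year max-age threshold is an assumption taken from what preload lists expect.

```javascript
// Added example (not code from the original thread). Audits the headers a site
// can send so that clients which support HSTS / CSP stay on HTTPS.
// The header objects at the bottom are constructed, not captured from any site.

// Parse a Strict-Transport-Security value into its directives.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const token = raw.trim();
    if (!token) continue;
    const [name, val] = token.split('=').map((s) => s.trim());
    const key = name.toLowerCase();
    if (key === 'max-age' && /^\d+$/.test(val ?? '')) out.maxAge = Number(val);
    else if (key === 'includesubdomains') out.includeSubDomains = true;
    else if (key === 'preload') out.preload = true;
  }
  return out;
}

// True when a Content-Security-Policy value carries upgrade-insecure-requests,
// which makes the browser rewrite http:// subresource URLs to https:// before fetching.
function cspUpgradesInsecureRequests(value) {
  return value
    .split(';')
    .map((d) => d.trim().toLowerCase())
    .some((d) => d === 'upgrade-insecure-requests');
}

// Return a list of findings; an empty list means both mechanisms are in place.
// ONE_YEAR is an assumption for the example: the minimum preload lists look for.
const ONE_YEAR = 31536000;
function auditHttpsHeaders(headers) {
  const findings = [];
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;

  const hsts = lower['strict-transport-security'];
  if (hsts === undefined) {
    findings.push('no Strict-Transport-Security header: clients keep trying http:// first');
  } else {
    const p = parseHsts(hsts);
    if (p.maxAge === null) findings.push('HSTS max-age missing or malformed: header is ignored');
    else if (p.maxAge === 0) findings.push('HSTS max-age=0: clears the policy instead of setting it');
    else if (p.maxAge < ONE_YEAR) findings.push(`HSTS max-age=${p.maxAge} is below one year`);
    if (!p.includeSubDomains) findings.push('HSTS lacks includeSubDomains: subdomains stay reachable over http://');
  }

  const csp = lower['content-security-policy'];
  if (csp === undefined || !cspUpgradesInsecureRequests(csp)) {
    findings.push('CSP lacks upgrade-insecure-requests: http:// subresources in old pages are not upgraded');
  }
  return findings;
}

// Constructed inputs: a weak header set beside a strong one.
const weakHeaders = { 'Strict-Transport-Security': 'max-age=0' };
const strongHeaders = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; upgrade-insecure-requests",
};

console.log('weak:', auditHttpsHeaders(weakHeaders));     // three findings
console.log('strong:', auditHttpsHeaders(strongHeaders)); // []
```

Neither header helps a client that implements neither HSTS nor CSP, which is exactly the category of old devices raised in the parent comment; the audit only tells you what capable clients will do.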
reedloden commented on Enabling Secure HTTP for BBC Online   bbc.co.uk/blogs/internet/... · Posted by u/edward
reedloden · 10 years ago
> There are always practical limitations to site-wide technical changes, and HTTPS Everywhere is no different. Sites and content we consider ‘archival’ that involve no signing in or personalisation, such as the News Online archive on news.bbc.co.uk, will remain HTTP-only. This is due to the cost we’d incur processing tens of millions of old files to rewrite internal links to HTTPS when balanced against the benefit.

Not to be snarky, but haven't people written tools to help with this? This seems like a common issue. I mean, there's `sed` and similar tools, obviously, but something that could go, validate that the link works over https://, and update it. I don't see why that would need to be some monumental amount of work.

HTTPS is more than just privacy. See https://certsimple.com/blog/ssl-why-do-i-need-it and https://www.troyhunt.com/ssl-is-not-about-encryption/
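
An added example, not the commenter's code and not a BBC tool, of the "validate that the link works over https://, then update it" pass the comment describes, run over a constructed archive page. The https-availability check is injected as a function so the example runs offline; a real run would replace the `knownHttps` set with a HEAD request to each https:// URL.

```javascript
// Added example (not from the original post or comment): rewrite http:// links
// to https:// only after the https:// endpoint has been confirmed to serve.
// The page below and the `knownHttps` set are constructed for the example.

// Matches href="http://..." / src='http://...' attributes; https:// and relative URLs do not match.
const ATTR_URL = /\b(href|src)=(["'])(http:\/\/[^"']+)\2/gi;

// Returns the rewritten HTML and a report of what was upgraded and what was left alone.
// `isHttpsAvailable(url)` stands in for the network probe the comment talks about.
function rewriteInsecureLinks(html, isHttpsAvailable) {
  const report = { upgraded: [], kept: [] };
  const out = html.replace(ATTR_URL, (match, attr, quote, url) => {
    const secure = 'https://' + url.slice('http://'.length);
    if (isHttpsAvailable(secure)) {
      report.upgraded.push(url);
      return `${attr}=${quote}${secure}${quote}`;
    }
    report.kept.push(url); // no working https:// endpoint: leave the link rather than break it
    return match;
  });
  return { html: out, report };
}

// Constructed stand-in for the probe: the https:// URLs that "answered".
const knownHttps = new Set([
  'https://news.bbc.co.uk/2/hi/uk_news/123.stm',
  'https://www.bbc.co.uk/',
]);
function sampleChecker(url) {
  return knownHttps.has(url);
}

// Constructed archive page with a mix of link kinds.
const archivePage = `<html><body>
<a href="http://news.bbc.co.uk/2/hi/uk_news/123.stm">Story</a>
<a href="http://www.bbc.co.uk/">Home</a>
<img src="http://newsimg.example.invalid/logo.gif">
<a href="https://www.bbc.co.uk/already">Already secure</a>
<a href="/relative/path">Relative</a>
</body></html>`;

const result = rewriteInsecureLinks(archivePage, sampleChecker);
console.log(result.html);
console.log('upgraded:', result.report.upgraded); // the two bbc.co.uk links
console.log('kept:', result.report.kept);         // the image whose host has no https://
```

The regex is enough for a demonstration; a tool run over tens of millions of files would want a real HTML parser, coverage of scheme-relative `//host/` links and `url()` in CSS, and a cache of per-host probe results so each host is checked once rather than once per link.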

reedloden commented on Enabling Secure HTTP for BBC Online   bbc.co.uk/blogs/internet/... · Posted by u/edward
reedloden · 10 years ago
> Earlier in 2016, the Chromium development team decided to implement a change to Google Chrome, preventing access to certain in-browser features on ‘insecure’ (non-HTTPS) web pages. In practice, this meant that key features of certain products, such as the location-finding feature within the Homepage, Travel News and Weather sites, would stop working if we didn’t enable HTTPS for those services.

I think this shows how valuable it is to use incentives to get people to Do The Right Thing(tm). Perhaps more things should be changed to require HTTPS.

reedloden commented on Remote code execution, git, and OS X   rachelbythebay.com/w/2016... · Posted by u/ingve
reedloden · 10 years ago
Isn't this why projects such as Homebrew thrive? For me personally, I just `brew install git`, and I keep it updated that way (`brew update && brew upgrade`)...

Sure, Apple should ship a fix, but there are ways around it for now.

reedloden commented on An opensource alternative for the TSA’s $300k line assistant   tsa.arik.io... · Posted by u/arik-so
blr246 · 10 years ago
The UI looks nice, but there is more to this than a UI.

This should be implemented using a cryptographically secure random number generator. Presumably, the TSA requirements would specify some defense against an attacker being able to predict program outputs.

reedloden · 10 years ago
https://developer.mozilla.org/en-US/docs/Web/API/RandomSourc... solves that. Just need to tweak the code.

I submitted https://github.com/arik-so/tsa/issues/4 about this issue.

reedloden commented on Server and Client RCE in Git version 2.7.1 and below   seclists.org/oss-sec/2016... · Posted by u/breadtk
voltagex_ · 10 years ago
Ubuntu should announce the fix at https://www.ubuntu.com/usn/ but I can't load the page right now.

(removed DSA link as per advice below)

reedloden · 10 years ago
https://bugs.launchpad.net/ubuntu/+source/git/+bug/1557787 is the tracking bug for this issue. Seems like it's fixed on xenial but not yet in older releases.
reedloden commented on Encrypted libraries leak lots of information in Seafile   github.com/haiwen/seafile... · Posted by u/networked
reedloden · 10 years ago
Note that Seafile seems to still be using a very old and EOL'd version of Django that has known security issues (currently v1.5.12, I believe).

https://github.com/haiwen/seafile/issues/1502

reedloden commented on Bug 647959 – Add Honest Achmed's root certificate (2011)   bugzilla.mozilla.org/show... · Posted by u/Moral_
reedloden · 10 years ago
Just use Let's Encrypt. :)

Signed, The guy who marked that bug report invalid.

u/reedloden

Karma: 185 · Cake day: June 16, 2013
About
[ my public key: https://keybase.io/reed; my proof: https://keybase.io/reed/sigs/Lty8JS0VpdMSR0MLoCbl-xDn6C74xbtJkt5prorBAHc ]