micahflee's comments

micahflee | 2 years ago | on: Hacked records corroborate claims in hydroxychloroquine wrongful death lawsuit

Hydroxychloroquine has dangerous side effects for people with heart abnormalities, and shouldn't be prescribed without first determining if it's safe. The FDA warned about this in 2020, and also warned doctors to not prescribe it for COVID-19 since it's shown to be ineffective at treating it: https://www.fda.gov/drugs/drug-safety-and-availability/fda-c...

The doctor never should have prescribed hydroxychloroquine for COVID-19 because it was ineffective and the medical community already knew it at the time, and if they were going to they should have done a physical exam or taken labs to determine if it was safe first, and they didn't.

micahflee | 12 years ago | on: Onionshare – Securely share a file of any size using Tor

I have doubts that a timing attack would even be exploitable here since it's a hidden service, but I just made the string comparison constant-time to be safe: https://github.com/micahflee/onionshare/issues/3

Keep in mind that the username/password are just hex-encoded 128 bits from /dev/urandom, so they're not guessable at all without some sort of leakage attack, like a timing attack. And if anyone attempts to do a timing attack the person hosting the file will see all the requests scrolling down their terminal in real-time and can always hit ctrl-c.

There's also the bit about knowing the hidden service .onion to attack in the first place, which wouldn't be trivial to discover, especially since I envision these to mostly be very short-lived.

But all that said, this is great feedback. Keep it coming and feel free to open security issues on github.
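The early-exit versus constant-time comparison this comment describes, as an added example that is not OnionShare's own code: the naive version stops at the first differing character, so the work it does reveals how many leading characters of the slug a guess got right, while the constant-time version always walks the full length. `make_slug`, `naive_compare`, `constant_time_compare`, `verify_slug`, `work_per_guess` and the `SECRET`/`GUESSES` values are names constructed for this illustration.

```python
import hmac
import os
from typing import List, Sequence, Tuple

def make_slug() -> str:
    """128 bits from the OS CSPRNG, hex-encoded (16 bytes -> 32 hex chars),
    the credential scheme the comment describes."""
    return os.urandom(16).hex()

def naive_compare(expected: str, supplied: str) -> Tuple[bool, int]:
    """Early-exit comparison -> (equal, positions examined). The second
    value is the side channel: work grows with the correct prefix length."""
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for x, y in zip(expected, supplied):
        examined += 1
        if x != y:
            return False, examined
    return True, examined

def constant_time_compare(expected: str, supplied: str) -> Tuple[bool, int]:
    """Visit every position and OR each byte XOR into one accumulator, so
    work depends only on the (public) expected length, not on the guess."""
    a, b = expected.encode(), supplied.encode()
    # On a length mismatch compare `a` to itself to keep the loop length
    # fixed, and record the mismatch in the accumulator instead.
    diff = 0 if len(a) == len(b) else 1
    b = b if len(a) == len(b) else a
    examined = 0
    for x, y in zip(a, b):
        diff |= x ^ y
        examined += 1
    return diff == 0, examined

def verify_slug(expected: str, supplied: str) -> bool:
    """What production code should call: the stdlib constant-time compare."""
    return hmac.compare_digest(expected, supplied)

def work_per_guess(secret: str, guesses: Sequence[str]) -> List[Tuple[int, int]]:
    """(naive, constant-time) positions examined for each guess."""
    return [(naive_compare(secret, g)[1], constant_time_compare(secret, g)[1])
            for g in guesses]

# Constructed secret and guesses sharing 0, 8 and 16 correct leading characters.
SECRET = "0123456789abcdef0123456789abcdef"
GUESSES = ["f" + SECRET[1:],
           SECRET[:8] + "f" + SECRET[9:],
           SECRET[:16] + "f" + SECRET[17:]]
```

`work_per_guess(SECRET, GUESSES)` returns `[(1, 32), (9, 32), (17, 32)]`: the naive counts climb with the correct prefix, the constant-time counts do not.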

micahflee | 12 years ago | on: Switch to HTTPS Now, For Free

It doesn't particularly matter if people trust StartSSL, it matters if browsers trust them (which they do).

There are about 100 root CAs, and something like 1000 CAs if you include intermediates (controlled by ~650 different organizations - https://www.eff.org/observatory), and browsers trust ALL of them. All it takes is one to issue a malicious cert, or to get hacked, to do a MITM attack on ANY domain without showing a browser warning.

The trustworthiness of a single CA doesn't make a difference, because if any CA isn't trustworthy then an attacker can use them instead of the other ones. This is the problem with CAs, and the problem with centralized trust systems in general. There are hundreds of weak points.

But also, StartSSL does fairly thorough identity verification. I've had to send them photos of my passport and talk to them on the phone to do identity verification. It's also worth noting that it's the CA that both https://www.eff.org/ and https://pressfreedomfoundation.org/ use.

As long as there's a broken CA system, the choice of CA does not matter in the slightest as long as it's trusted by browsers. Users only care if it breaks a website with a scary warning, but if it doesn't, it doesn't matter. There's no need to spend money.

StartSSL does charge if you have more than very basic needs, like if you want multiple alt names, or if you want a wildcard. But it's still cheaper than the competition.

micahflee | 12 years ago | on: Switch to HTTPS Now, For Free

If you offer software to download HTTPS is a must. Otherwise any active attacker, from a kid at a coffee shop to the NSA at the ISPs, can make it so when people download your software they're also downloading your software with malware attached. Software downloads are one of the most important things to protect, and it saddens me that some websites still exist that offer software downloads that don't use HTTPS.

micahflee | 13 years ago | on: Why I’m Leaving Ubuntu for Debian

When was the last time you tried Debian on your desktop? It's much better than it used to be. The only piece of hardware that didn't work out of the box for me was wifi, but I just had to enable the nonfree repo to install my wifi driver. Other than that, it's a lot like Ubuntu.

micahflee | 13 years ago | on: Why I’m Leaving Ubuntu for Debian

Ok, the site should be back up if your DNS has updated. It's now sitting behind cloudflare. Load on the server is still at like 13 though, so clearly everyone's DNS hasn't updated yet.

If you want to read it quicker, add this to your /etc/hosts:

190.93.254.39 micahflee.com

micahflee | 13 years ago | on: Why I’m Leaving Ubuntu for Debian

I'm the author. Sorry the site is down, I'm hosting it on a cheap VPS with 512MB and a single core. And it's running apache and php. Apparently being hammered by both reddit and hackernews at the same time is too much. Working on fixing it though, and it should be up again soon.

micahflee | 13 years ago | on: DEFCON: Why conference harassment matters

It's ridiculous and harmful to think sexual harassment is justified just because you're in a large group of drunk men.

Also, there aren't 10,000 men that go to DEFCON. A large percentage of the attendees are women.

micahflee | 14 years ago | on: Duck Duck Go's traffic has tripled in 2012

I've been using DDG for a couple of months now and it's been great. As a programmer, it turns out that like 50% of what I search for at work is programming reference stuff, so I've found the !php and !jquery syntax totally awesome.

There are still occasionally searches that I make where I can't find what I need from DDG, so I manually go to google for those (and of course for image search). But DDG definitely meets my daily needs for a search engine, and I love how privacy-friendly it is.

micahflee | 14 years ago | on: Insurgent Games Makes All Games Free, Releases Everything as Open Source

I want the games to be under the GPL so that derivative work has to remain open source. But to have GPL apps in the App Store you need permission from all copyright owners. If someone forks Skeleton Key and releases their own version in the App Store, they need my permission since I'm one of the copyright owners.

So this is just me giving my permission before anyone has to ask, but only for the purpose of App Store distribution. They're not allowed to re-license my code as proprietary for any other purpose.

micahflee | 14 years ago | on: Save My House From Apple

I wonder if he's planning on figuring out how to make money from software sales in a way that doesn't involve Apple. They're total asshats when it comes to things like this.