jaredj

@jaredj@infosec.pub

This is a remote user, information on this page may be incomplete. View at Source ↗

⁨Comment⁩ on ⁨Roast the security of my app⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
Marvellous!
⁨Comment⁩ on ⁨Roast the security of my app⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
history which may or may not be relevant to you: en.wikipedia.org/wiki/Cryptocat
⁨Comment⁩ on ⁨apps .. repo or not⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
A name I’ve seen in connection with this issue is Obtainium. From a cursory look, it appears this just streamlines checking for and getting apk’s from GitHub release pages and other project-specific sources, rather than adding any trust. So maybe it just greases the slippery slope :)

Security guidelines for mobile phones, and therefore policies enforced by large organizations (think Bring-Your-Own-Device), are likely to say that one may only install apps from the platform-provided official source, such as the Play Store for Android or the Apple App Store for iOS. You might say it’s an institutionalized form of “put[ting] too much trust in claims of authority.” Or you might say that it’s a formal cession of the job of establishing software trustworthiness to the platform vendors, at the mere expense of agency for users on those platforms.

People are not taught how to verify the authenticity and legitimacy of software

Rant: Mobile computing as we know it is founded on the rounding off of the rough corner of user agency, in order to reduce the amount users need to know in order to be successful, and to provide the assurances other players need, such as device vendors, employers, banks, advertisers, governments, and copyright holders. See The Coming War on General Computation, Cory Doctorow, 2011. Within such a framework, the user is not a trustworthy party, so the user’s opinion of authenticity and legitimacy, however well informed, doesn’t matter.
⁨Comment⁩ on ⁨Security Control Frameworks⁩ ⁨⁨9⁩ ⁨months⁩ ago⁩:
They are made (I think) to be implementable - even, to give implementors some flexibility. Then everybody goes and buys a tool to do it, and not that well. I thought 15 years ago that security configuration was a (voluminous) subset of system configuration and system administration, ripe for automation and rigorous documentation - not something to pay a different vendor for. But the market says otherwise. When you can split some work across a whole team, or even into a separate company, instead of glomming it into one job, that’s worth money to businesspeople.
⁨Comment⁩ on ⁨The Password Game - How many level can you reach?⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
i got paul through the flames! but he dies if you feed him too much
⁨Comment⁩ on ⁨The Password Game - How many level can you reach?⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
mmm yeah somewhere in the 20s. it gets way funnier after wordle :D