Categories
Security

Blurring is not enough

You’ve probably heard of that thing that restored (well, tried to restore) pixelated images.

You may have heard about the criminal who got caught after he posted a swirled photo of himself. The police were able to undo the deformation to reveal his face.

Turns out, blurring can also be undone in some cases:

This is the result of the Restoration of defocused and blurred images project by Vladimir Yuzhikov. Of course, it won’t magically unblur any photo, but the results are impressive nonetheless.

If you want to make something unrecognizable in a photo, just slap a big black rectangle on top. Make sure that the rectangle is opaque. Then take a screenshot of the censored image just to be safe and use it. To be completely sure, print and scan it back if you’re paranoid! Make sure your printer or scanner drivers don’t send pictures somewhere. Ah, screw it, just don’t post the picture!

Categories
Security

Firefox for Android allows websites to use camera even when the screen is locked

Interesting Firefox for Android bug: Camera remains active when the app is in background or the phone is locked. That is, when the camera is on and streaming via WebRTC, if the user locks their phone, the camera continues streaming.

kbrosnan on Hacker News adds:

For a user to be affected by this they would need to:

* They would need to visit a website using webrtc

* Grant Firefox the Android camera/microphone permissions

* They would then be prompted to allow the website access to the camera and microphone

* For this to be a persistent problem the user would need to check a box that says “Remember my decision for this site”; this is unchecked by default in the above dialog

This, of course, is what everyone does when trying to use a web video chat.

What surprises me more about the bug is that Android allows apps to record video when the phone is locked. I didn’t know that. As far as I know, iOS doesn’t allow this. More than that, an app can’t even use the camera if it’s not the front-most app — the frame just freezes until the app is back (I suspect we’ll see this change in future versions, given that iOS/iPadOS 14 add an indicator).

Categories
Security

Platform authenticators for Web Authentication in Safari 14

Safari 14 will support platform authenticators for the Web Authentication API (also known as WebAuthn). Current versions of Safari already support WebAuthn for security keys, such as YubiKey, which are called roaming authenticators, but soon you will be able to authenticate using Touch ID or Face ID on supported devices without any external keys; this is called a platform authenticator.

This is already supported by Chrome on Macs, but the importance of the new development is that millions of iOS and iPadOS users will be able to use WebAuthn without dongles.

Categories
Security Tools

How to use Chrome securely

  1. Install the uBlock Origin extension. (If you’re not from the US, check its options to turn on ad block lists for your country.)
  2. Do not install any other extensions ever! (exceptions: 1Password, Google Arts & Culture).
  3. Create separate “people” for different activities: e.g. home, work, browsing sketchy websites. (Click on avatar → Manage People.)
  4. If you want to turn on sync, set up encryption passphrase. It’s a separate passphrase from your Google account — your sync data will be encrypted locally with it before hitting Google servers.
  5. Disable saving/auto fill of passwords, payment, and addresses. (https://twitter.com/Sc00bzT/status/1085521985017466881)

That is all (for now).

Categories
Security

Securing Go web applications

There are lots of security-related things to keep in mind when writing a web application, as the Web is a place full of danger: cross-site scripting (XSS), cross-site request forgery (CSRF), clickjacking, brute forcing, spam and so on.

Go gets many things right by default: for example, templates from the standard library make it hard to accidentally introduce XSS vulnerabilities. But what about other attacks? Fortunately, there are a few open source Go packages that can help us.
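To make the point about the standard library concrete, here is an added example (not code from the original post) that renders one template with both html/template and text/template. The input string and the template are constructed for the demonstration; html/template escapes the value differently in each context it appears in, while text/template echoes it verbatim.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	texttemplate "text/template"
)

// Constructed sample of untrusted input, the kind of thing a visitor could
// submit through a form and that a page later echoes back.
const untrusted = `<script>alert(1)</script>`

// renderHTML executes src with html/template, which escapes each value
// according to the HTML context it lands in (text, attribute, URL, script).
func renderHTML(src string, data map[string]string) (string, error) {
	t, err := template.New("page").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderText executes the same source with text/template, which performs no
// escaping at all; it is included only to make the difference visible.
func renderText(src string, data map[string]string) (string, error) {
	t, err := texttemplate.New("page").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// One template with three contexts: element text, a URL attribute and a script block.
	page := `<p>{{.Name}}</p><a href="{{.Link}}">go</a><script>var n = {{.Name}};</script>`
	data := map[string]string{"Name": untrusted, "Link": "javascript:alert(1)"}
	safe, _ := renderHTML(page, data)
	raw, _ := renderText(page, data)
	fmt.Println("html/template:", safe) // tags entity-escaped, href replaced by #ZgotmplZ, JS value JSON-quoted
	fmt.Println("text/template:", raw)  // input reproduced verbatim, i.e. a working XSS
}
```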