security

404 Media
As North Carolina and Montana enact new age verification laws effective January 1, residents can’t view sites in Pornhub’s parent company network.
Interesting Republican effort to raise awareness and use of VPNs in red states.
Ars Technica
In a press release, the FTC said that "Ring deceived its customers by failing to restrict employees' and contractors' access to its customers' videos, using customer videos to train algorithms, among other purposes, without consent, and failing to implement security safeguards." In one case, an employee "viewed thousands of video recordings belonging to female users of Ring cameras that surveilled intimate spaces in their homes such as their bathrooms or bedrooms," the FTC said.
This is awful and why I try not to buy surveillance devices. It’s difficult not to send data out of your house but I hope not being connected to the Internet becomes a selling point for electronics eventually.
palant.info
"So the more correct interpretation of events is: we do not have a new breach now, LastPass rather failed to contain the August 2022 breach. And because of that failure people’s data is now gone. Yes, this interpretation is far less favorable of LastPass, which is why they likely try to avoid it."
I believe password managers are critical and also that this password manager is being mismanaged. I guess the time for me to move to a different service was last year.
New York Times
"Armed with secret court orders in the United States and the help of governments around the world, the Justice Department and the F.B.I. disconnected the networks from the G.R.U.’s own controllers. “Fortunately, we were able to disrupt this botnet before it could be used,” Mr. Garland said."
Fantastic work and a great story. Just give me a steady stream of cybersecurity success stories please. Call the new beat Botnet Dragnet. I’ll waive my naming fee.
BuzzFeed
"For years, digital rights groups like the Electronic Frontier Foundation, security researchers, and journalists have warned that Venmo’s public friend lists were a privacy threat. Founded in 2009 on the idea that payments could be another form of social content, Venmo allowed people to pay each other and post about those payments to its public feed and other social media platforms."
It just takes a few seconds to update your Venmo privacy settings.
GCS
"Third party link-shortening tools can add unnecessary steps to your processes, create accessibility issues, threaten user privacy and undermine user trust – with no benefit to you as communicators."
Yes! The risks of using third-party URL shorteners outweigh any perceived benefit.
Bloomberg
"The company paid the hefty ransom in untraceable cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard, those people said. A third person familiar with the situation said U.S. government officials are aware that Colonial made the payment."
Facepalm. This should really help stem the tide of infrastructure attacks. We get a gas panic and the criminals get #!?*coin. At least the perpetrators can't buy Teslas with it.
MSNBC News
"That Pence had a military aide and a briefcase was a surprise to many who aren’t familiar with the command and control of strategic nuclear forces. Suddenly the import of what happened acquired a new salience: Did Trump’s inaction place not only his vice president, but the security of the nuclear deterrent in jeopardy?"
The more we learn the worse it gets.
The Mozilla Blog
"Today, Firefox is enabling encrypted DNS over HTTPS by default in the US..."
So strange to see a tech company put energy into consumer privacy but I’ll take it.
banking.senate.gov
"...there exists a sphere of life that should remain outside public scrutiny, in which we can be sure that our words, actions, thoughts and feelings are not being indelibly recorded. This includes not only intimate spaces like the home, but also the many semi-private places where people gather and engage with one another in the common activities of daily life—the workplace, church, club or union hall. As these interactions move online, our privacy in this deeper sense withers away."
Maciej Cegłowski, owner and operator of the old-school bookmarking service Pinboard (which I use to power posts like this), spoke to the Senate Banking Committee about online privacy. His thoughtful written statement is an excellent description of privacy in our current tech environment and has some ideas about how regulation could change things. I have no idea how this public statement came about, but I hope our leaders were listening. The gif here is by @thedansherman.
Twilio
These security and performance changes for websites are easy to add and include some new browser features I wasn't aware of before. I went with the recommendation here for a simple CSP header but it looks like you could really batten down the https hatches with that one if you read through the spec.
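As an added example (not code from the Twilio post, and the header values below are my own baseline, not the post's recommendation), here is a small security-header set plus a linter that parses a Content-Security-Policy string and flags the things a "simple" policy most often leaves open: no `default-src` fallback, wildcard sources, `'unsafe-inline'`/`'unsafe-eval'` in script contexts, and `object-src` not locked to `'none'`. It follows the CSP rule that the first occurrence of a directive wins and later duplicates are ignored; it does not model nonce or hash overrides of `'unsafe-inline'`.

```python
# Baseline response headers (assumed values, chosen for illustration).
SECURITY_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; object-src 'none'; "
        "base-uri 'self'; frame-ancestors 'none'"
    ),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Source expressions that are risky in any fetch directive ...
RISKY_ANYWHERE = {"*"}
# ... and ones that are risky where scripts can come from.
RISKY_IN_SCRIPT = {"'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive-name: [source, ...]}.

    Directives are ';'-separated; tokens are whitespace-separated; the first
    occurrence of a directive name wins, as the CSP spec requires.
    """
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def lint_csp(policy: str) -> list[str]:
    """Return human-readable findings for common weaknesses in a policy."""
    d = parse_csp(policy)
    findings: list[str] = []
    if "default-src" not in d:
        findings.append("no default-src: any directive you did not set is wide open")
    for name, sources in d.items():
        if not name.endswith("-src"):
            continue  # base-uri, frame-ancestors, etc. are not fetch directives
        for src in sources:
            if src in RISKY_ANYWHERE:
                findings.append(f"{name} allows {src}")
            if name in ("script-src", "default-src") and src in RISKY_IN_SCRIPT:
                findings.append(f"{name} allows {src}")
    # object-src falls back to default-src; strict CSP wants it to be 'none'.
    object_sources = d.get("object-src", d.get("default-src"))
    if object_sources is None or "'none'" not in object_sources:
        findings.append("object-src is not 'none': plugin content can still load")
    return findings


if __name__ == "__main__":
    for name, value in SECURITY_HEADERS.items():
        print(f"{name}: {value}")
    print(lint_csp(SECURITY_HEADERS["Content-Security-Policy"]))  # []
    print(lint_csp("script-src 'self' 'unsafe-inline'"))
```

Run the linter against whatever policy you deploy before and after you tighten it; a clean result is the point where "simple CSP" has stopped being a rubber stamp.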
null program
“This program opens a socket and pretends to be an SSH server. However, it actually just ties up SSH clients with false promises indefinitely...”
Discouraging bots is a fun hobby I approve of. I like this simple Python script that exploits an RFC loophole.