209 Matching Annotations
  1. Last 7 days
    1. An API key is a simple encrypted string that identifies a Google Cloud Platform (GCP) project for quota, billing, and monitoring purposes. A developer generates an API key in a project in the GCP Console and embeds that key in every call to your API as a query parameter
    1. This is useful if just a subset of the operations need the API key

      can we do wildcard paths at all?

    2. API keys are supposed to be a secret that only the client and server know. Like Basic authentication, API key-based authentication is only considered secure if used together with other security mechanisms such as HTTPS/SSL
    1. API keys are generally not considered secure; they are typically accessible to clients, making it easy for someone to steal an API key. Once the key is stolen, it has no expiration, so it may be used indefinitely, unless the project owner revokes or regenerates the key

      hmmm... what about client-API architectures where there are no username/pwd pairs?

    2. Cloud Endpoints handles both API keys and authentication schemes, such as Firebase or Auth0
    1. Access control for GCP APIs encompasses authentication, authorization, and auditing. Authentication determines who you are, authorization determines what you can do, and auditing logs record what you did
    2. Application credentials provide the required information about the caller making a request to a GCP API. Valid credential types include API keys, OAuth 2.0 client credentials, or service account keys.
    1. OAuth can be many things. It is most commonly used to allow an application (the consumer) to access data or services that the user (the resource owner) has with another service (the provider), and this is done in a way that prevents the consumer from knowing the login credentials that the user has with the provider
    1. For each call to your API, the user should send a token with every API request and you should validate the encoded token and either deny or send back the response.
    1. Cloud IAP enables you to configure Cloud IAP policies for individual resources in a Google Cloud Platform (GCP) project. Multiple apps within a project can each have different access policies
  2. Oct 2019
    1. principle of least privilege states that any process, user or program has only the privileges it needs to do its job

      Principle of least privilege

    2. If you really want to impress your security consultant, then casually mention Kerckhoffs Principle which is a more formal way of saying ‘security through obscurity is not sufficient’

      Kerckhoffs Principle

    3. Hashing is the process of turning one set of data into another through a reproducible algorithm

      Hashing

    4. symmetric key is. It’s a key that is ‘the same’ one used on both sides of the communication

      Symmetric key

    5. asymmetric key is one where access to the key used to encrypt the message does not imply access to decrypt the message

      Asymmetric key

    6. Authorization is the process of determining whether you are allowed to do something or not

      Authorisation

    7. Security through obscurity is security through the design of a system. In other words, if the design of your system were to become public then it would be easy to expose

      Security Through Obscurity

    8. Role-Based Access Control gives permission to a more abstract entity called a role. Rather than giving access to that user directly, you give the user access to the role, and then that role has the access permissions set for it

      Role-Based Access Control (RBAC)

    9. This is why it’s important to ‘salt‘ your hash with a secret key so that knowledge of the hash algorithm isn’t enough to crack a lot of passwords

      Improving hashing algorithms

    10. Encryption vs Encoding

      Encoding - converting some data into some other format

      Encryption - involves needing some secret or secure process to get access to the data, like a private 'key' that you store in your ~/.ssh folder

    1. new data provided by the Department of Human Services showed that almost half of all pension applications received last year were not processed within the timeframe set out in their Key Performance Measure standards

      Key Performance Measure for social security processing

  3. Sep 2019
    1. deploying an App Engine standard or flexible environment application and securing it with Cloud Identity-Aware Proxy (Cloud IAP)

      isn't IAP sufficient to secure apps, then?

    1. Endpoints Frameworks is supported only on the App Engine standard Python 2.7 and Java 8 runtime environments

      seems like endpoints frameworks is different from endpoints itself

    1. it's not that there are new vulnerabilities that have been identified in the implicit flow, just that PKCE offers a more secure alternative that you should use if you have the option

      Use PKCE instead of the implicit flow if you have a chance

    2. PKCE (which stands for "Proof Key for Code Exchange" and is pronounced "pixie") was originally developed to solve a problem specific to native mobile apps using OAuth 2.0

      PKCE (Proof Key for Code Exchange) is an extension to OAuth 2.0

    3. While this has worked and continues to work for a wide range of web applications, security experts had (and continue to have) concerns that it leaves open some potential attack vectors

      Implicit flow is still simple and very secure

    4. click a button that says "Sign in with GitHub." I am then sent to GitHub to sign in and, if this is my first time, grant permissions

      The Implicit flow:

      1. The application requests authorization from the user ➡
      2. The user authorizes the request ➡
      3. The authorization server issues an access token via the redirect URI ⬅
      4. The application uses the token to call the API ➡
  4. Aug 2019
    1. JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation Tool
  5. Jul 2019
    1. If Bluetooth is ON on your Apple device everyone nearby can understand current status of your device, get info about battery, device name, Wi-Fi status, buffer availability, OS version and even get your mobile phone number
    1. Fellow student, since you are reading this, you installed Hypothes.is as the instructor recommended. However, the extension by default has permissions to read all data on all websites you visit. Technically that means email, banking sites, etc. I for one don't want to give random software that authority. The developer did provide an easy way to limit that, and I'll assume he programmed it to work as promised. If you right click on the "h." extension icon, you can change "This can read and write all site data" to only Coursera - which means you can use the extension for the class, but it shouldn't be reading your emails or bank passwords.

      For the course writers and INSEAD - while Hypothesis looks solid and it's nice that it's non-profit, encouraging all students to install unrestricted extensions which can read all pages and data is a big responsibility; it could easily go wrong. Have you considered how this could be used as malware with the extensive permissions the extension is granted by default?

    1. Authentication (from Greek: αὐθεντικός authentikos, "real, genuine", from αὐθέντης authentes, "author") is the act of proving an assertion, such as the identity of a computer system user.

      The assertion does not need to be about an actor's identity per se?

  6. Jun 2019
    1. Top Reasons Why Your Website Needs An SSL Certificate

      Whether your #website is small or large, it needs an #SSL certificate. Here are the top reasons why your website needs an SSL certificate. If your website is on a shared hosting server, you can get it prepared by the web hosting company.

  7. May 2019
  8. Apr 2019
    1. “Being able to feel safe with other people is probably the single most important aspect of mental health; safe connections are fundamental to meaningful and satisfying lives.”
    2. Trauma victims cannot recover until they become familiar with and befriend the sensations in their bodies. Being frightened means that you live in a body that is always on guard. Angry people live in angry bodies. The bodies of child-abuse victims are tense and defensive until they find a way to relax and feel safe. In order to change, people need to become aware of their sensations and the way that their bodies interact with the world around them. Physical self-awareness is the first step in releasing the tyranny of the past.
    1. Oops, I think that one might even be exploitable… I think I’m going to stop here. This needs a structured effort, not spending ten minutes every now and then. As I said, the codebase isn’t bad. But there are obvious issues that shouldn’t have been there. As always, spotting the issues is the easy part – proving that they are exploitable is far harder. I’m not going to spend time on that right now, so let’s just file these under “minor quality issues” rather than “security problems.”
    2. LastPass has always been stressing that they cannot access your passwords, so keeping them on their servers is safe. This statement has been proven wrong several times already, and the improvements so far aren’t substantial enough to make it right. LastPass design offers too many loopholes which could be exploited by a malicious server. So far they didn’t make a serious effort to make the extension’s user interface self-contained, meaning that they keep asking you to trust their web server whenever you use LastPass.
    3. Some of these actions will prompt you to re-enter your master password. That’s merely security theater

      "Security theater". I dig that term.

    4. LastPass is run by LogMeIn, Inc. which is based in the United States. So let’s say the NSA knocks on their door: “Hey, we need your data on XYZ so we can check their terrorism connections!” As we know by now, NSA does these things and it happens to random people as well, despite not having any ties to terrorism. LastPass data on the server is worthless on its own, but NSA might be able to pressure the company into sending a breach notification to this user.
    5. Should you be concerned about LastPass uploading your passwords to its server?

      TL;DR: Yes, very much.

  9. Mar 2019
    1. Sharing of user data is routine, yet far from transparent. Clinicians should be conscious of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent. Privacy regulation should emphasise the accountabilities of those who control and process user data. Developers should disclose all data sharing practices and allow users to choose precisely what data are shared and with whom.

      Horrific conclusion, which clearly states that "sharing of user data is routine" where the medical profession is concerned.

    2. To investigate whether and how user data are shared by top rated medicines related mobile applications (apps) and to characterise privacy risks to app users, both clinicians and consumers.

      "24 of 821 apps identified by an app store crawling program. Included apps pertained to medicines information, dispensing, administration, prescribing, or use, and were interactive."

    1. Hashicorp Vault: One-Time Password for SSH

      Now there's a subject I want to learn about! It isn't explicitly covered by the DevOps certification topics, but take a look at the topics covering ssh and security (also search for vault at https://wiki.lpi.org/wiki/DevOps_Tools_Engineer_Objectives_V1).

  10. Jan 2019
    1. Who would have thought crypto investors would be U.S. securities law experts by the end of 2018

      Comment:

      Chapter 48 of Jin Ping Mei says: "As the saying goes, 'When soldiers come, a general blocks them; when water comes, earth dams it.' When it comes to that, the way lies in human effort; there is no avoiding it, you and I must prepare gifts and promptly send someone to the Eastern Capital to plead with the master there." Life is a play, and what everyone cares about is acting their own part well. Fortunately this is no longer an era in which speculation and profiteering count as crimes, so sharp-nosed market players putting on an act for the occasion can hardly be blamed; but who is going to "prepare the gifts" and deliver the surprises? In 2018, the players reaped plenty of fright instead.

      Professional investors and politicians can always dance gracefully on their own turf, but in this era of untamed growth, I'm afraid they too will have to learn from interpreters the skill of quickly getting to grips with an unfamiliar field: empathy, resilience under pressure, refusal to give up; perhaps "personality traits" would be the more fitting name.

    1. be careful on public Wi-Fi networks

      On unencrypted networks (train, bus, café, etc.) use a VPN. For example Freedome or NordVPN. Neither stores any data.

  11. Dec 2018
    1. Ultimate Guide To Develop Secure Mobile App

      Mobile applications must be developed using the above-mentioned security tips. This can be done by a professional mobile app developer or by hiring a mobile app development company. Make sure to include these practices in order to have a completely secure, difficult-to-break application.

  12. Oct 2018
    1. The NYCLU found nothing in the documents outlining policies for accessing data collected by the cameras, or what faces would be fed to the system in the first place. And based on emails acquired through the same FOIL request, the NYCLU noted, Lockport administrators appeared to have a poor grasp on how to manage access to internal servers, student files, and passwords for programs and email accounts. “The serious lack of familiarity with cybersecurity displayed in the email correspondence we received and complete absence of common sense redactions of sensitive private information speaks volumes about the district’s lack of preparation to safely store and collect biometric data on the students, parents and teachers who pass through its schools every day,” an editor’s note to the NYCLU’s statement on the Lockport documents reads.
    1. As a recap, Chegg discovered on September 19th a data breach dating back to April that "an unauthorized party" accessed a database with access to "a Chegg user’s name, email address, shipping address, Chegg username, and hashed Chegg password" but no financial information or social security numbers. The company has not disclosed, or is unsure of, how many of the 40 million users had their personal information stolen.

  13. Sep 2018
    1. politicians looking for issues to drum up with have made a whipping boy out of the social networks

      Here, I think the author is just saying that Facebook and Twitter have taken a lot of heat from politicians about the 2016 election, Russian interference, etc. This year, the tech companies are showing that they are "good citizens" by having better security and helping young people register to vote.

    1. DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG
    1. When your page links to another page using target="_blank", the new page runs on the same process as your page. If the new page is executing expensive JavaScript, your page's performance may also suffer. See The Performance Benefits of rel=noopener for more information. On top of this, target="_blank" is also a security vulnerability. The new page has access to your window object via window.opener, and it can navigate your page to a different URL using window.opener.location = newURL. See About rel=noopener for a demo and explanation of the vulnerability. Adding a rel="noopener" attribute prevents the new page from being able to access the window.opener property and will ensure it runs in a separate process. The rel="noreferrer" attribute has the same effect, but will also prevent the Referer header from being sent to the new page.
    1. This document outlines Cross-Origin Read Blocking (CORB), an algorithm by which dubious cross-origin resource loads may be identified and blocked by web browsers before they reach the web page. CORB reduces the risk of leaking sensitive data by keeping it further from cross-origin web pages. In most browsers, it keeps such data out of untrusted script execution contexts. In browsers with Site Isolation, it can keep such data out of untrusted renderer processes entirely, helping even against side channel attacks.
    1. Cross-Origin Read Blocking (CORB) is a new web platform security feature that helps mitigate the threat of side-channel attacks (including Spectre).  It is designed to prevent the browser from delivering certain cross-origin network responses to a web page, when they might contain sensitive information and are not needed for existing web features.  For example, it will block a cross-origin text/html response requested from a <script> or <img> tag, replacing it with an empty response instead.  This is an important part of the protections included with Site Isolation.
    1. I love the voice of their help page. Someone very opinionated (in a good way) is building this product. I particularly like this quote: Your data is a liability to us, not an asset.
  14. Jul 2018
    1. It is clear that the intelligence and law enforcement communities of the United States — adhering to the principles of patriotism enumerated by Deputy Attorney General Rod Rosenstein on Friday — felt that a message needed to be sent to the Russians that we were on to them.

      Typically, the president would deliver such a message, but this president has proven to be the staunchest defender of Putin and the most active advocate of covering up or denying these attacks. He did it again this week even while aware of the indictments.

      ...

      Trump may deny collusion. But given that the attack continues, denying it is collusion, distracting from it is collusion, obstructing the investigation of it is collusion — because all these things enable it to go on.

  15. Jun 2018
    1. security

      Hi,

      All gov websites holding citizens' personally identifiable information should hold a valid third-party certificate. As I have seen most of the time, government websites do not produce a valid certificate or do not produce any certificate at all; a few examples: the railway recruitment website, which collects candidates' personal info, and apart from that the voter id verification website (http://www.nvsp.in/), which is also not producing any certificate. In such cases lack of secure communication will help hackers to grab the passed data in between. Certificates should be mandatory on all local/state/national level government websites.

    1. we must not place the burden of safety on users in terms of who is responsible and who suffers the consequences
    2. IDEAS FOR TECHNICAL MECHANISMS

      A technique called differential privacy [1] provides a way to measure the likelihood of negative impact and also a way to introduce plausible deniability, which in many cases can dramatically reduce risk exposure for sensitive data.

      Modern encryption techniques allow a user’s information to be fully encrypted on their device, but using it becomes unwieldy. Balancing the levels of encryption is challenging, but can create strong safety guarantees. Homomorphic encryption [2] can allow certain types of processing or aggregation to happen without needing to decrypt the data.

      Creating falsifiable security claims allows independent analysts to validate those claims, and invalidate them when they are compromised. For example, by using subresource integrity to lock the code on a web page, the browser will refuse to load any compromised code. By then publishing the code’s hash in an immutable location, any compromise of the page is detectable easily (and automatically, with a service worker or external monitor).

      Taken to their logical conclusion these techniques suggest building our applications in a more decentralized [3] way, which not only provides a higher bar for security, but also helps with scaling: if everyone is sharing some of the processing, the servers can do less work. In this model your digital body is no longer spread throughout servers on the internet; instead the applications come to you and you directly control how they interact with your data.

  16. May 2018
  17. Apr 2018
  18. Mar 2018
    1. Introducing Subscribe with Google

      Interesting to see this roll out as Facebook is having some serious data collection problems. This looks a bit like a means for Google to directly link users with content they're consuming online and then leveraging it much the same way that Facebook was with apps and companies like Cambridge Analytica.

  19. Feb 2018
  20. Jan 2018
  21. Dec 2017
    1. Traffic sent to and from Google, Facebook, Apple, and Microsoft was briefly routed through a previously unknown Russian Internet provider Wednesday under circumstances researchers said were suspicious and intentional.

  22. Nov 2017
    1. The draft Plan of Implementation for the World Summit on Sustainable Development, recognizes poverty eradication as the greatest global challenge facing the world today and an indispensable requirement for sustainable development.

      Human rights and poverty reduction

    1. The reason that oil reached $117 a barrel last week was less to do with security of supply… than World shortage."
    2. "While the unresolved conflict with Iraq provides the immediate justification" for the US "to play a more permanent role in Gulf regional security," "the need for a substantial American force presence in the Gulf transcends the issue of the regime of Saddam Hussein."
    1. Oil was not the only goal of the Iraq War, but it was certainly the central one, as top U.S. military and political figures have attested to in the years following the invasion
    1. Saddam Hussein deserved to remain in power. But the security vacuum after his fall and the presence of foreign occupiers led to Iraq becoming a breeding ground for jihad and religious extremism.
    2. Saddam Hussein was a nasty, murderous tyrant who brutalized much of his country and was guilty of war crimes
    1. It is widely agreed upon that Iraqi civilian deaths peak in July. But estimates, which hover between 1,000 and 3,500 for that month, vary greatly
    2. Acting on tips from the dictator's bodyguard and family members, U.S. troops find Saddam Hussein hiding out in a one-man hole near his boyhood home of Tikrit.
    3. L. Paul Bremer III, head of the Coalition Provisional Authority in Iraq, signs an order disbanding the Iraqi army and intelligence services, sending hundreds of thousands of well-armed men into the streets
    4. Lawlessness and some skirmishing in the country are written off as the desperate acts of "dead-enders" by Defense Secretary Donald Rumsfeld
    5. U.S., British, and other coalition forces quickly overwhelm the Iraqi Army, though elements loyal to Saddam Hussein who will form the core of a postwar insurgency fight on
    1. We know that there are few sticky security and implementation issues

      Which is probably why @judell’s tate doesn’t show up in Chrome on my system and there’s weirdness with the scrolling once we accept to load unsafe scripts.

    1. the Iraqi government had a difficult time recruiting and training police officers and soldiers to assume domestic security duties. The death of al-Qaeda in Iraq’s leader, Abu Musab al-Zarqawi, in June 2006 did nothing to reduce the violence.
    2. Responsible for countless killings and sabotage, the insurgents targeted coalition forces, new Iraqi security forces and recruitment centres, electrical installations, oil pipelines, and other civilian institutions
    3. Major fighting ended by late April, but acts of common criminality continued, and, as the months passed, a pattern of concerted guerrilla warfare began to unfold. On December 13, 2003, Ṣaddām surrendered to U.S. troops when he was found hiding near Tikrīt, and other major figures from the regime were tracked down and arrested.
    1. when all people, at all times, have physical, social and economic access to sufficient, safe and nutritious food that meets their dietary needs and food preferences for an active and healthy life.
    1. For the last few years, Intel CPUs have Intel Management Engine, which runs its own OS, the Unix-like MINIX. You have no access to it. But it has complete access to your computer.

    1. EFF recommendations for Congress regarding data security and data breaches like the one at Equifax.

      https://www.ftc.gov/datasecurity
      FTC guide to data security for businesses.

  23. Oct 2017
    1. Boston, Newport, New York, Philadelphia, and Charleston were the five largest cities in British North America. Philadelphia, New York, Boston, and Charleston had populations of appr

      Security

    1. DEFCON, the world’s largest hacker conference, will release its findings on Tuesday, months after hosting a July demonstration in which hackers quickly broke into 25 different types of voting machines.

      ...

      Though the report offers no proof of an attack last year, experts involved with it say they’re sure it is possible—and probable—and that the chances of a bigger attack in the future are high.

      “From a technological point of view, this is something that is clearly doable,” said Sherri Ramsay, the former director of the federal Central Security Service Threat Operations Center, which handles cyber threats for the military and the National Security Agency. “For us to turn a blind eye to this, I think that would be very irresponsible on our part.”

  24. Sep 2017
  25. Jul 2017
  26. May 2017
    1. Tools that might be able to decrypt files encrypted by the WannaCry ransomware. With a little luck, and if the victim hasn't rebooted, the keys can be found in memory.

    1. Certain HP laptops have flawed audio drivers that record all your keystrokes to: C:\Users\Public\MicTray.log

      If these files exist, delete them: C:\Windows\System32\MicTray64.exe C:\Windows\System32\MicTray.exe

  27. Apr 2017
    1. Phishing attack that uses Unicode characters to fake a domain name.

      The xn-- prefix is what is known as an ‘ASCII compatible encoding’ prefix. It lets the browser know that the domain uses ‘punycode’ encoding to represent Unicode characters. In non-techie speak, this means that if you have a domain name with Chinese or other international characters, you can register a domain name with normal A-Z characters that can allow a browser to represent that domain as international characters in the location bar.

      What we have done above is use ‘e’ ‘p’ ‘i’ and ‘c’ unicode characters that look identical to the real characters but are different unicode characters. In the current version of Chrome, as long as all characters are unicode, it will show the domain in its internationalized form.

  28. Mar 2017
    1. Protection Level 0 (Limited or none): Information intended for public access, e.g., public directory information

      Includes name and email.

    2. Student Directory Data (unless the student has requested that information about them not be released as public information) Name of student Address, telephone, e-mail

      Not considered private or high level?

    3. Evaluations

      Anything graded with grade indicated? Or simply gradeable?

    1. There were no prospects of advancement mentioned. I had no choice. I had no means. The door of the flat had been ripped off by thieves, the possessions taken.

      Movement outwards...into box

    1. Sebastian Gorka, President Trump’s top counter-terrorism adviser, is a formal member of a Hungarian far-right group that is listed by the U.S. State Department as having been “under the direction of the Nazi Government of Germany” during World War II, leaders of the organization have told the Forward.

      ...

      Gorka’s membership in the organization — if these Vitézi Rend leaders are correct, and if Gorka did not disclose this when he entered the United States as an immigrant — could have implications for his immigration status. The State Department’s Foreign Affairs Manual specifies that members of the Vitézi Rend “are presumed to be inadmissible” to the country under the Immigration and Nationality Act.

    1. The Justice Department has announced charges against four people, including two Russian security officials, over cybercrimes linked to a massive hack of millions of Yahoo user accounts. [500M accounts, in 2014]

      Two of the defendants — Dmitry Dokuchaev and his superior Igor Sushchin — are officers of the Russian Federal Security Service, or FSB. According to court documents, they "protected, directed, facilitated and paid" two criminal hackers, Alexsey Belan and Karim Baratov, to access information that has intelligence value. Belan also allegedly used the information obtained for his personal financial gain.

  29. Feb 2017
    1. A company that sells internet-connected teddy bears that allow kids and their far-away parents to exchange heartfelt messages left more than 800,000 customer credentials, as well as two million message recordings, totally exposed online for anyone to see and listen.

    1. All along the way, or perhaps somewhere along the way, we have confused surveillance for care. And that’s my takeaway for folks here today: when you work for a company or an institution that collects or trades data, you’re making it easy to surveil people and the stakes are high. They’re always high for the most vulnerable. By collecting so much data, you’re making it easy to discipline people. You’re making it easy to control people. You’re putting people at risk. You’re putting students at risk.
  30. Jan 2017
    1. Jim Arkedis, formerly an intelligence analyst with the DoD.

      Below is how I would assess the credibility of the sources and allegations detailed in Buzzfeed’s recently-released dossier and an explanation of why I believe its two main allegations should be judged on their individual merits as credible with moderate-to-high confidence.

      No, that’s not the same as saying the allegations are 100 percent guaranteed to be true, but I think there’s enough evidence there that it would be irresponsible not to consider how this could impact our nation’s security and what, if anything, can be done to mitigate those potential impacts.

    1. TL;DR If window.opener is set, a page can trigger a navigation in the opener regardless of security origin.
    1. Thousands of poorly secured MongoDB databases have been deleted by attackers recently. The attackers offer to restore the data in exchange for a ransom -- but they may not actually have a copy.

    1. I shouldn’t have daisy-chained two such vital accounts — my Google and my iCloud account — together.

      Lesson learned: do not chain different accounts by "logging in with" (most of the time Google, Facebook, Twitter)

    2. First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up. Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time.

      Is it still as easy to enter someone's Amazon account today? Hopefully not. But I'm really not sure...

    3. Google partially obscures that information, starring out many characters, but there were enough characters available, m••••n@me.com

      This is where email sub-addressing (https://en.wikipedia.org/wiki/Email_address#Sub-addressing) is also useful!

    4. Apple tech support confirmed to me twice over the weekend that all you need to access someone’s AppleID is the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file

      Not very complicated to hack, is it? Fortunately, Apple now relies on two-factor authentication.

    5. In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.

      Security is not only the user's business. If the company doesn't do the job, it's useless for the user to be careful.

    6. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.

      Security considered from different perspectives leads to security flaws!

    1. Almost half of eight- to 11-year-olds have agreed impenetrable terms and conditions to give social media giants such as Facebook and Instagram control over their data, without any accountability, according to the commissioner’s Growing Up Digital taskforce. The year-long study found children regularly signed up to terms including waiving privacy rights and allowing the content they posted to be sold around the world, without reading or understanding their implications.