Locally added CAs override pinning, so no it wont help.
The evidence that he paid for murders is as damning as the rest of it, he kept the chatlogs and made diary entries about _paying to have someone murdered_, Please. The fact that he was scammed and no one was murdered is…
You see he's ok because he writes code and drug laws are bad, man. I'm disgusted by people trying to claim he is anything but a horrible person while trying to brush away the fact that he paid for people to be murdered.…
Sorry I wasn't clear, I wasn't talking about someone MiTM but someone actively compromising their servers. It would be nice to have a corpus of javascript and HTML from these sorts of sites so that someone could go and…
Since I'm the first security person here I might as well just start off the anti-javascript crypto thread: Their claim "Zero Access to User Data" is completely untrustable. There is no realistic way to be confident that…
Yes but worse, this is basically a 1990s anti virus + hype.
"Relatively poor" is letting them off easy, comically incompetent would be closer to the truth. Hopefully Square doesn't trust data from Snapchat. Lucky for Snapchat their users and potential investors don't care about…
The code used for the paper is actually here: https://github.com/pencilo/ssl I quit gradschool a month after publishing this so can't comment on what Suman is currently working on, but it looks like it is still mostly…
How could I possibly verify that though? Case 1: You delete my message once I read it Case 2: You simply report it as deleted once I read it(but keep it stored) Is there any way for us to distinguish the two? The more…
This isn't about hackers or even the NSA. The NSA is like the final boss. This isn't even passing level one. The point is that you don't actually offer me any more privacy than if I just used the 'Off The Record'…
That worked so well for people using hushmail. http://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_p...
These services deeply anger me and it is pretty hard not to launch into rants when I see them unfortunately. I have an honest question for you HN: Do you not see these services as fundamentally broken? Would it be worth…
How do you know there is no paper trail? What stops Delete.im from saving your messages?
>The main thing to point out is that by uploading a message it is still possible to get access to your message in a permanent state either by screen shotting or finding the image source. The tool exists for people who…
As a security person I enjoy blaming the NSA and conspiracies as much as anyone. That said sorry but I don't buy this. Just seeing a diff with that one + makes me more inclined to believe there was an if(...) goto fail…
You don't need fancy software, compilers warn about this kind of thing.
SSLVerifySignedServerKeyExchange in http://opensource.apple.com/source/Security/Security-55471/l... If you want to see my favorite SSL bug ever.
Take a look at http://opensource.apple.com/source/Security/Security-55471/l... specifically check the function SSLVerifySignedServerKeyExchange I leave the joy of spotting it to you. It is obvious and if you know c…
The key is a constant in the application, while ECB is embarrassing the mode can't help you here. But if it makes you feel better you can upload arbitrary bytes to Snapchat, encrypt it with your own not-stupid method.
Chad here. First off I'd like to give props to the gibsonsec.org guys, that is a really high quality protocol breakdown and the attack is neat. I see nothing wrong with going full disclosure after being ignored this…
You're slightly wrong on the app side of things and the keys. There are in fact two 'secret' keys. One is a fixed SHA256 hash used for their weird request generation and one is the fixed AES-128 key for encrypting…
Hi, one of the authors here. A good chunk of the core is from my python Snapchat API(https://github.com/pencilo/pysnapchat) which lets you do things like download snaps and send snaps. You are correct that it is…
Locally added CAs override pinning, so no it wont help.
The evidence that he paid for murders is as damning as the rest of it, he kept the chatlogs and made diary entries about _paying to have someone murdered_, Please. The fact that he was scammed and no one was murdered is…
You see he's ok because he writes code and drug laws are bad, man. I'm disgusted by people trying to claim he is anything but a horrible person while trying to brush away the fact that he paid for people to be murdered.…
Sorry I wasn't clear, I wasn't talking about someone MiTM but someone actively compromising their servers. It would be nice to have a corpus of javascript and HTML from these sorts of sites so that someone could go and…
Since I'm the first security person here I might as well just start off the anti-javascript crypto thread: Their claim "Zero Access to User Data" is completely untrustable. There is no realistic way to be confident that…
Yes but worse, this is basically a 1990s anti virus + hype.
"Relatively poor" is letting them off easy, comically incompetent would be closer to the truth. Hopefully Square doesn't trust data from Snapchat. Lucky for Snapchat their users and potential investors don't care about…
The code used for the paper is actually here: https://github.com/pencilo/ssl I quit gradschool a month after publishing this so can't comment on what Suman is currently working on, but it looks like it is still mostly…
How could I possibly verify that though? Case 1: You delete my message once I read it Case 2: You simply report it as deleted once I read it(but keep it stored) Is there any way for us to distinguish the two? The more…
This isn't about hackers or even the NSA. The NSA is like the final boss. This isn't even passing level one. The point is that you don't actually offer me any more privacy than if I just used the 'Off The Record'…
That worked so well for people using hushmail. http://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_p...
These services deeply anger me and it is pretty hard not to launch into rants when I see them unfortunately. I have an honest question for you HN: Do you not see these services as fundamentally broken? Would it be worth…
How do you know there is no paper trail? What stops Delete.im from saving your messages?
>The main thing to point out is that by uploading a message it is still possible to get access to your message in a permanent state either by screen shotting or finding the image source. The tool exists for people who…
As a security person I enjoy blaming the NSA and conspiracies as much as anyone. That said sorry but I don't buy this. Just seeing a diff with that one + makes me more inclined to believe there was an if(...) goto fail…
You don't need fancy software, compilers warn about this kind of thing.
SSLVerifySignedServerKeyExchange in http://opensource.apple.com/source/Security/Security-55471/l... If you want to see my favorite SSL bug ever.
Take a look at http://opensource.apple.com/source/Security/Security-55471/l... specifically check the function SSLVerifySignedServerKeyExchange I leave the joy of spotting it to you. It is obvious and if you know c…
The key is a constant in the application, while ECB is embarrassing the mode can't help you here. But if it makes you feel better you can upload arbitrary bytes to Snapchat, encrypt it with your own not-stupid method.
Chad here. First off I'd like to give props to the gibsonsec.org guys, that is a really high quality protocol breakdown and the attack is neat. I see nothing wrong with going full disclosure after being ignored this…
You're slightly wrong on the app side of things and the keys. There are in fact two 'secret' keys. One is a fixed SHA256 hash used for their weird request generation and one is the fixed AES-128 key for encrypting…
Hi, one of the authors here. A good chunk of the core is from my python Snapchat API(https://github.com/pencilo/pysnapchat) which lets you do things like download snaps and send snaps. You are correct that it is…