Gidley's Gossipings

A blog about not much really

Web of distrust

2016-11-09

The Register is reporting that a browser extension, Web of Trust, has been caught stealing and harvesting browser history.

This underlines the risk browser plugins carry: they can often ‘see’ everything you’re browsing on the web and can send that data back to their developers. Most plugins are harmless and do what they say, but there is very little stopping ‘bad actors’ from adding malicious code.

Another potential risk is a 3rd party ‘buying’ an existing plugin: imagine how many developers would happily sell their plugin for a few thousand dollars. The buyer can then ‘update’ the plugin with malicious code and most users would never notice.


Google not fixing Android Dirty Cow Yet

2016-11-08

It’s become fashionable to give security defects ‘cool’ names like Heartbleed; the latest is Linux’s ‘Dirty Cow’. This is quite a major bug as it allows any user/app on a Linux device to get ‘root’. Linux has now got a patch, but interestingly Google have delayed the patch for Android by a month.

It’s worth thinking a bit about what that ‘could’ mean…

  • Any Android app on your phone can now do anything - all those permissions mean nothing to an app using this exploit
  • Google may be able to stop apps doing this from getting through the Google Play store - but they probably can’t stop them all
  • As a user there is nothing you can do to secure your phone/tablet

So all those apps you use on your phone are now vulnerable - even the best software security can only hinder an attacker with ‘root’ permissions on Android. That means if any developer, of any app on your phone, decides they want to do things like capture your online banking passwords, pretend to be you in any app or engage in any mischief they want.


Booth eye tracking

2016-10-26 Tech

Recently I was at a trade show (Money 2020 in Las Vegas) and was wondering how effective the booth designs were at getting people’s attention. There seem to be a number of approaches people try:

  • Big Pictures to grab attention
  • Videos on loop explaining stuff
  • ‘Gimmicks’ on the stand
  • Live Talks
  • Text explaining products
  • Slogans explaining mission

What’s not clear to me is which of these actually work. Anecdotally you can watch people go by and see what they look at, and then observe who engages. But it struck me that it should be possible to do this more scientifically.


Why is there such a thing as default passwords?

2016-10-26 Tech

Why in 2016 are people still shipping software and devices with default passwords? The recent IoT botnet that broke large chunks of the internet was entirely avoidable if the devices had been shipped without default passwords.

This is perfectly within the capability of a device manufacturer: even British Telecom (who have many, many issues) have been shipping their devices with randomized passwords printed on a sticker on the device for years. It’s not hard to do that! With software it’s even easier: you just force the user to pick a password and don’t ship with admin/password or whatever you’ve decided is good enough.


Will PSD2 revolutionize banking?

2016-10-23 Fintech

There has been quite a lot of excited commentary about how PSD2 will revolutionize the banking industry, so I thought it was worth a bit of analysis to see what the actual outcome is likely to be.

What is it

PSD2 is an EU directive aimed at:

  • Forcing open APIs on the payments industry to open up competition, including the ability to deliver cross-border direct debit
  • Increasing security of payments/banking by mandating ‘strong authentication’ based on multiple factors
  • Better transparency on charges for payments

What are people saying it will mean

A number of commentators are crediting PSD2 with opening up the EU banking market to much more competition from non-banks and between banks. The theory is that these new entrants will use the APIs exposed to create new and exciting services that will take market share away from banks.


Google Pixel - Initial Review

2016-10-21 Tech

I ordered a Google Pixel when they were released as I needed a new personal Android phone and generally the Nexus line has been very good, so I thought I’d try the Pixel.

Some initial comments

  • It looks nice, it compares well to my (work) iPhone 6 from a looks point of view
  • The fingerprint reader is great, so far much more accurate and quick than my iPhone one, which seems to be getting slower and slower
  • The USB cable ‘port your phone’ thing didn’t work at all with my old Android phone (a Moto X). Instead I had to do it via the cloud
  • It’s really quick - both apps and data seem faster than my old phone. Data is a bit odd as I am in the same place with the same signal, but it does seem faster (good job I have unlimited data)
  • The camera is very good (as reported), it won’t be replacing my DSLR for ‘good’ shots, but for quick shots it’s very good.

Overall it looks like a nice phone, I’ll have to use it for a few weeks to see how good it really is!

New Website

2016-10-10 Tech

I’ve decided to finally move this site off blogger. It wasn’t adding much value so I’ve gone old-skool back to static HTML using Hugo.

The site is using an AMP-based template so it should be super quick and responsive.
