Wack Playstation Sup! 🙊 🇮🇸 is a user on mastodon.xyz.

PGP users,

I implemented a simple #efail exploit for Apple Mail, which is vulnerable to direct exfiltration with its default settings. The mitigation, disabling remote content, works but is brittle. So never click "Load Remote Content". (Thunderbird/Enigmail is vulnerable in a similar way, but I haven't tried that one yet.)

youtube.com/watch?v=_67Pz9zpPb

@micahflee That's really nicely done!

It would have been even more realistic if you'd actually included a remote image as well, so clicking the button would give the victim the warm fuzzy feeling of successfully loading a kitten over the Internet. Nothing happening is suspicious.

I suspect the ease of social engineering this is why the didn't just tell people to disable remote content.

The more I think about and the 's take, the more sympathy I have with their approach.

I wish they'd given more nuanced advice and avoided some of the drama, but here are some factors to consider:

1) People don't read. Security advice needs to be simple.

2) Lazy User A can put careful User B at risk.

3) Social engineering works.

4) The PGP/e-mail community's knee-jerk was "we're not vulnerable."

But many were & are vulnerable if you count SocEng and/or old versions, too.

Wack Playstation Sup! 🙊 🇮🇸 @HerraBRE

Daniel (dkg) at the ACLU is one of the smarter people in the PGP world. He says some reasonable things about #EFail (and ) here: aclu.org/blog/privacy-technolo

Reading this, I get the feeling he's missing point 2) from my previous toot - how is particularly scary because Lazy User A can put Careful User B at risk.

In InfoSec, we're so used to thinking in an individualistic way about how we protect ourselves, I think we often fail to consider how our choices affect others.


@HerraBRE Doesn't his “Ecosystem concerns” section cover your point 2 or are you thinking of something else?

@edavies Yes, I think he missed an important point.

His frame there is "I need to send confidential info, therefore..."

I am pointing out the framing of "I have received confidential information from others IN THE PAST, therefore..."

Different questions lead to different outcomes.

The EFF recommendation, that everyone who can temporarily disable decryption until things are more clear, is actually quite reasonable from the latter POV.

Just my opinion, of course. 😃