Skip to main content

Posts

Showing posts from August, 2021

This is a PPTP VPN intervention.

Six years ago (sigh), I wrote but never published this blog post begging users to find an alternative to the PPTP VPN protocol. They were already years out of date at that time. Even today, however, well-known companies like ExpressVPN are still providing PPTP to clients despite the fundamentally insecure nature of these types of tunnels. Consider this an intervention. For years, the Virtual Private Network (VPN) has been a mainstay of those trying to keep snoopers away from their online activities. Its important to keep in mind that a VPN is one part of a secure and private online presence - without complementing the use of a VPN with additional tools and habits, the security offered is more narrow than many users believe. There are two main reasons to use a VPN.  First and foremost, a VPN is a means of encapsulating your network traffic within an encrypted "tunnel". This makes it extremely difficult to see or manipulate that network traffic. This is typically the type of

Electromagnetic eavesdropping is cheap & easy - so why doesn't anyone believe it exists?

Below, I've included what would have been the first post in a series of posts I wrote about the  badBIOS  controversy in October 2013. I found the evidence in support of badBIOS to be unconvincing and I was concerned by how popular badBIOS became despite those obvious shortcomings. This wasn't a situation where an overexcitable press ran with a story that turned out to be inaccurate; the most early and adamant believers in  badBIOS  weren't reporters, they were ITSEC professionals. How were so many of us publicly duped by what was essentially a conspiracy theory? This post doesn't address badBIOS directly. However, badBIOS was presumed to somehow involve the manipulation of computers using acoustic transmissions. This post provides some historical context behind a strain of computer science research in this field and shows how commonly held beliefs about the feasibility of these attacks were generally inaccurate at the time of writing. In future posts I would have explo

PHP empty() and the trouble of passing new zero values in forms

Lets say we have a form. The form is straight-forward: HTML radio buttons that posts to a PHP processing script that saves the results to a database. The radio buttons correspond to bindary responses to questions - Yes/No, True/False. These truth values are mapped to the integers '1' and '0', which are then stored in the database. When such a form is creating new records, this is about as brainless as web-development gets. But things get more complicated when the form is used to update existing records. A useful update form will typically have a few basic features; among them, the option to update all of the data in the form or just some of the data. To do this, we have to check whether a variable is being updated or not. One approach to checking on variable updates is to create an array with all of the variables to be considered, like this:  $stuff = array( 'fee' => $_POST['fee'], 'fi' => $_POST['fi'],