Comments
hjk101: Very well written. Has more than enough fluff to make it readable and not dry/highly technical as the preface warns.
You caught on with the symmetric-key-only solution, something any audit should have flagged. You did a good job. The fix should be forced on new customers, but as it requires action on the user's part (supplying a public key) it's hard to make it default for existing customers.
Marketing comes up with "Fort Knox it" in order to make it seem they already provide adequate security. High chance they won't force existing customers or even inform them to migrate to the fix.
What student data gets disclosed by this flaw?
Nice catch.
I don't know if I would do responsible disclosure on this - it is spyware, not more, not less. Certainly I wouldn't have helped the local banking trojan's vendor...
Interestingly, this is not the first vulnerability in this component (e.g. insecure random was used).
@sbiewald It *is* spyware, but I went the responsible disclosure route because of the consent dynamic here - if people were wilfully ignorant of the risks (such as with video game "anti-cheat" DRM) just to play a shiny new game, that's on them.
But, given that, security issue or not, students are being forced to use such services and not given an alternative, I did what I thought would be best for students. (Which is also why I didn't give advance notice on some other stuff, like the open source libraries I found used in the code. Goal was to help students, not do the company's job for them.)
I've been working with student orgs and trying to organise for pushback against these services, but it has been difficult.
@hjk101 Everything they store. Depending on configurations, may include government ID, room panoramas, signatures, etc.
Just finished a large write up on a security flaw I found and disclosed in an exam spyware vendor's "zero knowledge encryption" - derived keys that were generated from incrementing integers, discussion on obfuscation and more.
It was a hell of a time writing this up; not sure if linking my personal blog here would be bad practice, but here it is: https://proctor.ninja/wave-rake-pro...
It's been something else, but hopefully I can keep fighting against tech like this on school campuses.
rant
spyware
proctoring
school
exam
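The weakness the rant names, encryption keys derived from incrementing integers, shown as an added example; this is not the original post's code and not the vendor's code. The cipher is a toy (SHA-256 keystream plus HMAC tag) standing in for whatever the product uses, and the key-derivation shape `SHA256(APP_SALT || record_id)`, the `APP_SALT` constant, the record id `4213` and the sample record are all assumptions chosen to mirror "keys derived from incrementing integers". The point it demonstrates is that a server (or anyone holding the ciphertext and the client code) can read the "zero knowledge" data by walking the counter space and using the MAC as a key-correctness oracle, while the same attack against a random 256-bit key never terminates.

```python
"""Toy demo: counter-derived keys versus random keys (added example)."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed: a fixed application constant baked into the (obfuscated) client.
# Obfuscation hides it from a casual reader, not from an attacker with the binary.
APP_SALT = b"constructed-app-salt"


def derive_weak_key(record_id: int) -> bytes:
    """Weak KDF: the only variable input is a small incrementing integer."""
    return hashlib.sha256(APP_SALT + record_id.to_bytes(8, "big")).digest()


def keystream(key: bytes, n: int) -> bytes:
    """Toy stream cipher keystream: SHA-256 in counter mode (demo only)."""
    out = b""
    block = 0
    while len(out) < n:
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || 32-byte HMAC-SHA256 tag."""
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the tag fails (wrong key or tampering)."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, len(ct))))


def recover_by_enumeration(blob: bytes, max_id: int = 1_000_000) -> Optional[Tuple[int, bytes]]:
    """Attacker path: knows the KDF from the client code, does not know the id.

    The MAC check tells the attacker exactly when the guessed key is right,
    so the whole counter space is searchable in seconds.
    """
    for rid in range(max_id):
        pt = decrypt(derive_weak_key(rid), blob)
        if pt is not None:
            return rid, pt
    return None


def demo() -> Tuple[Optional[Tuple[int, bytes]], Optional[Tuple[int, bytes]]]:
    """Runs the attack against a counter-derived key and a random key."""
    record = b"student: Jane Doe; id-scan: <redacted bytes>"  # constructed sample
    # Vendor-style key: the server holds ciphertext it is "unable" to read.
    weak_blob = encrypt(derive_weak_key(4213), record)
    weak = recover_by_enumeration(weak_blob)
    # Proper key: 256 random bits; the oracle never fires within any bound.
    strong_blob = encrypt(os.urandom(32), record)
    strong = recover_by_enumeration(strong_blob, max_id=10_000)
    return weak, strong


if __name__ == "__main__":
    found, not_found = demo()
    print("counter-derived key recovered:", found)
    print("random key recovered:", not_found)
```

The fix hjk101 describes in the comments, a user-supplied public key, removes the enumerable secret entirely: the client encrypts the record key to a key the server never holds, so no amount of searching the counter space helps.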