🔑 FIDO's time to shine and NPM wild wild west - Newsletter #3
Also the privacy struggles of the European Union to protect children and not brake encryption
After a couple of weeks of vacation, we’re back in business. This month, we take a look at a FIDO initiative at Big Tech and how package managers are broken. On Privacy, we try to understand the EU initiative to fight child sexual abuse images that could mean breaking end-to-end encryption.
This month's Cybersecurity weather forecast
The Russia - Ukraine conflict is still causing damage on both sides. This time the Russians are linked to a new Brexit leak. We should expect more activity coming that way as the war continues (more than 100 days now).
There was a 150% rise in ransomware attacks from April 2020 to July 2021. ENISA has described the threat picture as the “golden era of ransomware”. This is partly due to attackers’ many monetisation options. This means that Ransomware still represents a high risk.
Apple, Google, and Microsoft pledge to extend FIDO support
Apple, Google, and Microsoft will roll out no-password login options over the coming year, per the Fast Identity Online (FIDO) Alliance. This is a joint effort to fight the password-only login that is reported by Apple as “one of the biggest security problems on the web”.
First of all, what is FIDO?
The FIDO ("Fast IDentity Online") Alliance is an open industry association whose mission is to develop and promote authentication standards that "help reduce the world’s over-reliance on passwords". They have developed a standard together with the World Wide Web Consortium that allows websites and apps to offer “consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms”.
And how does it work?
FIDO uses the principles of public-key cryptography to enable passwordless and multi-factor authentication in a range of contexts. A user’s phone can store a unique FIDO-compliant passkey and will share it with a website for authentication only when the phone is unlocked.
Here’s an example of how it would work, assuming you are registering on a new website:
When you register on a new website, a key pair is generated: a public key shared with the website and a private key that stays on your phone.
When you try to log in, the website will ask you to confirm on your phone.
If you have the right key, it will allow you in.
Trivia: one survey found that while 85% of respondents wanted to use fewer passwords, 72% believed others would stick with passwords because it’s familiar.
Pwn the world
This is frightening but cool:
It’s not clear which “foreach” package he’s talking about because the top one has 130 dependents and not 36k, but it’s still something to think about. As someone says in the comments: this YOLO package management systems are fundamentally flawed.
EU’s problem with privacy to protect children
Privacy activists are sounding the alarm over the European Commission's plans to attack online child abuse, warning that it would result in "mass surveillance".
A member of the European Digital Rights group posted on Twitter that the proposal looks “shameful” and “entirely unfitting for any free democracy.”
The new law obliges companies to detect, report and remove child sexual abuse, a demand that comes with the responsibility to monitor encrypted content. This means that companies would be obliged to create backdoors on the end-to-end encryption mechanisms, which are available in tools like WhatsApp.
For Zach Meyers, Senior Research Fellow at the Centre for European Reform (CER) think tank, the Commission's plan "clearly undermines end-to-end encryption."
"Once a “backdoor” to undermine encryption exists, that will create both new security vulnerabilities for hackers, and inevitable political pressure to expand the “backdoor” so that it covers more than just child sexual abuse material over time," Meyers added.
A Guide to Zero Downtime Migrations
The Heroku incident is still ongoing. They’ve also learnt something from it
Top-500 NPM package maintainers now require 2FA
OVH Cloud fire class action reaches 140 clients, seeks more than €10m - we wrote about this a month ago
Thousands of popular websites see what you type before you hit submit
⏭️ Next week
Are you trying to remain private while surfing the web? If so, to what extent should you be doing it? what efforts are enough and what not? we will review some methods, techniques and tips to keep your privacy online.