Lost+Found: PGP verification, cash for Bitcoins, unsafe API keys
Too small for news, but too good to lose, Lost+Found is a compilation of the other stories that have been on The H's radar this week: PGP verification, Java 0-days, Bitcoins for cash, default logins, API keys, and keyboards with card readers
-----BEGIN PGP SIGNED MESSAGE-----
- xkcd has summarised how to verify the authenticity of an email using PGP.
- From our "insult to injury" category: some security specialists now say that JAVA is an acronym for "Just Another Vulnerability Announcement", while others think that using Java in Pwn2Own exploits is "like doping in cycling".
- Companies use display boards that say "No accidents reported for XYZ days" on their shop floors. A similar thing now exists for Java. At the moment, even a two-digit figure would probably be a reason to celebrate for Oracle.
- Bitcoins can nowadays be used to buy almost anything – even cash. The sellers don't retain their recipients' personal details and only send out legitimate notes. At least that's what they say.
- It's not a good idea to run web applications with default logins. Anyone should be clear on this – after looking through the Web Application Defaults DB, if not before.
- Incidentally, a similarly bad idea is to place source code that contains private Google API keys on GitHub.
- And while we're on the subject: one should also refrain from testing magnetic card readers that connect to a system as a USB keyboard in public chat rooms.
- And don't forget to check the alt-text on that xkcd strip at the start of this week's Lost+Found.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8
iEYEARECAAYFAkiN0y0ACgkQKA46Lt0onH9hZwCeKliuQTO528NaqLNYD1tFy/iE
z4EAoJm2xVFRvhQWlVAcLzfRF34JLhAa
=FNRI
-----END PGP SIGNATURE-----
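Since the column opens with PGP verification and closes with an armored signature block, here is an added example (written for this page, not code from The H or from GnuPG) of what the outer layers of that block contain before any cryptography happens: it checks the radix-64 CRC-24 that terminates the armor and decodes the fixed fields of the signature packet (RFC 4880 sections 5.2.3 and 6). It deliberately stops short of verifying the signature itself, which needs the signer's public key and a real OpenPGP implementation such as `gpg --verify`; the armored text embedded below is copied from the end of this column, and whether its CRC line matches is simply whatever the script reports.

```python
"""Dissect an ASCII-armored OpenPGP signature block: armor headers,
CRC-24 checksum, and the fixed fields of a v4 signature packet."""
import base64
import struct
import time

CRC24_INIT = 0xB704CE      # RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB

# The armored block printed at the end of this Lost+Found column.
ARMORED_SIGNATURE = """-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8

iEYEARECAAYFAkiN0y0ACgkQKA46Lt0onH9hZwCeKliuQTO528NaqLNYD1tFy/iE
z4EAoJm2xVFRvhQWlVAcLzfRF34JLhAa
=FNRI
-----END PGP SIGNATURE-----
"""


def crc24(data: bytes) -> int:
    """CRC-24 exactly as given in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_checksum(data: bytes) -> str:
    """The '=XXXX' line that terminates an armored block."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")


def armor(data: bytes, kind: str = "SIGNATURE") -> str:
    """Build an armored block (used here for round-trip checks)."""
    b64 = base64.b64encode(data).decode("ascii")
    return f"-----BEGIN PGP {kind}-----\n\n{b64}\n{armor_checksum(data)}\n-----END PGP {kind}-----\n"


def dearmor(armored: str) -> dict:
    """Split an armored block into headers, raw bytes and CRC status."""
    lines = armored.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP ") and lines[-1].startswith("-----END PGP ")):
        raise ValueError("missing armor header/tail lines")
    body = lines[1:-1]
    headers = {}
    while body and ":" in body[0]:          # "Version:", "Comment:" etc.
        key, value = body.pop(0).split(":", 1)
        headers[key.strip()] = value.strip()
    if body and body[0] == "":              # blank line ends the header section
        body.pop(0)
    checksum = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    return {"headers": headers, "data": data, "checksum": checksum,
            "crc_ok": checksum is not None and checksum == armor_checksum(data)}


def parse_signature_packet(data: bytes) -> dict:
    """Decode the fixed fields of a v4 signature packet with an old-format header."""
    tag = data[0]
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 2:
        raise ValueError("not an old-format signature packet")
    length_type = tag & 0x03
    if length_type == 0:
        length, pos = data[1], 2
    elif length_type == 1:
        length, pos = struct.unpack(">H", data[1:3])[0], 3
    else:
        raise ValueError("packet length encoding not handled in this example")
    pkt = data[pos:pos + length]
    if len(pkt) != length:
        raise ValueError("truncated packet")
    version, sig_type, pk_algo, hash_algo = pkt[0], pkt[1], pkt[2], pkt[3]
    if version != 4:
        raise ValueError(f"version {version} signature not handled here")
    hashed_len = struct.unpack(">H", pkt[4:6])[0]
    hashed = pkt[6:6 + hashed_len]
    p = 6 + hashed_len
    unhashed_len = struct.unpack(">H", pkt[p:p + 2])[0]
    unhashed = pkt[p + 2:p + 2 + unhashed_len]
    info = {"version": version, "sig_type": sig_type,
            "pk_algo": pk_algo, "hash_algo": hash_algo}
    for area, name in ((hashed, "hashed"), (unhashed, "unhashed")):
        i = 0
        while i < len(area):
            sub_len = area[i]               # one-octet subpacket lengths only
            if sub_len >= 192:
                raise ValueError("multi-octet subpacket length not handled here")
            sub_type, sub_body = area[i + 1], area[i + 2:i + 1 + sub_len]
            if sub_type == 2:               # signature creation time
                info["created"] = struct.unpack(">I", sub_body)[0]
            elif sub_type == 16:            # issuer key ID
                info["issuer_key_id"] = sub_body.hex().upper()
            else:
                info.setdefault("other_subpackets", []).append((name, sub_type))
            i += 1 + sub_len
    return info


def inspect(armored: str = ARMORED_SIGNATURE) -> dict:
    block = dearmor(armored)
    result = parse_signature_packet(block["data"])
    result["armor_version"] = block["headers"].get("Version")
    result["crc_ok"] = block["crc_ok"]
    return result


if __name__ == "__main__":
    for key, value in inspect().items():
        if key == "created":
            value = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(value))
        print(f"{key:>16}: {value}")
```

The point for anyone following the xkcd advice: the issuer key ID and creation time that fall out of this parse are unauthenticated metadata. A CRC that matches and a packet that parses only tell you the block was not mangled in transit; trust comes from checking the signature against a key you have verified through another channel, which is the step `gpg --verify` performs and this script does not.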
(djwm)
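The API-key item above is one that every team can turn into a mechanical check. The following is an added example, not code from The H or from any project it mentions, of a small pre-push scanner for the kind of credential that ends up on GitHub: Google API keys (which carry the publicly documented `AIza` prefix followed by 35 URL-safe characters), quoted values assigned to names like `secret` or `token`, and PEM private-key blocks. The sample file contents and the key-shaped string inside it are constructed for the example and are not real credentials.

```python
"""Scan source text for credential patterns before it reaches a public repo."""
import re
import sys

# Each pattern is a (kind, compiled regex) pair; order decides reporting order.
PATTERNS = [
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b")),
    ("generic_secret", re.compile(
        r"""(?i)(api[_-]?key|secret|token|passw(?:or)?d)\s*[=:]\s*['"]([^'"]{8,})['"]""")),
    ("private_key", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
]

# Constructed sample input: a config file as it might be committed by mistake.
SAMPLE_SOURCE = "\n".join([
    "# constructed sample, not real credentials",
    'GOOGLE_MAPS_KEY = "AIzaSyExampleExampleExampleExampleExamp"',
    "DEBUG = True",
    'client_secret = "s3cr3t-value-with-enough-length-0123"',
    "-----BEGIN RSA PRIVATE KEY-----",
    "MIIEexamplebodyNOTAREALKEY",
    "-----END RSA PRIVATE KEY-----",
]) + "\n"


def redact(match: str) -> str:
    """Keep enough of the match to locate it, never enough to reuse it."""
    return match[:6] + "..." if len(match) > 6 else match


def scan_text(path: str, text: str) -> list:
    """Return one finding per (line, pattern) hit, with the value redacted."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, regex in PATTERNS:
            for m in regex.finditer(line):
                findings.append({"path": path, "line": line_no,
                                 "kind": kind, "sample": redact(m.group(0))})
    return findings


def scan_files(paths: list) -> list:
    """Scan real files; unreadable or binary files are skipped, not fatal."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8") as fh:
                findings.extend(scan_text(path, fh.read()))
        except (OSError, UnicodeDecodeError):
            continue
    return findings


if __name__ == "__main__":
    results = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text("sample", SAMPLE_SOURCE)
    for f in results:
        print(f"{f['path']}:{f['line']}: {f['kind']} ({f['sample']})")
    sys.exit(1 if results else 0)
```

Wire `scan_files` into a pre-commit or pre-push hook and the non-zero exit blocks the push. The design choice that matters is the redaction: the scanner's own output is often logged or pasted into tickets, so it must never echo the full secret. And a finding is a rotation task, not a deletion task: once a key has been pushed to a public repository it has to be revoked and reissued, because rewriting history does not recall the copies already fetched.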