Articles and reports

Published Nov 16, 2023

Adversary Capability Model

Discover our new adversary model for cyber defense, focusing on one key aspect: adversary capability levels – from amateurs to government-backed APTs. It might be the only one you would ever need! Stay tuned for application examples.

Published Nov 2, 2023

What’s wrong with Passkeys advocacy?

Frustratingly, the security pop culture keeps ignoring the elephant in the room — the elephant academic researchers are pretty well aware of. Namely: there is no such thing as a password you can blame and sacrifice for the user’s sins. Not anymore. And whatever exists, it is not something with consistent security properties, not on the web at least.

Authentication
Google

Published Sep 18, 2023

How to spot a phishing email?

A gazillion trainings are out there, but the ugly truth is simple: since bulk email senders as a service took over, you cannot. You can if it is really stupid, but if it is smart, no chance. Legitimate emails are just as suspicious now

Phishing

Published Aug 7, 2023

Don’t pin base image exact version tags

Use the “latest” tag whenever possible. It may be extreme, depending on the software nature; if it is “too dynamic” and tends to break the backward compatibility, you can pin major or even minor versions but definitely not the exact build or worse, the image hash.

Vulnerability Management
DevOps

Published Nov 15, 2022

Wearable tech, fashion, and augmented cognition

It is indisputable that the Google Glass failure was a devastating blow to smart glass tech. We have a radioactive wasteland poisoned for 10+ years, and who knows when it will be declared safe. “Even Google failed there, there is probably zero demand until we can take it to the next level!” But what actually happened?

Google
Wearable
Privacy

Published Oct 10, 2022

What is wrong with Apple Passkeys?

I am a big fan of webauthn. It is the best thing that has happened to user authentication since OpenID (the "social network login" button we all love). But as always, the devil is in the details. Apple introduced a controversial "improvement" to webauthn called Passkeys, which could impair the security of your most valuable online resources.

Crypto

Published Sep 9, 2022

You can (not?) predict software vulnerabilities — thoughts on EPSS and SSVP.

Authentication
Crypto

Published Jun 15, 2018

Addressing user authentication challenges for cryptocurrency exchange

The threat model for a cryptocurrency exchange is somewhat unique even among finance applications: the two essential techniques that make anti-fraud efforts fruitful in traditional fintech are KYC and the capability to dispute a suspicious operation. In a cryptocurrency exchange, these may turn out to be totally unreliable or even nonexistent, since cryptocurrency operations are generally anonymous and non-reversible. Thus, we need more rigorous (and preventive) security as compared to traditional banks and payment systems. The traditional instruments we typically have at hand are obviously insufficient. We do not discard KYC completely, and we try to work around non-reversibility wherever possible. However, the purpose of this paper is to explore ways to surpass the intrinsic limitations of traditional methods, because the opposite approach of making case-by-case improvements is already getting enough public attention. A mindless combination of different authentication and recovery methods may merge into a cascade of failures instead of increasing redundancy and reliability; thus we need a systemic approach.