Passwordless

The release notes for one of the recent Windows 11 updates said that passkeys are now easier than ever to manage in Windows Settings, so I gave it a go to see whether it is time to go passwordless for websites that support Web Authentication.

After poking around this functionality for a bit, however, I realized that the line between going passwordless and ending up passwordless is not as bold as one would hope with passkeys. The technology is not well documented, it relies on data hard-wired into a specific device, and it depends on how well tech behemoths such as Microsoft, Google and Apple interact with one another, which is not the strongest trait for many of them.

Airline Security Theater

I recently visited Newfoundland for a few days and traveled to Elliston, which is famous for its puffin viewing site and root cellars. One of the information signs next to a group of root cellars described how the people of Elliston harvested partridge berries in the past and, inspired by this story, I bought a couple of jars of partridge berry jam at Nanny's Root Cellar Kitchen as a small present for my friends back in Ontario.

When I was leaving Newfoundland, I didn't want to put glass jars in my checked baggage and took them with me into the cabin instead, without the slightest thought that a couple of jars of jam could present any trouble at the airport. How wrong I was.

Random security

Generating good random values is critical for the security of the applications that use them. Unfortunately, it is far more critical than many developers realize, as was highlighted by the recent flurry of DNS servers reported vulnerable to various forms of attacks based on the predictability of their transaction identifiers.

Massive SQL injection, anyone?

Last weekend I found a number of entries in the HTTP server logs indicating SQL injection attempts. The SQL targeted MS SQL Server and used the CAST function to decode a long hexadecimal sequence, which was used to bypass the quote-escaping code on the server side.

DECLARE @S VARCHAR(4000);
SET @S=CAST(0x4445434C4152452040542...736F7220 AS VARCHAR(4000));
EXEC(@S);