Tag Archives: security

Microsoft Teams is a security nightmare

File transfer with Teams apparently works by uploading the file to a OneDrive connected to a SharePoint connected to an Azure AD. Files are kept until infinity (or until your quota runs out). Don’t ask.

The best thing is:

  • share file.txt with user A
  • forget about it (as I said, by default that could be years later)
  • share file.txt with user B
  • see the following dialog (German version, it says cancel/keep both/overwrite)

  • choose “overwrite”, mind you that is the default here
  • now user A (you remember, the one from way back) can download the file again and gets the new version, probably intended only for user B
  • bang your head against the wall

lineageOS 15.1, Internet of unpatchable Things

The guys over at lineageos.org are busy rolling out 15.1 builds (that is Android 8.1) and even provide builds for my somewhat aged Nexus 4 (reminder: from 2012), so I still get the “new stuff” and security updates for that device.

There have been discussions about IoT devices and about regulations requiring device manufacturers to provide security updates for at least a certain timeframe, but sadly no such regulation has been passed so far.

IMHO we need to mandate security updates for 5 years for most devices like IoT for the smart home, smartphones etc. Having manufacturers put a label on the box stating the timeframe for which they will provide software updates and security updates should have a good chance of getting manufacturers to compete on longer timeframes, reducing the number of devices that get thrown out simply because they are not secure anymore.

Just to give another example:

@work we had a video conferencing system. Of course it was outdated after a few years, but it was technically still working fine. Just a small hitch: no security updates from the vendor without a maintenance contract, and after just 5 years no updates whatsoever, since the product was EOL. Let me remind you, that is something that needs to be online to be usable, and is publicly reachable. And it was not cheap at all: that thing was over 10k €.

It should be illegal for a device that needs to be online not to get security updates for free, and for a reasonable timeframe considering the price range the device is in.


lineageOS

By now everyone who cares will know:

CyanogenMod was effectively shut down at the turn of the year because the company behind it folded, and it now continues as lineageOS, a pure community project.

Since my Nexus 4 (mako) only got Android 5.1.1 from Google (last update October 2016 or so) and will never get anything more, back-to-stock was not an option. It had been running CyanogenMod 13.1 for a while, but without security updates I couldn't leave it like that for long either.

So, big update day ..

CM 13.1 > CM 14 > lineageOS 14 experimental > lineageOS 14 nightly

What you need to know:

At the same version, you can use a lineageOS experimental build to try switching over from CyanogenMod WITHOUT having to set everything up again.

Side note: “nightly” is, at least currently, a “weekly” 😀

Once there are official stable builds, the plan seems to be to ship updates/security fixes weekly.

The update went fine until I wanted to switch from experimental to nightly, a step where I actually thought the least could go wrong. It ended in a pseudo bootloop: only the recovery (TWRP) booted, no Android at all.

Since it was fairly late in the evening by then, I did stock -> TWRP + lineageOS nightly and set it up again after all. Since then I have learned that

  • a bootloop can be fixed via the TWRP terminal or adb with a dd one-liner
  • the very latest TWRP is needed for the updater to start it automagically
  • the first lineageOS nightlies often arrive corrupt (however that happens)

The lineageOS from February 13 went as expected, since I now have TWRP 3.0.3.0:

Download, start, wait, (unlock), wait, done.
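
Since corrupt nightlies show up only once the flash has failed, the check I would add before the “start” step is to verify the download against its published checksum. The script below is an added example, not code from the post or from lineageOS; it assumes a `.sha256sum` file sits next to the build zip in the `<hex digest>  <filename>` format written by `sha256sum`, and that the zip is flashed from TWRP with `adb sideload` rather than through the built-in updater.

```shell
#!/bin/sh
# Added example, not part of the original post or of lineageOS itself.
# Verify a downloaded lineageOS build against its published checksum before
# flashing, so a corrupt download is rejected instead of ending in a bootloop.
#
# Assumptions (not stated in the post):
#  - a ".sha256sum" file sits next to the build zip, one line in the
#    "<hex digest>  <filename>" format produced by sha256sum(1);
#  - the zip is flashed from TWRP with "adb sideload" (Advanced > ADB Sideload
#    must be started on the phone first), not via the built-in updater.
# Needs GNU coreutils sha256sum (on macOS use "shasum -a 256" instead).

# verify_lineage_zip ZIP SUMFILE
# Returns 0 when ZIP is non-empty and its SHA-256 matches SUMFILE, 1 otherwise.
verify_lineage_zip() {
    zip="$1"
    sumfile="$2"
    [ -s "$zip" ] || return 1        # missing or zero-byte download
    [ -r "$sumfile" ] || return 1    # nothing to compare against
    expected=$(awk 'NR==1 {print $1}' "$sumfile")
    actual=$(sha256sum "$zip" | awk '{print $1}')
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        return 0
    fi
    echo "checksum mismatch for $zip: expected '$expected', got '$actual'" >&2
    return 1
}

# flash_lineage_zip ZIP SUMFILE
# Sideloads ZIP from TWRP only after verify_lineage_zip has accepted it.
flash_lineage_zip() {
    verify_lineage_zip "$1" "$2" || return 1
    adb sideload "$1"
}

# Usage (file names are placeholders):
#   flash_lineage_zip build.zip build.zip.sha256sum
```

The checksum only proves the bytes you hold are the bytes the server published; it does not replace the signature check TWRP performs on the zip, but it turns “the flash ended in a bootloop” into “the download was rejected before touching the device”.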

mixed content in firefox

I just discovered that Firefox has two settings for mixed content (websites with TLS encryption that load things without it):

security.mixed_content.block_active_content

and

security.mixed_content.block_display_content

While the first one has been enabled for a couple of versions now, the latter is not.

As far as I can tell they split it into two settings after introducing the flag, since completely blocking mixed content broke too many sites. I’d suggest blocking display content too; most mixed content is ads anyway.
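
To make that suggestion stick across profiles rather than flipping it in about:config by hand, the two prefs can be pinned in the profile's user.js. The script below is an added example and is not code from the post or from Mozilla; the pref names are the two named above, the user.js location is an assumption that depends on your profile directory, and the “weak” state it fixes is `block_display_content` left at its default of false.

```shell
#!/bin/sh
# Added example, not part of the original post or of Firefox itself: pin the
# two mixed-content prefs in a profile's user.js so both active and display
# mixed content are blocked. The user.js path is an assumption (it lives in
# the profile directory). Firefox reads user.js at startup and copies the
# values into prefs.js, so close the profile before editing; the values are
# re-applied on every start, which is the point of using user.js.

# set_user_pref USERJS NAME VALUE
# Replaces any existing user_pref line for NAME, or appends one (idempotent).
set_user_pref() {
    userjs="$1"
    name="$2"
    value="$3"
    touch "$userjs"
    # grep -v exits 1 when no lines remain (e.g. empty file); that is fine here
    grep -Fv "user_pref(\"$name\"," "$userjs" > "$userjs.tmp" || true
    printf 'user_pref("%s", %s);\n' "$name" "$value" >> "$userjs.tmp"
    mv "$userjs.tmp" "$userjs"
}

# harden_mixed_content USERJS
# Weak state: security.mixed_content.block_display_content = false (the
# default described in the post). Hardened state: both prefs true.
harden_mixed_content() {
    set_user_pref "$1" security.mixed_content.block_active_content true
    set_user_pref "$1" security.mixed_content.block_display_content true
}

# mixed_content_blocked USERJS
# Returns 0 only if both prefs are explicitly set to true in USERJS.
mixed_content_blocked() {
    grep -Fq 'user_pref("security.mixed_content.block_active_content", true);' "$1" &&
    grep -Fq 'user_pref("security.mixed_content.block_display_content", true);' "$1"
}

# Usage (profile path is a placeholder):
#   harden_mixed_content ~/.mozilla/firefox/<profile>/user.js
```

Because each `set_user_pref` call removes any earlier line for the same pref before appending, running the script twice leaves exactly one line per pref, so it is safe to wire into a dotfiles or provisioning step.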