Chuckellania for October 7th, 2021

Published on Thursday, October 7, 2021

Twitch had a major data breach, including some (all?) of the source code. One design flaw which may help explain the breach is that, while they've been migrating their user account password hashes from SHA-1 to bcrypt since 2015, you can still log in to an account using SHA-1, even if it has already been migrated, due to a logic error.

(SHA-1 was technically never a great choice for passwords, as it wasn't intended for that purpose. However, this choice is fairly common, and I have sadly made it as well.

Attacks against SHA-1 started appearing in 2005, although a publicly disclosed collision didn't appear until 2017.)

The attackers may have exploited this particular bug, either by deliberately producing a SHA-1 collision, or because they had a table of known-good SHA-1 hashes.

[ Disclaimer: I'm no infosec expert. ]
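A sketch of how a logic error of this kind can arise, and how to close it. This is an added example, not Twitch's code or anything from the breach. It assumes a migrate-on-login scheme; the record layout and function names are hypothetical, and PBKDF2 from Python's standard library stands in for bcrypt.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # demo value for PBKDF2, which stands in for bcrypt here

def sha1_hex(password):
    # Legacy scheme: fast, unsalted digest
    return hashlib.sha1(password.encode()).hexdigest()

def slow_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def set_password(rec, password, clear_legacy):
    rec["salt"] = os.urandom(16)
    rec["slow"] = slow_hash(password, rec["salt"])
    if clear_legacy:
        rec["sha1"] = None  # retire the legacy value once a slow hash exists

def login(rec, password, hardened):
    if rec["slow"] is not None:
        if hmac.compare_digest(slow_hash(password, rec["salt"]), rec["slow"]):
            return True
        if hardened:
            return False  # migrated accounts never consult SHA-1
    # Legacy path: meant for un-migrated accounts only; the flawed variant
    # (hardened=False) also falls through to it for migrated accounts.
    if rec["sha1"] is not None and hmac.compare_digest(sha1_hex(password), rec["sha1"]):
        if rec["slow"] is None:
            set_password(rec, password, clear_legacy=hardened)  # migrate on login
        return True
    return False

def demo(hardened):
    # Constructed sample account that starts with only a legacy SHA-1 hash
    rec = {"sha1": sha1_hex("old-password"), "salt": None, "slow": None}
    login(rec, "old-password", hardened)                      # first login migrates
    set_password(rec, "new-password", clear_legacy=hardened)  # user changes password
    return {
        "new_password_accepted": login(rec, "new-password", hardened),
        "old_password_accepted": login(rec, "old-password", hardened),
        "sha1_still_stored": rec["sha1"] is not None,
    }

if __name__ == "__main__":
    print("flawed:  ", demo(hardened=False))
    print("hardened:", demo(hardened=True))
```

In the flawed variant the stale SHA-1 value both keeps the old password valid after a change and remains in the database for anyone who obtains a dump.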

Running Linux, non-virtualized, on an M1 Mac is further along than you might think.

OTOH, Apple and Microsoft seem to be putting the blame on each other to provide official support for Windows on ARM Macs, virtualized or otherwise. They both purportedly "want" it to happen, but neither seems to want to put any engineering effort (or support overhead) into it.

Web developers can override a single character for a font to use a different font. Weird edge case, and yet possible.

Sex toys are getting an ISO standard for design and safety requirements.


What if those little clips that tie your bread bag together were a lifeform?

There's a song for that.