Month: November 2021

Enlarge / Take one daily to keep Evil Hackerman away! (credit: Aurich Lawson | Getty Images)

Information security and privacy suffer from the same phenomenon we see in fighting COVID-19: "I've done my own research" syndrome. Many security and privacy practices are things learned second- or third-hand, based on ancient tomes or stuff we've seen on TV—or they are the result of learning the wrong lessons from a personal experience.

I call these things "cyber folk medicine." And over the past few years, I've found myself trying to undo these habits in friends, family, and random members of the public. Some cyber folkways are harmless or may even provide a small amount of incidental protection. Others give you a false sense of protection while actively weakening your privacy and security. Yet some of these beliefs have become so widespread that they've actually become company policy.

I brought this question to some friends on InfoSec Twitter: "What's the dumbest security advice you've ever heard?" Many of the replies were already on my substantial list of mythological countermeasures, but there were others that I had forgotten or not even considered. And apparently, some people (or companies... or even vendors!) have decided these bad ideas are canon.

Enlarge / Pokémon Brilliant Diamond and Shining Pearl come with big visual upgrades over the 2007 Nintendo DS originals, but as remakes go they don't deviate much from the source material. (credit: Nintendo)

Pokémon Sword and Pokémon Shield may have disappointed some of the series' most devoted fans with their truncated Pokédexes, but that doesn't seem to have hurt them much with the game-buying public. The two titles are, collectively, the fifth best-selling game in the Switch's history, trailing only Mario Kart 8 Deluxe, the Switch iterations of Smash Bros. and Animal Crossing, and The Legend of Zelda: Breath of the Wild. They're the best-selling Pokémon games since Pokémon Gold and Silver were released at the height of late-'90s/early-'00s Pokémania over two decades ago.

Part of Sword's and Shield's appeal, as we explored a bit in our review, was that they used the Switch's extra hardware power to create a truly console-sized adventure, crafting a world with an impressive sense of scale and the series' first free-roaming overworld areas. There were still some weird quirks—story cutscenes with mouth movements but no actual spoken dialogue come to mind—but it felt like the series had finally broken free of some of the conventions it had been leaning on since the earliest Game Boy entries.

In that context, Pokémon Brilliant Diamond and Pokémon Shining Pearl can't help but feel like a bit of a letdown. The games are faithful to their source material, but that source material is a pair of games released on the original Nintendo DS in 2007, and both the originals and the remakes hew much more closely to the series' Game Boy roots. It's not that there aren't improvements—it's just that, even relative to other Pokémon remakes, Brilliant Diamond and Shining Pearl feel inessential.

Enlarge (credit: Getty Images)

As much as 38 percent of the Internet’s domain name lookup servers are vulnerable to a new attack that allows hackers to send victims to maliciously spoofed addresses masquerading as legitimate domains, like bankofamerica.com or gmail.com.

The exploit, unveiled in research presented today, revives the DNS cache-poisoning attack that researcher Dan Kaminsky disclosed in 2008. He showed that, by masquerading as an authoritative DNS server and using it to flood a DNS resolver with fake lookup results for a trusted domain, an attacker could poison the resolver cache with the spoofed IP address. From then on, anyone relying on the same resolver would be diverted to the same imposter site.

A lack of entropy

The sleight of hand worked because DNS at the time relied on a transaction ID to prove the IP number returned came from an authoritative server rather than an imposter server attempting to send people to a malicious site. The transaction number had only 16 bits, which meant that there were only 65,536 possible transaction IDs.

Enlarge / The Apple Watch Series 7 is virtually indistinguishable from the Series 6 (less so with a light-colored watch face), and it doesn't add much, but it's still the best smartwatch you can buy. (credit: Corey Gaskin)

One of the oldest complaints about new technology is that, by the time you get it, it’s already obsolete. But this year, Apple Watch Series 6 owners can breathe a sigh of relief, as the Apple Watch Series 7 is essentially the same device with a (largely imperceptible) facelift.

2021 won’t be the year we see an Apple Watch that can measure blood pressure (no major smartwatch can do so, for that matter), but it is the year we finally get an Apple Watch that charges fully in just over an hour. And that means a 10- or 30-minute dash on the charger goes much further now. Apple also introduced IPX6 dust resistance to the Watch for the first time, along with three new colors.

Oh, and there’s a full QWERTY keyboard option for text input.