tech – netjeff.com

Attack to get into victim's bank account

Posted onJune 30, 2026June 30, 2026AuthornetjeffLeave a comment

Today I learned about an interesting way for an attacker, Bob, to get into the Bank account of their victim, Alice (or any other financial or sensitive account).

Attacker Bob knows lots of info about Alice, including her account number and password at the Bank used by Alice.
Bob tries to impersonate Alice by logging into her Bank's site, using Alice's acct & password. But the Bank site calls/txts to Alice's 212-555-0123 with a one-time code. Bob can't see this code, so he's blocked on login.
Bob then tries to gain control of Alice's 212-555-0123 by tricking Alice's phone provider to transfer the number to Bob's device (aka SIM jacking). But Bob is unsuccessful with this attack.
But Bob has another way to complete his attack, which I just learned about recently. With enough sophistication, Bob can "trick" the part of the public phone network between Alice's Bank and Alice's device, so that the Bank's calls/txts to 212-555-0123 instead go to a device controlled by Bob.
Note that Bob has not taken control of 212-555-0123, rather Bob has manipulated a part of the phone network such that the Bank's calls/txts end up at Bob's device rather than Alice's (and also others might be affected).

There is now an RFC 9970 that attempts to mitigate this attack. Previous RFCs focused on making it much much harder for attacker Bob to impersonate (spoof) the Bank's calls/txts to Alice (using cryptographic techniques). This new RFC adds protection in the opposite direction, to make it much much harder for Bank to impersonate (spoof) Alice. In other words, this new RFC 9970 can give the Bank much more confidence that the Banks' calls/txts are reaching a device actually controlled by Alice (not attacker Bob), regardless of the digits of the phone number.

The RFC 9970 uses the following jargon: Improving "connected identity" means making it harder for an attacker to impersonate (spoof) the "called party" (Alice) to the "calling party" (the Bank). This RFC 9970 tries to improve this "connected identity" problem.

Of course there is no such thing as "perfect security". Even with adoption of RFC 9970, a sufficiently motivated attacker can still get into Alice's Bank account. But adoption of this will make it much harder for attackers.

The 2024 almost-backdoor on the Internet

Posted onMarch 8, 2026March 8, 2026AuthornetjeffLeave a comment

Veritasium recently released an excellent video about the almost-backdoor into OpenSSH in 2024. The attackers (Russia? China?) would have had a secret backdoor into the majority of servers worldwide. The Internet came within several weeks of this disaster.

The video provides lots of context, in addition to the almost-backdoor, including: history of the "open source" movement; background on Linux; remote access encryption & OpenSSH; and how compression works.

If you're already familiar with all that, you can skip 20 minutes of this hour long video. Start at 9:12. When it gets to about 12:00 (about encryption), skip ahead to 23:26 and watch the rest of the video.

If you want to learn more, start with "XZ Utils backdoor" on Wikipedia.

Wikipedia offline

Posted onNovember 30, 2025December 7, 2025AuthornetjeffLeave a comment

Every few years I look into having an offline copy of wikipedia. Don't know why, just something that feels like I should have. Here's what worked well for me in late 2025.

Password advice

Posted onNovember 10, 2022November 30, 2025AuthornetjeffLeave a comment

Friends & family sometimes ask me for advice about passwords. I've captured this advice for the benefit of others, and to make it easier for me answer questions in the future. See netjeff.com/password-advice

Should all locks have keys? Phones, Castles, Encryption, and You.

Posted onApril 16, 2016AuthornetjeffLeave a comment

Passing a law that requires companies to build devices with digital keyholes which only good-guys can use, is the same as passing a law that says the value of π (pi) must be exactly 3.

Here's an excellent short video about the literal impossibility of such laws, and the enormous risks of going ahead anyway. Because unlike real-world keyholes where the bad-guy must be physically present at each keyhole they want to break through, in the digital world each bad-guy can simultaneously attack millions of digital keyholes from the other side of the world. The end of the video says it best: "Anyone who says otherwise [that digital keyholes can be built which allow only angel good-guys while blocking demon bad-guys] is either ignorant of the mathematics, or less of an angel then they appear."

There's no math in the video, just really good explanation.

Using ExifTool to make .mp4 video file dates match contents

Posted onOctober 24, 2015October 9, 2022Authornetjeff7 Comments

I had a bunch of .mp4 and .3gpp video files whose file "create" and "last modified" filesystem dates did not match the meta data inside of the file, and this was causing problems because many apps use the filesystem dates when sorting video files (rather than using the metadata inside the video files).

I found ExifTool could fix this. Using the ExifToolGUI I could fix them one at a time. By using the ExifTool cmd-line tool I was able to change them all at once. The biggest challenge was that most of the documentation was on how to modify the internal meta data, but I wanted to "copy" from the meta data to the filesystem timestamps.

The first trick is to figure out what the "tags" are for the internal metadata and the file system. I found the ExifTool FAQ #24 which shows how to query for the times:

> exiftool -time:all -a -G0:1 -s MyVideo.mp4

[File:System]   FileModifyDate   : 2014:09:07 19:35:32-06:00
[File:System]   FileAccessDate   : 2015:10:24 22:55:22-06:00
[File:System]   FileCreateDate   : 2015:10:24 22:55:22-06:00
[QuickTime]     CreateDate       : 2013:09:14 00:52:38
[QuickTime]     ModifyDate       : 2013:09:14 00:52:38

From the above the CreateDate & ModifyDate are the internal meta data, and the FileModifyDate etc are the filesystem.

So to update the filesystem date to match the metadata CreateDate I used this command:

> exiftool "-CreateDate>FileModifyDate" MyVideo.mp4

To modify multiple files I used wild-cards on the filename, like *.mp4 to update all mp4 files in the current directory.

=========================

Related, to update the file system time for image files to match the meta data:

> exiftool "-DateTimeOriginal>FileModifyDate" MyPicture.jpg

Note that most apps know how to look into image metadata, so setting the filesystem dates is not as important as for video files.

A computer built out of dominoes?

Posted onMay 18, 2014October 19, 2015AuthornetjeffLeave a comment

In the video below, a team built two computers out of dominoes. The first was capable of adding any two numbers between 0 (zero) and 7 (seven). The second computer they built was capable of adding any two numbers between 0 (zero) and 15 (fifteen).

The computer you are using right now, deep under the covers, does everything in terms of binary addition. What about the other operations you ask? Read More …

Security as a public health issue

Posted onMarch 15, 2014March 15, 2014AuthornetjeffLeave a comment

Cory Doctorow writes:

I think there’s a good case to be made for security as an exercise in public health. It sounds weird at first, but the parallels are fascinating and deep and instructive.

Read More …

Posted onJuly 12, 2011October 19, 2015AuthornetjeffLeave a comment

A clever (but slow) way to "see" wifi signals.

This project explores the invisible terrain of WiFi networks in urban spaces by light painting signal strength in long-exposure photographs.

A four-metre long measuring rod with 80 points of light reveals cross-sections through WiFi networks using a photographic technique called light-painting.

Eli Pariser: Beware online "filter bubbles"

Posted onMay 15, 2011AuthornetjeffLeave a comment

Google, Facebook, and others are trying to be helpful, and show content that is customized just for you. But this can trap you in a "filter bubble". Information used to be filtered by mass-media gatekeepers like newspapers & television, and was also filtered by where you lived. Is the automatic personalization and customization by Google, Facebook, and others any better than the old filtering?