Forem: Arinze Chianumba

Should you be scared of your wireless earphones or what?

Arinze Chianumba — Sun, 29 Sep 2024 11:17:00 +0000

Call me old school, but I've never liked wireless earpieces. Not because I'm averse to progress, but because of the tiny latency in wireless communication and because it's too easy to lose wireless earphones.

Image source: Buds FE exploded while in her ear.

Just when I was starting to get comfortable with them, a Samsung earbud reportedly exploded the other day, causing its user permanent hearing loss. So now, I no longer dislike wireless earphones; I'm SCARED of them.

Wireless earphones are powered by lithium batteries, you know?

Anyone who's tinkered with lithium-ion/polymer batteries knows they're basically explosives waiting for the right condition(s) to explode. So, to paraphrase Rossmann, why are you so comfortable about voluntarily wearing explosives just a few inches from your brain?.

I might be exaggerating, but if you take the fact that people are voluntarily wearing explosive material just inches from their brains and multiply it by supply chain attacks, like the one that hit Lebanon the other day, you just might have the perfect recipe for murder by earpiece staring you in the face!

I know, I know... murder by earpiece sounds far-fetched. What isn't far-fetched is the Find device feature that uses a high-decibel tone to alert users to the location of their wireless earphones when they're nearby.

While convenient, manufacturers clearly state that this sound-based "find device" solution can cause hearing damage if used while the earbuds are in one’s ears.

What happens if a threat actor connects to your earbuds before you and decides to help you find your earbuds when said earbuds are already plugged into your ears?

Security: You might want to quit peppering Passwords Now!

Arinze Chianumba — Wed, 29 May 2024 07:45:59 +0000

Memorized peppers are one of the oldest 2FA tricks up the sleeves of password manager users.

The Good

As long as you had a few 8- to 12-character peppers memorized and manually added to autofilled passwords, you had some assurances against a leaked master password.

The Bad and the Ugly

However, with the ongoing wide adoption of passkeys, that is no longer the case because:

As an offline password manager user, your leaked master password and a copy of your password database would grant attackers access to your stored passkeys and therefore, your online accounts unless you've setup an alternative 2FA method for the database.

The same applies to cloud-based password manager users except, instead of their password database file, an attacker would need their password manager's URL and username in addition to their master password.

Unlike password authentication methods where the user has total control of the password generation process, you don't get to manually generate passkeys.
Each passkey is unique, and it'll be quite a hassle to 1.) memorize a section of the keys; 2.) manually add the memorized fragments to your private key before authenticating to a passkey service for each login.

Am I saying You shouldn't adopt Passkeys?

Hell no, passkeys are awesome!

This post is aimed at pointing out how memorizing your password pepper for website X might be futile if you have saved passkeys of website X in the same password vault/database.

What You should do instead...

Consider adding an alternative 2FA method such as a key file or TOTP to your password manager. If you aren't using passkeys for a given platform (yet), then manually adding a pepper to its autofilled password might still serve as a 3rd factor auth mechanism.

Do you still memorize your password peppers? Am I maybe overreacting because am paranoid? What do you think about passkeys? Will you finally stop memorizing password peppers? Tell me all about it in the comments section!

What Really is an API?

Arinze Chianumba — Thu, 25 Aug 2022 14:59:16 +0000

I could tell you API stands for Application Programming Interface, but you probably know that already. So, what really is an API?

Let me explain APIs to you with an analogy of what happens when you order pizza.

High-level Pizza API

Say you’re having friends over for movie night so you decide to order a box of pizza to share with them. The process of placing and receiving your order may go as follows:

You call the pizza vendor and tell them the details of your order. These might include your home address and what spices you’d like on your pizza.
The vendor verifies your order and tells you how soon they can deliver a box of pizza to you.
You sit back and wait for the pizza delivery person.
Your doorbell rings, you answer the door, receive your order and pay the delivery person.

Mission accomplished, right?

Well, you forgot to tip the delivery person but that’s a discussion for another day.

The important point in the above transaction is that you ordered and received a box of pizza without knowing specific details such as:

how the pizza was cooked
what materials were used to fabricate its wrappings, or;
what route the delivery person took

Similar to how you can order pizza without knowing exactly how it is prepared, APIs allow you to programmatically perform complex operations without knowing the exact details of each step of the operation. It’s like knowing the light in your bedroom will come on when you flip the light switch without knowing exactly why the switch can turn on the light.

Examples

For example, the Document Object Model (DOM) is an API which defines and manages the logical structure of HTML and XML documents. It provides an easily accessible programming interface for element/node creation, modification, and removal on a web page

The document object in JavaScript provides a simple interface which programmers use to access and manipulate DOM elements without having low-level knowledge of how the browser performs such operations.

document.querySelector(‘.list-item’).remove(), for example is a chain of document methods which remove the first element of the .list-item class from the DOM of a web page. A regular JavaScript developer who writes this command knows:

document is an object representing the HTML document
querySelector(CSS-selectors) is a document method which selects the DOM element matching the CSS-selectors passed as the method’s arguments.
calling the remove() method on an already selected element removes the element from the DOM.

The developer doesn’t have to understand or write the source code defining the document object or its remove or querySelector methods before using them. This sort of abstraction is what makes APIs so important in software development.

Another example of an API is the Web Animation API which provides a common language for describing and handling animated DOM elements.

Not All APIs Are REST APIs

Spending a lot of time on tech Twitter and YouTube as a newbie may have misled you into thinking all APIs must be some (third-party) web server resource. This is because:

Web developers are some of the most vocal/popular groups on tech Twitter; and,
When web developers speak of an API, they’re usually referring to REST APIs which are accessible through web server endpoints. However, if you’ve been paying attention, you will notice the Web Animation and DOM APIs mentioned above are not server resources. They’re built into web browsers. In fact, MDN has compiled a large collection of web (not necessarily REST) APIs used in web browsers. So, not all APIs are REST APIs. Still, REST APIs are some of the most used APIs today. OpenWeather API, for example, provides a REST API for retrieving weather forecasts in JSON, XML, or HTML format. Going back to the pizza example from earlier, if a developer wishes to order the weather forecast of a given city, the developer needs to:
procure an API key which provides access to OpenWeather API’s weather information
specify relevant parameters (longitude/latitude or city name and API key) in the API endpoint’s URL
initiate a HTTP GET request to that URL and receive the desired weather forecast. The developer doesn’t need to have deep knowledge of meteorology, have access to a meteorology satellite, or learn how to operate such a satellite before retrieving weather forecasts from the API. I hope you find this post helpful. Also, I probably didn’t cover all aspects of APIs which may shine more light on the subject. So, please leave your contributions and questions in the comments.