@delegatevoid @LukaszOlejnik Upper limits on passphrase length are mostly about closing a possible resource exhaustion vector on the authenticating system. If you hash it all down to 64 bytes, there’s no point dealing with passphrases longer than 128 characters. Further characters don’t add any further entropy, but if you have no upper bound, some knucklehead is going to make your server hash the entirety of War and Peace over and over.
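As an added example (not part of the original post), this is how an authenticating server can apply the bound described above: a cheap length check before any hashing, a pre-hash down to the 64-byte digest the post mentions, and only then a slow KDF over that fixed-size input. The 128-character cap and the 64-byte digest (SHA-512 here) follow the post; the scrypt step, its parameters and the sample salt are assumptions for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

MAX_PASSPHRASE_CHARS = 128   # the post's cap: twice the 64-byte digest
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # assumed; tune per hardware


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    bytes_hashed: int          # input the server actually fed to a hash
    key: Optional[bytes] = None


def check_length(passphrase: str, max_chars: int = MAX_PASSPHRASE_CHARS) -> bool:
    """O(1) bound check; runs before any hashing so oversized input costs nothing."""
    return len(passphrase) <= max_chars


def prehash(passphrase: str) -> bytes:
    """Collapse a length-checked passphrase to a fixed 64-byte SHA-512 digest."""
    return hashlib.sha512(passphrase.encode("utf-8")).digest()


def derive(passphrase: str, salt: bytes, max_chars: int = MAX_PASSPHRASE_CHARS) -> Decision:
    """Length check -> 64-byte pre-hash -> slow KDF over that fixed-size input."""
    if not check_length(passphrase, max_chars):
        return Decision(False, f"longer than {max_chars} characters", 0)
    fixed = prehash(passphrase)                        # always 64 bytes
    key = hashlib.scrypt(fixed, salt=salt, **SCRYPT_PARAMS)
    return Decision(True, "ok", len(passphrase.encode("utf-8")), key)


def verify(stored_key: bytes, salt: bytes, candidate: str) -> bool:
    """Authentication path: oversized candidates are refused before any KDF work."""
    decision = derive(candidate, salt)
    if not decision.accepted:
        return False
    return hmac.compare_digest(decision.key, stored_key)


if __name__ == "__main__":
    salt = b"constructed-salt-16B"           # constructed demo salt; use os.urandom(16)
    enrolled = derive("correct horse battery staple", salt)
    print(verify(enrolled.key, salt, "correct horse battery staple"))  # True
    novel = "War and Peace " * 250_000       # ~3.5 MB constructed stand-in for the novel
    print(derive(novel, salt))               # rejected: accepted=False, bytes_hashed=0
```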
Notices by Zimmie (bob_zim@infosec.exchange)
Zimmie (bob_zim@infosec.exchange)'s status on Wednesday, 25-Sep-2024 20:27:51 JST Zimmie
Zimmie (bob_zim@infosec.exchange)'s status on Monday, 16-Sep-2024 16:28:47 JST Zimmie @lmorchard @WhiteCatTamer @nex @alexhammy It would be really challenging. For example, I have no idea how you would make the word “house” sound blue.
Zimmie (bob_zim@infosec.exchange)'s status on Wednesday, 11-Sep-2024 08:06:07 JST Zimmie @Di4na @clacke @makdaam @hendric That doesn’t seem at all the case to me. The Therac-25 report had quite a few big lessons.
• Data races can exist anywhere shared mutable state exists. This was poorly understood at the time. Language people have taken this to heart with copy-on-write data structures, static analysis for control flow, and more recently with proof-based data access validation as seen in Swift 6. This kind of issue is why those capabilities exist, and why you shouldn’t just turn them off to silence warnings.
• Software interlocks are strictly worse than hardware interlocks. They have more opportunities to fail in non-obvious ways.
• Safety-critical software has become a much more formalized discipline, finally matching the rigor of real engineering. For example, techniques were developed to prove a given program is free of bugs by proving it exactly matches the behaviors defined by its formal specification (no undefined behaviors, and no missing behaviors).
• Reported issues should be treated as real until you can prove what happened. Part of the reason the Therac-25 hurt so many people is the company brushed off the early issue reports.

A lot of the company-culture problems the incidents exposed are still major issues today. The company thought their software was perfect, and they didn’t include it in their analysis of potential failure modes. They didn’t have any independent review of their code. They shipped straight to production (the hardware and software were never tested together outside customer installations). They didn’t document error codes and didn’t differentiate between minor errors and safety-critical errors.
Zimmie (bob_zim@infosec.exchange)'s status on Sunday, 01-Sep-2024 23:57:19 JST Zimmie
Zimmie (bob_zim@infosec.exchange)'s status on Sunday, 25-Feb-2024 00:51:42 JST Zimmie @ryanc IPv4 numbers are really poorly specified. I personally use notations other than dotted decimal (especially hex integer) much more than I use dotted decimal because it’s so much easier to do math with them. For example, they greatly simplify matching expressions like this. They also help when dealing with networks which aren’t byte-aligned.
Zimmie (bob_zim@infosec.exchange)'s status on Tuesday, 09-Jan-2024 04:05:09 JST Zimmie @Oneironaut @admford The visible antenna is either Bluetooth or WiFi. There could be a cell radio we can’t see, but it’s common for these to connect to a separate cell phone hidden a short distance away. That minimizes the risk the skimmer contains information which could be tracked back to the criminal, making it effectively disposable.
Zimmie (bob_zim@infosec.exchange)'s status on Saturday, 06-Jan-2024 09:06:05 JST Zimmie @ryanc I’m a fan of FreeBSD, so I’ll point to the Juniper EX2300-24p. 24x1g copper ports with 370W PoE budget, 4x10g SFP+ ports. $100 used.
Zimmie (bob_zim@infosec.exchange)'s status on Monday, 11-Dec-2023 08:25:01 JST Zimmie @mcv I had to fight that fight when Spectre/Meltdown were the shiny new flaws. “We need you to prove the firewalls and routers aren’t vulnerable to Spectre/Meltdown!”
That whole class of flaw requires the ability to run code on the target system. If somebody who isn’t on my team can run *any* code on our firewalls and routers, we have much bigger problems.
Zimmie (bob_zim@infosec.exchange)'s status on Wednesday, 06-Dec-2023 13:21:43 JST Zimmie @thomasfuchs Gets even more interesting. In the terms of service, they say you must opt out by emailing arbitrationoptout@23andme.com, and if you don’t, you agree to arbitration. They could argue writing only to legal@ (which is what the “notify us” link does) is not enough.