Notices by Royce Williams (tychotithonus@infosec.exchange)

@ryanc Feature request: at the other end of the status line (right-justified), an indicator of how many simultaneous streams are currently being served 😉

@ryanc Hey, sweet! What are you using to do the conversion?

Petition to make it illegal for streaming services to use thumbnails that contain spoiler content.

The voice inside my head when I read AI answers is now Cliff Claven's "bar trivia answer, said in a highly confident tone, that sounds kinda plausible, but is actually quite wrong" voice.

https://youtu.be/-PQS2q1328M?t=28
https://youtu.be/-PQS2q1328M?t=111

Good evening to everyone except Intuit, who have bizarrely concluded that there's no need to differentiate passkeys by, you know, giving them user-configurable, useful names or anything. (The only option is "delete".)

And extra style points for the "Unkown" typo that made it to production.

@ryanc Framework are pretty great also. Bit pricey, but solid.

Just saw a job posting that said (emphasis mine):

• B.S or higher in either Electrical Engineering, Network Engineering, Software Engineering or Computer Sciences earned within the last 20 years

Thinly disguised ageism -- surprised they can get away with this.

Whew! Good thing users will be blocked from using these compromised "passwords"! /s

How long before DOGE has access to the emails sent to Congress by constituents (to feed into an AI correlation machine, to ID individual political opposition)?

Do they already?

#uspol

Dear everyone,

Stop putting click tracking on your password-reset links.

You need ZERO third-party metrics to record that I followed a link that is the only way to get what I explicitly requested.

And I need ZERO interference / dependencies (from ad blocking, web filtering, etc.) for such a critical function.

@kissane This section is particularly chilling:

Delta Airlines recently announced that they added MFA, to both their site and their app.
👍

But the only options are ones that require connectivity (SMS, email, push).
👎

I have zero interest in making managing my travel ... dependent on whether various networks are up.

If security people can immediately think of common threat models that make them want to avoid your MFA entirely, due to core aspects of your business offering ... some stakeholders were missing (or overridden) in those meetings.

#MFA

@ryanc

Hmm! I haven't spent much time attacking yescrypt yet, but since it's based on scrypt, it has other parameters to tweak.

It looks like the spec minimum of 5 for n is implemented for common OS-level implementations?

https://www.reddit.com/r/Passwords/comments/1cd58c3/

I do not know if the r parameter can be reduced in the defaults (login.defs or whatever the equivalent is on your OS). If you can reduce r, you can drop speed further. In theory, you might be able to use mkpasswd to drop r manually and then paste that hash in?

How many milliseconds is it taking for you on that platform?

@chick3nman

Did you know that you can write an email to all of your Congresspeople simultaneously?

https://democracy.io

The Brutalist is 3 hours and 35 minutes?!
🤯

@ryanc Can't the IRS also require you to pay estimated tax (or at least, penalize you if you don't)?

https://www.irs.gov/businesses/small-businesses-self-employed/estimated-taxes

@Sempf @cR0w @ryanc @drscriptt

I mean, my experience is outdated, but at its height I was the sole sysadmin and abuse admin for a platform that served about 60,000 users, accepting or rejecting about a million SMTP delivery attempts a day. I was a very early implementer of things like graylisting and SpamAssassin, before you could even buy an appliance to do them, let alone a cloud service. But the landscape was very different then -- spammers were smaller scale and not big business then. The scars are old, but deep. Count yourself lucky. 😅

@ryanc
I think we agree more than we disagree! Especially when it it is probably better, but the ecosystem for the systems causing harm to be the explicit source of that harm, so that the ecosystem will start to respond to it appropriately. So I'm basically arguing myself out of silent discard even in my idealistic case!
@drscriptt @Sempf

@drscriptt

I'm interested in minimizing ecosystem harm / impact, even if I'm not the direct / attributable source. In the worst case, if I know that an upstream hop is going to generate backscatter if I reject in my DATA phase, and I know with high confidence that the content is spam, and I know that that upstream hop is not likely to change their ways any time soon ... it's a net lessening of ecosystem harm if I silently discard, rather than indirectly "trigger" predictable backscatter.

Yes, I know this is idealistic. :D

@ryanc @Sempf

@ryanc @Sempf Yeah, that's definitely an angle that wasn't as available to me back then. If past me it was working this, I would 100% be looking for a milter that did that!