Delta Airlines recently announced that they added MFA to both their site and their app. 👍
But the only options are ones that require connectivity (SMS, email, push). 👎
I have zero interest in making managing my travel ... dependent on whether various networks are up.
If security people can immediately think of common threat models that make them want to avoid your MFA entirely, due to core aspects of your business offering ... some stakeholders were missing (or overridden) in those meetings.
I do not know if the r parameter can be reduced in the defaults (login.defs or whatever the equivalent is on your OS). If you can reduce r, you can drop speed further. In theory, you might be able to use mkpasswd to drop r manually and then paste that hash in?
How many milliseconds is it taking for you on that platform?
I mean, my experience is outdated, but at its height I was the sole sysadmin and abuse admin for a platform that served about 60,000 users, accepting or rejecting about a million SMTP delivery attempts a day. I was a very early implementer of things like graylisting and SpamAssassin, before you could even buy an appliance to do them, let alone a cloud service. But the landscape was very different then -- spammers were smaller scale and not big business then. The scars are old, but deep. Count yourself lucky. 😅
@ryanc I think we agree more than we disagree! Especially when it is probably better for the ecosystem for the systems causing harm to be the explicit source of that harm, so that the ecosystem will start to respond to it appropriately. So I'm basically arguing myself out of silent discard even in my idealistic case! @drscriptt @Sempf
I'm interested in minimizing ecosystem harm / impact, even if I'm not the direct / attributable source. In the worst case, if I know that an upstream hop is going to generate backscatter if I reject in my DATA phase, and I know with high confidence that the content is spam, and I know that that upstream hop is not likely to change their ways any time soon ... it's a net lessening of ecosystem harm if I silently discard, rather than indirectly "trigger" predictable backscatter.
@ryanc @Sempf Yeah, that's definitely an angle that wasn't as available to me back then. If past me was working this, I would 100% be looking for a milter that did that!
@ryanc @Sempf I mean, I get that, but in the meantime the blowback still hits the innocent non-sender. As a troubleshooter, I 100% hated silent discard, but as a spam fighter from back in the day, never doing that produced a whole bunch of busy work and harm that was impossible to work around otherwise. (Rejecting early in the connection was of course ideal!). But I've been out of this game for more than a decade ...
@Sempf @ryanc It's been awhile since I was in the daily email game, but I assume blowback is still a non-trivial problem, such that silent discard, despite non-compliance, might sometimes be preferable to innocent bystanders receiving blowback? But deciding when to do that must be complicated ...
Recently, I learned that Western Digital has decided to only partially implement the ATA Secure Erase featureset for initial price points for some storage products.
Specifically, they are withholding the near-instantaneous "Crypto Erase" option (encrypt the entire drive with a strong key, and then discard the key) from some products, offering only "Sanitize Block Erase" (overwrite everything) at the entry-level price point.
Technically, Block Erase does comply with NIST 800-88 "Purge" level for SSDs, per Table A-8. But it wastes [size-of-drive] writes. And on modern drives, it can take a looong time to overwrite an entire HDD.
I understand the need to stratify pricing. But just like the "SSO tax" ... making security harder is never better for the ecosystem.
And by the time most people realize they wanted the better option ... the purchases will have been made (maybe years before), and the folks making the purchasing decision will likely be far removed (in time, org structure, and technical awareness) from the personnel suffering the consequences.
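A capability check in the spirit of the thread above, added here as an example and not the author's code: it parses an `hdparm -I` listing to see which ATA SANITIZE sub-commands a drive advertises, so the Crypto Erase vs. Block Erase gap is visible before purchase or decommissioning. The `hdparm` excerpt and the write-rate figure are constructed, and the exact feature-line strings are assumed to match what `hdparm` prints.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed `hdparm -I` excerpt (not a real drive; whitespace simplified). The
# starred SANITIZE lines are assumed to match hdparm's wording for the ATA SANITIZE set.
SAMPLE_HDPARM_I = """
/dev/sdX:
    Model Number:       EXAMPLE-DRIVE-PLACEHOLDER
    device size with M = 1000*1000:     2000398 MBytes (2000 GB)
Commands/features:
    Enabled Supported:
       *    SMART feature set
       *    SANITIZE feature set
       *    BLOCK_ERASE_EXT command
       *    OVERWRITE_EXT command
Security:
        supported
    not enabled
    not frozen
"""

@dataclass
class SanitizeSupport:
    sanitize: bool          # SANITIZE feature set advertised at all
    crypto_scramble: bool   # CRYPTO SCRAMBLE EXT: the near-instant "Crypto Erase"
    block_erase: bool       # BLOCK ERASE EXT: whole-drive "Block Erase"
    overwrite: bool         # OVERWRITE EXT: pattern overwrite
    size_gb: Optional[int]  # capacity as hdparm reports it, None if absent

def parse_sanitize_support(hdparm_output: str) -> SanitizeSupport:
    """Collect the starred feature lines and the reported capacity."""
    feats = {m.group(1).strip() for m in re.finditer(r"^\s*\*\s+(.+)$", hdparm_output, re.M)}
    size = re.search(r"device size with M = 1000\*1000:\s+\d+ MBytes \((\d+) GB\)", hdparm_output)
    return SanitizeSupport(
        sanitize="SANITIZE feature set" in feats,
        crypto_scramble="CRYPTO_SCRAMBLE_EXT command" in feats,
        block_erase="BLOCK_ERASE_EXT command" in feats,
        overwrite="OVERWRITE_EXT command" in feats,
        size_gb=int(size.group(1)) if size else None,
    )

def fastest_purge_option(s: SanitizeSupport) -> str:
    """Quickest SANITIZE sub-command the drive advertises (crypto erase is near-instant)."""
    if not s.sanitize:
        return "none"
    for flag, name in ((s.crypto_scramble, "crypto erase"),
                       (s.block_erase, "block erase"),
                       (s.overwrite, "overwrite")):
        if flag:
            return name
    return "none"

def estimated_full_write_hours(s: SanitizeSupport, write_mb_per_s: float) -> Optional[float]:
    """Rough floor for a whole-drive erase: capacity / sustained write rate (rate is assumed)."""
    if s.size_gb is None:
        return None
    return s.size_gb * 1000 / write_mb_per_s / 3600
```

For the constructed 2 TB sample, which lacks CRYPTO_SCRAMBLE_EXT, the fallback is block erase, and at an assumed 200 MB/s that is roughly 2.8 hours of writing versus seconds for a key discard.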
@Infoseepage Totally. Independent email with phishing-resistant MFA is the only defense -- and you have to be savvy enough to set it up in advance, before you get victimized.
I swear every time Mark Zuckerberg ends up in the news and there's a new photo of him ... it looks like it's some different Mark from a different timeline.
Maybe they have some kind of timeshare agreement across the multiverse.
There's a special place in Hades reserved for orgs with websites that, when the user uses the browser's "back" button, not only damage app state, but also destroy the user's current authentication session, requiring them to log back in.
Just doing my undue diligence.

ISP vet, password cracker (Team Hashcat), security demi-boffin, YubiKey stan, public-interest technologist, AK license plate geek. Husband to a philosopher, father to a llama fanatic. Views his.

Day job: Enterprise Security Architect for an Alaskan ISP.

Obsessed with security keys: techsolvency.com/mfa/security-keys

My 2017 #BSidesLV talk "Password Cracking 201: Beyond the Basics": youtube.com/watch?v=-uiMQGICeQY&t=20260s

Followed you out of the blue = probably stole you from follows of someone I respect. Blocked inadvertently? Ask! Am I following a dirtbag? Tell me!

Photo: White 50-ish man w/big forehead, short beard, & glasses, grinning in front of a display of Alaskan license plates.

Boosts not about security ... usually are.

Banner: 5 rows of security keys in a wall case.

#NonAIContent #hashcat #Alaska #YubiKeys #LicensePlates

P.S. I hate advance-fee scammers with the heat of 400B suns

❤️: ⚛👨👩👧🛡🙊🌻🗽💻✏🎥🍦🌶