Notices by Royce Williams (tychotithonus@infosec.exchange)

@ryanc Make uptime in scope.

@ryanc Now you just need a poll with three options. 😉

@Infoseepage I've had some luck with physical analogy: "do you only have one house key?"

@Infoseepage 100% same - /r/yubikey has made fun of me a couple of times for having 10 (If you count cross-registering with a spouse, etc).

I am appalled at how many passkey implementations don't understand that someone might want more than one.

I don't know why this is how I found out.

https://www.nytimes.com/2025/11/13/us/politics/alaska-phone-voting-anchorage.html

Anchorage is going to try voting by phone.

No one who understands the problem space thinks this is a good idea.

Develop habits that will work well in old age.

Start them now.

You will not be able to switch to them later.

@feld Came here to say this; left satisfied

@feld Oof. Does the mechanism provide a way for the defederating server to say why it happened? Or is it just totally opaque?

@feld 😐

@thomasfuchs Yeah, by itself "source?" can be perceived or intended as aggressive ("your post is clearly false"). Additional context is needed if your intent is constructive ("Where did you get this? I want to share it with others")

@feld Interesting - I've never done that kind of lateral shift. Is it tricky?

@GossiTheDog

Updated to include:

https://www.yubico.com/press-releases/yubico-and-t-mobile-deployment-of-200000-phishing-resistant-yubikeys-enhances-un-carriers-work-systems-security/

@GossiTheDog

I should have been collecting the receipts on a rolling basis; chatter at the time for multiple of these was "deploying fast now for highest risk, doing the rest in a more controlled fashion after".

Thinking of:

• npm ("encouraging FIDO2", anyway)

• T-Mobile - https://www.t-mobile.com/news/network/additional-information-regarding-2021-cyberattack-investigation

• Twitter - https://blog.x.com/engineering/en_us/topics/insights/2021/how-we-rolled-out-security-keys-at-twitter

And probably:

• Uber ("further strengthening our MFA", reading between the lines for 2022 breach and 2023 deployment) - https://www.uber.com/newsroom/security-update/

• Discord (again, reading between the lines - 2023 breach, 2025 deployment)

• eBay (public evidence is thinner here, but I got a couple of confidential reports)

And a couple "we could see the writing on the wall" (they get points for that):

• Google (2017) - https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/

• Cloudflare - https://blog.cloudflare.com/how-cloudflare-implemented-fido2-and-zero-trust/

How many stories of "get popped, then do an emergency FIDO2 deployment" does your leadership need to read before you decide to deploy FIDO2 proactively?

Varnish Cache project to change its name to Vinyl Cache with after the next release (after today's 8.0.0, in March), per @bsdphk:

We have tried to negotiate with Varnish Software for many months about this issue, but their IP-Lawyers still insist that Varnish Software owns the Varnish Cache name, and at most we have being offered a strictly limited, subject to their veto, permission for the FOSS project to use the “Varnish Cache” name.

We cannot live with that: We are independent FOSS project with our own name.

So we will change the name of the project.

The new association and the new project will be named “The Vinyl Cache Project”, and this release 8.0.0, will be the last under the “Varnish Cache” name. The next release, in March will be under the new name, and will include compatibility scripts, to make the transition as smooth as possible for everybody.

https://fosstodon.org/@bsdphk/115208900512511929

#VarnishCache #VinylCache

@dalias

No disagreement, though we might need to call it 1.5FA. I think it's hard to overstate the insecurity that comes when users have absolutely zero second factor whatsoever -- it turns the entire world into those random store clerks!

But it's also hard to get companies to treat SMS MFA as they should: as an emergency stopgap to cover them while they make better options available, and to allow users to opt into those stronger factors as quickly, and as early, as possible.

@mhoye

@ryanc

The level of arsing required is lower than you might think, especially with projects like (apologies if you're already familiar):

https://github.com/trailofbits/algo

https://zeltser.com/deploy-algo-vpn-digital-ocean/ (just for references; I don't think DO has an IRL presence)

@mcr314

@patrickcmiller Et tu, El Reg? 😭

@patrickcmiller Another buried lede:

https://infosec.exchange/@tychotithonus/115046442946529467