"Ross Anderson had agreed with his publisher, Wiley, that he would be able to make all chapters of the 3rd edition of his book Security Engineering available freely for download from his website. These PDFs are now available there." 🎉 💔
be allowed to still interact with the UI to perform deletes on messages while the list of messages is actively being refreshed
so that:
the email list shifts just as I'm clicking, deleting the wrong email, but then the results vanishing so quickly that I may not even notice that I deleted the wrong one
@lapo@ryanc Very reasonable for the what3words use case ... but may get tricky as the target keyspace gets larger. Short wordlist for something like passwords turns into 7 or more words to get enough keyspace. And the "humans can keep 5 to 9 things in short-term memory" means that rehearsal of 5 things to try to commit it from short-term to long-term keeps memorization manageable for a greater number of users.
@ryanc I see your point - though personally, I'd rather ask them to learn a couple of new words, than ask them to remember 7 words to approach equivalent keyspace.
(To be clear, we're talking about truly "must be memorized" secrets: the "initial" passwords to your password manager, your AD / VPN login, etc.)
These NIST principles:
"length is more important than complexity"
"forced rotation is bad"
... are a start, but they are all outdated proxies for the only true password principle:
"uniqueness is more important than anything"
This uniqueness is not terribly hard. A five-word random passphrase from a 20K+ dictionary, with no other requirements:
is globally unique for most practical purposes
is longer than every platform's minimum
is infeasible to crack for most threat models¹
can be memorized without a ton of effort
And if you're dealing with a system that enforces other complexity, just apply the same complexity every time. This is safe because the strength of the password comes from the number of combinations. Capitalizing the first word, and appending 1 and an underscore is what I do to meet naive complexity. And I'm totally fine sharing that with the world because that's not what makes my passwords strong.
And if the platform has a length maximum, it's usually not one that requires memorization, and the password can just be set to random 15 ASCII chars and stored in your password manager.
tl;dr Give your users a password manager, and teach them to make random passphrases for their must-be-memorized secrets. Anything else is wasting time, teaching them things that are already outdated.
¹This is 3×10²¹ combinations. Worried about nation states or aliens? Use a bigger wordlist ... or just add one more word. Instantly makes it 20K+ times harder to crack (6×10²⁵).
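The arithmetic behind the five-word recommendation and the footnote, as an added example that is not part of the original post: it computes the combination count and entropy for a wordlist size and word count, shows how many words a shorter list (such as a 2048-word list) needs to reach the same strength, draws a passphrase with a CSPRNG, and applies the post's fixed "capitalize the first word, append 1 and an underscore" transform. The 16-word `TOY_WORDLIST` is constructed for the example; a real list would have 20,000+ entries, and the function and parameter names are this example's own, not from any library.

```python
import math
import secrets

# Constructed toy wordlist (assumption for the example only). A real
# passphrase wordlist would have 20,000+ entries loaded from a file.
TOY_WORDLIST = [
    "anchor", "basalt", "cinder", "dahlia", "ember", "fjord", "glacier",
    "harbor", "iodine", "juniper", "kelp", "lantern", "meadow", "nickel",
    "osprey", "pumice",
]


def combinations(wordlist_size: int, word_count: int) -> int:
    """Number of distinct passphrases when each word is drawn independently
    (with replacement) from a list of wordlist_size entries."""
    return wordlist_size ** word_count


def entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Guessing entropy in bits: log2 of the combination count."""
    return word_count * math.log2(wordlist_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest word count from this list that reaches target_bits of entropy.
    Shows the trade-off in the thread: a shorter list needs more words."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist, word_count: int = 5, separator: str = " ", rng=secrets) -> str:
    """Draw word_count words using secrets.choice (a CSPRNG), with replacement.
    The strength comes entirely from this random selection."""
    return separator.join(rng.choice(wordlist) for _ in range(word_count))


def apply_fixed_complexity(passphrase: str) -> str:
    """The post's fixed transform: capitalize the first word and append '1_'.
    It is identical every time, so it adds zero entropy; it exists only to
    satisfy naive complexity rules and is safe to disclose."""
    return passphrase[:1].upper() + passphrase[1:] + "1_"


if __name__ == "__main__":
    # Footnote figures: 20K words, five vs. six words.
    for n in (5, 6):
        print(f"20000^{n} = {combinations(20000, n):.1e} "
              f"({entropy_bits(20000, n):.1f} bits)")
    # Equivalent strength from a 2048-word list takes more words.
    target = entropy_bits(20000, 5)
    print(f"2048-word list needs {words_needed(2048, target)} words "
          f"to match {target:.1f} bits")
    # Drawn from the toy list only to show the mechanics; far too small for real use.
    phrase = generate_passphrase(TOY_WORDLIST, 5)
    print(phrase)
    print(apply_fixed_complexity(phrase))
```

Adding one word multiplies the combination count by the wordlist size, which is why the footnote's jump from five to six words is "20K+ times harder"; the fixed complexity transform, by contrast, multiplies it by exactly one.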
@baloo Fair point. Sure wish the click-tracking frameworks all had an easy "BYO subdomain" feature so that small shops could easily make in-domain redirects easy.
In a world where adversarial reconstruction of social/influence network propagation is likely, I imagine things like "demure/mindful" are like radioactive dye -- added to trace where it goes.
Or maybe a flex - to prove to others where it can go.
Just doing my undue diligence.

ISP vet, password cracker (Team Hashcat), security demi-boffin, YubiKey stan, public-interest technologist, AK license plate geek. Husband to a philosopher, father to a llama fanatic. Views his.
Day job: Ent Sec Arch for a quad-play Alaskan ISP.
Obsessed with security keys: techsolvency.com/mfa/security-keys
My 2017 #BSidesLV talk "Password Cracking 201: Beyond the Basics": youtube.com/watch?v=-uiMQGICeQY&t=20260s
Profile photo: White 50-ish man with big forehead, short beard, and glasses, looking pleased in front of a display of Alaskan license plates.
Banner photo: 5 rows of security keys in a wall case.
Blocked inadvertently? Ask!
Am I following a dirtbag? Tell me!
Followed you out of the blue = probably stole you from follows of someone I respect.
#NonAIContent
#hashcat #Alaska #YubiKey #YubiKeys #WebAuthn #FIDO #LicensePlates
P.S. I hate lottery / advance-fee scammers with the heat of 400B suns.
❤️:⚛👨👩👧🛡🙊🌻🗽💻✏🎥