tychotithonus

@tychotithonus@infosec.exchange

Just doing my undue diligence.

ISP vet, password cracker and Team Hashcat member, security demi-boffin, YubiKey stan, public-interest technologist, AK license plate geek. Husband to a philosopher, father to a llama fanatic. Views his.

Day job: Ent Sec Arch for a quad-play Alaskan ISP.

Obsessed with security keys: https://www.techsolvency.com/mfa/security-keys/

My 2017 #BSidesLV talk "Password Cracking 201: Beyond the Basics":
youtube.com/watch?v=-uiMQGICeQY&t=20260s

Profile photo: White 50-ish man with prominent forehead, short beard, and glasses, looking very pleased to be in front of a display of Alaskan license plates.

Banner photo: 5 rows of YubiKeys and security keys, in a wall-mounted case.

Blocked inadvertently? Ask!

Followed you out of the blue = probably stole you from follows of someone I respect.

#hashcat #Alaska #YubiKey #YubiKeys #WebAuthn #FIDO #licenseplates

P.S. I hate lottery / advance-fee scammers with the heat of 400B suns.

❤️:⚛👨‍👩‍👧🛡🙊🌻🗽💻✏🎥🍦🌶🍫


Edent, to random

What services do you use which work with / / ?

I'm testing a new product and want to see where it works and where it doesn't.

Thanks gang!

tychotithonus,

@Edent you can pick and choose from this repo:

https://github.com/Nitrokey/dongleauth

tychotithonus,

@Edent It's a bit of a misnomer - one of the data fields is about u2f/fido2, for which the browser/app should be mediating the NFC UX. Some sites do indeed do this poorly, but I'm not aware of a place that this has been enumerated. (Ironically, adding a field to this repo's data could track that, but I think this is as close as you can get, as a list of places to try, based on the existing field.)

tychotithonus, to superbowl

Huh, I don't remember seeing braces on players' arms during active play before.
#superbowl

campuscodi, to random

If you're looking for the latest entries published on ransomware leak sites, you can follow the CTI.FYI Mastodon and Bluesky accounts.

https://infosec.exchange/

https://bsky.app/profile/cti.fyi

tychotithonus,

@GossiTheDog
After digging for RSS, I discovered that cti.fyi has JSON but no plans to add RSS support (GitHub issue closed as wontfix) - but they pointed people at
https://ransomware.live/rss.xml instead.
@campuscodi

malwarejake, to random

Going all in on a vendor, only to have them abandon their roadmap, leaving the org in a bad place...


tychotithonus,

@malwarejake
cough cloud cough

tychotithonus, to random

As someone who saw the early stages of domain registration (I got my vanity domain from ISI) ...

Watching sub-national .gov domains getting registered willy-nilly - towns, state-level departments, counties, programs/services, all jumbled into the same second level - is excruciating.

[state-2char-code].us used to be a thing - and it automatically kept the namespaces clean and disambiguated. And it made queries like "show me all the domains in Utah" trivial.

Instead, disambiguation is randomly and unparseably overloaded into that second level, in whatever way people feel like (and can achieve uniqueness). Is a "co" suffix Colorado ... or county? 🤷​

The .us TLD should have never been privatized.

This account is my favorite self-torture follow. :D

https://botsin.space/@dotgov/111908090219012715

rsalz, to random

2**6 today. Mixed feelings.

tychotithonus,

@rsalz Many happy increments of the exponent? 😉​🎉​

joebeone, to random

Whatever the fuck Google did with passkey credentials on accounts.google.com seems to have resulted in some hardware security keys being no longer recognized, which is not good at all

tychotithonus,

@joebeone
My attempts to get official attention on the "what the hell happened to straight security keys in Google land" problem have not landed so far. But /r/yubikey is full of people trying to figure out what the heck is going on. Even if it's "just" a UX problem ... it's a pretty bad one.

tychotithonus,

@chort
The UX issue appears to be that folks fundamentally expected security keys - even older / U2F-only ones - to Just Keep Working, instead of being partially converted to being "treated as" passkeys. But the root causes are still murky to me.
@joebeone @sleevi

tychotithonus, to random

@jerry FWIW, for the first time, seeing some kind of intermittent cache inconsistency - immediately after editing a post, reloading that post sometimes shows the previous version, and sometimes the current version. (Opening the post to edit is consistent, but display definitely isn't)

tychotithonus,

@jerry Not able to replicate at this writing - definitely better than it was. May simply have been ephemeral/temporary?

tychotithonus, to random

Instead of deleting, just leaving these funky temporary files on this rarely-used USB stick as a little puzzle for Future Me to figure out someday.

duanegran, to random

Looked over much older text messages trying to find someone I haven’t written to in ages. Discovered a whole tribe of people I’ve fallen out of contact with. Do not recommend.

tychotithonus,

@duanegran You don't recommend the discovery, the falling out, or the tribe? 😉​

tychotithonus,

@duanegran I know exactly what you mean.

fatsam, to random

DuckDuckGo browser, which I use to browse Facebook on my phone, has various protections to prevent tracking. Why I use it, in fact.

Last few days it has started offering to turn off protections for Facebook, so that the website will work better.

Don't know if this is some clever malware from FB, or a really unfortunate blink on DuckDuckGo's part, but if I have to turn off these protections to use FB, I'll stop using it.

tychotithonus,

@fatsam Facebook's reach is so pervasive that, on both desktop and mobile, I use Firefox (and its Facebook Container extension) as a dedicated Facebook browser, and use extensions to block all Facebook domains in the other browser.

nazgul, to random

My phone is using an AT&T plan.
My WhatsApp does not show location.
I’m in Mexico.

So someone explain to me why I’m getting Spanish spam on WhatsApp when I never did until I started using it here.

tychotithonus,

@lauren
The way Mobile IP works, in theory you should actually get an IP in your "home" network - not one in Mexico at all:
https://en.wikipedia.org/wiki/Mobile_IP
@nazgul

tychotithonus,

@nazgul
Ahhh, indeed.
@lauren

tychotithonus,

@lauren
Mexico may be different, but the way Mobile IP works in the US, your phone gets an IP issued by your own ISP, regardless of what network you're roaming on. The traffic tunnels back to your home network (and yes, this is as inefficient as it sounds). For example, I have an Alaskan IP as I roam through the US. (But again, Mexico may be different?)
@nazgul

eljefedsecurit, to random

Yaaay Github won't let me disable mfa anymore! isn't that nice of them? 😁🫠🤗

tychotithonus,

@eljefedsecurit They definitely have good ecosystem / volume reasons - but I do wish they would show their reasoning by publishing the stats driving their decision. (I think if they did, most of us would - sometimes begrudgingly - agree. :D)

tychotithonus, to Ethics

ISTR that CISSP and some other tech-specific certs have a "violate our code of ethics, lose your cert" clause. But I have no memory of that actually happening. Does anyone know of a case where violation of a code resulted in a loss of tech/cyber certification specifically?

Being found to have violated laws is a deliberately public process, in part because visible censure within the group has cultural reinforcement value. For example, in the license plate club I belong to, the list of people who have been ejected from the club for cause is in every issue of our print magazine (to ensure that those ejected for cause cannot continue to predate on unsuspecting members!)

If loss for cause of a CISSP/etc. cert is invisible to other members ... what's the clause even for?

#ethics #cissp

tychotithonus,

@hrbrmstr Personally, I'm fine with professionalization being aspirational - gotta start somewhere! It just needs to have teeth.

tychotithonus, to random

To clarify, Google cached pages aren't "dead".

They're just no longer available to us.

patrickcmiller, to random

Google will no longer back up the Internet: Cached webpages are dead https://arstechnica.com/?p=2000802

tychotithonus,

@patrickcmiller

To clarify, Google cached pages aren't "dead".

They're just no longer available to us.

tychotithonus, to random

After the latest update, I'm unable to edit posts using the PWA if the post is over a certain length - the edit option appears to be getting pushed past the bottom of the rendering of the pop-up?
@jerry

Edent, to security

Where are the U2F Rings?

The FIDO specification defines a form of Universal 2nd Factor (U2F) when users log in to a system. Rather than relying on one-time codes sent via SMS, or displayed on a phone screen, these are physical hardware tokens which are used to supplement passwords. When used with websites, this technology is also known as WebAuthn.

I use a USB thumb-drive sized hardw

https://shkspr.mobi/blog/2022/02/where-are-the-u2f-rings/

#/etc/ #nfc #security #WebAuthn #yubikey

tychotithonus,

@Edent

Uh oh. "Military-grade encryption" and "ransomeware" [sic] ... in the same sentence.
