tychotithonus

@tychotithonus@infosec.exchange

Just doing my undue diligence.

ISP vet, password cracker and Team Hashcat member, security demi-boffin, YubiKey stan, public-interest technologist, AK license plate geek. Husband to a philosopher, father to a llama fanatic. Views his.

Day job: Ent Sec Arch for a quad-play Alaskan ISP.

Obsessed with security keys: https://www.techsolvency.com/mfa/security-keys/

My 2017 #BSidesLV talk "Password Cracking 201: Beyond the Basics":
youtube.com/watch?v=-uiMQGICeQY&t=20260s

Profile photo: White 50-ish man with prominent forehead, short beard, and glasses, looking very pleased to be in front of a display of Alaskan license plates.

Banner photo: 5 rows of YubiKeys and security keys, in a wall-mounted case.

Blocked inadvertently? Ask!

Followed you out of the blue = probably stole you from follows of someone I respect.

#hashcat #Alaska #YubiKey #YubiKeys #WebAuthn #FIDO #licenseplates

P.S. I hate lottery / advance-fee scammers with the heat of 400B suns.

❤️:⚛👨‍👩‍👧🛡🙊🌻🗽💻✏🎥🍦🌶🍫


SecureOwl, to random

Pwnxsutawney Phill saw your shadow file

tychotithonus,

@SecureOwl Six more weeks of 0days!

tychotithonus, to random

Tell me you've never helped seniors with tech, without telling me you've never helped seniors with tech.

And I don't just mean the person answering this question. I also mean whoever decided to remove this option.

tychotithonus,

@jernej__s

Huh - I don't see this option in my ChromeOS settings - I also searched for 'scroll', 'scrollback', 'scrolling', 'page', etc.

@SmartmanApps @yakkoj

tychotithonus,

@jernej__s
Ah, yeah. The original forum post was about ChromeOS specifically. :D
@SmartmanApps @yakkoj

tychotithonus,

@jernej__s Apologies - totally missed that!

tychotithonus, to random

TIL Gmail assumes any "From" email name of the form "String1, String2" means "Last, First".

So when it shows the "first names only" collapsed list of recipients, any "First M. Last, Title/Honorific" - such as "Trapper John, MD" - shows up as just "MD".

tychotithonus, to random

Someone just attempted to fetch '/wallet.dat' from a webserver I run.

I wonder how often that works.
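An added example, not code from the post or from its author, that answers the "how often does that work?" question for a server you run: it parses Common Log Format lines, matches requests for wallet.dat and a handful of similar loot files, groups the probes per source IP, and separates bare attempts (404s) from hits, where the server answered 2xx with a body. The watchlist, the log lines, the IP addresses and the user agents below are all constructed for the example; extend LOOT_PATHS with whatever your own site must never serve.

```python
"""Spot loot-file probes (wallet.dat, .env, backups) in web access logs.
Added example: the watchlist and SAMPLE_LOG are constructed, not taken from any real server."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Paths nobody should legitimately request from a public web root (constructed watchlist).
LOOT_PATHS = re.compile(
    r"(?:^|/)(?:wallet\.dat|\.env|\.git/(?:config|HEAD)|id_rsa"
    r"|backup\.(?:zip|sql|tar\.gz)|config\.php\.bak|\.htpasswd)$",
    re.IGNORECASE,
)

# Common / combined log format: ip ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<bytes>\d+|-)"
)

# Constructed sample: one scanner probing three loot paths (all 404), one normal
# visitor, one request that actually received a 7 MB backup, and one garbage line.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2024:03:12:01 +0000] "GET /wallet.dat HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [14/Jan/2024:03:12:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [14/Jan/2024:03:12:02 +0000] "GET /%2Egit/config HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [14/Jan/2024:03:15:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Jan/2024:03:15:41 +0000] "GET /static/app.js?v=3 HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Jan/2024:04:01:09 +0000] "GET /backups/backup.sql HTTP/1.1" 200 7340032 "-" "curl/8.4"
garbage line that does not parse
"""


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it is not in CLF shape."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # Strip the query string and undo percent-encoding so "/%2Egit/config" is seen as "/.git/config".
    rec["path"] = unquote(rec["path"].split("?", 1)[0])
    return rec


def find_loot_probes(log_text: str) -> dict:
    """Return {ip: {"attempts": [paths], "hits": [(path, bytes)]}} for loot-path requests.
    A hit is a probe the server answered with 2xx, i.e. the file was actually served."""
    by_ip = defaultdict(lambda: {"attempts": [], "hits": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not LOOT_PATHS.search(rec["path"]):
            continue
        by_ip[rec["ip"]]["attempts"].append(rec["path"])
        if 200 <= rec["status"] < 300:
            by_ip[rec["ip"]]["hits"].append((rec["path"], rec["bytes"]))
    return dict(by_ip)


if __name__ == "__main__":
    for ip, info in find_loot_probes(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['attempts'])} probe(s), {len(info['hits'])} served")
        for path, size in info["hits"]:
            print(f"  SERVED {path} ({size} bytes)")
```

The per-IP split matters more than the raw count: a scanner walking a wordlist of loot paths produces many 404s and is mostly noise, while a single 2xx on a backup or wallet path is an incident, regardless of how many other probes preceded it.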

j0hnnyxm4s, to random

DFIR problem: I have a file system, which I know contains some sort of encrypted set of additional files. Maybe a folder, maybe a zip, maybe a truecrypt-type volume. How do I go about scanning for likely candidates? Some kind of entropy check, I assume.

tychotithonus,

@j0hnnyxm4s If it's Truecrypt, those are designed to look pretty randomly distributed - so might not fail a randomness check. That means there's also no way to tell which encryption subvariant was used. Hashcat can try some of them simultaneously, but there are limits.
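A concrete version of the entropy-check idea raised in this thread, added here as an example and not code from either poster: it walks a directory tree, scores the head of each file with Shannon entropy and a chi-square test against a uniform byte distribution, sets aside files whose magic bytes identify a known compressed format (near-random for innocent reasons), and flags headerless, near-uniform blobs as container candidates. The thresholds, the magic-byte table and the sample files built in demo() are constructed assumptions for the example. It also carries the two caveats a practitioner needs: a TrueCrypt-style volume has no header, so the scan can only say "this looks like ciphertext", never which cipher or mode; and per-byte entropy of small files is biased low, so tiny files are reported as unjudged rather than guessed at.

```python
"""Triage a file tree for likely encrypted containers.
Added example; thresholds, magic table and demo() sample files are constructed."""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Formats that are legitimately near-random because they are compressed (constructed table).
KNOWN_COMPRESSED = {
    b"PK\x03\x04": "zip/office",
    b"\x1f\x8b": "gzip",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!": "rar",
    b"%PDF": "pdf",
}

READ_LIMIT = 1 << 20   # sample at most 1 MiB per file
MIN_SIZE = 4096        # per-byte entropy of tiny samples is biased low; don't judge them
ENTROPY_MIN = 7.9      # bits/byte; uniform random (or well-encrypted) data approaches 8.0
CHI_MAX = 500.0        # chi-square vs uniform: ~255 for random bytes, far higher for structured data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution (255 d.o.f.)."""
    if not data:
        return float("inf")
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def classify(path: Path, data: bytes, size: int) -> dict:
    """Decide whether `data` (the head of `path`, `size` bytes long) looks like an opaque encrypted blob."""
    fmt = next((name for magic, name in KNOWN_COMPRESSED.items() if data.startswith(magic)), None)
    ent, chi = shannon_entropy(data), chi_square(data)
    if fmt is not None:
        candidate, reason = False, f"known compressed format ({fmt})"
    elif size < MIN_SIZE:
        candidate, reason = False, "too small to judge"
    elif ent < ENTROPY_MIN:
        candidate, reason = False, f"entropy {ent:.2f} below {ENTROPY_MIN}"
    elif chi > CHI_MAX:
        candidate, reason = False, f"byte histogram too structured (chi2 {chi:.0f})"
    else:
        candidate, reason = True, "headerless, near-uniform bytes"
    return {
        "path": path, "size": size, "format": fmt,
        "entropy": round(ent, 3), "chi_square": round(chi, 1),
        # Heuristic hint only: sector-sized files are consistent with a container, not proof of one.
        "sector_aligned": size % 512 == 0,
        "candidate": candidate, "reason": reason,
    }


def scan_dir(root: Path) -> list:
    """Classify every regular file under `root`; returns one report dict per file."""
    reports = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        with p.open("rb") as fh:
            head = fh.read(READ_LIMIT)
        reports.append(classify(p, head, p.stat().st_size))
    return reports


def demo() -> dict:
    """Build a constructed sample tree in a temp dir and scan it. Returns {relative path: report}."""
    rng = random.Random(1)  # deterministic stand-in for encrypted / compressed payloads
    rand_bytes = lambda n: rng.getrandbits(8 * n).to_bytes(n, "little")
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "notes.txt").write_bytes(b"Meeting notes: rotate the backup keys quarterly.\n" * 200)
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + rand_bytes(8192))   # compressed, has magic
        (root / "invoices").mkdir()
        (root / "invoices" / "q3.dat").write_bytes(rand_bytes(512 * 64))           # headerless blob
        (root / "scratch.bin").write_bytes(rand_bytes(1000))                       # too small to judge
        return {r["path"].relative_to(root).as_posix(): r for r in scan_dir(root)}


if __name__ == "__main__":
    for name, r in demo().items():
        flag = "CANDIDATE" if r["candidate"] else "-"
        print(f"{flag:9} {name:18} ent={r['entropy']:.3f} chi2={r['chi_square']:.0f} {r['reason']}")
```

The output is a triage list, not a verdict: a candidate still needs corroboration (timestamps, a size that matches a known volume, a mount attempt), and a container hidden inside a file that does carry a recognised header, or one padded to look like something else, will not show up here at all.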

tychotithonus, to random

Every time I run into Perl in an older code base, I hear the voice of Obi-Wan:

"An elegant weapon - for a more civilized age."

Laukidh, to random

I should make a userscript to add a + to every word in a search prompt

tychotithonus,

@Laukidh Which search engine? Plus sign stopped working in Google search a few years ago (maddeningly). The suggested alternative - each word into double quotes - is not only more irritating to type, but it also recently doesn't even work as well as it used to.

nyquildotorg, to random
@nyquildotorg@fedia.social

Hot take: I would be much more impressed with "the 40th anniversary of the Mac" if Apple hadn't acquired someone else's operating system 20 years in and then slapped a coat of Apple paint on it.

tychotithonus,

@nyquildotorg I wasn't involved, but from watching the external signs, including Apple absorbing core FreeBSD devs like Jordan Hubbard for 12 years .. I suspect it was more than just "coat of paint" surface work.

lauren, to random
@lauren@mastodon.laurenweinstein.org

New concept for WB: "Pinky and the AI Brain."

tychotithonus,

@lauren Pinky is the AI Brain 😉​

tychotithonus, to random

Once again, being startled by the volume and mix of tripped filters, and clicking through anyway, brings rewards.
https://sunny.garden/@georgepenney/111791497368506124

tychotithonus,

@RichiH Only one way to find out! 😉
(Also, woooow, impressive - I would be utterly unable to use Mastodon without filters (for my use cases, anyway))

tychotithonus,

@RichiH Ah, well! 😅

Follows: 3183

tychotithonus, to general

In a Discord I'm in, I made an offhand joke about the existence of a channel implying a potential need for a channel.

So someone created it.

It's an instant classic - hilarious, but also strangely useful in ways that we're still figuring out.

chrismerkel, to random

I think it's safe to assume, given the rapid weaponization seen by ransomware gangs, along with multi-year undiscovered exploitation, that organizations need to think about how to build resilient systems with an understanding that "patching fast" is less and less effective.

Instead, we need to put real resources into segmenting internal control planes, with strong access controls and monitoring around them. Public facing endpoints need to be fundamentally rearchitected to "survive" direct compromise, specifically in a way that denies access to data or lateral movement.

https://www.mandiant.com/resources/blog/chinese-vmware-exploitation-since-2021

tychotithonus,

@hrbrmstr

Perhaps because we can make the business argument by leveraging the recent public examples of how much it's costing others. Hope springs eternal! :D

@chrismerkel

tychotithonus, to random

Fewer and fewer web developers are testing their code with tracking blockers and browser JavaScript control frameworks enabled. (For some of them, failing to work when tracking sites are blocked may even be a deliberate feature!) More and more, basic site functionality is degraded or entirely denied.

Are any of those blocking frameworks moving towards not just blocking, but emulating function calls with dummy return values? (Sort of like some mobile app privacy controls have to reply with dummy data)

kevinrothrock, to random

Question for the techies out there: Is it better for performance/ memory management to run an independent program/app or the browser-based version of that same thing if I've already got a browser open (as I always do)?

tychotithonus, (edited)

@kevinrothrock in addition to whatever everyone else said, keep in mind that the app is almost always an older snapshot of a browser, frozen in time, missing security patches, and with a bunch of browser security features disabled. So separate from the memory considerations, running in the browser is probably safer

dismantl, to random

deleted_by_author

tychotithonus, (edited)

@dismantl Recently really enjoyed Daniel Suarez' Daemon, and Ted Chiang's short story collection Exhalation. Big fan of Vinge as well (Rainbows End, A Darkness in the Sky, True Names).

Also, your other faves may align well with standalone works with an ethics / structural eye from folks like Gaiman (American Gods, Good Omens), Pratchett (same, plus everything else), Niven (Protector, Ringworld), Cherryh (Cuckoo's Egg), and Marge Piercy.

I often also recommend that folks fill in any gaps of works that won both Hugo and Nebula - almost always worthwhile, without being overly heavy.

whitequark, to random
@whitequark@mastodon.social

question: given rsync.net's features and pricing, is there any reason to use tarsnap at all?

tychotithonus,

@whitequark Doesn't tarsnap provide the entire encryption layer out of the box, in such a way that not even the provider has access to your encryption keys?

(So if you're someone who can't roll their own encrypt-before-sync layer, tarsnap takes care of that for you)

tychotithonus,

@ryanc
Yeah, I should have included that use case :D

Looks like there's a canned one, now?

https://www.rsync.net/resources/howto/duplicity.html

Though I'm inclined to expect Colin Percival's crypto to be pretty robust and fit to purpose.

@whitequark

bontchev, to random
tychotithonus,

@bontchev Yes, that's the way it works.

tychotithonus,

@bontchev The whole point of my reply was to illustrate that it's not as simple as that. See the alt text for more explanation of the image.

There are plenty of security topics for which a non-trivial amount of complexity of thought is required to understand their consequences. This is true here as well. It turns out that meteorology is also complex. 😁