tychotithonus

@tychotithonus@infosec.exchange

Just doing my undue diligence.

ISP vet, password cracker and Team Hashcat member, security demi-boffin, YubiKey stan, public-interest technologist, AK license plate geek. Husband to a philosopher, father to a llama fanatic. Views his.

Day job: Ent Sec Arch for a quad-play Alaskan ISP.

Obsessed with security keys: https://www.techsolvency.com/mfa/security-keys/

My 2017 #BSidesLV talk "Password Cracking 201: Beyond the Basics":
youtube.com/watch?v=-uiMQGICeQY&t=20260s

Profile photo: White 50-ish man with prominent forehead, short beard, and glasses, looking very pleased to be in front of a display of Alaskan license plates.

Banner photo: 5 rows of YubiKeys and security keys, in a wall-mounted case.

Blocked inadvertently? Ask!

Followed you out of the blue = probably stole you from follows of someone I respect.

#hashcat #Alaska #YubiKey #YubiKeys #WebAuthn #FIDO #licenseplates

P.S. I hate lottery / advance-fee scammers with the heat of 400B suns.

❤️:⚛👨‍👩‍👧🛡🙊🌻🗽💻✏🎥🍦🌶🍫


kurtseifried, to random

Is it just me or is #gmail spam detection getting bad? Lots of false negatives and now an ugly false positives, from Cloudflare, DKIM/SPF/etc is all correct, so I guess based on content... but can you really word "here's a copy of your invoice" in any other way? @cloudflare

gmail warning on a cloudflare invoice

tychotithonus,

@kurtseifried

What does the 'Show original' security diagnostic section say? All 'PASS' ?

tychotithonus,

@kurtseifried Whoops, sorry - reading too fast!

tychotithonus, to random

@robertatcara As someone who personally discovered and fixed Y2K bugs that would have had significant real world impact, it is disturbing to hear someone propagate this myth [that it was a "big fuss about nothing"]. And it is a myth.

This is what really happened:
https://time.com/5752129/y2k-bug-history/

The testing methodology ensured that these impacts were not hypothetical. At my company, the testing was performed by actually rolling the clock forward to test systems to see what would happen. For example, I discovered that every ATM in the state of Alaska operated by my company would have locked up until a PROM chip was swapped. Someone had to fly all over the state to proactively swap the chip beforehand, to avoid significant customer impact.

And that was just one story. I personally oversaw investigation and fixes for other hardware and software at that company that would have failed.

And that was just my company. I spoke with others in IT at that time with similar stories. And that was just the people I knew.

So no, it wasn't "a big fuss about nothing" - and saying so is both dangerously revisionist, and disrespectful of the work it took to prevent real impacts.

lzg, to random

deleted_by_author

    tychotithonus,

    @lzg Ditto - it really is good. Gave it as a Christmas gift, even.

    (cc @debcha so there's awareness of our stanning)

    tychotithonus, to random

    Can NGINX ACLs easily handle tens of thousands of allow/deny CIDR blocks?

    Background: One of the legacy VPSes I maintain for a third party A) has need to block large swaths of IPv4 space by CIDR, but B) doesn't have an on-system host-based firewall exposed to the admin. Attempts to load 5000+ CIDR blocks into Apache .htaccess trigger reproducible segfaults. Long-term fix is a ways off, so I'm evaluating local reverse-proxy options to buy time.

    tychotithonus, to random

    Who's going to tell them?

    lauren, to mastodon

    No matter what version of #Mastodon I've run, and currently I'm on the latest version, I've NEVER seen any embedded videos in posts ever play. They're just an empty black viewer, and nothing ever shows up. I suspect it's some problem with very large files just never making it to many instances. #YouTube links don't have this problem, of course.

    tychotithonus,

    @lauren I've had to open the video post in a new tab that isn't in multi-column mode. That's the only way I can get video playback to work.

    lauren, to random

    You may be seeing a lot of discussion about a new exploit being called SMTP SMUGGLING permitting bypassing of SPF/DKIM/DMARC type authentication checks on inbound email.

    There is considerable controversy about this, with some vendors unconvinced that this is actually not working as intended, and others "fixing" it in various ways.

    Basically, as I interpret all this right now, the entire issue is only relevant to email servers that are actually doing inbound SPF/DKIM/DMARC checking. If they're not, this exploit is only of academic interest at this time to those sites.

    As far as ordinary users are concerned, what this really means is, as always, be careful about trusting any email received, irrespective of whether or not it has received the "stamp of approval" from your email service.

    But you already knew that.

    tychotithonus,

    @lauren

    To clarify, since major inbound servers (like Gmail and Hotmail and Outlook) are doing such checking (definitely on the back end to make spam ID decisions, and increasingly surfacing them to be user-visible signals) ... doesn't this mean the majority of email users?

    Not to disagree with your broad point about vigilance, but because it could significantly shift the usual pattern of mail in a way that vigilance can only do so much to combat.

    tychotithonus,

    @lauren

    I'm tracking up until the end. As someone that's implemented the DMARC suite for 150 domains so far, everything from totally fallow parked domains, to domains serving 50,000 active users, I can tell you that I saw (in the DMARC reports) a dramatic drop off in delivery of spoofed mail. It's not foolproof by any means, but it is one step along the path necessary for me to reduce how often my customers, and the rest of the world, have to make that judgment call when a message claims to come from my domain - just in terms of sheer volume. So I don't consider DMARC to be a total failure.

    @tknarr

    tychotithonus,

    @lauren
    Wow, no reduction in overall calls? I'd like to be able to cite a source for that - ongoing discussion with callattendant (Python caller ID filtering framework) users. Not knowing any better, I would have expected the broad "impose cost" principle to also apply retroactively - once imposing the cost becomes the standard, failure to impose that cost leaves a weak point etc etc

    @tknarr

    tychotithonus,

    @lauren

    And now that I think about it, there's an analogy here - my elderly parents got duped very recently by a spoofed 'MICROSOFT' CNAM - for which there may no longer be vulne benefits for spoofing CNAM, but may still have "resistance to targeting" benefits - and that DMARC may have similar benefits, depending on threat model etc.

    (Thanks for the discussion, by the way - this is very interesting and relevant)

    @tknarr

    tychotithonus,

    @lauren I totally get that it's whack-a-mole - I just apparently am still optimistic enough to believe that whacking each mole is worth tackling (in the "necessary but not sufficient" sense) :D
    @tknarr

    tychotithonus, to random

    As the big email houses move towards requiring DMARC, has anyone seen movement in the Linux server distros for semi-automatic setup of DKIM signing for 'root@server.example.net' emails (from cron, etc.) ?

    kxynos, to random

    twitter not working for anyone else ?

    tychotithonus,

    @kxynos Yep, seems to be pretty widespread

    tychotithonus, to random

    I do not even understand what this CAPTCHA is asking me to do.

    tychotithonus, to random

    At this writing, 925 people have clicked the "I have the same question" button on just one of the requests to be able to disable just YouTube Shorts in Android's parental control plane.

    Why Google has not stood up a functioning UserVoice equivalent is left as an exercise for the reader.

    ryanc, to random

    What did I do that's got Google News sending me articles from "Yachting World"?

    tychotithonus,

    @ryanc Being a monarch (in the "YASSSSS MONARCH" sense)

    tychotithonus, to random

    Prompted by a recent conversation, a short, living list of password-length breakpoints relative to hashes, in bytes:

    7 - Max length of the first and second halves of an LM password. This means that any ASCII LM password, regardless of length and composition, can be cracked in under five minutes on modern gear.

    8 - Max length of a descrypt password. If ASCII, can be fully exhausted on prosumer gear in a couple of days (worst case)

    14 - Max "length" of an LM password (even though it's really two 7-byte passwords)

    15 - Length at which LM password default will be ignored, and the hash will be forced to be NTLM

    72 - Max length of a bcrypt password

    What am I missing? (Will merge any validated replies)

    Note: chars != bytes, lots of corner cases, YMMV.

    #passwordcracking #hashing
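    The breakpoints above, turned into a small audit helper. This is an added example, not code from the original post: given a candidate password, it reports how many bytes each scheme actually hashes and which truncation or split each one hits, counting bytes (UTF-8, or UTF-16LE for NTLM) rather than characters. The LM split assumes ASCII input.

```python
from typing import Dict, List

# Breakpoints from the post, in bytes.
LM_HALF = 7          # LM hashes the password as two independent 7-byte halves
DESCRYPT_MAX = 8     # traditional DES crypt(3) keeps only the first 8 bytes
LM_MAX = 14          # the most LM can hold (two 7-byte halves)
LM_DISABLED_AT = 15  # at 15+ characters Windows stores no LM hash, only NTLM
BCRYPT_MAX = 72      # bcrypt uses only the first 72 bytes


def effective_bytes(password: str) -> Dict[str, int]:
    """Bytes of `password` that each scheme actually hashes (0 = no hash stored)."""
    n = len(password.encode("utf-8"))          # bytes, not characters
    n16 = len(password.encode("utf-16-le"))    # NTLM hashes UTF-16LE, so count that too
    return {
        "lm": min(n, LM_MAX) if len(password) < LM_DISABLED_AT else 0,
        "descrypt": min(n, DESCRYPT_MAX),
        "bcrypt": min(n, BCRYPT_MAX),
        "ntlm_utf16le": n16,
    }


def lm_halves(password: str) -> List[bytes]:
    """Split as LM does: upper-case, pad or cut to 14 bytes, two 7-byte halves.
    Returns [] when Windows would store no LM hash at all (15+ characters).
    Assumption: ASCII input; real LM uses the OEM code page."""
    if len(password) >= LM_DISABLED_AT:
        return []
    raw = password.upper().encode("ascii", "replace")[:LM_MAX].ljust(LM_MAX, b"\x00")
    return [raw[:LM_HALF], raw[LM_HALF:]]


def findings(password: str) -> List[str]:
    """Plain-language notes on which breakpoints a candidate password hits."""
    n = len(password.encode("utf-8"))
    notes: List[str] = []
    if effective_bytes(password)["lm"]:
        notes.append("LM hash stored: each 7-byte half is attacked independently")
    if n > DESCRYPT_MAX:
        notes.append(f"descrypt silently drops {n - DESCRYPT_MAX} trailing byte(s)")
    if n > BCRYPT_MAX:
        notes.append(f"bcrypt silently drops {n - BCRYPT_MAX} trailing byte(s)")
    return notes
```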

    nazgul, to random

    This might take a while.

    Never mind that I have two rsync’s bringing in more right now.

    No big deal. Just a dozen or so drives with a couple decades worth of backups and archives. But once I have them all in one place I can work at deduping and cleaning up. I’m guessing that will remove at least 80% of stuff.

    tychotithonus,

    @nazgul <3 My pipe dream has always been an OS-and-filesystem hybrid (such as ZFS) modified to add lazy file-level checksumming in a system-wide queryable way. Since ZFS knows when a file changes, it could mark that file's checksum as 'dirty' and then recompute that checksum as time and I/O permits (the 'lazy' part). This would enable near-instant querying the entire filesystem for duplicates, at any time. Making this available to userland could enable things like "you already have the file with this checksum, no need to re-download it" etc.

    jimmylittle, to random

    Moving my @obsidian vault to Obsidian Sync and off of iCloud. I never really had any issues with iCloud, but I’m looking for ways to support Obsidian’s development.

    Their sync service is fast (I can see edits in near-real-time across devices) and E2E encrypted. It’s also wildly overpriced for what it does. It basically only syncs text files for $8/mo with a 10GB data cap, which is really worth about $3/mo. No server side processing, no API. Just file sync.

    tychotithonus,

    @jimmylittle Huh - is it NTFS on the back end? Strict Windows compliance for NTFS does forbid the colon, even though it isn't the default config on Linux NTFS-3g (because that project follows the open NTFS standard, which Windows tweaks a bit).

    Edit: Now that I think about it, maybe that's just lowest common denominator on their side, in order to avoid potential problems. From experience, I can tell you that if you have colons in Linux NTFS, and then mount it on a Windows system, chkdsk will detect it as corruption and just automatically start deleting every single file with a colon in the filename (!)

    SecureOwl, to random

    General tip: if you have a domain, that is publicly resolvable and you don’t plan on ever sending emails from it - you should still set up email security DNS records for it, like an SPF with no authorized senders in to specifically declare that.

    Reduce the likelihood of someone getting phished - because they might not know you don’t send emails from said domain.

    tychotithonus,

    @SecureOwl +1. And in addition to the DMARC components (SPF and DKIM), there is also the "null MX" convention (in RFC 7505*) that you can also use to signal "never email from this domain":

    example.net. IN MX 0 .

    (Note the zero followed by a lone "." as the contents of the record, which the server is supposed to interpret as a request for a zero-length label, so deliberately empty)

    * https://datatracker.ietf.org/doc/html/rfc7505
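    A checker for the two signals discussed in this thread, the RFC 7505 null MX and an SPF record with no authorized senders. This is an added example, not code from the thread: it parses constructed zone-file style records (no live DNS lookups) and reports which "no mail from here" signals a domain actually publishes.

```python
from typing import List, Optional, Tuple

Record = Tuple[str, str, str]  # (owner, type, rdata)

# Constructed zone-file style records for illustration; not live DNS answers.
SAMPLE_ZONE = """
example.net.         IN MX  0 .
example.net.         IN TXT "v=spf1 -all"
mail.example.org.    IN MX  10 mx1.example.org.
mail.example.org.    IN TXT "v=spf1 mx -all"
parked.example.com.  IN MX  0 .
"""


def parse_zone(text: str) -> List[Record]:
    """Parse 'owner IN TYPE rdata' lines; anything else is ignored."""
    records: List[Record] = []
    for line in text.strip().splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[1] == "IN":
            records.append((parts[0], parts[2], parts[3].strip()))
    return records


def has_null_mx(records: List[Record], owner: str) -> bool:
    """RFC 7505 null MX: exactly one MX, preference 0, exchange the root label '.'."""
    mx = [rdata.split() for o, t, rdata in records if o == owner and t == "MX"]
    return len(mx) == 1 and mx[0] == ["0", "."]


def spf_declares_no_senders(records: List[Record], owner: str) -> Optional[bool]:
    """True for 'v=spf1 -all', False for any other SPF record, None if there is no SPF."""
    for o, t, rdata in records:
        txt = rdata.strip('"')
        if o == owner and t == "TXT" and txt.startswith("v=spf1"):
            return txt.split()[1:] == ["-all"]
    return None


def no_mail_posture(records: List[Record], owner: str) -> str:
    """Summarize how completely the zone says 'this domain neither sends nor receives mail'."""
    null_mx = has_null_mx(records, owner)
    spf_empty = spf_declares_no_senders(records, owner) is True
    if null_mx and spf_empty:
        return "null-mx+spf-all"   # receiving and sending both declined
    if null_mx:
        return "null-mx-only"      # receiving declined, sending not constrained
    if spf_empty:
        return "spf-all-only"      # sending declined, receiving not constrained
    return "none"
```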

    tychotithonus, to random

    Looks like CaliDog's certstream service has been down for a week or more - Cloudflare is throwing the "back end is down" 521. Anyone aware of status?

    #calidog #certstream

    tychotithonus,

    @kkarhan That seems kinda randomly inflammatory without context. I can't speak to the general trend, but Ryan seems pretty savvy.

    lkarlslund, to random

    Do you want to go from NTLM hash to plaintext password in an instant? I made a freely accessible service that contains 8.7B hashes, no sign up required, free to use. https://ntlm.pw/

    tychotithonus,

    @lkarlslund Well, not every service:

    https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/

    I would give some thought to whether or not you should retain what is queried. No matter what you decide, I would publish an explicit policy that's easy to find on your site.
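    The k-anonymity range query that the linked Cloudflare post describes, as an added example (not code from the thread, the linked post, or the ntlm.pw service). The client hashes locally and sends only a 5-hex-character prefix; the server returns every suffix under that prefix and never learns which one was wanted. The leaked-password corpus is constructed.

```python
import hashlib
from typing import Dict, List, Tuple

PREFIX_LEN = 5  # client reveals only the first 5 hex chars (20 bits) of the SHA-1

# Constructed stand-in for the server's database of leaked passwords.
LEAKED = ["password", "123456", "letmein", "hunter2", "qwerty"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(passwords: List[str]) -> Dict[str, List[str]]:
    """Server side: bucket hash suffixes by prefix so a range query is one lookup."""
    index: Dict[str, List[str]] = {}
    for p in passwords:
        h = sha1_hex(p)
        index.setdefault(h[:PREFIX_LEN], []).append(h[PREFIX_LEN:])
    return index


def server_range_query(index: Dict[str, List[str]], prefix: str) -> List[str]:
    """Server side: return every suffix under the prefix. Nothing in this request
    identifies the full hash, so there is no per-password query to log or retain."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return list(index.get(prefix, []))


def client_is_leaked(index: Dict[str, List[str]], password: str) -> Tuple[bool, str]:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns (found, prefix_sent) so a caller can see what actually left the client."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in server_range_query(index, prefix), prefix
```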

    davep, to random

    And now for the top prize in the Palindrome Awards, we open the Reward Drawer.

    tychotithonus,

    @davep obligatory Weird Al:

    https://youtu.be/JUQDzj6R3p4
