Nostr notes by Royce Williams

Nostr event nevent1qqsd3kz6wgy39yrmtu2mcf45knxu2k2srk4v5a4fnp6p60ljv252ragzyp5kgl2m3qt5w2kzem2t3r7efh8td8nukpsrsunhrfnnw3c2se0p65qu3tf

2026-04-22T22:47:57Z

I keep reading "AiTM" as "Am I The Monster"

https://www. ietf.org/archive/id/draft-meow -mrrp-00.html

2026-04-17T14:54:02Z

In reply to nevent1q…zlh7
_________________________

https://www.
ietf.org/archive/id/draft-meow
-mrrp-00.html

Nostr event nevent1qqs9ztpaxf3695yfdw0wcrm3eu7esmh63qheflj8vp4nry7sdep4a5qzyp5kgl2m3qt5w2kzem2t3r7efh8td8nukpsrsunhrfnnw3c2se0p6kvj0q0

2026-04-16T15:12:08Z

Lies, damned lies, and "LIFT TAB TO OPEN"

I don't understand why the recovery of deleted Signal ...

2026-04-09T15:49:47Z

I don't understand why the recovery of deleted Signal messages is news.

If an attacker has full access to the endpoiint, Signal has never claimed to protect messages -- and IIRC, has expressly stated that they do not.

Edit: But hey, at least it is getting the word out that deleting the app doesn't delete the messages!

RE: https://techpolicy.social/@joebeone/116194325589609756 New AI ...

2026-03-08T15:45:58Z

RE: https://techpolicy.social/@joebeone/116194325589609756

New AI term just dropped: vibekilling
nostr:note1679ex0ww9sjqnykfsq5vd999ez3k9w80h3drluglutwp655ept2sx7q3j4

"Wow, I got a TOTP code of 000000! What are the odds of ...

2026-01-24T20:27:16Z

"Wow, I got a TOTP code of 000000! What are the odds of that?!"

"Uh ... one in a million?"

"I know, right?"

🤣

The nice thing about EICAR is that, when properly implemented, it ...

2026-01-22T22:35:48Z

The nice thing about EICAR is that, when properly implemented, it should only produce a hit if it is at the *beginning* of the file (per the EICAR spec itself). Inclusions of EICAR elsewhere are amusing, but should absolutely be false positives that should be fixed.

The Anthropic magic string, by contrast, can appear *anywhere*. The chaos this enables is commensurately greater.

I'm having a Mandela Effect / Berenstain Bears moment where I ...

2026-01-06T21:10:25Z

I'm having a Mandela Effect / Berenstain Bears moment where I *swear* people say "pled" as the past tense of "plead" ... but half of the spellcheckers don't like it?

Ah, indeed. Though when working as designed, the ATA Secure Erase ...

2025-12-30T03:19:08Z

In reply to nevent1q…q2np
_________________________

Ah, indeed. Though when working as designed, the ATA Secure Erase *should* reach all storage. Except when it doesn't. Hmm.

In your experience, what are the ATA Secure Erase failure modes? If we (pessimistically) assume that it can fail silently, it is probably often working as intended (unless it throws an error).

So if I had to write an internal standard at $dayjob, the wiping workflow would *always* attempt an ATA Secure Erase first, and then *always* follow with a single overwrite (with zeroes or NULL; the reasons for overlapping / random / multipass are from ancient HDD days).

I'd argue that verification is itself limited. Part of the ...

2025-12-30T03:03:15Z

In reply to nevent1q…yxe2
_________________________

I'd argue that verification is itself limited. Part of the OS-level verification gap/problem is that the storage has regions that the OS can't reach. So an OS-level verification process is inherently incomplete.

Hmm .. since each approach covers angles that the other does not, ...

2025-12-30T03:00:56Z

In reply to nevent1q…p7cr
_________________________

Hmm .. since each approach covers angles that the other does not, then, the most robust approach is probably to first trigger an ATA Secure Erase, and then do an overwrite.

SSDs also support ATA Secure Erase (controller-level ...

2025-12-30T02:51:08Z

In reply to nevent1q…s0ut
_________________________

SSDs also support ATA Secure Erase (controller-level encrypt-then-discard-key) -- which should, in theory, be significantly more thorough than OS-level overwrite.

This is also the NIST-approved method.

RE: https://infosec.exchange/@zak/115793005915790340 This is a ...

2025-12-27T18:49:40Z

RE: https://infosec.exchange/@zak/115793005915790340

This is a metaphor about cybersecurity products.

quoting
note156n…mum6

Eyelashes: stop things from falling into your eyes.

Also eyelashes: fall directly into your eyes.

What horseshit.

Also how did we manage to land the "switch to passkeys" ...

2025-12-15T15:59:37Z

Also how did we manage to land the "switch to passkeys" messaging ... but somehow miss the "and you absolutely must let users add more than one, with clear UX" bit?

"Let us be the repository of your passkeys" and "We ...

2025-12-15T15:54:49Z

"Let us be the repository of your passkeys" and "We may terminate your account at any time and permanently refuse to communicate with you" ... seems like a bad combination?

Welp, Google is killing off the Dark Web Report feature, which ...

2025-12-15T15:38:41Z

Welp, Google is killing off the Dark Web Report feature, which was useful (to me, anyway), as of Feb 16, 2026.

Nostr event nevent1qqs09mh9cnawlpdxt69atdwvs8a0m6z3p3dg0ukh4w07jalwdmdl27gzyp5kgl2m3qt5w2kzem2t3r7efh8td8nukpsrsunhrfnnw3c2se0p6s2k03r

2025-12-05T15:53:20Z

I kinda hate the mashed-to-a-single word "protip".

I know of seven org-branded standard YubiKey bubble packs (note: ...

2025-11-26T00:23:52Z

I know of seven org-branded standard YubiKey bubble packs (note: the *packaging* is branded, not necessarily the *key*). Are there any more?

First four:

1/2

I don't know why this is how I found out. ...

2025-11-15T20:15:55Z

I don't know why this is how I found out.

https://www.nytimes.com/2025/11/13/us/politics/alaska-phone-voting-anchorage.html

Anchorage is going to try voting by phone.

No one who understands the problem space thinks this is a good idea.

OH: "You're in his DMs. I'm in his VMs. We're not ...

2025-11-07T06:55:47Z

OH: "You're in his DMs. I'm in his VMs. We're not the same."

The kids can't eat without something to scroll. It terrifies ...

2025-11-07T00:35:27Z

The kids can't eat without something to scroll. It terrifies me. When can we rest? When can we have ideas? When can we connect?

Indeed! This thread is what triggered the support in JtR (and ...

2025-11-05T21:11:15Z

In reply to nevent1q…06mw
_________________________

Indeed! This thread is what triggered the support in JtR (and eventually hashcat):

https://unix.stackexchange.com/questions/31549/is-it-possible-to-find-out-the-hosts-in-the-known-hosts-file

Happy to try to crack them if you'd like!

2025-11-05T21:08:24Z

In reply to nevent1q…j37n
_________________________

Happy to try to crack them if you'd like!

Whoa, how did I miss that you'll be able to buy YubiKeys at ...

2025-11-05T04:01:14Z

Whoa, how did I miss that you'll be able to buy YubiKeys at Best Buy?!

https://www.yubico.com/press-releases/secure-your-digital-accounts-yubikeys-available-now-in-stores-at-best-buy/

[Edit: *right now* -- or at least, available to pick up within the hour at my local store!]

#YubiKey

😐

2025-11-04T21:21:51Z

In reply to nevent1q…rjjy
_________________________

😐

Oof. Does the mechanism provide a way for the defederating server ...

2025-11-04T21:20:43Z

In reply to nevent1q…c87z
_________________________

Oof. Does the mechanism provide a way for the defederating server to say why it happened? Or is it just totally opaque?

inb4 everyone realizes that several Someones are taking notes ...

2025-10-29T18:45:53Z

inb4 everyone realizes that several Someones are taking notes during ransomware attacks, outages, etc. -- mapping our attack surface / dependencies / response capabilities.

What percentage are active vs passive measurement are left as an exercise.

https://infosec.exchange/@tychotithonus/115418342699692840

2025-10-22T14:45:41Z

In reply to nevent1q…nj8d
_________________________

https://infosec.exchange/@tychotithonus/115418342699692840

Hot take: we are boiling the illiteracy frog. ...

2025-10-22T06:26:26Z

Hot take: we are boiling the illiteracy frog.

I feel like a lot of the "it was DNS" is conceptually ...

2025-10-20T13:47:22Z

I feel like a lot of the "it was DNS" is conceptually oversimplifying, and masking true root cause(s).

It makes sense to centralize naming, It makes sense to abstract naming away from IP addresses. Many of these outages are "this other thing broke, and it made DNS break". Most folks would never say "it was DNS" when it was a network problem that was preventing reaching the DNS servers. But a lot of the time, this isn't much different from that.

Don't get me wrong, every outage is an opportunity to learn and improve, both locally and centrally. I just want to shift the conversation to "it was DNS, *because* ...", and help people make informed risk trade-offs.

Approach it like the NTSB would: keep going until you know, and have recommendations for, *all* of the failure modes.

And the opposites are also very true: Local doesn't mean ...

2025-10-09T16:00:22Z

In reply to nevent1q…j6yd
_________________________

And the opposites are also very true:

Local doesn't mean insecure. Cloud doesn't mean secure.

Good question! A core property of FIDO2 is authenticating the ...

2025-10-04T14:21:03Z

In reply to nevent1q…2lq2
_________________________

Good question!

A core property of FIDO2 is authenticating the *origin* (are you connected to the right site, or a copycat). The daily benefit of this protection is intended to be worth the trade-off of requiring diligence in retaining possession of the key.

Also, the idea is that loss of the key would be noticed quickly enough that the key could be revoked.

Finally, putting a PIN on a "leave-in" / installed key (which is a PIN for the *key*, not for individual sites), is a reasonable way to mitigate the risk of the window of time between the loss/theft of key and when it can be revoked.

#YubiKey

This saga feels like an ad for ZFS 😉 I've been burned by ...

2025-09-29T16:51:12Z

In reply to nevent1q…etwy
_________________________

This saga feels like an ad for ZFS 😉

I've been burned by both hard and soft RAID too many times to ever go back.

Updated to include: ...

2025-09-23T20:22:04Z

In reply to nevent1q…u9pc
_________________________

Updated to include:

https://www.yubico.com/press-releases/yubico-and-t-mobile-deployment-of-200000-phishing-resistant-yubikeys-enhances-un-carriers-work-systems-security/

I should have been collecting the receipts on a rolling basis; ...

2025-09-23T20:17:18Z

In reply to nevent1q…xwsm
_________________________

I should have been collecting the receipts on a rolling basis; chatter at the time for multiple of these was "deploying fast now for highest risk, doing the rest in a more controlled fashion after".

Thinking of:<li>npm ("encouraging FIDO2", anyway)</li><li>T-Mobile - <a href="https://www.t-mobile.com/news/network/additional-information-regarding-2021-cyberattack-investigation"; target="_blank" rel="nofollow noopener" translate="no">https://www.t-mobile.com/news/network/additional-information-regarding-2021-cyberattack-investigation</a></li><li>Twitter - <a href="https://blog.x.com/engineering/en_us/topics/insights/2021/how-we-rolled-out-security-keys-at-twitter"; target="_blank" rel="nofollow noopener" translate="no">https://blog.x.com/engineering/en_us/topics/insights/2021/how-we-rolled-out-security-keys-at-twitter</a></li>

And probably:<li>Uber ("further strengthening our MFA", reading between the lines for 2022 breach and 2023 deployment) - <a href="https://www.uber.com/newsroom/security-update/"; target="_blank" rel="nofollow noopener" translate="no">https://www.uber.com/newsroom/security-update/</a></li><li>Discord (again, reading between the lines - 2023 breach, 2025 deployment)</li><li>eBay (public evidence is thinner here, but I got a couple of confidential reports)</li>

And a couple "we could see the writing on the wall" (they get points for that):<li>Google (2017) - <a href="https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/"; target="_blank" rel="nofollow noopener" translate="no">https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/</a></li><li>Cloudflare - <a href="https://blog.cloudflare.com/how-cloudflare-implemented-fido2-and-zero-trust/"; target="_blank" rel="nofollow noopener" translate="no">https://blog.cloudflare.com/how-cloudflare-implemented-fido2-and-zero-trust/</a></li>

How many stories of "get popped, then do an emergency FIDO2 ...

2025-09-23T19:56:52Z

How many stories of "get popped, *then* do an emergency FIDO2 deployment" does your leadership need to read before you decide to deploy FIDO2 proactively?

Like conference social preference badges, except "yes I will ...

2025-09-20T01:57:52Z

Like conference social preference badges, except "yes I will always say hi to your dog"

"Using ChatGPT to complete assignments is like bringing a ...

2025-09-18T17:28:08Z

"Using ChatGPT to complete assignments is like bringing a forklift into the weight room; you will never improve your cognitive fitness that way."
-- Ted Chiang

Source:
https://www.newyorker.com/culture/the-weekend-essay/why-ai-isnt-going-to-make-art

Dudes will install Debian on a 13yo MacBook Air instead of going ...

2025-09-17T00:37:54Z

Dudes will install Debian on a 13yo MacBook Air instead of going to therapy.

It's me. I'm dudes.

(XFCE is pretty snappy!)

And to your solid point about the 70%, I forgot to math that out ...

2025-09-09T12:56:46Z

In reply to nevent1q…qmj2
_________________________

And to your solid point about the 70%, I forgot to math that out to illustrate the importance of protecting the remaining people who *aren't* reusing passwords. (And I know you know this, mostly posting for those following along).

In the 16 million bcrypt cost 12 case, if 70% of them can be "pre-cracked" with correlation, then the amount of time for the attack above to run for the remaining 30% drops from 300 days to 90 days. Which is an okay amount of time to buy between compromise and discovery, until we remember that you can have a lot more than two 4090s 😅, and of course, bcrypt parallelizes relatively well, such that a different hash like Argon2 or yescrypt is a better choice. But if bcrypt is the only option for some reason, bumping the work factor higher, if feasible, would be recommended.

Wow, that is substantially more terrible than I was expecting. ...

2025-09-09T05:23:39Z

In reply to nevent1q…4yx9
_________________________

Wow, that is substantially more terrible than I was expecting. Yow.

Well, there's a spectrum there. A lot of the Hashmob bcrypt ...

2025-09-09T04:49:36Z

In reply to nevent1q…p4tw
_________________________

Well, there's a spectrum there. A lot of the Hashmob bcrypt lists have been thoroughly correlated, and I think the percentage trends lower than 70% there, but I'd have to look.

If full correlation is in play (a leak with known passwords), then the cost doesn't make a ton of difference, because each hash can be targeted with john's --single mode or hashcat's -a 9.

And for hashes that cannot be correlated, targeting a single hash slows the attacker down only so much (because single-hash performance has to be tolerable for user experience). When the bcrypt cost gets to 12, and a million candidate passwords, that's only about 30 seconds with hashcat on 2 4090s.

And then that cost is magnified when it's a broad attack (many hashes targeted simultaneously), Even just trying the first N thousand most common passwords, attempting to crack a million bcrypt cost 12s is correspondingly harder, so there's still a "herd health" benefit to the hashes being stronger.

For example, with 16 million cost 12 bcrypts, and a very short list of very common passwords (6144 words, the minimum for certain hashcat efficiencies), 2x 4090s will take 300 days to fully exhaust. The equivalent attack - all other variables constant, but dropping the bcrypt cost from 12 to five -- will complete *in 2.5 days*.

And that's for a *very* short wordlist. Running through longer wordlists would be correspondingly longer.

So I think that the work factors should be tuned to protect folks who aren't reusing their own passwords across multiple accounts, but might be sharing semi-common passwords *with other users*.

Nice find! We're going to have get the word out that just ...

2025-09-09T03:54:13Z

In reply to nevent1q…tf76
_________________________

*Nice* find!

We're going to have get the word out that just 'bcrypt' isn't enough -- bcrypt cost 12 is 128 times harder than cost 5, etc. We need to know the default costs.

Anyone seeing disclosure of what password hashing algorithm Plex ...

2025-09-09T02:03:27Z

Anyone seeing disclosure of what password hashing algorithm Plex uses on their back end?

[Edit: Aaron Toponce ⚛️:debian: (npub1t9c…8529) discovered a thread showing bcrypt:

https://fosstodon.org/@atoponce/115172271450263878 ]

There are three kinds of org postures relative to disclosure of password-hashing algorithm:<li>Orgs confident enough in their selection of algorithm that they know that there is no harm in disclosing it</li><li>Orgs who know they're doing it badly and want to keep it a secret</li><li>Orgs who won't disclose their algorithm because the PR team has no idea how the passwords are hashed, and internal comms are spotty enough that the information can't reach the public</li>

Note that a mix of 1 and 3, or 2 and 3, are also possible.

1 alone is a sign of security maturity. If 2 and 3 are in play, there's room for improvement ... for different reasons, but both indicators of security immaturity.

Practitioners: Which type is your org?

Reporters: Are you probing orgs to find out which type they are?

Normalize hash-type disclosure.

Clonezilla is such a hidden gem. An impressive combination of ...

2025-09-07T23:52:12Z

Clonezilla is such a hidden gem. An impressive combination of "make the core things easy and the tricky things possible" and "do what I probably need".

I totally forgot about this. Thank you, random synapse from ...

2025-09-04T03:04:22Z

I totally forgot about this. Thank you, random synapse from literally the year 2000.

https://goodreads.com/book/show/331807.How_to_Good_Bye_Depression_If_You_Constrict_Anus_100_Times_Everyday__Malarkey__or_Effective_Way_

That is hilarious and insightful. You win the Internet today, and ...

2025-08-28T13:42:48Z

In reply to nevent1q…vl3q
_________________________

That is hilarious and insightful. You win the Internet today, and it's only 5:42 a.m. here. 😁

Turns out "despite patches" means "despite patches ...

2025-08-28T13:35:21Z

Turns out "despite patches" means "despite patches being available, because a bunch of people aren't applying them" rather than "despite patching it, but it's still vulnerable anyway and there's something wrong with the patches" 🙄

Words mean things.

#SavedYouAClick

MDXfind 1.133 released: ...

2025-08-26T04:50:30Z

MDXfind 1.133 released:

https://www.techsolvency.com/pub/bin/mdxfind/

Highlights:<li>Now shows hash and candidate rates/sec in comfort messages</li><li>Significant (10x) improvement in solution output speed for hashes</li><li>Previously undocumented features, including <code>-m</code> flag to specify hashtypes in hashcat mode syntax</li><li>Metadata showing mapping of MDXfind hashtype IDs (by position in -h) to hashcat modes</li><li>Now with gzip support for hashes (<code>-f</code> or stdin), and for candidate lists</li>

Too many to fully list, but lots of interesting stuff in the full changelog:

https://www.techsolvency.com/pub/bin/mdxfind/CHANGES.txt

Always be cracking!

#MDXfind

Good morning to everyone except GitHub, ...

2025-08-24T16:00:15Z

Good morning to everyone except GitHub, which:<li>allows (but strongly discourages) fine-grained access tokens with no expiration date, but</li><li>won't let you create one with an expiration date more than one year out.</li>

So my choices are "never expire" or expire in a year or less".

Our Threat Models May Vary!

Nostr event nevent1qqsgsqwk33jl4qylj656w8r7dy7qp084c9j3emv48vvqp8ts08flhfqzyp5kgl2m3qt5w2kzem2t3r7efh8td8nukpsrsunhrfnnw3c2se0p6e55mqe

2025-08-23T04:00:34Z

These can both be true: <li>Passkey deployment has ...

2025-08-18T14:56:34Z

These can both be true: <li>Passkey deployment has been fraught with UX challenges, failures to advise users about threat model trade-offs, and vendor lock-in concerns </li><li>The ecosystem couldn't go much longer without the benefits of passkeys (reducing password reuse risk, mitigating infostealer harm, and deploying FIDO2 phishing resistance at scale)</li>

#Passkeys

Ah, another "strong MFA bypassed" story. /me opens ...

2025-08-17T22:23:25Z

Ah, another "strong MFA bypassed" story.

/me opens article, starts scanning for buried lede

Ah, here it is ... paragraph 8:

"First you have to compromise the endpoint"

🙄

Surprise! This is *not something passkeys -- or any other authentication system -- are designed to mitigate*.

https://www.securityweek.com/passkey-login-bypassed-via-webauthn-process-manipulation/

I say again: the word "bypass" only leaves the layperson with the impression of "nya nya strong MFA isn't as strong as they said lol" ... and the CIO with the impression "you told me I had to move to strong MFA why do they keep finding problems with it"

Cut it out.

So ... is the new Sandia time-independent MFA thing: ...

2025-08-17T15:39:19Z

So ... is the new Sandia time-independent MFA thing:

https://www.sandia.gov/labnews/2025/07/24/two-factor-authentication-just-got-easier/

... just ... renegotiating a new per-client code every time there's a new connection?

Like ... how garage door openers have worked ... since the mid-90s?

Huh -- did I miss it, or does even the upstream Sandia not ...

2025-08-17T15:33:20Z

In reply to nevent1q…h8hc
_________________________

Huh -- did I miss it, or does even the upstream Sandia not actually say what the approach *is*?

https://www.sandia.gov/labnews/2025/07/24/two-factor-authentication-just-got-easier/

All I can extract from the coverage is "easier" and "time-independent".

Still digging ...

Edit: is it... just ... renegotiating a new per-client code every time there's a new connection?

Like ... how garage door openers have worked ... since the mid-90s?

Kiddo: why do you put the full year with "20" at the ...

2025-08-16T22:00:18Z

Kiddo: why do you put the full year with "20" at the front when you sign the school forms?

Me: *thousand-yard Y2K stare*

Since it's just the tree, if someone could snapshot it ...

2025-08-15T17:56:14Z

In reply to nevent1q…7j9d
_________________________

Since it's just the tree, if someone could snapshot it safetly and put a text-only version of it somewhere (like a GitHub gist), folks would probably appreciate that

Does "runtime" here always imply "source code is ...

2025-08-13T15:59:11Z

In reply to nevent1q…6t3h
_________________________

Does "runtime" here always imply "source code is available"?

On mobile, desktop, or both? I hadn't seen this yet, can you ...

2025-08-03T01:15:30Z

In reply to nevent1q…lved
_________________________

On mobile, desktop, or both? I hadn't seen this yet, can you point me to some coverage or a summary?

Things platforms want you to do less of:<li>untrackably ...

2025-08-02T16:22:43Z

Things platforms want you to do less of:<li>untrackably copy a link to something</li><li>save an image</li><li>copy arbitrary text</li><li>decide what to look at next</li><li>return to where you were a minute ago</li><li>find options you can change</li><li>know how many search results there are / length of scroll</li><li>decide what part of a video you want to see</li><li>prioritize and deprioritize content based on your own preferences</li><li>manage your own attention</li>

Mobile apps make this agenda easier. Apps are for companies.

The web makes this agenda harder. The web is for people.

RIP the Corporation for Public Broadcasting. It genuinely made ...

2025-08-01T18:52:33Z

RIP the Corporation for Public Broadcasting.

It genuinely made generations of kids both smarter and more empathetic.

The only winners in this outcome are the enemies of the United States.

And I didn't realize it was going to hit me this hard.

https://cpb.org/pressroom/Corporation-Public-Broadcasting-Addresses-Operations-Following-Loss-Federal-Funding

Oh look, another "door locks are bad because someone can ...

2025-07-30T05:03:53Z

Oh look, another "door locks are bad because someone can crawl through the window" scare article (this time a sponsored one). Not responsible journalism, Bleeping.

I especially "appreciate" the scare quotes around "phishing-resistant" 🤬

Never tell a call with 300 people that they can just drop ...

2025-07-22T17:32:52Z

Never tell a call with 300 people that they can just drop questions into chat whenever they want for a 3 hour presentation. Only takes 5‰ of them taking you up on it -- who somehow don't realize most of their questions are about to be answered -- to derail velocity.

Man, this feels like some data-hoarding person would have ...

2025-07-16T22:16:43Z

In reply to nevent1q…55p4
_________________________

Man, this feels like *some* data-hoarding person would have retained it -- or was it never actually downloadable?

I mean, I just liked the quote. Wasn't really trying to ...

2025-07-11T05:11:53Z

In reply to nevent1q…uych
_________________________

I mean, I just liked the quote. Wasn't really trying to invoke the overall article either way.

Daniel Miessler :verified: (npub1qu3…rukd)

"Engineering should eat security." -- Caleb Sima Source: ...

2025-07-11T03:03:08Z

"Engineering should eat security."
-- Caleb Sima

Source:
https://danielmiessler.com/blog/ai-creative-destruction-wave
(via Daniel Miessler :verified: (npub1qu3…rukd))

Couldn't find this anywhere and my scanner is borked, but at ...

2025-07-08T16:13:45Z

Couldn't find this anywhere and my scanner is borked, but at least here's a photo, with alt text.

Love Rich Tennant -- quite insightful. Not affiliated, just a fan:

https://the5thwave.com/

1/2

Mention of "several mitigations" without details ... ...

2025-07-08T13:55:45Z

In reply to nevent1q…m7gs
_________________________

Mention of "several mitigations" without details ... sheesh

That sounds quite satisfying -- nice work! Need before and after ...

2025-06-28T23:47:22Z

In reply to nevent1q…aky5
_________________________

That sounds quite satisfying -- nice work! Need before and after photos 😉

Ooh, really?! That's so great. Legit impressed

2025-06-27T03:24:26Z

In reply to nevent1q…pnwf
_________________________

Ooh, really?! That's so great. Legit impressed

Collab / call platforms: Just add a "When someone shares ...

2025-06-26T16:03:45Z

Collab / call platforms:

Just add a

"When someone shares their screen, give all other attendees a 'Can you see what is being shared? Yes / No' button

already.

Assuming you have no plans to leave the house that day ... at ...

2025-06-24T14:12:36Z

Assuming you have **no plans to leave the house** that day ... at what percentage of battery level on your primary mobile device do you *start* to get uncomfortable, and think you should charge it?

Assume you will not have access to a charger or external power pack while away (If you do end up having to leave).

(If your number is somewhere in between, choose the next lower number)

(Please RT to improve sample size.)

"Showing what's possible without constraints is just ...

2025-06-23T18:10:36Z

"Showing what's possible without constraints is just delaying contact with the constraints."

-- Mike Williamson (npub15xj…2uj4)

ooh, that is a sweet spot

2025-06-20T03:47:09Z

In reply to nevent1q…adlu
_________________________

ooh, that *is* a sweet spot

Nostr event nevent1qqswu7d2efd97rarr2h6ux3glaue0mqn6kn2t569tc4kzs2jc7jpsjszyp5kgl2m3qt5w2kzem2t3r7efh8td8nukpsrsunhrfnnw3c2se0p6hpp7f3

2025-06-20T01:04:13Z

In reply to nevent1q…z3qa
_________________________

https://www.bleepingcomputer.com/news/security/no-the-16-billion-credentials-leak-is-not-a-new-data-breach/

white/orange/orange white/green/blue white/blue/green ...

2025-06-15T22:56:38Z

In reply to nevent1q…3yvd
_________________________

white/orange/orange
white/green/blue
white/blue/green
white/brown/brown

Oof, wow - do what ya gotta do. The ecosystem may need you, but ...

2025-06-02T22:39:42Z

In reply to nevent1q…wyl3
_________________________

Oof, wow - do what ya gotta do. The ecosystem may need you, but the personal cost matters. Hang in there. If you're wanting it, I hope you land somewhere that's less about middens-mucking and more about pushing the envelope. 💪

I'm getting this error immediately after login and the ...

2025-06-01T15:14:53Z

I'm getting this error immediately after login and the recurring acceptance of usage terms. Never seen this one before, not even during scheduled maintenance, etc.

#SocialSecurity

@npub1gv2…tlwl Hey, I know that you recently introduced a ...

2025-05-31T13:53:05Z

Simon Willison (npub1gv2…tlwl)

Hey, I know that you recently introduced a "pay a little to get less" subscription model. I have a value-add suggestion (if it doesn't already exist?)

As I explore the LLM space, I often find myself asking "what would Simon use?" So if I had my druthers, your subscription would include a living, opinionated "best model / approach for X" table -- with diffs published as an RSS feed or a simple, dedicated repo -- that matches your current opinion as it evolves over time.

Ideally, this would be published live as it happens, rather than waiting until the end of the month.

And I understand that the table would need a few fields to capture the nuance, such as size of model, affordability, local vs remote, etc.

But boy howdy would I mash the subscribe button for that (if I wasn't already - I just fixed that gap -- and, dear other readers, if you want to efficiently grow your understanding of LLMs ... so should you!)

Ugh ... did they explain/justify the GrapheneOS change anywhere?

2025-05-28T01:44:40Z

In reply to nevent1q…gsal
_________________________

Ugh ... did they explain/justify the GrapheneOS change anywhere?

OMG this. It's why I wrote this -- to provide an alternative ...

2025-05-26T07:14:59Z

In reply to nevent1q…kpfm
_________________________

OMG this. It's why I wrote this -- to provide an alternative to the footgun (well, really more of a foot-sledgehammer that people keep hitting themselves with harder and harder) :

https://blog.techsolvency.com/2025/04/managing-unique-wordlists-password-cracking.html

The steady stream of "how do I sort this 300GB file" folks in the cracking Discords is never-ending. This hurts less.

Wow! Any rough ETA on when the passwords will be merged to Pwned ...

2025-05-23T22:25:51Z

In reply to nevent1q…566n
_________________________

Wow! Any rough ETA on when the passwords will be merged to Pwned Passwords?

Really hoping that the title - of the W3C's position paper - ...

2025-05-08T12:47:15Z

Really hoping that the title - of the W3C's position paper - "Third-Party Cookies Must Be Removed":

https://w3c.social/@w3c/114432468864338537

... is a deliberate echo of "Carthage must be destroyed":

https://en.wikipedia.org/wiki/Carthago_delenda_est

inb4 the Signal clone is revealed much later to have actually ...

2025-05-05T23:10:58Z

inb4 the Signal clone is revealed much later to have actually been a bugdoor-riddled op, because¹:

"Any sufficiently advanced malice is indistinguishable from incompetence."

¹https://infosec.exchange/@tychotithonus/110782759353122562

Petition to make it illegal for streaming services to use ...

2025-04-20T07:20:15Z

Petition to make it illegal for streaming services to use thumbnails that contain spoiler content.

And, per me: ...

2025-03-20T15:58:40Z

In reply to nevent1q…f6me
_________________________

And, per me:

https://infosec.exchange/@tychotithonus/110782759353122562

... the inverse is true:

Any sufficiently advanced malice is indistinguishable from incompetence." (bugdoors, etc.)

Whew! Good thing users will be blocked from using these ...

2025-03-19T06:36:44Z

Whew! Good thing users will be blocked from using these compromised "passwords"! /s

#HashCracking

The protective value of "k-anonymity"¹ for Have I Been ...

2025-03-18T23:15:47Z

The protective value of "k-anonymity"¹ for Have I Been Pwned / Pwned Passwords API lookups is significantly reduced because frequency data is included. And the more common the password, the more this effect is magnified.

An example:

https://gist.github.com/roycewilliams/2034c9253d46fbcaefb13f8e5d42daa2

... with cracks:

https://gist.github.com/roycewilliams/2bb471cc90cce7f6834204344590fcac

Using "k-anonymity"¹ to return all hashes that begin with b2e98 is less "anonymous" ... when 98.6% of the passwords (by frequency across all leaks) are the top one.

It's not really hiding a needle in a haystack if you just lay it on top.

Edit: in fact, even *without* the frequency data, since some passwords are much more common than others ... left-skewed distribution is an intrinsic property of password data. Missing frequency data can be largely reconstructed from public cracking efforts. (And even if that weren't true, the hashes can just be cracked using traditional methods. If the cracking community can get a 97%+ cracking rate², what is being achieved other than plausible deniability?)

K-anonymity [as implemented by HIBP, anyway -- true K-anonymity is different¹] may just be a bad fit for password hashes.

¹ Not actually k-anonymity at all:
https://en.wikipedia.org/wiki/K-anonymity

² Actually closer to 99.29% across the entire corpus, publicly:
https://gist.github.com/roycewilliams/40f0e8c93ec9c69f5b5a1874c76f2587

#passwords #HaveIBeenPwned

Fair - though since tailoring ads based on demographic data and ...

2025-03-09T16:01:13Z

In reply to nevent1q…ez5t
_________________________

Fair - though since tailoring ads based on demographic data and other factors requires different people to be served different ads, it feels like it would just be too inefficient to customize many input models. Even with a global (non-tailored) tweak, it seems like burning compute in that would be eclipsed by the business pressure of burning it in general model improvement instead. But then again, I might have said that about search a decade ago, so you may be in to something. 😅Fascinating!

Related, indeed ... but since AI handlers have models with ...

2025-03-09T15:40:16Z

In reply to nevent1q…0qqa
_________________________

Related, indeed ... but since AI handlers have models with untraceable sources, it seems far easier to manipulate the *answers* than try to alter the *inputs* (to weight Home Depot more than Lowe's, etc.)

Obvious in retrospect, but never occurred to me until this ...

2025-03-09T15:34:28Z

Obvious in retrospect, but never occurred to me until this morning:

Won't many broad answers provided by AI that are actually true have to be suppressed (regimes, ads and other commercial motivation, etc.)?

Won't improving *true* AI performance always be at odds with the goals of its creators, to the detriment of its consumers?

(Note that I say "actually true" on purpose; AI picking up *wrong* but dominant answers from bad data is also a thing but not what I'm talking about.)

Dear everyone, Stop putting click tracking on your password-reset ...

2025-03-08T22:08:52Z

Dear everyone,

Stop putting click tracking on your password-reset links.

You need ZERO third-party metrics to record that I followed a link *that is the only way to get what I explicitly requested*.

And I need ZERO interference / dependencies (from ad blocking, web filtering, etc.) for such a critical function.

They're missing the blue painter's tape labels in large ...

2025-03-08T18:13:03Z

In reply to nevent1q…84rx
_________________________

They're missing the blue painter's tape labels in large Sharpie, with the output specs. 😉

There's a lot to unpack here

2025-03-01T07:37:57Z

In reply to nevent1q…wmqn
_________________________

There's a lot to unpack here

I'd like to compile a list of good opsec references for these ...

2025-02-28T03:39:28Z

I'd like to compile a list of good opsec references for these times.

I'm interested in creating multiple sections - both general (the "use Tor, Use Signal" types), as well as for specific populations (vulnerable / targeted ones, protesters, Federal workers, etc.).

Also interested in refs for both technical and non-technical audiences! Blogs, checklists, books - anything.

Please reply with your favorite things. My goal is to organize them and publish them as a single meta-reference page on my website.

Indeed - though I'm also talking about how to surface this to ...

2025-02-27T20:09:32Z

In reply to nevent1q…l8xl
_________________________

Indeed - though I'm also talking about how to surface this to more ordinary users ("you just got a 'special' version of Telegram'" etc)

If a government can issue a secret order to push a ...

2025-02-27T16:44:45Z

If a government can issue a secret order to push a 'special' version of a mobile app just to a specific person (or set of people), how can this be mitigated?<li>How can app "rarity" be detected locally? (Antivirus and its descendants have a concept of a "well-known benign executable" vs one that has only been rarely seen. </li><li>Can a local app, or an OS feature, be used to compare local apps with a list of expected versions?</li><li>Can this be done independently of the OS (since the order could also subvert the rarity check)? (Even an independent app can be subverted if the only app store is the official one maintained by the same vendor.)</li><li>To detect unusual app versions, reproducible builds are necessary but not sufficient, unless the project is also FOSS -- because even if everyone gets the same APK, the app might receive different instructions from its server depending on unique metadata.</li>

You really want the latest - the full weekly list is reordered to ...

2025-02-25T17:35:46Z

In reply to nevent1q…wdfq
_________________________

You really want the latest - the full weekly list is reordered to be in frequency order across all targets, and in between those releases, it's append-only -- so you can HTTP Range Requests or rsync with --append to grab just the new, fresh ones very quickly and append them to your giant file. It's a superpower.

That is ... unusually bad. Where is it from?

2025-02-24T18:43:19Z

In reply to nevent1q…75rp
_________________________

That is ... unusually bad. Where is it from?

The hashcat.net site is down -- side effect of maintenance by ...

2025-02-21T20:08:53Z

The hashcat.net site is down -- side effect of maintenance by hosting provider. Being worked.

Current release can be downloaded from GitHub:

https://github.com/hashcat/hashcat/releases/tag/v6.2.6

Convenience Wayback links to popular wiki pages:

**Rules:**

https://web.archive.org/web/20250211234251/https://hashcat.net/wiki/doku.php?id=rule_based_attack

**Example hashes:**

https://web.archive.org/web/20250216060927/https://hashcat.net/wiki/doku.php?id=example_hashes

**FAQ**

https://web.archive.org/web/20250219024304/https://hashcat.net/wiki/doku.php?id=frequently_asked_questions

hashcat (npub1ay6…7gtx) #hashcat