
tychotithonus

@tychotithonus@infosec.exchange

Just doing my undue diligence.

ISP vet, password cracker and Team Hashcat member, security demi-boffin, YubiKey stan, public-interest technologist, AK license plate geek. Husband to a philosopher, father to a llama fanatic. Views his.

Day job: Ent Sec Arch for a quad-play Alaskan ISP.

Obsessed with security keys: https://www.techsolvency.com/mfa/security-keys/

My 2017 #BSidesLV talk "Password Cracking 201: Beyond the Basics":
youtube.com/watch?v=-uiMQGICeQY&t=20260s

Profile photo: White 50-ish man with prominent forehead, short beard, and glasses, looking very pleased to be in front of a display of Alaskan license plates.

Banner photo: 5 rows of YubiKeys and security keys, in a wall-mounted case.

Blocked inadvertently? Ask!

Followed you out of the blue = probably stole you from follows of someone I respect.

#hashcat #Alaska #YubiKey #YubiKeys #WebAuthn #FIDO #LicensePlates

P.S. I hate lottery / advance-fee scammers with the heat of 400B suns.

❤️:⚛👨‍👩‍👧🛡🙊🌻🗽💻✏🎥🍦🌶🍫


jerry (edited), to random

Given my situation, I am thinking a lot about what makes a good ciso. I don’t think I was particularly good, but that’s another story.

I am curious what the community thinks makes a good CISO, at least from one narrow perspective. Do you think CISOs should be:

tychotithonus,

@jerry

[ ] Both technical and business

I know it's a unicorn -- but it seems very difficult for a CISO to not have a healthy helping of both.

tychotithonus, to random

I discovered that my parents still have Google Picasa (2015) installed.

Clear interface with visible scrollbars. No analytics. Works even if the Internet is down. Reasonably performant facial recognition. Fast local indexing. Leaves files where they are on disk, without moving or renaming them.

In retrospect, now that I know today's user-hostile future ... I would have paid $100 a year for this.

This is the future they took from us.

jerry, to random

Tick tock ⌛️

tychotithonus,

@jerry Hey, you'd better stop calling my good friend Jerry trash! 😉

tychotithonus, to random

From a post I just made elsewhere, about Recall:

Because Recall is "default allow" (it relies on a list of things not to record) ... it's going to vacuum up huge volumes and heretofore unknown types of data, most of which are ephemeral today. The "we can't avoid saving passwords if they're not masked" warning Microsoft included is only the tip of that iceberg. There's an ocean of data that the security ecosystem assumes is "out of reach" because it's either never stored, or it's encrypted in transit. All of that goes out the window if the endpoint is just going to ... turn around and write it to disk. (And local encryption at rest won't help much here if the data is queryable in the user's own authentication context!)

Put another way: no one has been writing their apps or libraries assuming that this data might be captured somewhere. Some suuuuper deep assumptions about that will only come to light once they've been painfully exploited - and may take a ton of time to remediate.

Most {organizational, ecosystem, societal} threat models don't include "run infostealers on steroids on every endpoint that anyone in the user's authentication context can query".

Ransomware of unprecedentedly juicy exfil (enabled by maliciously configuring it to strip out any "do not record" exceptions for a while) will have a field day. PCI / GDPR / etc implications are mind-boggling.

And Recall's users and Microsoft are going to learn all this the hard way.

tychotithonus OP,

Also, will Recall make naive exploitation of apps easier?

As any Burp user knows, a lot of what apps do under the hood is obscured by a thin layer of front-end complexity.

But what if Recall is like ... running Burp For Dummies all the time, writing it all to disk, and giving it a simple search interface?
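Added example (mine, not code from the original posts or from Microsoft): a small simulation of the "default allow" point above. It models a screen recorder that keeps every frame unless a deny rule matches, beside one that keeps only frames from an explicit allowlist, and then runs the kind of same-user search the post describes over what each policy wrote to disk. The frames, the deny list, the allowlist and the secret-spotting regex are all constructed for illustration; the only rule with a basis in the post is "masked password fields are excluded".

```python
"""
Constructed simulation of a default-allow screen recorder (record all,
subtract a deny list) versus a default-deny one (record only an allowlist).
Nothing here is real data, a real API, or the product's actual rules.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Capture:
    app: str   # foreground application when the frame was taken (constructed)
    text: str  # text recovered from the frame, e.g. by OCR (constructed)


# Constructed sample frames. The secrets are made up.
FRAMES = [
    Capture("browser", "Sign in  username: alice  password: ********"),
    Capture("browser", "GET /api/v1/report?token=eyJhbGciOiJIUzI1NiJ9.e30.abc"),
    Capture("terminal", "$ mysql -u root -pS3cretPa55 prod_db"),
    Capture("chat", "here's the wifi: Tr0ub4dor&3"),
    Capture("notes", "grocery list: eggs, milk"),
]

# Hypothetical deny list for the default-allow policy. The only rule the
# post mentions is "masked password fields"; the app entry is invented.
DENY_APPS = {"password_manager"}
DENY_PATTERNS = [re.compile(r"password:\s*\*+")]   # masked fields only

# Hypothetical allowlist for the default-deny policy.
ALLOW_APPS = {"notes"}

# Hypothetical detector standing in for "what a later query would find".
SECRET_HINTS = re.compile(r"(token=|\s-p\S+|wifi:|password)", re.I)


def default_allow(frames, deny_apps=DENY_APPS, deny_patterns=DENY_PATTERNS):
    """Keep every frame unless an app or text deny rule matches."""
    kept = []
    for f in frames:
        if f.app in deny_apps:
            continue
        if any(p.search(f.text) for p in deny_patterns):
            continue
        kept.append(f)
    return kept


def default_deny(frames, allow_apps=ALLOW_APPS):
    """Keep a frame only when its app is explicitly allowlisted."""
    return [f for f in frames if f.app in allow_apps]


def leaked_secrets(store):
    """Frames in the on-disk store that a same-user search would surface."""
    return [f.text for f in store if SECRET_HINTS.search(f.text)]


def compare(frames=FRAMES):
    """Count secret-bearing frames each policy leaves queryable on disk.

    'exceptions_stripped' models the post's scenario of malware emptying
    the deny list for a while: the default-allow policy with no exceptions.
    """
    return {
        "default_allow": len(leaked_secrets(default_allow(frames))),
        "default_deny": len(leaked_secrets(default_deny(frames))),
        "exceptions_stripped": len(
            leaked_secrets(default_allow(frames, deny_apps=set(), deny_patterns=[]))
        ),
    }


if __name__ == "__main__":
    for policy, n in compare().items():
        print(f"{policy}: {n} secret-bearing frames on disk")
```

The masked-field rule removes exactly one frame; the bearer token in a URL, the password passed on a command line and the Wi-Fi key pasted into chat were never anyone's "do not record" case, so the default-allow store keeps all three. The allowlist keeps none of them, and stripping the exceptions makes even the masked login frame searchable.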

tychotithonus, to random

TIL reporters from a certain era had a specialized wrench to quickly and safely remove stuck mouthpieces from telephone handsets ...

... so that they could then alligator-clip to the mic leads directly ...

... to transmit higher-quality audio across phone lines without picking up background noise :mind_blown:

https://www.reddit.com/r/specializedtools/comments/hfb7at/wrench_to_remove_the_mouthpiece_cap_from_

(I found out about it because an eBay seller had posted something I needed that she couldn't identify, and then told me a story about another "mystery thingie" she listed ... which someone bought as a joke gift for a friend without knowing what it was!)

bontchev, to random

Oh, look. A FOIA request to the FBI just uncovered some interesting information that the US-funded gain-of-function virus research in Wuhan.

Apparently, they researched how bat corona viruses could be transferred to humans in a way that would make them more virulent and damaging, while leaving no traces of human manipulation.

https://www.judicialwatch.org/wp-content/uploads/2024/04/FBI-NIH-Gain-of-Function-April-2024-1.pdf

tychotithonus,

@bontchev From an unverified informant?

tychotithonus (edited),

@bontchev I mean from the perspective of the reader, not of the FBI. How else do you interpret "Our person from [redacted]" other than "somebody we [the reader] can't verify who they are"?

jerry, to random

After reading this story: https://www.bleepingcomputer.com/news/security/okta-warns-of-unprecedented-credential-stuffing-attacks-on-customers/ and combined with my own experiences with customers of certain services making bad decisions, should services like Okta not permit customers to disable “protection” and prohibit running in a monitor only mode?

tychotithonus (edited),

@jerry A reasonable compromise might be to put a hard limit on how long you're allowed to run in monitor mode. A 30-day timer can motivate orgs wonderfully.

tychotithonus, to random

Tell me you've never helped seniors with tech, without telling me you've never helped seniors with tech.

And I don't just mean the person answering this question. I also mean whoever decided to remove this option.
