Brutkey

Royce Williams
@tychotithonus@infosec.exchange

Just doing my undue diligence.

ISP vet, password cracker (Team Hashcat), security demi-boffin, YubiKey stan, public-interest technologist, AK license plate geek. Husband to a philosopher, father to a llama fanatic. Views his.

Day job: Enterprise Security Architect for an Alaskan ISP.

Obsessed with security keys:
techsolvency.com/mfa/security-keys

My 2017 #BSidesLV talk "Password Cracking 201: Beyond the Basics":
youtube.com/watch?v=-uiMQGICeQY&t=20260s

Followed you out of the blue = stole you from someone I respect.

Blocked inadvertently? Ask!

Am I following a dirtbag? Tell me!

Suggestions welcome!

Photo: White 50-ish man w/big forehead, short beard, & glasses, grinning by a display of Alaskan license plates.

Boosts not about security ... usually are.

Banner: 5 rows of security keys in a wall case.

#NonAIContent

#hashcat #Alaska #YubiKeys #LicensePlates

P.S. I hate advance-fee scammers w/heat of 400B suns

โคโค๏ธ:โš›โš›๐Ÿ‘จโ€๐Ÿ‘ฉโ€๐Ÿ‘ง๐Ÿ‘จโ€๐Ÿ‘ฉโ€๐Ÿ‘ง๐Ÿ›ก๐Ÿ›ก๐Ÿ™Š๐Ÿ™Š๐ŸŒป๐ŸŒป๐Ÿ—ฝ๐Ÿ—ฝ๐Ÿ’ป๐Ÿ’ปโœโœ๐ŸŽฅ๐ŸŽฅ๐Ÿฆ๐Ÿฆ๐ŸŒถ๐ŸŒถ๐Ÿซ๐Ÿซ!


Stuff: https://www.techsolvency.com/roycewilliams/mastodon
Keybase: https://keybase.io/royce
GitHub: https://github.com/roycewilliams
LinkedIn: https://www.linkedin.com/in/roycewilliams
Gravatar: https://gravatar.com/tychotithonus
Not "dehashed"!: https://www.techsolvency.com/passwords/dehashing-reversing-decrypting/
Royce Williams
@tychotithonus@infosec.exchange

Standing invitation for any Mastodonians I've interacted with - if you're visiting Anchorage and need any tourist tips, or might enjoy a meetup ... send me a DM! The security-key museum, the Alaskan license-plate museum, and the SPAM museum are colocated. ;)

Royce Williams
@tychotithonus@infosec.exchange
A question for new followers: why the follow?

If you followed me recently ... can you reply here saying why (or liking the reply that matches your reason)?

Royce Williams
@tychotithonus@infosec.exchange
Why my 'likes' may seem fast, yet intermittent:

My Mastodon setup - multi-column, multiple curated lists, slow mode, heavily filtered - is optimized for real-time monitoring for breaking security-relevant info.

But I also see random posts about daily life flowing by at the same rate - so I often 'like' posts within seconds of their creation. From the follow's perspective, it can look like I'm camping on their account. I swear I'm not! 😅

But since a lot of ordinary chatter is automatically filtered, I might not see some posts until after the work day ... or ever. So my pattern of 'likes' must seem strangely distributed. :D

Royce Williams
@tychotithonus@infosec.exchange
Mastodon filter backup howto (API + curl):

If you have a non-trivial amount of effort invested in your Mastodon filters, and want to regularly grab a manual full JSON backup:

First, get your access token:

1. Go to the "Development" area of your individual preferences on your instance.
2. Click on "New application".
3. For "Application name", give your "application" a simple descriptive name (I chose "filter-backup-ro", where "ro" means "read only").
4. For "Application website", a URL to your own website or whatever is fine - anything will do.
5. For "Redirect URI", leave the default "urn:ietf:wg:oauth:2.0:oob", which is for "local tests".
6. Under "Scopes", uncheck all the (few) default checked items, then check 'read:filters'.
7. Hit 'Submit'.
8. Go back into your newly created application and note/copy its 'Access token'.

Then, on the command line:

curl -X GET \
-H "Authorization: Bearer [your-token-here]" \
https://inst.example/api/v2/filters \
> filters-backup.json

Note that some instances may have an API endpoint hostname that's different from the main domain (for example, crank.infosec.exchange).

You can pipe the output to python -m json.tool if you want the JSON to be human-readable.

NOTE: If you change your app's permissions, the access token will be automatically regenerated!

And since the permissions are so nicely granular ... dropping your access token into a script, and adding a little extra to automatically name the file uniquely based on datestamp, makes for a low-risk, quick, convenient backup:
https://gist.github.com/roycewilliams/d6462a23cbee520848a3c7c33c5fe870
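The same backup, carried through as a script, as an added example that is not the linked gist or the original post's command. It does the GET from the curl command with the bearer token in the Authorization header, names the output file by UTC datestamp, refuses to overwrite an existing backup, and writes the JSON pretty-printed (what piping through json.tool gives you). The environment variable names MASTODON_FILTER_TOKEN and MASTODON_API_HOST, the host inst.example, and the sample response served when run with --sample are assumptions made here, not anything from the post or the Mastodon project.

```python
"""Mastodon filter backup via the v2 filters API (added example, not the gist's script).

Assumptions (not from the original post): the token is read from the environment
variable MASTODON_FILTER_TOKEN, the API host from MASTODON_API_HOST, and a
constructed sample response stands in for the server when run with --sample.
"""
import io
import json
import os
import sys
import tempfile
import urllib.request
from datetime import datetime, timezone

API_PATH = "/api/v2/filters"  # endpoint from the curl command in the howto

# Constructed sample of what the endpoint returns (shape of Mastodon v2 filter
# objects; every value here is invented for this example).
SAMPLE_RESPONSE = json.dumps([
    {"id": "101", "title": "advance-fee scams", "context": ["home", "public"],
     "expires_at": None, "filter_action": "hide",
     "keywords": [{"id": "1", "keyword": "419", "whole_word": True}]},
    {"id": "102", "title": "AI hype", "context": ["home"],
     "expires_at": None, "filter_action": "warn",
     "keywords": [{"id": "2", "keyword": "agentic", "whole_word": False}]},
]).encode("utf-8")


def sample_opener(request):
    """Stand-in for urllib.request.urlopen that serves SAMPLE_RESPONSE (offline)."""
    return io.BytesIO(SAMPLE_RESPONSE)


def build_request(api_host, token):
    """Same GET as the curl command: bearer token in the Authorization header."""
    return urllib.request.Request(
        f"https://{api_host}{API_PATH}",
        headers={"Authorization": f"Bearer {token}"},
        method="GET",
    )


def fetch_filters(api_host, token, opener=urllib.request.urlopen):
    """Fetch the filter list; reject anything that is not a JSON array of filters."""
    with opener(build_request(api_host, token)) as resp:
        data = json.loads(resp.read().decode("utf-8"))
    if not isinstance(data, list) or not all(isinstance(f, dict) and "id" in f for f in data):
        raise ValueError("unexpected response: expected a JSON array of filter objects")
    return data


def backup_filename(when=None, prefix="filters-backup"):
    """Unique, sortable name from a UTC timestamp, e.g. filters-backup-20241001T120000Z.json."""
    when = when or datetime.now(timezone.utc)
    return f"{prefix}-{when.strftime('%Y%m%dT%H%M%SZ')}.json"


def write_backup(filters, out_dir=".", when=None):
    """Write human-readable JSON (like piping through json.tool); never overwrite."""
    path = os.path.join(out_dir, backup_filename(when))
    with open(path, "x", encoding="utf-8") as fh:  # "x": fail instead of clobbering
        json.dump(filters, fh, indent=2, sort_keys=True)
        fh.write("\n")
    return path


def demo_roundtrip(out_dir=None):
    """Full flow against the constructed sample: fetch, write, read back."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="filters-backup-demo-")
    filters = fetch_filters("inst.example", "example-token", opener=sample_opener)
    path = write_backup(filters, out_dir)
    with open(path, encoding="utf-8") as fh:
        restored = json.load(fh)
    return os.path.basename(path), restored


def main(argv):
    if "--sample" in argv:
        name, restored = demo_roundtrip()
        print(f"wrote {name} with {len(restored)} filters (sample data)")
        return 0
    token = os.environ.get("MASTODON_FILTER_TOKEN")
    api_host = os.environ.get("MASTODON_API_HOST", "inst.example")  # may differ from the main domain
    if not token:
        print("set MASTODON_FILTER_TOKEN (a read:filters-only token)", file=sys.stderr)
        return 2
    path = write_backup(fetch_filters(api_host, token))
    print(f"wrote {path}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Reading the token from the environment rather than pasting it into the script keeps it out of shell history and version control, and a read:filters-only token limits what a leaked copy can do, which is the point of the granular scopes. Run with --sample to exercise the flow offline against the constructed data.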

Royce Williams
@tychotithonus@infosec.exchange
Why Mastodon filters are the killer app:

Whoever created the Mastodon filtering feature set that allows a "This post was filtered by these five filters, click here to show the post anyway" approach was a genius.

Any platform that doesn't have this functionality no longer interests me. It has permanently altered my perspective on input triage.

It's not perfect - I have spent a lot of time sampling filtered messages to reduce false positives. And some clients can't handle 6000¹ filter keywords(!).

There's also a very real danger of sticking your head in the sand - constructing your own de-facto social media bubble. So it's important to make a habit of sampling posts on important filtered topics.

And all that work is also at risk - there's currently no in-app Mastodon way to export filters or back them up (without backend database access or API calls).

But even if my filters vanished today, I would immediately start reconstructing them.

Mastodon filters are like TiVo - now that I've experienced the world with them, I'll never go back. And any platform that lacks this feature set is ... broken.

¹As of 2024-10:
Filters: 802; Keywords: 25036


Royce Williams
@tychotithonus@infosec.exchange

"Let us be the repository of your passkeys" and "We may terminate your account at any time and permanently refuse to communicate with you" ... seems like a bad combination?

Royce Williams
@tychotithonus@infosec.exchange

That "Your Windows PC has a secretly useful backup tool" article title kinda buried a pretty important "but it's been deprecated by Microsoft" lede, didn't it.

Royce Williams
@tychotithonus@infosec.exchange

Do US military installations allow people to wear even semi-smart watches (like old-school Fitbits), given the potential abuse of telemetry (not just GPS, but typing)?

Royce Williams
@tychotithonus@infosec.exchange

What is your preferred conditional comment grammar style? (Assume "X" and "Y" may be of less-trivial length)

Royce Williams
@tychotithonus@infosec.exchange

I've never wandered off and then come back 1/2 hour later to download a script update from ChatGPT. Was this already a thing, or did it start recently?

Either way, on other models I'm pretty sure I've come back to do something like this weeks later. (switching back to an older session). Seems ... inconvenient.

#ChatGPT #ChatGPT5

Royce Williams
@tychotithonus@infosec.exchange

I'll be impressed by the TextQuest AI benchmark when they add "A Mind Forever Voyaging" to the test set ... and a model can solve it without the VisiClues clue data.

Royce Williams
@tychotithonus@infosec.exchange

I will absolutely report these as spam, every time.

"But my deliverability numbers will be impacted! Why don't you just unsubscribe?"

Because they are the very definition of unsolicited.

(Bitterness aside, I know that non-profits depend on contributions, and these campaigns work. Maybe a reasonable compromise would be for the initial message to be unsolicited, but one-time and opt-in, instead of forcibly subscribing me to something that will spam me forever, regardless of my interest?)

Royce Williams
@tychotithonus@infosec.exchange

Calls to "relax" about the cryptographic threat of quantum computing seem to set aside one important practical fact: that the real-world duty life of some classes of gear is measured in decades (whether by design, org inertia, cost, etc).

PQC work understands how long it can take for equipment in the field to be rotated out. They're effectively trying to make 2055 less of a security s--t show.

The next-best time to plant a security tree is now.

Edit: see my reply here for some risk-tradeoff reasoning.
https://infosec.exchange/@tychotithonus/115016017588683054

Royce Williams
@tychotithonus@infosec.exchange

Wow, I totally forgot about Orkut, Friendster, and Tribe.

What a fascinating transitional era in social media.

Royce Williams
@tychotithonus@infosec.exchange

(This last sentence is brilliant, by the way. Bissell knows he's working in a permanent medium, predicting that any randomly-selected future point in time applies. It's pure genius.)