
atoponce

@atoponce@fosstodon.org

MSCSIA, cryptography, security, locksport, Linux, programming, mathematics, amateur radio, Buddhism, running, anime, and bibliophilia.


atoponce, to random

I just learned that WireGuard will automatically and correctly clamp any private 32-byte key.

For example:

$ openssl rand -base64 32
tx6Kwv9L17ARq8WOd0M3sjm8gKU8bmdoSeBoGTzyEyY=

Even though the first and last bytes are not properly clamped above, when generating the public key, the wg(8) tool will clamp it. Further, when bringing up the interface, WireGuard will also clamp it.

See https://git.zx2c4.com/wireguard-tools/tree/src/genkey.c and https://git.zx2c4.com/wireguard-linux/tree/drivers/net/wireguard/noise.c (search for "curve25519_clamp_secret")
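As an added illustration (not from the post or from the wireguard-tools source), the clamping that wg(8) and the kernel apply, run over the key from the post:

```python
import base64

# Curve25519 scalar clamping as WireGuard applies it (wg genkey and the kernel's
# curve25519_clamp_secret): clear the low 3 bits of byte 0, clear the top bit of
# byte 31, and set bit 6 of byte 31.
def clamp_scalar(key: bytes) -> bytes:
    if len(key) != 32:
        raise ValueError("Curve25519 private keys are exactly 32 bytes")
    k = bytearray(key)
    k[0] &= 248    # multiple of the cofactor 8: no small-subgroup component
    k[31] &= 127   # keep the scalar below 2^255
    k[31] |= 64    # fix bit 254 so the Montgomery ladder runs a fixed length
    return bytes(k)

def is_clamped(key: bytes) -> bool:
    """True if clamping would leave the key unchanged (idempotent check)."""
    return clamp_scalar(key) == key

def clamp_base64(key_b64: str) -> str:
    """Clamp a base64-encoded 32-byte key and re-encode it the way wg prints keys."""
    return base64.b64encode(clamp_scalar(base64.b64decode(key_b64))).decode()

# The key from the post above, straight out of `openssl rand -base64 32`.
POST_KEY = "tx6Kwv9L17ARq8WOd0M3sjm8gKU8bmdoSeBoGTzyEyY="

if __name__ == "__main__":
    raw = base64.b64decode(POST_KEY)
    print(f"byte 0 = 0x{raw[0]:02x}, byte 31 = 0x{raw[31]:02x}, clamped: {is_clamped(raw)}")
    print("what wg actually uses:", clamp_base64(POST_KEY))
```

Only bytes 0 and 31 differ after clamping; the middle 30 bytes pass through untouched.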

atoponce, to random

I'll take this further. When was the last time you actually burned a CD or DVD?

https://infosec.exchange/@barsteward/110310436841721673

barsteward, to random

When was the last time you actually used a floppy disk?

atoponce,

@barsteward 2001. I had a Java development class in university where the professor was adamant about turning homework in on floppy disks.

Even in 2001, my laptop did not have a floppy drive. I tried countering with a USB drive or a ZIP file emailed, but he would have none of it. Floppy, or 1/3 of the points deducted.

atoponce, to linux

Be offended all you want, but it's true.

atoponce, to random

I always get a kick out of off-brands in . It's always something I'm looking for.

Here we have a "Macrosoft Winding XO" laptop with a 128-bit DES encrypted password.

Sounds about right.

atoponce, to internet

Terms of Service gives Jack a 'perpetual' & 'irrevocable' license to all your content.

https://threadreaderapp.com/thread/1651686218319425570.html

atoponce, to random

It's kind of hilarious to me how toxic the word "telemetry" has become. Don't get me wrong, the ad tracking industry has ruined it for everyone. However

Firefox users: Disable telemetry! It's an enemy to your privacy!
Mozilla: We removed a feature no one was using due to a lack of telemetry data.
Firefox users: I use it all the time! Why are you bad at this!

1Password users: I trust AgileBits to safely handle my data.
AgileBits: We added telemetry.
1Password users: Why do you hate my privacy?!

atoponce, to linux

Debian 12 "Bookworm" is scheduled to release the day after my birthday.

https://lists.debian.org/debian-devel-announce/2023/04/msg00007.html

atoponce, to random
craigmaloney, to random

I really, really, really wish that Ubuntu / Debian could collate all of the "needs attention" changes between local modified files and maintainer files so things don't grind to a halt at odd intervals.

(Note: Not the opportunity to tell me anecdotes or how other distros do it different / better. Just a rant. Nothing more.)

atoponce,

@craigmaloney Do you have an example?

atoponce, to random

PSA: KeePass and KeePassXC are different software applications. Please don't refer to KeePassXC as "KeePass".

atoponce, to infosec

Unpopular opinion: don't pre-hash bcrypt. It complicates your code and exposes you to foot-guns. Just limit your input to 72 bytes.

https://www.reddit.com/r/cryptography/comments/12zfqua/i_read_that_bcrypt_is_a_slow_enough_hashing/jhs2c0l/

atoponce,

@davep Even if you're migrating algorithms, you can do that without pre-hashing. Just update it on next login:

  1. User supplies password.
  2. Service verifies SHA-256 hash.
  3. Service hashes user password with bcrypt.
  4. Service replaces SHA-256 hash with bcrypt hash.
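
An added sketch of that login-time upgrade (not from the thread), using hashlib.pbkdf2_hmac as a stand-in for bcrypt because bcrypt is not in Python's standard library; the 72-byte cap mirrors the post's advice of limiting input rather than pre-hashing:

```python
import base64
import hashlib
import hmac
import os

MAX_PASSWORD_BYTES = 72   # bcrypt's input limit, enforced up front instead of pre-hashing
PBKDF2_ITERATIONS = 200_000  # stand-in work factor; tune to your hardware

def legacy_sha256(password: bytes) -> str:
    """Unsalted SHA-256 hex digest: the legacy scheme being migrated away from."""
    return hashlib.sha256(password).hexdigest()

def slow_hash(password: bytes, salt: bytes = None) -> str:
    """Salted slow hash (PBKDF2 standing in for bcrypt), stored as pbkdf2$salt$digest."""
    if len(password) > MAX_PASSWORD_BYTES:
        raise ValueError(f"password longer than {MAX_PASSWORD_BYTES} bytes")
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    return "pbkdf2$" + base64.b64encode(salt).decode() + "$" + base64.b64encode(digest).decode()

def verify_slow(password: bytes, stored: str) -> bool:
    _, salt_b64, _ = stored.split("$")
    return hmac.compare_digest(slow_hash(password, base64.b64decode(salt_b64)), stored)

def login(record: dict, password: str) -> bool:
    """Steps 1-4 of the reply: verify, and on success replace the legacy hash in place."""
    pw = password.encode()
    if len(pw) > MAX_PASSWORD_BYTES:
        return False
    stored = record["hash"]
    if stored.startswith("pbkdf2$"):          # already migrated
        return verify_slow(pw, stored)
    # Step 2: legacy record, verify the SHA-256 hash in constant time.
    if not hmac.compare_digest(legacy_sha256(pw), stored):
        return False
    # Steps 3-4: we hold the plaintext only now, so compute the slow hash and swap it in.
    record["hash"] = slow_hash(pw)
    return True

# Constructed legacy record for a user whose password is "correct horse".
USER = {"name": "alice", "hash": legacy_sha256(b"correct horse")}

if __name__ == "__main__":
    print("before:", USER["hash"])
    print("login ok:", login(USER, "correct horse"))
    print("after: ", USER["hash"])
```

A wrong password never triggers the upgrade, so the legacy hash is only replaced once the plaintext has been verified against it.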

GossiTheDog, to random

deleted_by_author

atoponce,

@GossiTheDog Do they run Arch BTW? 🙃

atoponce, to random

If your phone has a Qualcomm chipset, it might be spying on you. Unfortunately, this is happening at the firmware level, beneath iOS and Android.

https://www.nitrokey.com/news/2023/smartphones-popular-qualcomm-chip-secretly-share-private-information-us-chip-maker

atoponce,

@cryptgoat Yeah. It reads like an advertisement for Nitrophone. For the time being, I'm willing to give them the benefit of the doubt, but I'm also holding the article at arm's length. I'm curious to see if the domain shows up in my DNS logs.

atoponce,

@cryptgoat GrapheneOS has an opinion about the article. TL;DR, it's sensationalized to sell Nitrophones.

https://old.reddit.com/r/privacy/comments/12yii9u/german_security_company_nitrokey_proves_that/jhojlr7/

atoponce,

@HistoPol I don't know offhand. If you find something, let me know. I'm curious also.

atoponce, to random

For those still on Twitter, you can write 2 simple uBlock Origin config lines to hide all Twitter Blue accounts from your timeline, including promoted ads.

https://twitter.com/netrunnernobody/status/1649863487651303424

neil, to random

Has anyone asked 1Password how it intends to comply with EU/UK law, forbidding it from accessing information (anonymised or not) stored on a user's device, for a purpose which is not strictly necessary for the provision of the service, without the user's consent? (Art 5(3) https://www.legislation.gov.uk/eudr/2002/58/article/5)

Is 1Password claiming that this is "strictly necessary", such that it doesn't need consent?

"We're Changing How We Discover and Prioritize Improvements | 1Password"
https://blog.1password.com/privacy-preserving-app-telemetry/

atoponce,

@neil @jamesgecko The first time I encountered it, it seemed clear to me that it was only tracking which packages were installed and the CPU architecture they were installed on.

I never questioned keystrokes, network packets, or other telemetry as they weren't explicitly reporting at the mentioned URL.

At that time, knowing what I already knew of their established history as a trustworthy and transparent distribution, I never felt deceived about the dialog.

craigmaloney, to random

Did the Twitter API get shut off or is nitter having issues?

(actual answers preferred. I can speculate with the best of 'em)

atoponce,

@craigmaloney

I don't know when the effective shut-off date is, but a couple tools of mine stopped working a week or so ago. https://emojitracker.com stopped working almost immediately when it was announced. So I'm guessing it's kind of been a slow sunset rollout? Not sure.

But for enterprises, they are charging as much as $42,000 per month, as well as charging per user.

https://thenewstack.io/twitter-apis-are-going-very-wrong/

atoponce, to random

Got me in the first half. Not gonna lie.

atoponce, to random

How it started: How it's going:
