iamkale

@iamkale@infosec.exchange

Full Stack web dev, WebAuthn expert. Creator of SimpleWebAuthn, maintainer of py_webauthn, steward of webauthn.io. Duonaut @ Cisco.

I also like video games and gadgets 👾

My toots are my own.


iamkale, to random

Where tf are all these campaign text messages coming from? I know elections are coming up but when did I consent to receive these?? And is the best way to stop them to really respond STOP to each? Seems that just gives them confirmation that a real person is on the other end.

iamkale, to random

We bought Just Dance 2024 on sale on Switch yesterday and they only use a single joycon in your right hand to gauge your dancing? 🤨

Dance Central with a Kinect for full-body dance tracking were the pinnacle of dancing games and I have to spend the rest of my life knowing we'll never again be graced with such gaming perfection 😭

iamkale, to passkeys

This is the future that stole from us 😤

iamkale, to random

Has anyone gone all in on Verizon's 5G home internet service? The clock's started on my 30-day free trial but I haven't even cracked the box open. I have reservations already and not as much free time to experiment...

The main issue is I've read stories of people like me (who work from home) suffering from intermittent 30-second windows of dropped internet throughout their workdays. I don't have that problem with my current ISP, and I don't know if I want to even bother seeing if I'll have that same issue.

But the price is a bit cheaper and I'm not sacrificing any speed we couldn't live without before (currently paying $60/mo for 500/50, Verizon promises $45/mo for 380/50), and maybe "5G as a path to fiber-like speeds" has come far enough that it's worth it? The theory being it's 380Mbps now, maybe it'll hit 1Gbps at some point?

Anyway I'm hoping someone here can help me understand better what I might be getting myself into if I do try out the service.

#verizon #isp

iamkale, to random

Lawful Neutral, "userID", compared to "userId" a.k.a. "why would I want to store whether the user has instinctual desires?" https://mastodon.social/@nixCraft/111814188367227644

iamkale, (edited) to microsoft

I'm trying to manage my Microsoft Account protections, with an ultimate goal of protecting it with a passkey and maybe dropping my password to make the account truly passwordless. However I'm running into some weird idiosyncrasies on https://account.live.com/proofs/manage/additional that have prevented me from achieving this:

  1. I couldn't actually see the WebAuthn option at all in the latest macOS Safari - I had to switch to macOS Chrome before the "Windows Hello" option appeared that let me then register an iCloud Keychain-synced passkey.
  2. I removed my phone number as a second factor because SIM jacking is a thing. However the next time I tried to log in I was prompted to add my phone number to "never lose access to your Microsoft account"...but I have other BETTER second-factors configured, so why would I want to continue to allow use of weak SMS OTP? At least I could cancel out and continue on without giving them my phone number again...
  3. Attempting to turn on "Passwordless account" forces you down a path that wants you to set up the Microsoft authenticator app. But I already have a synced passkey in the mix, so why are you bothering with app-based push? Push bombing is also an easy way to get past 2FA protections.

Another example of how the left hand doesn't know what the right hand is doing...

iamkale, to node

I can't believe Deno gets you a testing framework AND coverage reports without any additional downloads. 2010's me would have killed for something like this instead of the weird soup that was mocha and sinon no wait now let's use jest oh and don't forget nyc er wait it's istanbul now and...

https://fosstodon.org/

Love to see it 😍

iamkale, to apple

So SCOTUS didn't hear the Epic v Apple case, which means Apple mostly wins except now they can't forbid app developers from mentioning making payments on their website to bypass Apple's IAP mechanisms:

https://arstechnica.com/tech-policy/2024/01/supreme-court-denies-epic-v-apple-petitions-opening-up-ios-payment-options/

But what's stopping Apple from requiring developers to self-report earnings through web payments and then send Apple a cut of that? I'm getting flashbacks here to Apple's decision to require Dutch dating apps, that handle payments through their website thus bypassing Apple's IAP, to send Apple a 27% commission 🙄

https://techcrunch.com/2022/02/04/apple-to-charge-27-fee-for-dutch-dating-apps-using-alternative-payment-options/

iamkale, to random

I bought an iPhone X way back when to play around with ARKit, and to date have created zero apps with it. Can I repeat my success with a Vision Pro? 🤔

iamkale, to python

Attention Python WebAuthn devs: I'm contemplating removing Pydantic as a dependency of py_webauthn due to maintenance burden related to the Pydantic v2 update. For more context, and to chime in with your support or questions, please check out the following GitHub issue:

https://github.com/duo-labs/py_webauthn/issues/196

I've got a PR open too that has all the work completed, I'm just waiting a few days now to see if anyone has compelling reasons now to move forward with this:

https://github.com/duo-labs/py_webauthn/pull/195

Thanks for your feedback 🐍

iamkale, to DoctorWho

Catching up on Doctor Who and boy am I glad I heard how to pronounce "Gloucester" before ever visiting. Because let me tell you, they'd have known I was a foreigner the moment I opened my mouth and asked how to get to "Gl-ow-kester"...

Now I'd fit right in 😂

iamkale, (edited) to passkeys

Wow, Discord just launched support for passkeys for everyone today!

The app calls them "security keys" everywhere, but I had no issues registering and authenticating with an iCloud Keychain synced passkey.

It's only 2FA for now (I still have to provide a username and password) but they announced their intent to take things all the way:

"Now that our backend supports WebAuthn our next aim is WebAuthn-based passwordless login. Stay tuned!"

Love to see it 🎉

https://discord.com/blog/how-discord-modernized-mfa-with-webauthn

#passkeys #discord

iamkale, to mastodon

Boy, as much as I love the idea of using markdown in toots most of the major iOS apps now just straight-up strip it all out.

I give up, back to formatting my toots like I did on Twitter (i.e. not at all) 🫠

iamkale, to passkeys

This "BPoP" (Browser Proof of Possession) proposal out of Microsoft is really interesting! If you've bemoaned the loss of Token Binding then you owe it to yourself to read this explainer they just published:

https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/BindingContext/explainer.md

I think the tl;dr is "bind session tokens to browsers using browser-managed public-key cryptography."

And I'm excited by the idea as a potential solution to the question of, "how do we defend against session token theft after passkeys lock down credential theft as a vector of attack?" 🤔

iamkale, to meta

I ended up on Meta's cookie notice somehow through Threads last night, and instead of blindly clicking "Accept" on the cookies banner I actually took the time to read it and see what I could turn off. Instead I found a page so intentionally hostile to users I couldn't believe it:

  • On mobile you can't zoom the page out to see everything in portrait mode, so the right side of the page is cut off unless you flip the phone to landscape
  • The page lists all 35 cookies that might be set in the course of using one of their sites, and even breaks them up into strictly necessary, analytics, functional, advertising, and social media cookies, which, like, cool but also yikes!
  • You're assured "you are given the option to fully or partially agree to placing cookies and similar technologies on your devices" but there's no actual ability to control any of this from the page...
  • There's a CTA to "read such information carefully and keep yourself up to date by periodically re-visiting the Cookie Notice" which is so laughable, no one's doing that
  • If you have any questions they say to "contact us" and then immediately after is an unclickable "Meta" and nothing else

Wild what they're allowed to get away with

https://engineering.fb.com/privacy/

iamkale, to random

It looks like BitWarden is following suit with 1Password and returning "uv:true" in WebAuthn authentication requests even though the user isn't prompted for anything more than to confirm the use of a passkey. The unlocking of the vault is considered the user-verifying event...

As an end user I appreciate the streamlined experience. But as an RP I'm disappointed - what if vault unlock occurred 5/10/30 minutes prior? Someone could cruise by someone's desk when the vault is unlocked and auth as the vault owner and the RP would be none the wiser 😢

It's a tough middle point that passkey providers have to try and find 🥴
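As an added illustration of the RP side of this (example code, not py_webauthn's and not from the post): this parses the flags byte out of raw WebAuthn authenticator data, pulls out UV together with the backup flags that mark a synced passkey, and applies a require-UV policy. The sample authenticator data, the `build_auth_data` helper and the policy function are constructed for this example; all the RP ever sees is the UV bit, not when the vault was unlocked.

```python
import struct
from dataclasses import dataclass

# Bits of the "flags" byte in WebAuthn authenticator data (authenticator data layout in the spec)
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified: the bit the post is about
FLAG_BE = 0x08  # Backup Eligible (set by synced passkeys such as iCloud Keychain / password managers)
FLAG_BS = 0x10  # Backup State (credential is currently backed up)


@dataclass(frozen=True)
class AuthDataFlags:
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    backup_state: bool
    sign_count: int


def parse_auth_data(auth_data: bytes) -> AuthDataFlags:
    """Extract flags and signature counter from raw authenticator data.
    Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return AuthDataFlags(
        user_present=bool(flags & FLAG_UP),
        user_verified=bool(flags & FLAG_UV),
        backup_eligible=bool(flags & FLAG_BE),
        backup_state=bool(flags & FLAG_BS),
        sign_count=sign_count,
    )


def rp_accepts(flags: AuthDataFlags, require_uv: bool) -> bool:
    """RP-side policy check (hypothetical helper). UP is always required; UV only when
    the RP requested userVerification "required". The RP can only observe the UV bit,
    not when or how the provider verified the user, which is the gap the post describes."""
    if not flags.user_present:
        return False
    return flags.user_verified or not require_uv


def build_auth_data(flags: int, sign_count: int) -> bytes:
    """Constructed sample (hypothetical helper): all-zero rpIdHash + flags + counter."""
    return bytes(32) + bytes([flags]) + struct.pack(">I", sign_count)


# Constructed samples, not captured from any real authenticator.
SYNCED_PASSKEY_UV = build_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
HARDWARE_KEY_NO_UV = build_auth_data(FLAG_UP, 42)
```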

iamkale, to random

One month since launch and it is surprisingly difficult to buy an unlocked iPhone 15 Pro right now. Target and Best Buy will only sell one to you if it's to start/upgrade a line with Verizon/T-Mobile/etc..., B&H isn't selling them, Costco.com doesn't have the color I want, Apple doesn't have in-store the color and storage combo I want and delivery dates are two-three weeks out!

What the heck...

iamkale, to random

The EFF published a pretty optimistic article about passkeys and privacy 🎉

For most purposes, passkeys will represent a significant improvement in security at nearly zero cost to privacy. As described in the previous post, there are still significant growing pains in the passkey ecosystem, but they will likely be resolved in the near future.

https://www.eff.org/deeplinks/2023/10/passkeys-and-privacy

iamkale, to android

I've been so long in Apple land that I listen to the MKBHD podcast and have no idea what the acronym "LTPO" actually stands for. I know it's screen tech because all of the headliner Android devices seem to use it, but that's all. I guess OLED met its match or something? 😅

iamkale, to random

Anyone here going to Authenticate 2023 this week? I'm giving two talks tomorrow - "Demystifying WebAuthn and Passkeys," and "Tips for Painless Passkeys." Feel free to say hi if you see me there!

https://authenticatecon.com/event/authenticate-2023/

iamkale, to random

Testing out some markdown using Mona on iOS:

Header

  • list item
  • list item

bold
italics

const foo = bar

Code block

Random quoted text

iamkale, to python

TIL Python 3.12 introduces a new command line interface for simple querying of SQLite databases 🎉 🐍

python -m sqlite3 [-h] [-v] [filename] [sql]

https://docs.python.org/3.12/library/sqlite3.html#sqlite3-cli

iamkale, to random

It's 2023 and I still can't wrap my head around the fact that I can't freely move my cursor around the terminal, either by keyboard or by mouse, like I can a text editor. I know Ctrl+A to jump to the start of a line, but it's Opt + Arrow keys for anything else.

It's muscle memory at this point, sure, but please, someone, anybody: there's gotta be a better way.

iamkale, to firefox

Huh, you can set up certain sites to open in specific Safari profiles in macOS Sonoma and iOS 17...did Apple bake into Safari a version of Firefox's Multi-Account Containers? 🤯

https://support.apple.com/en-us/HT212544

For comparison, I've been using Firefox's Containers extension to keep Google and Facebook-adjacent URLs in their own respective containers to (ideally) keep as much of that tracking siloed as possible:

https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/

I have no idea how effective it's been but I have to imagine it's better than nothing.

Time to update to Sonoma...
