🅱🅻🆄🅴🅱️

I don't know. Trying not to be the problem.
I swear to resist information pollution.

Furry, IT, veteran (of course) 🦊
Python, data science, GIS

I stand on the shoulders of giants.

🅱🅻🆄🅴🅱️ BlueBee@infosec.exchange
2025-06-13

@xale @eosfpodcast

That's called moving the goal post.

🅱🅻🆄🅴🅱️ BlueBee@infosec.exchange
2025-06-13

@Tealfuleyes

Artists are sometimes the best people to ask. We don't care about power, just about the art.

Well... As much as existence allows us to. Gotta live.

🅱🅻🆄🅴🅱️ BlueBee@infosec.exchange
2025-06-13

@lffontenelle @SrRochardBunson

That seems like it might be reasonable honestly and I'm in the US.

The problem is more of a country torn in two in terms of what it believes in. Unfortunately, I believe one side believes in propaganda, and the other is split between well-meaning idiots and people trying to keep the country from going under from its own stupidity.

It also seems Israel has infiltrated our country through Christianity. (somehow)

🅱🅻🆄🅴🅱️ BlueBee@infosec.exchange
2025-06-13

Apple be like,

Noooo, don't leave us behind!.....
LLMs don't even work!

Copium.

To be clear, the future still terrifies me and I hate how many bad actors language models can enable. I tried to say more, but it's too complicated a subject.

🅱🅻🆄🅴🅱️ BlueBee@infosec.exchange
2025-06-13

@eosfpodcast

Yup, that Google Colab that I just wrote using a simple prompt and a math equation, to help a coworker understand a very difficult concept, which would have probably taken me a whole day to write traditionally, is an illusion.

🅱🅻🆄🅴🅱️ BlueBee@infosec.exchange
2025-06-12

youtu.be/RGQf1CO7hmY

I tend to find this guy (Atrioc) pretty enlightening. It's always dangerous to say you trust someone, but he posts good stuff generally.

Here's hoping I don't wake up one day going, "What nonsense is he saying!?"

Anyways, check him out.

🅱🅻🆄🅴🅱️ BlueBee@infosec.exchange
2025-06-12

@alice @alttexthalloffame

I think it's fun.

🅱🅻🆄🅴🅱️ BlueBee@infosec.exchange
2025-06-11

@wdlindsy

I'm surprised so many people don't know that Christy Walton is not the owner of Walmart.

She just has money from Walmart.

🅱🅻🆄🅴🅱️ BlueBee@infosec.exchange
2025-06-11

@grumpygamer @iveyline

I use VS Code on my Linux work device.

Unless that's not the same as VS in some very meaningful way I'm unaware of.

🅱🅻🆄🅴🅱️ BlueBee@infosec.exchange
2025-06-11

@beka_valentine

Alerts are incredibly broken.

Alerts should be like emails in your device. You should have a spam filter and be able to create rules.

They should not be able to say we are going to send you whatever we feel like or you get nothing at all.

You should be able to set limits on how often it can go off on an OS level.

We need control over how companies try to contact us through our notification systems.

🅱🅻🆄🅴🅱️ BlueBee@infosec.exchange
2025-06-10

@grumpygamer

I'm not using X, or Facebook.

I barely use Amazon. I would like to use less perhaps, but I have limited knowledge of the consumer space and that makes it hard to know where to get things.

I'm very seriously considering switching to Linux, probably on my upcoming PC rebuild, if you take issue with Windows.

I kind of have to use Google. That one would take a while to unwind.

🅱🅻🆄🅴🅱️ BlueBee@infosec.exchange
2025-06-10

@grumpygamer

Strong opinions. If you ever want to voice why, I would be very interested to know.

But no pressure. I understand your time is valuable.

Alternatively, who is good? What organization is doing good work and having a positive impact from your point of view?

🅱🅻🆄🅴🅱️ BlueBee@infosec.exchange
2025-06-10

@grumpygamer

What's your opinion on Google?

I hate Apple and Facebook. Others I side-eye.

🅱🅻🆄🅴🅱️ BlueBee@infosec.exchange
2025-06-10

@grumpygamer

I agree. (That these need to be better. Not necessarily that an LLM would be the solution. Though I think it might be part of the solution in the case of email)

Spell check needs to learn the words I use and email needs to be set on fire most likely.

But really we could probably actually fix email with better access to it on a programmatic level. I just don't want to.

🅱🅻🆄🅴🅱️ BlueBee@infosec.exchange
2025-06-09

@futzle

All computer people go to the farm eventually.

🅱🅻🆄🅴🅱️ BlueBee@infosec.exchange
2025-06-09

youtu.be/3ZTGwcHQfLY

Interesting video on the difficulty of attempting to manufacture anything in the US. The current market reality.

🅱🅻🆄🅴🅱️ BlueBee@infosec.exchange
2025-06-08

@mcc

criminal
Edit: I'm wrong

Okay so it is possible through other steps, but not as an add on. I still don't like it. But that's a bit better.

Okay, a Firefox thing only. Works on Chrome. Double not as bad 😂

🅱🅻🆄🅴🅱️ BlueBee@infosec.exchange
2025-06-08

@skinnylatte

Agreed. Those who preach ignorance and hate should be in fear, not those who just wish to love safely how they want.

🅱🅻🆄🅴🅱️ BlueBee@infosec.exchange
2025-06-08

@kenwhite.bsky.social

Links? I have no idea where I would find this sort of stuff.

🅱🅻🆄🅴🅱️ boosted:
Terence Eden’s Blog blog@shkspr.mobi
2025-06-08

I've locked myself out of my digital life

shkspr.mobi/blog/2022/06/ive-l

Imagine…

Last night, lightning struck our house and burned it down. I escaped wearing only my nightclothes.

In an instant, everything was vaporised. Laptop? Cinders. Phone? Ashes. Home server? A smouldering wreck. Yubikey? A charred chunk of gristle.

This presents something of a problem.

In order to recover my digital life, I need to be able to log in to things. This means I need to know my usernames (easy) and my passwords (hard). All my passwords are stored in a Password Manager. I can remember the password to that. But logging in to the manager also requires a 2FA code. Which is generated by my phone.

The phone which now looks like this:

Oh.

Backups

I'm relatively smart and sensible. I regularly exported my TOTP secrets and saved them in an encrypted file on my cloud storage - ready to be loaded onto a new phone.

But to get into my cloud, I need my password and 2FA. And even if I could convince the cloud provider to bypass that and let me in, the backup is secured with a password which is stored in - you guessed it - my Password Manager.

I am in cyclic dependency hell. To get my passwords, I need my 2FA. To get my 2FA, I need my passwords.

Perhaps I can use my MFA FIDO2 Key?

Oh.

Emergency Contacts

Various services allow a user to designate an "emergency contact". Someone who can access your account in extremis. Who do you trust enough with the keys to your digital life?

I chose my wife.

The wife who lives with me in the same house. And, obviously, has just lost all her worldly possessions in a freak lightning strike.

Oh.

Recovery Codes

Most online services which have Multi-Factor Authentication also provide "recovery codes". They are, in effect, one-time override passwords. A group of random characters which will bypass any security. Each can only be used once, and then is immediately revoked.

I was clever. I hand-wrote the codes on a piece of paper (so they can't be recovered from my printer's memory!) and stored them in a fire-proof safe, secured with a key hidden under the cat's litter-box.

Sadly, the fire-proof safe wasn't lightning-strike safe and is now obliterated. Along with the cat's litter-box. The cat is fine.

I know… I know… I should have kept them in a lock-box in my local bank. The only problem is, virtually no banks offer safe deposit boxes in the UK. The one that does charges £240 per year. A small price to pay, for some, to avoid irreversible loss. But it adds up to a significant ongoing cost.

But, suppose I had stored everything off-site. All I'd need to do is walk up to the bank and show some ID which proved that I was the authorised user of that box.

The ID which has just been sacrificed in tribute to mighty Thor and now looks like a melted waxwork.

Oh.

Friendly Neighbourhood Storage

Perhaps what I should have done is stored all my backup codes and recovery keys on a USB stick and then given them to a friend?

There are a few problems with that.

  1. Every time I sign up to a new service, I would need to add it to the USB stick. How many times can I pop round with a fresh stick before it becomes an imposition?
  2. What if my friend (or their kid) accidentally wipes the drive?
  3. If a freak lightning storm hits both our houses at the same time, I still lose everything.
  4. Even if I did all that, I would have to give the USB stick a strong password to make sure my friend didn't betray me. So I either need to remember that, or I'm stuck in the password-manager-paradox.

Perhaps I could split the USB sticks between multiple friends using Shamir's Secret Sharing? That solves some problems - mostly the accidental losses and remembering a strong password - but creates even more issues. Now I have to do a lot more admin and worry about all my friends conspiring against me!

Phone Home

One of the weakest forms of identity is the humble phone number. Several of my accounts use my mobile number to text me authorisation codes. SMS isn't the most secure way to deliver passwords - it can be intercepted or the SIM can be swapped to one controlled by an attacker. But, if I can get my phone number back, I stand a chance of getting into my email and perhaps some other services.

That's a weakness in my security posture. But one I may need to take advantage of.

The only question is - how do I prove to the staff at my local phone shop that I am the rightful owner of a SIM card which is now little more than soot? Perhaps I can just rock up and say "Don't you know who I am?!?!"

I know, I'll show them my passport!

Oh.

Bootstrapping of trust

I am lucky. I have a nice middle-class life and know lots of professionals - doctors, lawyers, teachers - who I hope would be happy to vouch for me. I could use one of my friends to confirm my identity for a replacement passport. Once I have a passport, I should be able to get a SIM card with my phone number. And, I hope, some online services.

I would, however, need to use a credit or debit card to apply for a replacement passport. But all of my cards are melted to slag - and I can't prove to the bank that I am who I say I am because I don't know my account number, password, or mother's maiden name.

You see, I was "clever" and took some idiot's advice about setting your mother's maiden name to being a random string of characters. Those details are, of course, stored in my inaccessible password manager!

Hopefully one of my friends will be prepared to lend me the £75.50 to get a new passport.

I'll just call up one of my friends. Hmmm… now, where did I store their phone number?

Oh.

Starting over

Again, I'm lucky. I live relatively close to some friends and family. And I'm confident that they'd be gracious enough to pay an emergency cab fare if I started hammering on their door at silly o'clock in the morning.

With their help, I think I could probably call up enough insurance companies to figure out which one covered the property. I would hope the insurance company would have some way of validating with the emergency services that the house is, indeed, a smoking crater. I don't know if that would get me emergency cash, or if I'd have to rely on friends until I get access to my bank account.

I assume my credit card companies can probably be convinced to send out replacement cards. But will they also be willing to change my address - or will the card go to the pile of ashes which was formerly my home?

I don't know whether my insurance policy covers me for access to digital files. Even if it did, I'm not sure how they can force a company like - say - Google to give me access to my account. It isn't like Google went through a KYC (Know Your Customer) process when I signed up.

Code Is Law

This is where we reach the limits of the "Code Is Law" movement.

In the boring analogue world - I am pretty sure that I'd be able to convince a human that I am who I say I am. And, thus, get access to my accounts. I may have to go to court to force a company to give me access back, but it is possible.

But when things are secured by an unassailable algorithm - I am out of luck. No amount of pleading will let me in without the correct credentials. The company which provides my password manager simply doesn't have access to my passwords. There is no-one to convince. Code is law.

Of course, if I can wangle my way past security, an evil-doer could also do so.

So which is the bigger risk:

  • An impersonator who convinces a service provider that they are me?
  • A malicious insider who works for a service provider?
  • Me permanently losing access to all of my identifiers?

I don't know the answer to that. If you have a strong opinion, please let me know in the comment section.

In the meantime, please rest assured that my home is still standing. But, if you can, please donate generously to the DEC's Ukraine Humanitarian Appeal.

#2fa #passwords #security
