Rory
@rorybray.ca
I do stuff. Mostly security, compliance and cryptography stuff. I work for a big three-letter-name company. Not that one, the other one.

Also on Mastodon https://infosec.exchange/@rory

#introvert #security #privacy #cryptography #appsec #civictech
Good point but this is just TZ data, not time sync.
December 7, 2024 at 10:46 PM
Not great, but not the worst case I've seen. Two general things that cause me concern:

- The long history of XML parsing exploits

- The potential for side effects related to forced time-shifts.

Both are reasons to be concerned about MITM attacks or spoofing. It's unnecessarily dumb, IMO.
December 7, 2024 at 10:44 PM
Ah, got it. Both do tend to ruin good things.
December 3, 2024 at 10:44 PM
Wait, I think I missed something. Why am I required to take my place on the ash heap of olds? I mean, I am old, but still ...
December 3, 2024 at 10:42 PM
In what cases is a real-life binding necessary, though? In some cases, like a journalist, I can see it; domain or '.well-known' types of verification can serve that case, as imperfect as they are. Me, I'm mostly a nobody in 'real life' and so I'm mostly concerned about spoofing in my wee circle.
December 3, 2024 at 3:48 PM
I'm a fan (sort of) of the type of identity proofs provided by keyoxide or keybase (anyone still on that?). They aren't RAs either, obviously, but they do bind multiple social IDs together to provide assurance that you are you in the social realm.

Not a fan of some centralised authority/regulator.
December 3, 2024 at 3:35 PM
MoD still uses passwords for stuff? Like it's 2005 or something?
December 2, 2024 at 11:18 PM
That is impressive. I regularly have to declare Slack bankruptcy, I can never get it all.
December 2, 2024 at 11:06 PM
Who cares about NBC? 😄 Seriously, though, domain verification is perfect for that case.
December 1, 2024 at 12:32 AM
There's a fallacy in the notion that you should use gov't ID on social. I don't give a rat's if you are Bob Smith according to your state, only that you're the Bob Smith from other socials and not a bot farm called Bob Smith. Domain verification itself isn't enough, but a keyoxide-like tool could be.
November 29, 2024 at 10:20 PM
Reposted by Rory
Can someone who thinks domain verification is insufficient to prove identity explain why? It’s one thing to police the identity of public personalities but there should continue to be a way for someone to verify an identity that doesn’t require providing ID to Bluesky.
Linked: Second Stage (xkcd.com)
November 29, 2024 at 9:02 PM
Define "real".
November 29, 2024 at 9:50 PM
Ick. Keep the gov't out of it. It doesn't work well globally anyway.
November 29, 2024 at 9:48 PM
Keybase proofs are interesting as are keyoxide proofs. Supporting external proofs like this would be a good start.
November 29, 2024 at 9:47 PM
Yeah, put me in the "no" camp as well.
November 29, 2024 at 9:45 PM