Royce Williams
@tychotithonus.infosec.exchange.ap.brid.gy
53 followers 12 following 920 posts
Just doing my undue diligence. ISP vet, password cracker (Team Hashcat), security demi-boffin, YubiKey stan, public-interest technologist, AK license plate […] 🌉 bridged from ⁂ https://infosec.exchange/@tychotithonus, follow @ap.brid.gy to interact
tychotithonus.infosec.exchange.ap.brid.gy
It's 2025 and Gmail still doesn't let you filter based on contents of SMTP headers?
tychotithonus.infosec.exchange.ap.brid.gy
Something has managed to make my onboard passkey on my Pixel phone unrecognized (the "try another way" infinite loop). NFC to YubiKey also fails. Only thing that works is if I connect the YubiKey to the USB port on the phone.

And the workflow within your Google account to do things like look at […]
Original post on infosec.exchange
Reposted by Royce Williams
jik.federate.social.ap.brid.gy
When you log into #bluesky, it emails a security code you need to enter.
Here's a recent code I was sent: FPTQS-MPJJG
This is dumb.
6-digit codes are the gold standard for two critical reasons: (1) the range of a million possible codes is more than enough for adequate security; (2) most people […]
Original post on federate.social
tychotithonus.infosec.exchange.ap.brid.gy
@jik Absolutely agree. "More characters must be more secure", without thinking about the actual threat models -- or the UX -- is all too common.
tychotithonus.infosec.exchange.ap.brid.gy
@jameshubbard I'm sure there's a spectrum, but since it also seems like basic minification and deliberate obfuscation have sufficiently different goals that you could probably be pretty accurate at distinguishing between the two. Especially when there are specific popular obfuscation tools and […]
Original post on infosec.exchange
tychotithonus.infosec.exchange.ap.brid.gy
Are there seriously no browser extensions that detect common JavaScript obfuscation, and block execution (pending approval, etc.)?
Reposted by Royce Williams
glyph.mastodon.social.ap.brid.gy
the biggest problem we *already have* in open source right now, which we have oversimplified into the term "supply chain security", is the lack of understanding that putting a dependency in your project's dependency set (package.json, pyproject.toml, requirements.txt, cargo.toml, etc) is not […]
Original post on mastodon.social
tychotithonus.infosec.exchange.ap.brid.gy
Framework laptop feature request: Kensington lock slot.
Reposted by Royce Williams
edent.mastodon.social.ap.brid.gy
🆕 blog! “How to *actually* test your readme”

If you've spent any time using Linux, you'll be used to installing software like this:

The README says to download from this link. Huh, I'm not sure how to unarchive .tar.xz files - guess I'll search for that. Right, it says run setup.sh hmm, that […]
Original post on mastodon.social
tychotithonus.infosec.exchange.ap.brid.gy
I miss Gordon Mah Ung. Always looked forward to his columns.
tychotithonus.infosec.exchange.ap.brid.gy
If you and your teen both have security keys enabled for your Google accounts, and you have Advanced Protection enabled, and you also have security keys enabled for your Apple account, and you are helping your teen migrate apps and data from an Android phone to an Apple phone for the first time […]
Original post on infosec.exchange
tychotithonus.infosec.exchange.ap.brid.gy
TUR (the Termux User Repository) now has hashcat 7.1.2!

#hashcat
Reposted by Royce Williams
mattblaze.federate.social.ap.brid.gy
We went from "we will deport the worst of the worst" to "we will deport anyone here illegally" to "we will round up anyone who looks wrong" to "people who live in cities are the enemy" essentially overnight.
tychotithonus.infosec.exchange.ap.brid.gy
Windows "Files On Demand" feature, _applied to files in the base OS_, can die in a fire.

Its entire purpose is to make the system as cloud-dependent as feasible. It is unconscionable.

Ooh, I am _steamed_.
tychotithonus.infosec.exchange.ap.brid.gy
Very sad to learn that I can't just plug my Logitech QuickCam 3000 into my work laptop and use it with Teams.
tychotithonus.infosec.exchange.ap.brid.gy
@johntimaeus That is legit impressive -- and a deep callback.
tychotithonus.infosec.exchange.ap.brid.gy
Hashtags have become grass-roots, decentralized AOL keywords and I think that's great.
tychotithonus.infosec.exchange.ap.brid.gy
SlackBuilds and Homebrew now have hashcat 7.1.2!

#hashcat
tychotithonus.infosec.exchange.ap.brid.gy
So ... it looks like Gmail's "Send mail as" feature:

https://support.google.com/mail/answer/22370?hl=en

... started breaking towards AOL/Yahoo in the past few weeks, due to increased authentication enforcement (DKIM/SPF etc.). Specifically, they are requiring alignment between the "MAIL FROM" […]
Original post on infosec.exchange
tychotithonus.infosec.exchange.ap.brid.gy
TIL Google's Advanced Protection that extends to mobile A) forces call screening (which I'm OK with) ... but B) doesn't let the user opt into _stronger enforcement_ than the one required?!
Screenshot from Google phone settings, where the automatic screening of calls is on but grayed out so it cannot be changed, with three options: maximum protection, medium protection, and basic protection. The medium protection is selected. There is no way to change it.
tychotithonus.infosec.exchange.ap.brid.gy
Today's unreasonable curmudgeonly irritation, magnified by the associated earworm:

The way Sabrina Carpenter pronounces "singer" to rhyme with "finger" in Espresso
tychotithonus.infosec.exchange.ap.brid.gy
TIL (indirectly, it's not me) that if you take tamsulosin / Flomax long enough, your swelling prostate can start to grow directly into the bladder, making operation options significantly more complex. It seems as though treating the symptom too long masked the urgency of surgery for my […]
Original post on infosec.exchange
tychotithonus.infosec.exchange.ap.brid.gy
Good evening to everyone except Google, who decided to stick an ad directly in the place I've been clicking in the Play Store app for years.

Full-on accidentally clicked on it the first time due to sheer muscle memory, and now have to catch myself just about every time. 😐
Screenshot from Google Play Store settings, where what used to be the first option ("Manage apps and device") has been pushed down the list, to be replaced with a "Join Google Play Games" option.
Reposted by Royce Williams
jtk.infosec.exchange.ap.brid.gy
I had just assumed Steve Bellovin was in the Internet Hall of Fame, but he's not. This seems like something that needs remedying when nominations open up again.
tychotithonus.infosec.exchange.ap.brid.gy
Welp, I guess Shellshock made the KEV?