I'm Royce Williams (@TychoTithonus).
This is my Twitter-specific landing page. For general information about me, start here.
I tweet in two streams:
Everything that I tweet or retweet from both accounts should usually be SFW, other than the occasional expletive (usually in retweets).
All opinions expressed and activities are my own, and not of any other org/company/club that I am or have previously been associated with.
You can review my recent Twitter analytics at SocialBearing.
Am I worth following? Here are some of my non-retweet tweets - that I and/or others found interesting. ;)
In the spirit of "We are a way for the cosmos to know itself" (Sagan): infosec is a way for IT to know itself.– July 31, 2015
Windows 10 caught in an upgrade failure loop? SetupDiag parses the upgrade logs and will interpret the diagnostic codes for you. Many hangs are related to problems with specific devices - disabling them during the upgrade can get you past the problem. https://docs.microsoft.com/en-us/windows/deployment/upgrade/setupdiag– October 21, 2018
My #BSidesLV talk "Password Cracking 201: Beyond the Basics" - video: https://www.youtube.com/watch?v=-uiMQGICeQY&t=20260; slides and errata: https://www.techsolvency.com/talks/– August 2, 2017
Never underestimate the power and convenience of having an old laptop, with modern Linux on it ... stashed offline at your parents' house.– July 28, 2018
Even a weak hash will protect a strong password.– November 21, 2018
There's a special place in hell for software projects who publish changelogs without dates.– October 26, 2018
If your website logs digital interactions with your support team (emails, webforms, chat):– June 10, 2018
It's common for users to *volunteer* their passwords for troubleshooting (trying to be helpful!).
Those logs now contain your users' passwords.
Relatively new ice cream shop in #ANC called @WildScoops.– December 12, 2017
Their loyalty card says: "Double stamps when the temperature is below 32°, or it's actively snowing" and "It's never too cold for ICE CREAM"
They *get* me.
Note that "desensitiz[ing] and indoctrinat[ing] ... through memes" is also deeply common on both YouTube and Facebook - & because of algorithmic bubbles, it is invisible & underestimated)– October 9, 2018
With each hit of dopamine ... your friends, family, and co-workers are being weaponized. https://twitter.com/aprilaser/status/1049658138247516161
Nobody's going to crack my new password. It's actually a nice, long passphrase - "penguins are skating slowly while ordering raspberry donuts" - but then I just take the first letter of each word, so it looks totally random. #winning– February 26, 2018
To make amends for treating @cperciva badly after discovering a serious CPU architecture bug (http://www.daemonology.net/hyperthreading-considered-harmful/), Intel should retroactively reward @cperciva (or his designee; @FreeBSDFndation?) the same bounty that a vulnerability of equivalent severity will now receive. https://twitter.com/cperciva/status/963931969292664832– February 15, 2018
A thorough summary of considerations when a web application is managing passwords. /ht @solardiz https://twitter.com/harwoeck/status/1029639087882493952– August 17, 2018
"An organization performs pentests because they’re mandated, but an organization performs a red team assessment to learn about themselves" - nailed it. https://twitter.com/malcomvetter/status/1036530885972119553– September 3, 2018
Dear companies making appliances with true NTP under the hood, but a web UI only allowing 1 or 2 NTP servers:– March 2, 2018
You're *breaking* the NTP algorithms. Please allow a high # of servers - 10+. Just a single long field separated w/spaces would make big difference.
Vernor-Vinge-plot-grade theory:– March 11, 2018
Resurgence of flat earthers in the US is the byproduct of a demo / trial run of an influence ops framework. Vulnerable population id'd and exploited; YouTube as primary delivery vehicle.
Scariest part: we only see the edges of it spilling over.
Among many changes and fixes in the upcoming #hashcat 4.1.0 is the addition of some new algorithms!– January 31, 2018
All benchmarks are on a box with 6x stock 1080s, no overclock. (Just a preview - there may be changes before release!) 1/2 pic.twitter.com/WqjCz97gWI
One of the compelling reasons to drop 'trivial' subdomains in Chrome is to make the base domain more obvious on smaller screens?– September 28, 2018
Maybe it would be useful to make this behavior dynamic, based on screen real estate (instead of the default across all screen sizes and platforms)?
Ads are a vector for malware and fraud. But Google is A) slowly reducing the visual difference between search results and ads, and B) forcing real search results below the fold.– January 9, 2018
Users trust Google results. But that trust - and user safety - is being exchanged for revenue. https://twitter.com/lucasng/status/844067629602021377
"If an entity which does not control a domain can issue a certificate, our view is that is misissuance […] the party who has that private key must have demonstrated control during the lifetime of that certificate. ~@sleevi_ 👍👍👍 https://twitter.com/konklone/status/961811000834969600– February 10, 2018
Any book endorsed by Ken Thompson is destined for greatness. https://twitter.com/mwlauthor/status/980299889061003266– April 1, 2018
In 2010, it was reported that student James M. Hall found this, the first public DES crypt collision:– November 24, 2018
(Any idea where James M. Hall is now? He should post his code to GitHub!) https://slashdot.org/submission/1381082/Traditional-DES-collisionhttps://security.stackexchange.com/questions/5204/can-des-based-hashed-password-be-recovered-if-salt-is-known/5207#5207
There's something uniquely and remarkably tone-deaf about the use of "Sincerely" and "Thanks" in canned email signatures.– June 8, 2018
Sincerity and gratitude cannot be automated.
CMIYC - the password-cracking version of the Olympics - is back at DEF CON:– April 11, 2018
* 48 hours, mostly Aug 10-11
* Open entry - no tiers
* Better with teams
* At least one member has to be in attendance
A good overview of WebAuthn, U2F operability, and good broad observations about the gotchas and benefits of pushing authentication forward. Great talk, @bradgirardeau ! https://twitter.com/PwdRsch/status/1027313950478618624– August 8, 2018
ME: Maybe ping your in-house legal counsel about whether GDPR applies to this data?– March 1, 2018
CLIENT (w/European customers): Not necessary, we're US-based.
ME: Then why even have legal counsel?
CLIENT: I know this. Not gonna bug him. If EU cares, they can sue us.
Have had same device in my Amazon cart "save for later" area for 5 years. It was obsoleted by a new model last month. Upgraded.– November 11, 2017
Whenever I look at the followers of an obvious bot, the "1 Follower you know" is always @AsteroidDay.– November 19, 2018
Beware conventional/cargo-cult wisdom. https://www.nytimes.com/2015/08/25/upshot/no-you-do-not-have-to-drink-8-glasses-of-water-a-day.html– March 2, 2018
(Yes, this is an infosec metaphor) pic.twitter.com/9JEsn8upBY
Conf organizers: I'm seriously tempted to boycott any conf that has more than one "keynote" speech. A true keynote provides a single point of thematic unity and interest.– May 10, 2018
If there are 8 "keynotes", your conference either has an identity problem, a speaker ego problem - or both.
A *fantastic* crash course on the concepts, vocabulary, motives, and leverage points of dealing with credit reporting agencies. https://www.kalzumeus.com/2017/09/09/identity-theft-credit-reports/ [@patio11]– September 10, 2017
For people who want to use the Pwned Password corpus in "top X") manner, here are the top 20,000 (35 not yet cracked, will update as I go). I do not recommend the list (as blacklist) beyond the top 20,000. Data also has obvious artifacts; use with caution: https://gist.github.com/roycewilliams/281ce539915a947a23db17137d91aeb7– February 22, 2018
Perhaps the highest concentration of security wisdom ever assembled in a single tweet. https://twitter.com/thegrugq/status/1032328600047869952– August 22, 2018
There is a special place in hell reserved for companies who force senior citizens to A) move to paper-only statements and B) give every statement the filename "Statement.pdf".– December 31, 2017
Not enough. To rescue Android security fragmentation, OEMs & carriers should only be allowed to keep branding / bloatware while they provide patches. If patches stop, Google releases a clean replacement ROM - and OEM/carrier loses control of handset.– May 12, 2018
Never happen, of course. https://twitter.com/DaveKSecure/status/995122341276401664
Another same-quad public recursive DNS - this one from @Cloudflare. (And since 220.127.116.11 is used in documentation & dummy/example configs, it should get some interesting traffic indeed!)– March 29, 2018
And if you've ever wondered who owns all the other same-quad IPs:https://gist.github.com/roycewilliams/6cb91ed94b88730321ca3076006229f1 https://t.co/qcLqDikZOH
Yes! But at this writing, Chrome 69 does not support 'require-sri-for' unless you enable chrome://flags/#enable-experimental-web-platform-features (you'll see "The Content-Security-Policy directive 'require-sri-for' is implemented behind a flag which is currently disabled.") https://twitter.com/Scott_Helme/status/1040830165251588103– September 15, 2018
"When you watch an advertisement, you are being attacked by a psyop with a goal to change how you are thinking and suborn your otherwise rational decisionmaking process." -@munin– February 21, 2018
TFW you use both the meeting app's mute button *and* your phone's mute button, to doubly ensure any indelicate things said under your breath go unheard ...– May 4, 2018
... thereby making your un-mute process so complex that the other attendees think you're asleep at the wheel
See more general information about me.
Back to Tech Solvency.