Tech Solvency / Royce Williams / Twitter

Hello, Twitter!

Cheesy Gravatar headshot

I'm Royce Williams (@TychoTithonus).

This is my Twitter-specific landing page. For general information about me, start here.

My interests

I tweet in two streams:

Everything that I tweet or retweet from both accounts should usually be SFW, other than the occasional expletive (usually in retweets).

All opinions expressed and activities are my own, and not of any other org/company/club that I am or have previously been associated with.

You can review my recent Twitter analytics at SocialBearing.

My blocking policies

Recommendations and tips

Selected tweets

Am I worth following? Here are some of my non-retweet tweets - that I and/or others found interesting. ;)

In the spirit of "We are a way for the cosmos to know itself" (Sagan): infosec is a way for IT to know itself.

July 31, 2015

Windows 10 caught in an upgrade failure loop? SetupDiag parses the upgrade logs and will interpret the diagnostic codes for you. Many hangs are related to problems with specific devices - disabling them during the upgrade can get you past the problem.

October 21, 2018

My #BSidesLV talk "Password Cracking 201: Beyond the Basics" - video:; slides and errata:

August 2, 2017

Never underestimate the power and convenience of having an old laptop, with modern Linux on it ... stashed offline at your parents' house.

July 28, 2018

Even a weak hash will protect a strong password.

November 21, 2018

There's a special place in hell for software projects who publish changelogs without dates.

October 26, 2018

If your website logs digital interactions with your support team (emails, webforms, chat):

It's common for users to *volunteer* their passwords for troubleshooting (trying to be helpful!).

Those logs now contain your users' passwords.

June 10, 2018

Relatively new ice cream shop in #ANC called @WildScoops.

Their loyalty card says: "Double stamps when the temperature is below 32°, or it's actively snowing" and "It's never too cold for ICE CREAM"

They *get* me.

December 12, 2017

Note that "desensitiz[ing] and indoctrinat[ing] ... through memes" is also deeply common on both YouTube and Facebook - & because of algorithmic bubbles, it is invisible & underestimated)

With each hit of dopamine ... your friends, family, and co-workers are being weaponized.

October 9, 2018

Nobody's going to crack my new password. It's actually a nice, long passphrase - "penguins are skating slowly while ordering raspberry donuts" - but then I just take the first letter of each word, so it looks totally random. #winning

February 26, 2018

To make amends for treating @cperciva badly after discovering a serious CPU architecture bug (, Intel should retroactively reward @cperciva (or his designee; @FreeBSDFndation?) the same bounty that a vulnerability of equivalent severity will now receive.

February 15, 2018

A thorough summary of considerations when a web application is managing passwords. /ht @solardiz

August 17, 2018

"An organization performs pentests because they’re mandated, but an organization performs a red team assessment to learn about themselves" - nailed it.

September 3, 2018

Dear companies making appliances with true NTP under the hood, but a web UI only allowing 1 or 2 NTP servers:

You're *breaking* the NTP algorithms. Please allow a high # of servers - 10+. Just a single long field separated w/spaces would make big difference.

Time's a-wastin'!

March 2, 2018

Vernor-Vinge-plot-grade theory:

Resurgence of flat earthers in the US is the byproduct of a demo / trial run of an influence ops framework. Vulnerable population id'd and exploited; YouTube as primary delivery vehicle.

Scariest part: we only see the edges of it spilling over.

March 11, 2018

Among many changes and fixes in the upcoming #hashcat 4.1.0 is the addition of some new algorithms!

All benchmarks are on a box with 6x stock 1080s, no overclock. (Just a preview - there may be changes before release!) 1/2

January 31, 2018

One of the compelling reasons to drop 'trivial' subdomains in Chrome is to make the base domain more obvious on smaller screens?

Maybe it would be useful to make this behavior dynamic, based on screen real estate (instead of the default across all screen sizes and platforms)?

September 28, 2018

Ads are a vector for malware and fraud. But Google is A) slowly reducing the visual difference between search results and ads, and B) forcing real search results below the fold.

Users trust Google results. But that trust - and user safety - is being exchanged for revenue.

January 9, 2018

"If an entity which does not control a domain can issue a certificate, our view is that is misissuance […] the party who has that private key must have demonstrated control during the lifetime of that certificate. ~@sleevi_ 👍👍👍

February 10, 2018

Any book endorsed by Ken Thompson is destined for greatness.

April 1, 2018

Thanks to @reporturi, I just discovered that a Javascript slideshow widget that I use ( was loading remote images. Not anymore! Thanks, @Scott_Helme !

October 25, 2018

In 2010, it was reported that student James M. Hall found this, the first public DES crypt collision:


(Any idea where James M. Hall is now? He should post his code to GitHub!)

November 24, 2018

There's something uniquely and remarkably tone-deaf about the use of "Sincerely" and "Thanks" in canned email signatures.

Sincerity and gratitude cannot be automated.

June 8, 2018

CMIYC - the password-cracking version of the Olympics - is back at DEF CON:

* 48 hours, mostly Aug 10-11
* Open entry - no tiers
* Points-based
* Better with teams
* At least one member has to be in attendance

April 11, 2018

A good overview of WebAuthn, U2F operability, and good broad observations about the gotchas and benefits of pushing authentication forward. Great talk, @bradgirardeau !

August 8, 2018

ME: Maybe ping your in-house legal counsel about whether GDPR applies to this data?
CLIENT (w/European customers): Not necessary, we're US-based.
ME: ...
ME: Then why even have legal counsel?
CLIENT: I know this. Not gonna bug him. If EU cares, they can sue us.
ME: ¯\_(ツ)_/¯

March 1, 2018

Have had same device in my Amazon cart "save for later" area for 5 years. It was obsoleted by a new model last month. Upgraded.

November 11, 2017

Whenever I look at the followers of an obvious bot, the "1 Follower you know" is always @AsteroidDay.

November 19, 2018

Beware conventional/cargo-cult wisdom.

(Yes, this is an infosec metaphor)

March 2, 2018

Conf organizers: I'm seriously tempted to boycott any conf that has more than one "keynote" speech. A true keynote provides a single point of thematic unity and interest.

If there are 8 "keynotes", your conference either has an identity problem, a speaker ego problem - or both.

May 10, 2018

A *fantastic* crash course on the concepts, vocabulary, motives, and leverage points of dealing with credit reporting agencies. [@patio11]

September 10, 2017

For people who want to use the Pwned Password corpus in "top X") manner, here are the top 20,000 (35 not yet cracked, will update as I go). I do not recommend the list (as blacklist) beyond the top 20,000. Data also has obvious artifacts; use with caution:

February 22, 2018

Perhaps the highest concentration of security wisdom ever assembled in a single tweet.

August 22, 2018

There is a special place in hell reserved for companies who force senior citizens to A) move to paper-only statements and B) give every statement the filename "Statement.pdf".

December 31, 2017

Not enough. To rescue Android security fragmentation, OEMs & carriers should only be allowed to keep branding / bloatware while they provide patches. If patches stop, Google releases a clean replacement ROM - and OEM/carrier loses control of handset.

Never happen, of course.

May 12, 2018

Hey, $‍website - if I've gone to the trouble of enabling your 12 Javascript dependencies, do something useful with that Javascript: switch focus to *the only field that requires input on the page* (password, 2FA code, yes/no/OK/cancel button ...)

March 19, 2018

Another same-quad public recursive DNS - this one from @Cloudflare. (And since is used in documentation & dummy/example configs, it should get some interesting traffic indeed!)

And if you've ever wondered who owns all the other same-quad IPs:

March 29, 2018

Yes! But at this writing, Chrome 69 does not support 'require-sri-for' unless you enable chrome://flags/#enable-experimental-web-platform-features (you'll see "The Content-Security-Policy directive 'require-sri-for' is implemented behind a flag which is currently disabled.")

September 15, 2018

"When you watch an advertisement, you are being attacked by a psyop with a goal to change how you are thinking and suborn your otherwise rational decisionmaking process." -@munin

February 21, 2018

TFW you use both the meeting app's mute button *and* your phone's mute button, to doubly ensure any indelicate things said under your breath go unheard ...

... thereby making your un-mute process so complex that the other attendees think you're asleep at the wheel

May 4, 2018

See more general information about me.

Back to Tech Solvency.