Tech Solvency / Royce Williams / Twitter


Hello, Twitter!


I was Royce Williams (@TychoTithonus).

But now I am @tychotithonus@infosec.exchange .


Some Mastodon tips:

Stuff I wish Mastodon had:

Good references and info:




The rest below is preserved for now as representative of my microblogging perspectives and policies.


This is my Twitter-specific personal landing page. (See also general information about me and general Twitter tips.)

Blocked or unfollowed?

What I follow

I've reached (as of May 2021) my followee cap (5000), so I'm having to selectively move some people to lists. If/when the cap is removed or the threshold is met, I'll re-follow. :) Apologies in advance - I almost certainly didn't unfollow you because of ideological differences.

What I tweet about

I tweet in two streams:

You can review my recent Twitter analytics at SocialBearing and whotwi.

The emoji

The emoji sequence at the end of my profile is intended to compactly express the following:

(Not necessarily in that order ;) )

DMs

Go for it. But if it's an unsolicited cracking request, be aware that my bar for proving chain of authorization is high. The steady stream of "bro pls help me crack a hash" and "hi" messages with no other context is ignored.

Disclaimers and warnings

Likes and retweets indicate notability / interest / bookmarking, not necessarily approval.

All opinions expressed and activities are my own, and not of any other org/company/club that I am or have previously been associated with.

Everything that I tweet (or retweet) from either account should usually be SFW (other than the occasional expletive, usually in retweets).

If you send me an unsolicited DM and pre-emptively include an unprovenanced hash, you will be ignored - and likely blocked. Professional cracking requires careful provenance and hash handling - and shoving a hash at someone is almost never a sign of legitimate possession.

My blocking policies

Twitter tips

My general Twitter tips are here.

Other places

You can also follow me at:

Selected tweets

Am I worth following? Here are some of my non-retweet tweets - that I and/or others found interesting. ;)

In the spirit of "We are a way for the cosmos to know itself" (Sagan): infosec is a way for IT to know itself.

July 31, 2015

Windows 10 caught in an upgrade failure loop? SetupDiag parses the upgrade logs and will interpret the diagnostic codes for you. Many hangs are related to problems with specific devices - disabling them during the upgrade can get you past the problem. https://docs.microsoft.com/en-us/windows/deployment/upgrade/setupdiag

October 21, 2018

My #BSidesLV talk "Password Cracking 201: Beyond the Basics" - video: https://www.youtube.com/watch?v=-uiMQGICeQY&t=20260; slides and errata: https://www.techsolvency.com/talks/

August 2, 2017

Never underestimate the power and convenience of having an old laptop, with modern Linux on it ... stashed offline at your parents' house.

July 28, 2018

Even a weak hash will protect a strong password.

November 21, 2018

There's a special place in hell for software projects that publish changelogs without dates.

October 26, 2018

If your website logs digital interactions with your support team (emails, webforms, chat):

It's common for users to *volunteer* their passwords for troubleshooting (trying to be helpful!).

Those logs now contain your users' passwords.

June 10, 2018
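As an added example (not from the original page or the author), here is the kind of backstop scrub a team can run over support-chat transcripts before they are written to disk or a ticketing system. The transcript lines are constructed for the example, and the trigger phrases in the regex are an assumption about how users typically volunteer a credential; the real fix is to not persist message bodies verbatim at all, and to treat any session where this fires as a credential exposure that needs a forced reset.

```python
import re
from typing import List, Tuple

# Constructed sample support-chat log (not real customer data): the kind of
# transcript a webform or chat integration writes verbatim to its log store.
SAMPLE_LOG = [
    "2018-06-10T14:02:11Z user=alice msg=Hi, I can't log in. My password is Tr0ub4dor&3 if that helps",
    "2018-06-10T14:02:40Z agent=bob msg=Thanks - please don't share that! Let me check your account.",
    "2018-06-10T14:03:05Z user=alice msg=ok. pw: Tr0ub4dor&3 again, just in case",
    "2018-06-10T14:04:00Z user=carol msg=My order #4521 hasn't shipped yet",
    "2018-06-10T14:05:30Z user=dave msg=Password reset isn't working. old passwd=hunter2, new PIN: 4471",
]

REDACTED = "[REDACTED]"

# Lead words people use when volunteering a secret, a connector ("is", "was",
# "=", ":"), then the secret as one token without whitespace or , ; .
# Assumption: single-token secrets. A multi-word passphrase typed after
# "my passphrase is" only gets its first word redacted, and "password is
# wrong" will redact "wrong"; over-redaction in a support log is cheap,
# under-redaction is a credential leak, so the pattern is tuned loose.
CREDENTIAL_RE = re.compile(
    r"\b(?P<lead>password|passwd|passphrase|pwd|pw|pin|otp)\b\s*"
    r"(?P<sep>is\b|was\b|=|:)\s*"
    r"(?P<secret>[^\s,;]+)",
    re.IGNORECASE,
)


def redact_credentials(line: str) -> Tuple[str, int]:
    """Return (line with volunteered secrets replaced, number of redactions).

    Only the secret token is replaced; the lead word, connector and original
    spacing are preserved so the transcript stays readable for the agent.
    """
    def _sub(m) -> str:
        keep = m.start("secret") - m.start(0)
        return m.group(0)[:keep] + REDACTED

    return CREDENTIAL_RE.subn(_sub, line)


def scan_log(lines: List[str]) -> List[Tuple[int, str, int]]:
    """Redact every line; return (line_number, redacted_line, count) for lines that leaked.

    The returned line numbers are what you would feed to an alert: each one is
    a session where a user pasted a live credential into the support channel.
    """
    leaks = []
    for number, line in enumerate(lines, start=1):
        clean, count = redact_credentials(line)
        if count:
            leaks.append((number, clean, count))
    return leaks


if __name__ == "__main__":
    for number, clean, count in scan_log(SAMPLE_LOG):
        print(f"line {number}: {count} redaction(s): {clean}")
```

Run it over a real transcript export and the hit count is a quick measure of how much of your support log is effectively a plaintext password file. Retention and access controls on that log should be set accordingly, not just the scrub.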

Relatively new ice cream shop in #ANC called @WildScoops.

Their loyalty card says: "Double stamps when the temperature is below 32°, or it's actively snowing" and "It's never too cold for ICE CREAM"

They *get* me.

December 12, 2017

Note that "desensitiz[ing] and indoctrinat[ing] ... through memes" is also deeply common on both YouTube and Facebook - & because of algorithmic bubbles, it is invisible & underestimated.

With each hit of dopamine ... your friends, family, and co-workers are being weaponized. https://twitter.com/aprilaser/status/1049658138247516161

October 9, 2018

Nobody's going to crack my new password. It's actually a nice, long passphrase - "penguins are skating slowly while ordering raspberry donuts" - but then I just take the first letter of each word, so it looks totally random. #winning

February 26, 2018

To make amends for treating @cperciva badly after discovering a serious CPU architecture bug (http://www.daemonology.net/hyperthreading-considered-harmful/), Intel should retroactively reward @cperciva (or his designee; @FreeBSDFndation?) the same bounty that a vulnerability of equivalent severity will now receive. https://twitter.com/cperciva/status/963931969292664832

February 15, 2018

A thorough summary of considerations when a web application is managing passwords. /ht @solardiz https://twitter.com/harwoeck/status/1029639087882493952

August 17, 2018

"An organization performs pentests because they’re mandated, but an organization performs a red team assessment to learn about themselves" - nailed it. https://twitter.com/malcomvetter/status/1036530885972119553

September 3, 2018

Dear companies making appliances with true NTP under the hood, but a web UI only allowing 1 or 2 NTP servers:

You're *breaking* the NTP algorithms. Please allow a high # of servers - 10+. Just a single long field separated w/spaces would make a big difference.

Time's a-wastin'!

March 2, 2018

Vernor-Vinge-plot-grade theory:

Resurgence of flat earthers in the US is the byproduct of a demo / trial run of an influence ops framework. Vulnerable population id'd and exploited; YouTube as primary delivery vehicle.

Scariest part: we only see the edges of it spilling over.

March 11, 2018

Among many changes and fixes in the upcoming #hashcat 4.1.0 is the addition of some new algorithms!

All benchmarks are on a box with 6x stock 1080s, no overclock. (Just a preview - there may be changes before release!) 1/2 pic.twitter.com/WqjCz97gWI

January 31, 2018

One of the compelling reasons to drop 'trivial' subdomains in Chrome is to make the base domain more obvious on smaller screens?

Maybe it would be useful to make this behavior dynamic, based on screen real estate (instead of the default across all screen sizes and platforms)?

September 28, 2018

Ads are a vector for malware and fraud. But Google is A) slowly reducing the visual difference between search results and ads, and B) forcing real search results below the fold.

Users trust Google results. But that trust - and user safety - is being exchanged for revenue. https://twitter.com/lucasng/status/844067629602021377

January 9, 2018

"If an entity which does not control a domain can issue a certificate, our view is that is misissuance […] the party who has that private key must have demonstrated control during the lifetime of that certificate." ~@sleevi_ 👍👍👍 https://twitter.com/konklone/status/961811000834969600

February 10, 2018

Any book endorsed by Ken Thompson is destined for greatness. https://twitter.com/mwlauthor/status/980299889061003266

April 1, 2018

Thanks to @reporturi, I just discovered that a Javascript slideshow widget that I use (https://slideshow.triptracker.net/) was loading remote images. Not anymore! Thanks, @Scott_Helme ! pic.twitter.com/hXGGtVW87h

October 25, 2018

In 2010, it was reported that student James M. Hall found this, the first public DES crypt collision:

hiH9IOyyrrl4k:cqjmide
hiH9IOyyrrl4k:ifpqgio

(Any idea where James M. Hall is now? He should post his code to GitHub!) https://slashdot.org/submission/1381082/Traditional-DES-collision https://security.stackexchange.com/questions/5204/can-des-based-hashed-password-be-recovered-if-salt-is-known/5207#5207

November 24, 2018

There's something uniquely and remarkably tone-deaf about the use of "Sincerely" and "Thanks" in canned email signatures.

Sincerity and gratitude cannot be automated.

June 8, 2018

CMIYC - the password-cracking version of the Olympics - is back at DEF CON:

* 48 hours, mostly Aug 10-11
* Open entry - no tiers
* Points-based
* Better with teams
* At least one member has to be in attendance
https://twitter.com/CrackMeIfYouCan/status/984069333155504128

April 11, 2018

A good overview of WebAuthn, U2F operability, and good broad observations about the gotchas and benefits of pushing authentication forward. Great talk, @bradgirardeau ! https://twitter.com/PwdRsch/status/1027313950478618624

August 8, 2018

ME: Maybe ping your in-house legal counsel about whether GDPR applies to this data?
CLIENT (w/European customers): Not necessary, we're US-based.
ME: ...
ME: Then why even have legal counsel?
CLIENT: I know this. Not gonna bug him. If EU cares, they can sue us.
ME: ¯\_(ツ)_/¯

March 1, 2018

Have had same device in my Amazon cart "save for later" area for 5 years. It was obsoleted by a new model last month. Upgraded.

November 11, 2017

Whenever I look at the followers of an obvious bot, the "1 Follower you know" is always @AsteroidDay.

November 19, 2018

Beware conventional/cargo-cult wisdom. https://www.nytimes.com/2015/08/25/upshot/no-you-do-not-have-to-drink-8-glasses-of-water-a-day.html

(Yes, this is an infosec metaphor) pic.twitter.com/9JEsn8upBY

March 2, 2018

Conf organizers: I'm seriously tempted to boycott any conf that has more than one "keynote" speech. A true keynote provides a single point of thematic unity and interest.

If there are 8 "keynotes", your conference either has an identity problem, a speaker ego problem - or both.

May 10, 2018

A *fantastic* crash course on the concepts, vocabulary, motives, and leverage points of dealing with credit reporting agencies. https://www.kalzumeus.com/2017/09/09/identity-theft-credit-reports/ [@patio11]

September 10, 2017

For people who want to use the Pwned Password corpus in a "top X" manner, here are the top 20,000 (35 not yet cracked, will update as I go). I do not recommend the list (as blacklist) beyond the top 20,000. Data also has obvious artifacts; use with caution: https://gist.github.com/roycewilliams/281ce539915a947a23db17137d91aeb7

February 22, 2018

Perhaps the highest concentration of security wisdom ever assembled in a single tweet. https://twitter.com/thegrugq/status/1032328600047869952

August 22, 2018

There is a special place in hell reserved for companies that force senior citizens to A) move to paper-only statements and B) give every statement the filename "Statement.pdf".

December 31, 2017

Not enough. To rescue Android security fragmentation, OEMs & carriers should only be allowed to keep branding / bloatware while they provide patches. If patches stop, Google releases a clean replacement ROM - and OEM/carrier loses control of handset.

Never happen, of course. https://twitter.com/DaveKSecure/status/995122341276401664

May 12, 2018

Hey, $‍website - if I've gone to the trouble of enabling your 12 Javascript dependencies, do something useful with that Javascript: switch focus to *the only field that requires input on the page* (password, 2FA code, yes/no/OK/cancel button ...)

March 19, 2018

Another same-quad public recursive DNS - this one from @Cloudflare. (And since 1.1.1.1 is used in documentation & dummy/example configs, it should get some interesting traffic indeed!)

And if you've ever wondered who owns all the other same-quad IPs: https://gist.github.com/roycewilliams/6cb91ed94b88730321ca3076006229f1 https://t.co/qcLqDikZOH

March 29, 2018

Yes! But at this writing, Chrome 69 does not support 'require-sri-for' unless you enable chrome://flags/#enable-experimental-web-platform-features (you'll see "The Content-Security-Policy directive 'require-sri-for' is implemented behind a flag which is currently disabled.") https://twitter.com/Scott_Helme/status/1040830165251588103

September 15, 2018

"When you watch an advertisement, you are being attacked by a psyop with a goal to change how you are thinking and suborn your otherwise rational decisionmaking process." -@munin

February 21, 2018

TFW you use both the meeting app's mute button *and* your phone's mute button, to doubly ensure any indelicate things said under your breath go unheard ...

... thereby making your un-mute process so complex that the other attendees think you're asleep at the wheel

May 4, 2018

See more general information about me.

Back to Tech Solvency.