Mastodawn

James LaPlaine Dec 23, 2022

Graham Sutherland / Polynomial Dec 22, 2022

if you run into anyone trying to discount the severity of the lastpass breach by saying the master keys are impossible to crack, ask them how lastpass' key derivation works, what a credential stuffing attack is, and how well PBKDF2 scales on GPUs.

given the details, it looks like anyone whose data was in the breach and who also reused their master password elsewhere is in imminent danger of having all their passwords compromised, as is anyone who used a relatively common password.

James LaPlaine Dec 23, 2022

Show thread

Cranky David Dec 22, 2022

@simon
there are definitely a few of these opaque issues i'm figuring out as i see them.

related to this is looking up followers/follows - unless you go to a user's instance directly you only see the list of users on your instance that also follow/are followed.

would love to have a way to pull in the full federated data set from where i am and not have to open a web browser or other trick to see.

James LaPlaine Dec 23, 2022

Simon Willison Dec 22, 2022

My least favourite sharp edge of Mastodon is the fact that when you view someone else's post you only see replies to it that are known to your server - so there's actually a good chance there will be replies that are completely invisible to you, especially if you run your own instance

I'd love it if tapping a post kicked off a request back to the original server that fetched the current reply count and provided a "view all replies" button if there were replies not yet visible to me

James LaPlaine Dec 23, 2022

LastPass has a lot to answer for. They haven’t handled this breach with the right level of transparency. https://www.theverge.com/2022/12/22/23523322/lastpass-data-breach-cloud-encrypted-password-vault-hackers #Lastpass #Breach

Hackers stole encrypted LastPass password vaults, and we’re just now hearing about it

LastPass has announced that during a November data breach of its cloud storage, hackers copied a backup of customer vault data that includes encrypted usernames and passwords.

The Verge

James LaPlaine Dec 23, 2022

Rand Fishkin Dec 22, 2022

"Americans have real privacy concerns about their online data."

No. We do not.

If Facebook, Amazon, and Google's vacuuming of personal data hasn't proved it, TikTok surely closes the case.

We are happy to trade every scrap of private data, that we know will be used in problematic, unregulatable ways by a non-allied, semi-antagonistic, foreign govt in exchange for a more convenient source of short, entertaining videos.

A small, vocal few may care, but "Americans" broadly do not.

James LaPlaine Dec 20, 2022

Unexpectedly, as uncertainty and complexity rise, making the outcome less predictable, we find that overconfidence rises too. #ParadoxPairs #Paradox #Overconfidence https://www.paradoxpairs.com/overconfidence-performance/

Overconfidence & Performance (Paradox Pair #73)

Unexpectedly, as uncertainty and complexity rise, making the outcome less predictable, we find that overconfidence rises too.

Paradox Pairs

James LaPlaine Dec 19, 2022

Bob Lord 🔐

Dec 19, 2022

You will all be surprised that I've been thinking about MFA lately. 😂

I asked @jerry for some infosec.exchange MFA stats a couple of weeks ago. The resulting exchange was interesting. I typed up some thoughts here:
https://medium.com/@boblord/mastodon-mfa-stats-96e271708f97

The summary is that we need to move responsibility for staying cyber safe from end-users to service providers. Nudges, sometimes aggressive ones, can be a powerful tool to achieve that goal.

I'd love to hear your thoughts so I can continue to learn and to refine my thinking. 🙏

Mastodon MFA Stats - @boblord - Medium

A few weeks ago I asked the administrator of infosec.exchange (a node in a social media network called Mastodon) to find out what percentage of accounts had MFA enabled. I was curious because this…

Medium

James LaPlaine Dec 19, 2022

I enjoyed doing this ...