Eric Grosse

258 Followers, 108 Following, 18 Posts
infosec, husband/father/grandad
Web: https://n2vi.com/
Feeling ambitious? Contemplate how the tightest compartments of your org compare to the long-pole infosec suggestions in https://standard.sl5.org/
SL5 Standard for AI Security: a NIST SP 800-53 overlay for frontier AI infrastructure achieving nation-state-level security. 43 controls across 10 families by the Security Level 5 Task Force.

@adamshostack @boblord Hi!

Yes, "anonymity" was a poor word choice. What I meant was there are domestic abuse scenarios in which avoiding a monthly payment trail helps in staying low profile, and I'm glad to subsidize that. But Signal does not protect perfectly against metadata analysis by law enforcement. Building such a system is challenging, not least because of unintended consequences.

I don't agree with all Signal's choices, but I think we do all agree that (as far as we know) they're not egregiously wasting their donations and that among the widely available communication channels, they're relatively good.

@boblord

The Signal Foundation at signal.org/donate also makes it easy to contribute from Donor Advised Funds.

By keeping the service free of charge, those of us who don't need to hide enable anonymity for the vulnerable.

Google Security has a great Leaving Tradition, which I commend to other orgs aspiring to excellence: https://bughunters.google.com/blog/6355265783201792/the-great-google-password-heist-15-years-of-hacking-passwords-to-test-our-security-and-build-team-culture

(I don't post often, and am not sure whether mastodon or @n2vi.bsky.social is best for it. But their nice blog post deserves the extra pointer.)

Blog: The Great Google Password Heist: 15 years of hacking passwords to test our security (and build team culture!)

The Leaving Tradition in Google's security team, which could be described as a type of small-scale offensive security exercise, is a great (and fun) example of team culture. Curious? See this blog post for details.

@SteveBellovin As a poll worker, I too encountered a confused-family-member-already-voted situation, and (after consulting the precinct supervisor) let this scared first-time voter cast a ballot. Also, I gave her my card and assured her I'd testify on her behalf if somebody later claimed she had voted illegally. There's too much litigation replacing common sense.

Today, June 16, Google tells me Album Archive is going away on July 19 and I need to use Google Takeout before then. Google Takeout then tells me "You have Advanced Protection switched on, which means that it could take days or even weeks for your files to be ready".

@mat @matthew_d_green If you keep one on your person with house and car keys, and one in your safe deposit box, then loss is a very rare event. And you don't need security-key 2FA for every website, only the ones of substantial value like email, bank, GitHub.

I grant that "keep on person" is harder for some people than others. For example, my pants have pockets, but a woman I know carries hers on a necklace.

Just describing the one auth I've seen that stops state actors' phishing cold. Everyone can make their own risk/reward choices.

@matthew_d_green The best Yubikey backup strategy is for the auth server to allow registering multiple security keys. This has been the canonical solution since the dawn of time, i.e. when security keys existed only inside Google and Yubico.

Also, the auth server needs to allow revoking individual security keys in case of loss, so be sure to give them names at time of registration.
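The two posts above describe the server-side properties that make the security-key backup strategy work: an account may hold several registered keys, each key carries a name given at registration, and any one of them can be revoked without touching the others. The following is an added example written for this page, not code from the poster or from any real authentication server; the in-memory `KeyRegistry`, the "refuse to revoke the last active key" policy and the constructed credential ids are all assumptions chosen to illustrate the point.

```python
"""Added example (not from the post or any real auth server): a minimal
server-side registry of WebAuthn/FIDO security keys that gives an account
several keys, names each one at registration, and revokes keys individually."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class RegisteredKey:
    credential_id: bytes      # opaque id the authenticator returned at registration
    name: str                 # label chosen by the user, e.g. "keyring" or "safe deposit"
    registered_at: datetime
    revoked_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.revoked_at is None


class KeyRegistry:
    """In-memory stand-in for the account store (assumed design). Keys are
    managed by name and resolved by credential id during authentication."""

    def __init__(self) -> None:
        self._keys: Dict[str, List[RegisteredKey]] = {}
        self.audit_log: List[str] = []

    def register(self, user: str, credential_id: bytes, name: str) -> RegisteredKey:
        if not name.strip():
            raise ValueError("security key must be given a name at registration")
        keys = self._keys.setdefault(user, [])
        if any(k.name == name and k.active for k in keys):
            raise ValueError(f"{user!r} already has an active key named {name!r}")
        if any(k.credential_id == credential_id for k in keys):
            raise ValueError("credential id already registered for this user")
        key = RegisteredKey(credential_id, name, datetime.now(timezone.utc))
        keys.append(key)
        self.audit_log.append(f"register user={user} key={name}")
        return key

    def revoke(self, user: str, name: str) -> RegisteredKey:
        """Revoke one key by name, leaving the user's other keys usable.
        Refuses to revoke the last active key so a lockout must go through
        an explicit account-recovery path instead (assumed policy)."""
        active = [k for k in self._keys.get(user, []) if k.active]
        target = next((k for k in active if k.name == name), None)
        if target is None:
            raise KeyError(f"no active key named {name!r} for {user!r}")
        if len(active) == 1:
            raise ValueError("refusing to revoke the only active key; use account recovery")
        target.revoked_at = datetime.now(timezone.utc)
        self.audit_log.append(f"revoke user={user} key={name}")
        return target

    def allowed_credentials(self, user: str) -> List[bytes]:
        """Credential ids to place in the authentication challenge's allowCredentials:
        only active keys, so a revoked key can no longer satisfy the challenge."""
        return [k.credential_id for k in self._keys.get(user, []) if k.active]

    def lookup(self, user: str, credential_id: bytes) -> Optional[RegisteredKey]:
        """Resolve the credential an authenticator signed with; None if unknown or revoked."""
        for k in self._keys.get(user, []):
            if k.credential_id == credential_id and k.active:
                return k
        return None


def demo() -> List[str]:
    """Walk through the post's backup strategy with constructed credential ids."""
    reg = KeyRegistry()
    reg.register("alice", b"\x01" * 16, "keyring")        # carried with house/car keys
    reg.register("alice", b"\x02" * 16, "safe deposit")   # backup in the safe deposit box
    lost = reg.revoke("alice", "keyring")                 # keyring lost: revoke only that key
    assert not lost.active
    return [k.name for k in reg._keys["alice"] if k.active]


if __name__ == "__main__":
    print(demo())   # ['safe deposit']
```

The `allowed_credentials` list is what the server would send in the WebAuthn authentication challenge; because revoked keys are filtered out there and in `lookup`, a lost key is useless to whoever finds it as soon as the owner revokes it by name, while the key in the safe deposit box keeps working.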

Former LastPass users, slowly updating passwords everywhere, are encountering buggy flows even from major services. If you're responsible for auth, now is an especially good time to listen to your help desk staff.

@cuu508, thank you for healthchecks.io; that's a great public service you run! I wonder if, in place of the "OK" response to pings, it would be as easy for your server to reply with my IP address, thus enabling me to trigger rare dynamic DNS updates without burdening any other pro bono servers?