Royce Williams

@tychotithonus@infosec.exchange
3.2K Followers
3.8K Following
11.6K Posts

Just doing my undue diligence.

ISP vet, password cracker (Team Hashcat), security demi-boffin, YubiKey stan, public-interest technologist, AK license plate geek. Husband to a philosopher, father to a llama fanatic. Views his.

Day job: Enterprise Security Architect for an Alaskan ISP.

Obsessed with security keys:
techsolvency.com/mfa/security-keys

My 2017 #BSidesLV talk "Password Cracking 201: Beyond the Basics":
youtube.com/watch?v=-uiMQGICeQY&t=20260s

Followed you out of the blue = probably stole you from follows of someone I respect.

Blocked inadvertently? Ask!

Am I following a dirtbag? Tell me!

Photo: White 50-ish man w/big forehead, short beard, & glasses, grinning in front of a display of Alaskan license plates.

Boosts not about security ... usually are.

Banner: 5 rows of security keys in a wall case.

#NonAIContent

#hashcat #Alaska #YubiKeys #LicensePlates

P.S. I hate advance-fee scammers with the heat of 400B suns


Stuff: https://www.techsolvency.com/roycewilliams/mastodon
Keybase: https://keybase.io/royce
GitHub: https://github.com/roycewilliams
LinkedIn: https://www.linkedin.com/in/roycewilliams
Gravatar: https://gravatar.com/tychotithonus
Not "dehashed"!: https://www.techsolvency.com/passwords/dehashing-reversing-decrypting/

Security key that's new to me: Thetis Nano-C!

https://thetis.io/products/thetis-nano-c-fido2-security-key-device-passkey-usb-c

Also news to me, I'm clearly behind: FIDO2 has levels:

https://fidoalliance.org/certification/authenticator-certification-levels/

This key is FIDO2 L1, and different applications may require different levels. Notably here, L1 is the minimum to get any certification at all, and you can't get L2 unless you have an actual secure hardware element. So with the device at this level, you get the independence of a separate physical object with a dramatically simpler software surface, but I suspect it might be easier to get secrets right off the key with physical possession.

(Note that this is an organic post, not sponsored in any way. Happened upon it in an eBay listing. I never do solicited or compensated endorsements)

#SecurityKeys

From the National Bureau of Standards (precursor to NIST) NBS Technical Note 827, "Controlled Accessibility Workshop Report", May 1974, p3:

Go home, SANS ISC blog text encoding -- you're drunk.

I'm basically dead in the water for anything that wants to [Google] reauthenticate occasionally (Google Finance, etc.) on this device (which is my daily driver). The issue is that the device-bound passkey isn't validating and it won't let me use anything else (like a security key).

Either the passkey on my Pixel 7 is corrupted, or the process of verifying it has a bug / wedge. Anything Google that wants to prompt for a passkey fails with the "2-Step Verification" flow's "Try another way" step. And even worse, the "other ways" (like the other passkeys I have on other devices, or the FIDO2 security keys that I have that predate passkeys) appear to succeed ... but then I'm redirected back to the same "try another way" as if presenting the key is being ignored even though it worked.

This was happening before the June update, and is still happening afterwards.

There also appears to be no way to delete a passkey from the Google Account side.

Edit: screenshot added (Sorry for the photo, had to take it from another device because you can't screenshot the auth flow)

Edit: this is only happening on one device. Other Google devices with automatically generated passkeys are working fine.

Edit: clearing all data for Chrome - not just cache, but all storage - fixed the issue for me!

#Android #Pixel #passkeys

Was mostly AFK for a bit 😅

Huh, never saw this before - at the bottom of an email thread in the Android Gmail client. Dots pulse for a second, and then the whole section vanishes.

Ah, I get it now. Pixel VIP is an unblockable ad correlation engine -- one that efficiently exploits your connections with your closest contacts.

I'm out.

2/2

#PixelVIP

Well, this cracking attack is going to take 5.5 days on 2x 4090s.

#PasswordCracking #hashcat

Just found out about this SPAM can variant. Kinda cool tie-in with the new CGI Lilo & Stitch movie.

Couple of SPAM+movie commercials, too:

https://www.youtube.com/watch?v=UTXR3ym-J-0
https://www.youtube.com/shorts/WCTsteRHe2I

#SPAM #LiloAndStitch