*flesh gosh darn
I'm gonna go to a Starbucks~~ see if I can flush out the new article today ^_^
So #deletefacebook is trending on Masto :P
I think the most important thing for (especially technically apt) people to understand about InfoSec is how terrible humans are at isolating aspects of our life.
If you're on FB, they can probably infer your more "sensitive" info.
Working on a slightly controversial article about responsible disclosure :P
Daily reminder to be REALISTIC about security. Ain't nobody setting up Bitmessage or X-Raying their Novena boards to send nudes
Ok hi tech journalists, if some software/hardware organization/corporation releases a patch for Meltdown in their products, PLEASE don't report that as "a patch for meltdown and spectre" unless Spectre is ALSO patched. Thank you.
@aschmitz People don't seem to have a problem adding their friends via Snapchat QR or w/e. Viability of solutions varies a lot. To each their own I guess.
@aschmitz >start software
>software auto-authenticates with device key/login token/whatever
>Code displayed in prominent location in UI
This can be made easy
@aschmitz Although you raise a good point about hex, it'd make sense to just use Arabic nums, yes.
@aschmitz You don't have to memorize it. It's synonymous to a username not a password. You can write it down or w/e.
@aschmitz (0/4) Well hex codes are just like numbers except they can be even shorter. Is 9ABC really harder to type than 1789?
@aschmitz Restricting to numbers or hex codes is MUCH less complex and erases issues of cultural bias.
@aschmitz Although I'm worried in the case of Mastodon that if some instance does a custom font, you're going to have issues with ls and Is etc
@aschmitz I mean Mastodon restricts the char set quite a bit. That works, I guess. I still like numbers better though.
@aschmitz Yes, but the normal handle is still vulnerable to lookalike attacks unless you restrict a lot. At which point it may as well be a string of numbers
@aschmitz You'd use a hex code for adding friends in IMs, for instance.
@aschmitz No. The idea is you still have your normal vanity username. The hex code is used for sensitive things like logins, profile page URLs, etc.
Hey Twitter, can you like seriously stop? Thanks. https://octodon.social/media/WFB7_ETHkPHdk1Vct3I
Much more secure because hex sets don't have a lot of lookalikes, and you can allow diverse vanity names in non-security sensitive contexts
There's a trend to use unique numbers/hex-codes instead of usernames for identification. This is a good trend IMO