Paco Hope boosted

OK. Just saw someone posting "8 Character Passwords are Dead"

To support this they say how a 2080Ti GPU has passed 100 Billion guesses per second and how that means in 2.5 hours they can try every single possible password.


That's in the case of NTLM hash. A notoriously bad hash that has *no* *salt*. Even more ridiculous, because the NTLM hash is just as good as having the password. You don't need to crack the hash.

Yes, 8 character passwords should be dead, but this is bogus.
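The arithmetic behind the claim above, worked through as an added example (this is not code from the original post). It assumes the single-GPU rate the post quotes, 100 billion guesses per second against unsalted NTLM, and the usual ASCII character classes; it shows that one GPU at that rate needs about 18 hours for all 95^8 printable-ASCII strings (the 2.5-hour figure implies several such GPUs in parallel), and why the missing salt matters when many hashes are stolen at once:

```python
"""Brute-force budget for a password of a given length and character set.

Added example for illustration; it is not code from the original post.
Assumptions: the guess rate below is the single-GPU NTLM figure quoted in the
post (100 billion/s), and charset sizes are the usual ASCII classes.
"""

GUESSES_PER_SECOND = 100e9  # assumed: one GPU against unsalted NTLM

CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "printable ASCII": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct candidates of exactly `length` characters."""
    return charset_size ** length


def hours_to_exhaust(charset_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case hours to try every candidate at `rate` guesses/s."""
    return keyspace(charset_size, length) / rate / 3600


def hours_for_hash_set(charset_size: int, length: int, n_hashes: int,
                       salted: bool, rate: float = GUESSES_PER_SECOND) -> float:
    """Hours to exhaust the keyspace against `n_hashes` stolen hashes.

    Unsalted (NTLM): each computed hash is compared against every stored
    hash, so cracking a million hashes costs the same as cracking one.
    Salted: each hash needs its own pass, so the work scales with n_hashes.
    """
    per_pass = hours_to_exhaust(charset_size, length, rate)
    return per_pass * (n_hashes if salted else 1)


def gpus_needed(charset_size: int, length: int, target_hours: float,
                rate: float = GUESSES_PER_SECOND) -> float:
    """How many GPUs at `rate` it takes to finish within `target_hours`."""
    return hours_to_exhaust(charset_size, length, rate) / target_hours


if __name__ == "__main__":
    print(f"{'charset':>20} {'len':>3} {'hours (1 GPU)':>14}")
    for name, size in CHARSETS.items():
        for length in (8, 10, 12):
            print(f"{name:>20} {length:>3} {hours_to_exhaust(size, length):>14.3g}")
    print()
    print("95^8 within 2.5 h needs about "
          f"{gpus_needed(95, 8, 2.5):.1f} GPUs at 100 GH/s")
    print("1000 salted hashes, 95^8, hours:",
          f"{hours_for_hash_set(95, 8, 1000, salted=True):.3g}")
```

The table makes the real lesson visible: adding two characters of printable ASCII multiplies the budget by about 9,000, whereas switching from unsalted to salted hashing multiplies it by the number of victims, and a deliberately slow hash lowers the guess rate by several orders of magnitude on top of that.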

Super cool and simultaneously creepy. It’s now an arms race between things like fingerprint scanners and facial recognisers and GANs.

I'm running a pi-hole in the house now to block ads and trackers. It's absurdly easy to set up and very effective. Plus the stats are so interesting to see all the ads blocked. The best thing is that because it works at the DNS level, it affects things like TVs, mobile apps, game consoles, and other embedded devices.

So... I accidentally left a DNS recursive resolver open to the Internet for a day or two. Someone noticed.

If you have a and you want to forget the open access points that your Mac has joined, this handy little Python script does the trick. It leaves alone any Wi-Fi network that has a password and only deletes the Wi-Fi networks that have no password. If you use keychain, this will have the lovely side effect of deleting them from your #iPad at the same time.
You might also want to disable the captive network assistant on your Mac:
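The script the post links to is not reproduced here; the following is an added example of my own that does the same job. It assumes macOS keeps remembered networks in com.apple.airport.preferences.plist under a KnownNetworks dictionary whose entries carry SSIDString and SecurityType (with "Open" meaning no password), that the Wi-Fi interface is en0, and that removal is done with networksetup; the sample network list is constructed so the selection logic can be exercised anywhere with --sample.

```python
#!/usr/bin/env python3
"""Forget open (passwordless) Wi-Fi networks on a Mac; leave secured ones alone.

Added example, not the script the post links to. Assumptions (labelled):
  * macOS keeps remembered networks in PREFS below under KnownNetworks, each
    entry carrying "SSIDString" and "SecurityType", with "Open" meaning no
    password; newer macOS releases may store this elsewhere.
  * the Wi-Fi interface is en0 (override with --interface).
Removal goes through `networksetup -removepreferredwirelessnetwork`.
"""
import argparse
import plistlib
import subprocess
import sys

PREFS = "/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist"

# Constructed sample in the assumed plist shape, so the script can be exercised
# with --sample on any machine without touching real preferences.
SAMPLE_KNOWN_NETWORKS = {
    "wifi.ssid.436f6666656553686f70": {"SSIDString": "CoffeeShop", "SecurityType": "Open"},
    "wifi.ssid.486f6d65": {"SSIDString": "Home", "SecurityType": "WPA2 Personal"},
    "wifi.ssid.41697270 6f7274".replace(" ", ""): {"SSIDString": "Airport", "SecurityType": "Open"},
    "wifi.ssid.576f726b": {"SSIDString": "Work", "SecurityType": "WPA2 Enterprise"},
}


def open_ssids(known_networks):
    """Return the SSIDs whose SecurityType is Open, sorted for stable output.

    Entries with a missing SecurityType are left alone: when in doubt, do not
    forget a network.
    """
    found = []
    for entry in known_networks.values():
        ssid = entry.get("SSIDString")
        if ssid and entry.get("SecurityType") == "Open":
            found.append(ssid)
    return sorted(found)


def load_known_networks(path=PREFS):
    """Parse the (binary) plist and return its KnownNetworks dict."""
    with open(path, "rb") as fh:
        return plistlib.load(fh).get("KnownNetworks", {})


def forget_command(interface, ssid):
    """The networksetup invocation that drops one preferred network."""
    return ["networksetup", "-removepreferredwirelessnetwork", interface, ssid]


def main(argv=None):
    ap = argparse.ArgumentParser(description=__doc__.splitlines()[0])
    ap.add_argument("--interface", default="en0")
    ap.add_argument("--sample", action="store_true",
                    help="use the built-in sample instead of PREFS (implies --dry-run)")
    ap.add_argument("--dry-run", action="store_true",
                    help="print the commands instead of running them")
    args = ap.parse_args(argv)

    networks = SAMPLE_KNOWN_NETWORKS if args.sample else load_known_networks()
    targets = open_ssids(networks)
    if not targets:
        print("no open networks remembered")
        return 0
    rc = 0
    for ssid in targets:
        cmd = forget_command(args.interface, ssid)
        if args.dry_run or args.sample:
            print("would run:", " ".join(cmd))
        else:
            rc |= subprocess.run(cmd).returncode  # needs admin rights
    return rc


if __name__ == "__main__":
    sys.exit(main())
```

Run it with --dry-run first and check the list before letting it call networksetup, which prompts for an administrator password. The captive network assistant switch the post refers to is separate from this script; the setting I know of is `sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -boolean false`, given here on my own authority rather than from the post, and recent macOS releases may not honour it.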

Maybe I’ll put a password on this zip file. Why bother? Crypto implemented like a CS undergrad. With many eyes, all bugs are someone else’s job to find.

Paco Hope boosted

I just noticed that, now that I migrated my mail server to and and assigned an IPv6 address to it, I'm actually accepting connections over ! Yay.

Paco Hope boosted

I have this idea that tooling that turns specs into documentation (like Swagger or JavaDoc or whatever) should keep a giant list of apologetic modifiers and prepend them to the front of every paragraph or section or something.

"Unfortunately, this function takes a string and…" "Deplorably, a Segment object is used to model…" "Tragically, a response code of 304 indicates…"

Not learning a thing from 3D printing of TSA keys or all the data breaches that have happened in the last decade, a firm has created photos-of-keys-as-a-service. It is a bad idea beyond bad ideas.
This year's announcement.
Why that's bad.

Looks like is a manager to watch. It's multi-platform, open source, and free. Reading the github issues, it sounds a little rough around the edges. Ready for early adopters, but not ready for the masses.

Paco Hope boosted

Interesting: you can fingerprint people based on their browser extensions, and LinkedIn has been doing so for years #privacy

This is not a joke. This was an actual progress bar on a web site I use. Microsoft has nothing on these folks. :)

I just disabled on my email server. I'm not sure that it detects anything of value, but it uses half the instance's RAM trying. I suspect the RAM-to-value ratio is not good enough.

If you're in and you're in Europe, the Middle East, or Africa, there's a great award to recognise an outstanding contributor: the ISLA (Information Security Leadership Award). Nominations close in 2 weeks:

OMFG! I suck. I just did a classic rookie move. Terminated an EC2 instance that was precious. Checked Lifecycle Manager and it wasn't making backups. I feel like such a fool. Embarrassing.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.