Posts in "infosec"

We’re having visitors in our office tonight, and the office manager reminded us to put away valuables, etc., and also to put away USB chargers so no one would be tempted to sneak over and top off their phone.

If you borrow a random data cable from a desk of the security team, whatever happens next is on you.

From the letters to the editor in a recent issue of “2600”:

We used to subscribe to Wired Magazine, but their direction changed. Aside from the content of their articles, their pages became too colorful and hard to read.

So they stopped in, what, 1994?

To the younguns amongst us, Wired was (in)famous for running print articles in color schemes like neon yellow on day-glo pink. Yes, it was fun and cool to read. Yes, it was sometimes nearly impossible to focus on the page.

The previous version of NIST SP 800-63B, section 5.1.1.2, said that organizations SHOULD NOT require users to change their passwords periodically unless they believe the password was compromised. The 2025-05-30 version (800-63B-4) moved that requirement to section 3.1.1.2 and strengthened it: organizations SHALL NOT do that.

Now whenever a website emails me to say I have to update my password because it’s been a month or two since I last did it, I report a security bug to them:

The website has a security flaw: it makes users rotate their passwords periodically. This is against the security controls in NIST Special Publication 800-63B-4, “Digital Identity Guidelines”, section 3.1.1.2, clause 6, which reads:

“6. Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised.”

Please fix the website to remove this requirement. Thank you.

If we all do this, maybe it’ll get into their heads that it’s a bad idea to make users change their passwords just for the sake of it.

The emergency room I went to a couple weeks ago texted me a link to pay the bill. It’s to some generic payment system called “Papapapay”, which couldn’t sound scammier if it tried, and it shows a white screen if you open it in Safari.

Sometimes I’d swear they’re trying to train us to open phishing emails.

I think someone at Target’s having a bad day. I got a store credit card there a while back. It’s never left my house except to take it to Target. Today I got an unauthorized transaction message. Now I’m on the phone with their fraud department, with a wait time of 15 minutes.

Bathroom poster, Brickhouse, SF.

I did not add that sticker.

[Image: a skeleton sitting on a toilet, captioned ‘Hope everything comes out okay’. Someone put a ‘Darknet Diaries’ sticker on it.]

The GL.iNet GL-AXT1800 travel router I bought a year ago is on sale today for 38% off. If you’ve been on the fence, get this now.

Summary: check into a hotel and connect the router, rather than your phone, to the paid WiFi. Then connect your phone, laptop, Switch, whatever to the router’s own WiFi. You pay for only one device, you have your own firewall in front of everything, and you can route all of it through your own VPN if you want (we watched American Netflix from Germany).

I’ll never travel without one again.

  1. Screenshot your LinkedIn app home screen.

  2. Make a web page with that background.

  3. Add a link at the top to display the QR code of your choice.

  4. Add a link to that on your home screen.

Voila. Now you can make anyone at any tech conference open the QR code of your choosing. “Hey, let’s be buddies!”