Call me suspicious, but I bet that’s not my real year end bonus notification.
Call me suspicious, but I bet that’s not my real year end bonus notification.
2 weeks in and GitHub still hasn’t replied to my urgent support ticket for a security-related audit log request, except to close it twice and make me re-open it.
And we pay good money for this privilege.
We’re this close to me asking my CTO if I can pilot a Forgejo POC.
My coworker Secret Santa gets me.
My coworkers weren’t sure what my “2600” baseball cap referred to. I sense an upcoming lunch and learn.
I talked to my company today and told them how phishers use a sense of 1) danger, and 2) urgency, to push smart people to do rash things. I offered to be their personal, confidential fear consultant: “hey, I got this scary thing. Is it real?” Let me do the worrying for them.
This, more than goofy phishing tests that make people feel dumb, is how we help our friends avoid scams.
The current art exhibit at SFO D gates is a bunch of old phones.
We’re having visitors in our office tonight, and the office manager reminded us to put away valuables, etc., and also to put away USB chargers so no one would be tempted to sneak over and top off their phone.
If you borrow a random data cable from a desk of the security team, whatever happens next is on you.
From the letters to the editor in a recent issue of “2600”:
We used to subscribe to Wired Magazine, but their direction changed. Aside from the content of their articles, their pages became too colorful and hard to read.
So they stopped in, what, 1994?
To the younguns amongst us, Wired was (in)famous for running print articles in color schemes like neon yellow on day-glo pink. Yes, it was fun and cool to read. Yes, it was sometimes nearly impossible to focus on the page.
New hotel, new cloned keycard.
The previous version of NIST SP 800-63B, section 5.1.1.2, said that organizations SHOULD NOT require users to update their passwords on a regular basis, unless they believe that the password was compromised. The 2025-05-30 version moved that to section 3.1.1.2 and updated it to say organizations SHALL NOT do that.
Now whenever a website emails me to say I have to update my password because it’s been a month or two since I last did it, I report a security bug to them:
The website has a security flaw: it makes users rotate their passwords periodically. This is against the security controls in NIST Special Publication 800-63B-4, “Digital Identity Guidelines”, section 3.1.1.2, clause 6, which reads:
“6. Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised.”
Please fix the website to remove this requirement. Thank you.
If we all do this, maybe it’ll get into their heads that it’s a bad idea to make users change their passwords just for the sake of it.