Twitter

Hello, Twitter!

I was Royce Williams (@TychoTithonus).

But now I am @tychotithonus@infosec.exchange .

Some Mastodon tips:

For me, the killer feature - so essential that any platform without it is broken - is Mastodon's rich filtering capability. My post about why.
While it's still allowed, people who mention their Mastodon account in their profile can be automatically harvested in your following list with tools like fedifinder.glitch.me and Movetodon.
If you get an export of your Twitter data, you can also generate a local browsable tweet archive .
On mobile, I like the PWA best because it always tracks the featureset of your home instance. unrelated app, but good howto for PWAs.
The "advanced web interface" is a lot like TweetDeck - I use it all the time. Enable "slow mode" to not see constantly updating columns - it makes a link at the top of each column with "X new posts" you can click on to reveal them. If it feels slow after a few hours, refresh the page.
Supply alt text for images - that text is also scanned by people's filters. Mastodon will even OCR the text from images for you! And you can configure most clients to warn you if you've forgotten.
There is no full text search on many instances (though infosec.exchange does run a patch to enable it.
You can follow a hashtag - just search for it, then hit the follow "+" icon.
DMs aren't really DMs, in that if you happen to mention another account, they're automatically added to the group conversation!
Don't get cute with euphemisms or obfuscated versions of strings. There's much less of a problem of people getting harrassed based on keywords. It also makes filtering for those words harder.
There's limited analytics, so favorite / like things to encourage the poster. Liking also adds to what's searched when you perform your own searches.
If you have your own domain, you can set up a redirect that points [anything]@example.net to your chosen Mastodon. Generate the file using this tool, or just copy an example like mine (replacing my domain with yours!). And you can validate with webfinger.net
Threading isn't great currently. When replying to one person when there are multiple people in the thread, I'm seeing a convention where you put the person you're replying to first, then your reply, then anyone else on the thread at the bottom.
-

Stuff I wish Mastodon had:

Visual indicator of whether or not I'm following the poster
Filter import/export
A way to temporarily disable a given filter
-

Good references and info:

Fedi.Tips
joyeusenoelle/GuideToMastodon
feditrends
Make your own simple, public, searchable Twitter archive
hydrate-twitter-archive (reconstruct data not part of your Twitter export - followed usernames, etc.)
Nikodemus' Guide to Mastodon
Mastodon 101 for Journalists
-

The rest below is preserved for now as representative of my microblogging perspectives and policies.

This is my Twitter-specific personal landing page. (See also general information about me and general Twitter tips.)

Blocked or unfollowed?

I can make mistakes, especially when blocking in bulk. Some folks see blocking as an irrevocable blow-off, but I don't - I've seen too many false positives and genuine misunderstandings. If I've blocked you inadvertently, my apologies! Please let me know.
I've recently (May 2021) reached my following cap (5000 follows). To make room, I've moved some accounts to private lists until I reach the next threshold. If my unfollow seems inadvertent, please let me know.

What I follow

I've reached (as of May 2021) my followee cap (5000), so I'm having to selectively move some people to lists. If/when the cap is removed or the threshold is met, I'll re-follow. :) Apologies in advance - I almost certainly didn't unfollow you because of ideological differences.

What I tweet about

I tweet in two streams:

Tweeting personally as @TychoTithonus, I average about three tweets per day, tweeting on a range of topics:
- security architecture and threat analysis
- identity and authentication/password security (IDAM, TOTP, MFA/2FA, U2F/FIDO/FIDO2/WebAuthn, and hardware security keys including YubiKeys)
- password hashing, cracking, and related tools (hashcat, John the Ripper, MDXfind, Hashtopolis)
- web security (Content Security Policy, security headers, SSL/TLS hardening, Google, Chrome)
- ISP-ish stuff (NTP, DNS, email, spam)
- digital misinformation, disinformation, and propaganda
- human general and digital rights, and public-interest technology (I am a public-interest technologist at heart)
- Alaskan things (including Alaskan license plates (rarely))
- occasional other random stuff
As @techsolvency, I tweet about general information security (in the Alaskan context, but also generally useful). Mostly retweets, low volume (usually averaging a couple of tweets per day).

You can review my recent Twitter analytics at SocialBearing and whotwi.

The emoji

The emoji sequence at the end of my profile is intended to compactly express the following:

❤️: - (red heart, then colon) = "What follows is a list of things I love:"
⚛ - atom symbol = "I believe in science" (located in a Unicode block of religious symbols)
👨‍👩‍👧 - "Family (man, woman, girl)" = a snapshot of my current nuclear family
🛡 - shield = a general expression of defender / blue team
🙊 - speak-no-evil monkey = trying to be nice :D
🌻 - sunflower = Maude's commentary on uniqueness and self-conception
🗽 - Statue of Liberty = liberty, democracy, inclusivity/welcoming
😼 - "cat face with wry smile" = an oblique hashcat reference
💻 - "Personal computer" = I like and work in computers/tech
✏ - pencil = I like and admire writing
🎥 - movie camera = really, mostly just watching them
🍦- "soft ice cream" = really, any ice cream - but especially Cado
🌶 - hot pepper = spicy food
🍫 - chocolate bar

(Not necessarily in that order ;) )

DMs

Go for it. But if it's an unsolicited cracking request, be aware that my bar for proving chain of authorization is high. The steady stream of "bro pls help me crack a hash", and "hi" messages with no other context, are ignored.

Disclaimers and warnings

Likes and retweets indicate notability / interest / bookmarking, not necessarily approval.

All opinions expressed and activities are my own, and not of any other org/company/club that I am or have previously been associated with.

Everything that I tweet (or retweet) from either account should usually be SFW (other than the occasional expletive, usually in retweets).

If you send me an unsolicited DM and pre-emptively include an unprovenanced hash, you will be ignored - and likely blocked. Professional cracking requires careful provenance and hash handling - and shoving a hash at someone is almost never a sign of legitimate possession.

My blocking policies

(I make mistakes, especially when blocking in bulk. If I've blocked you inadvertently, my apologies! Please let me know.)
I tend to force-to-unfollow (by blocking, then unblocking) any Twitter accounts that:
- appear to have followed me automatically (without human oversight), or due to the presence of a hashtag or trend
- appear to be following me in order to appear in my list of followers for advertising/exposure purposes
- are protected, do not respond to my request to follow them back, and look sketchy (this can vary - privacy is reasonable!)
- have bios about "capitalizing on social media", "influencing", "brand management", or "SEO"
- have default/stock avatars, or with usernames ending in more than a few digits (though Twitter is defaulting to this more aggressively now :/
- have a high percentage of bot-looking followers (correlated with bot-ness; see also BotSentinel)
- appear to be following me for ironic or antagonistic purposes
- appear to be engaging in trend spam or hashtag spam
- comment out of the blue on prominent threads after a long period of infrequent tweeting, with the appearance of attempting to incite controversy (correlated with bot-ness)
- otherwise appear to have followed me for no apparent reason at all, and have completely unrelated interests (in other words, likely SEO-driven, bot-driven, or framework-driven following)
(In other words, my follower numbers are not inflated - which the Twitter ecosystem penalizes me for, but so it goes).
I tend to block Twitter accounts that:
- indiscriminately follow obvious bots (this can sometimes cause collateral damage)
- engage in threatening behavior (whether subtle or overt)
- seek help ... but then willfully, persistently, and belligerently ignore the advice given
- demonstrate a wanton disregard for basic human rights (or deliberately invoke well-known memes or phrases that are dog whistles for same)
- repeatedly engage in inflammatory debate for its own sake
I use automated tools (Twitter Block Chain, etc.) to block bots, and accounts that follow obvious bots. Because some people/orgs use automated following tools, there can be false positives.

Twitter tips

My general Twitter tips are here.

Other places

You can also follow me at:

@TychoTithonus@infosec.exchange (primary, security-specific community)
@TychoTithonus@mastodon.social (backup, not active)

Selected tweets

Am I worth following? Here are some of my non-retweet tweets - that I and/or others found interesting. ;)

In the spirit of "We are a way for the cosmos to know itself" (Sagan): infosec is a way for IT to know itself.
– July 31, 2015

Windows 10 caught in an upgrade failure loop? SetupDiag parses the upgrade logs and will interpret the diagnostic codes for you. Many hangs are related to problems with specific devices - disabling them during the upgrade can get you past the problem. https://docs.microsoft.com/en-us/windows/deployment/upgrade/setupdiag
– October 21, 2018

My #BSidesLV talk "Password Cracking 201: Beyond the Basics" - video: https://www.youtube.com/watch?v=-uiMQGICeQY&t=20260; slides and errata: https://www.techsolvency.com/talks/
– August 2, 2017

Never underestimate the power and convenience of having an old laptop, with modern Linux on it ... stashed offline at your parents' house.
– July 28, 2018

Even a weak hash will protect a strong password.
– November 21, 2018

There's a special place in hell for software projects who publish changelogs without dates.
– October 26, 2018

If your website logs digital interactions with your support team (emails, webforms, chat):

It's common for users to *volunteer* their passwords for troubleshooting (trying to be helpful!).

Those logs now contain your users' passwords.
– June 10, 2018

Relatively new ice cream shop in #ANC called @WildScoops.

Their loyalty card says: "Double stamps when the temperature is below 32°, or it's actively snowing" and "It's never too cold for ICE CREAM"

They *get* me.
– December 12, 2017

Note that "desensitiz[ing] and indoctrinat[ing] ... through memes" is also deeply common on both YouTube and Facebook - & because of algorithmic bubbles, it is invisible & underestimated)

With each hit of dopamine ... your friends, family, and co-workers are being weaponized. https://twitter.com/aprilaser/status/1049658138247516161
– October 9, 2018

Nobody's going to crack my new password. It's actually a nice, long passphrase - "penguins are skating slowly while ordering raspberry donuts" - but then I just take the first letter of each word, so it looks totally random. #winning
– February 26, 2018

To make amends for treating @cperciva badly after discovering a serious CPU architecture bug (http://www.daemonology.net/hyperthreading-considered-harmful/), Intel should retroactively reward @cperciva (or his designee; @FreeBSDFndation?) the same bounty that a vulnerability of equivalent severity will now receive. https://twitter.com/cperciva/status/963931969292664832
– February 15, 2018

A thorough summary of considerations when a web application is managing passwords. /ht @solardiz https://twitter.com/harwoeck/status/1029639087882493952
– August 17, 2018

"An organization performs pentests because they’re mandated, but an organization performs a red team assessment to learn about themselves" - nailed it. https://twitter.com/malcomvetter/status/1036530885972119553
– September 3, 2018

Dear companies making appliances with true NTP under the hood, but a web UI only allowing 1 or 2 NTP servers:

You're *breaking* the NTP algorithms. Please allow a high # of servers - 10+. Just a single long field separated w/spaces would make big difference.

Time's a-wastin'!
– March 2, 2018

Vernor-Vinge-plot-grade theory:

Resurgence of flat earthers in the US is the byproduct of a demo / trial run of an influence ops framework. Vulnerable population id'd and exploited; YouTube as primary delivery vehicle.

Scariest part: we only see the edges of it spilling over.
– March 11, 2018

Among many changes and fixes in the upcoming #hashcat 4.1.0 is the addition of some new algorithms!

All benchmarks are on a box with 6x stock 1080s, no overclock. (Just a preview - there may be changes before release!) 1/2 pic.twitter.com/WqjCz97gWI
– January 31, 2018

One of the compelling reasons to drop 'trivial' subdomains in Chrome is to make the base domain more obvious on smaller screens?

Maybe it would be useful to make this behavior dynamic, based on screen real estate (instead of the default across all screen sizes and platforms)?
– September 28, 2018

Ads are a vector for malware and fraud. But Google is A) slowly reducing the visual difference between search results and ads, and B) forcing real search results below the fold.

Users trust Google results. But that trust - and user safety - is being exchanged for revenue. https://twitter.com/lucasng/status/844067629602021377
– January 9, 2018

"If an entity which does not control a domain can issue a certificate, our view is that is misissuance […] the party who has that private key must have demonstrated control during the lifetime of that certificate. ~@sleevi_ 👍👍👍 https://twitter.com/konklone/status/961811000834969600
– February 10, 2018

Any book endorsed by Ken Thompson is destined for greatness. https://twitter.com/mwlauthor/status/980299889061003266
– April 1, 2018

Thanks to @reporturi, I just discovered that a Javascript slideshow widget that I use (https://slideshow.triptracker.net/) was loading remote images. Not anymore! Thanks, @Scott_Helme ! pic.twitter.com/hXGGtVW87h
– October 25, 2018

In 2010, it was reported that student James M. Hall found this, the first public DES crypt collision:

hiH9IOyyrrl4k:cqjmide
hiH9IOyyrrl4k:ifpqgio

(Any idea where James M. Hall is now? He should post his code to GitHub!) https://slashdot.org/submission/1381082/Traditional-DES-collision https://security.stackexchange.com/questions/5204/can-des-based-hashed-password-be-recovered-if-salt-is-known/5207#5207
– November 24, 2018

There's something uniquely and remarkably tone-deaf about the use of "Sincerely" and "Thanks" in canned email signatures.

Sincerity and gratitude cannot be automated.
– June 8, 2018

CMIYC - the password-cracking version of the Olympics - is back at DEF CON:

* 48 hours, mostly Aug 10-11
* Open entry - no tiers
* Points-based
* Better with teams
* At least one member has to be in attendance
https://twitter.com/CrackMeIfYouCan/status/984069333155504128
– April 11, 2018

A good overview of WebAuthn, U2F operability, and good broad observations about the gotchas and benefits of pushing authentication forward. Great talk, @bradgirardeau ! https://twitter.com/PwdRsch/status/1027313950478618624
– August 8, 2018

ME: Maybe ping your in-house legal counsel about whether GDPR applies to this data?
CLIENT (w/European customers): Not necessary, we're US-based.
ME: ...
ME: Then why even have legal counsel?
CLIENT: I know this. Not gonna bug him. If EU cares, they can sue us.
ME: ¯\_(ツ)_/¯
– March 1, 2018

Have had same device in my Amazon cart "save for later" area for 5 years. It was obsoleted by a new model last month. Upgraded.
– November 11, 2017

Whenever I look at the followers of an obvious bot, the "1 Follower you know" is always @AsteroidDay.
– November 19, 2018

Beware conventional/cargo-cult wisdom. https://www.nytimes.com/2015/08/25/upshot/no-you-do-not-have-to-drink-8-glasses-of-water-a-day.html

(Yes, this is an infosec metaphor) pic.twitter.com/9JEsn8upBY
– March 2, 2018

Conf organizers: I'm seriously tempted to boycott any conf that has more than one "keynote" speech. A true keynote provides a single point of thematic unity and interest.

If there are 8 "keynotes", your conference either has an identity problem, a speaker ego problem - or both.
– May 10, 2018

A *fantastic* crash course on the concepts, vocabulary, motives, and leverage points of dealing with credit reporting agencies. https://www.kalzumeus.com/2017/09/09/identity-theft-credit-reports/ [@patio11]
– September 10, 2017

For people who want to use the Pwned Password corpus in "top X") manner, here are the top 20,000 (35 not yet cracked, will update as I go). I do not recommend the list (as blacklist) beyond the top 20,000. Data also has obvious artifacts; use with caution: https://gist.github.com/roycewilliams/281ce539915a947a23db17137d91aeb7
– February 22, 2018

Perhaps the highest concentration of security wisdom ever assembled in a single tweet. https://twitter.com/thegrugq/status/1032328600047869952
– August 22, 2018

There is a special place in hell reserved for companies who force senior citizens to A) move to paper-only statements and B) give every statement the filename "Statement.pdf".
– December 31, 2017

Not enough. To rescue Android security fragmentation, OEMs & carriers should only be allowed to keep branding / bloatware while they provide patches. If patches stop, Google releases a clean replacement ROM - and OEM/carrier loses control of handset.

Never happen, of course. https://twitter.com/DaveKSecure/status/995122341276401664
– May 12, 2018

Hey, $‍website - if I've gone to the trouble of enabling your 12 Javascript dependencies, do something useful with that Javascript: switch focus to *the only field that requires input on the page* (password, 2FA code, yes/no/OK/cancel button ...)
– March 19, 2018

Another same-quad public recursive DNS - this one from @Cloudflare. (And since 1.1.1.1 is used in documentation & dummy/example configs, it should get some interesting traffic indeed!)

And if you've ever wondered who owns all the other same-quad IPs:https://gist.github.com/roycewilliams/6cb91ed94b88730321ca3076006229f1 https://t.co/qcLqDikZOH
– March 29, 2018

Yes! But at this writing, Chrome 69 does not support 'require-sri-for' unless you enable chrome://flags/#enable-experimental-web-platform-features (you'll see "The Content-Security-Policy directive 'require-sri-for' is implemented behind a flag which is currently disabled.") https://twitter.com/Scott_Helme/status/1040830165251588103
– September 15, 2018

"When you watch an advertisement, you are being attacked by a psyop with a goal to change how you are thinking and suborn your otherwise rational decisionmaking process." -@munin
– February 21, 2018

TFW you use both the meeting app's mute button *and* your phone's mute button, to doubly ensure any indelicate things said under your breath go unheard ...

... thereby making your un-mute process so complex that the other attendees think you're asleep at the wheel
– May 4, 2018

See more general information about me.

Back to Tech Solvency.