Teddy Katz

@not_aardvark

Programming language design/security/formal verification enthusiast. Working on privacy (this is a personal account). May contain traces of nuts. he/him

Joined: September 2016

Tweets


  1. Pinned Tweet
    5 Nov 2019

    I wrote a blog post about that time I broke GitHub's OAuth flow

  2. Retweeted
    4 Feb

    You are building a tabulation system on the critical path of human history. Do you: a) Have your decent public university CS dept build an open-source solution and ask for public review? b) Pay the lowest bidder and keep it secret from election security experts?

  3. Retweeted
    20 Jan
  4. Retweeted
    7 Jan

    Anyway, back to SHA1. It’s really heartening that CAs have been forced to actually upgrade this time. That’s why they had to run this attack on (janky) PGP WoT and not something that matters. This is good news!

  5. Retweeted
    11 Dec 2019

    My 4yo son has been asking about how each day went at work, and I always try to explain. The other day he asked, "Daddy, why do the computers break all the time? Can you make them not break?" ... And it's just just it's hard and we're really trying

  6. 23 Nov 2019

    New blog post about an account takeover bug. This one took a while to figure out

  7. 12 Nov 2019

    How I accidentally took down GitHub Actions

  8. 29 Oct 2019

    The .new TLD, aka "the ICANN-approved enterprise-edition URL shortener"

  9. Retweeted

    Text Rendering Hates You, a random collection of weird problems you need to deal with when rendering text:

  10. 26 Sep 2019

    (And if you can, start supporting U2F/WebAuthn on your site so that this whole space becomes less of a mess.)

  11. 26 Sep 2019

    You should be able to change your 2FA settings/scan a new TOTP code without disabling 2FA entirely as an intermediate step. This is particularly true if disabling 2FA will result in your account immediately getting kicked from something on the site due to a 2FA requirement.

  12. 26 Sep 2019

    If you do invalidate backup codes, you should make it explicit that the old codes won't work. When you give people backup codes to download, include a timestamp in the file so that they can tell which set of codes is newer.

  13. 26 Sep 2019

    If your site supports multiple forms of 2FA (e.g. TOTP and backup codes), you should be able to change or view your TOTP secret without also invalidating your backup codes. Managing backup codes is a pain, and I don't want to be worried about lockout from storing outdated codes.

  14. 26 Sep 2019

    I just did the "got a new phone, reset 2FA for dozens of accounts" ritual. Some thoughts about desirable UX for 2FA settings:

  15. Retweeted
    15 Sep 2019

    welcome to computer security world, where the best advice you can give is to install a password manager, and all the password managers suck

  16. Retweeted
    27 Aug 2019

    I blogged about plugin/extension system design

  17. Retweeted
    16 Aug 2019

    I avoid password re-use by getting a new pet and naming each one a random 32-character string. But my house is overrun with cats.

  18. Retweeted
    16 Aug 2019

    On Monday (August 19th), the ESLint team will release a fix for a security issue. The issue affects users that run ESLint on untrusted code (e.g. websites that lint a project's code as a service). More details about the issue will be available when the release is published.

  19. Retweeted
    4 Jul 2019

    we understand fault tolerance in terms of properties of the system: we build things that are robust in the face of network partitions, unexpected load, and so on. but it seems like incredibly bad engineering to build systems that only work if the designer never made a mistake.

  20. 25 May 2019

    This isn't an easy problem to solve. But something needs to change, because having so many major organizations using vulnerable software isn't sustainable. We have an obligation to protect users from security problems, and that includes making sure they can always easily update.

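The 2FA-settings thread above (items 10 to 14) argues that a site should let a user rotate a TOTP secret without switching 2FA off in between, should not invalidate backup codes when the TOTP secret changes, and should timestamp backup-code downloads. The following is an added example of one way to build a settings model with those properties; it is not code from the author of the feed or from any site he mentions. The class, method and field names, the backup-code format, the hashed storage of backup codes and the replay counter are this example's own assumptions.

```python
"""Added example: a 2FA settings model that rotates a TOTP secret in two steps and
keeps backup codes independent of it.  Class, method and field names, the backup-code
format and the storage choices are this example's own assumptions."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import List, Optional, Set


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps, 6 digits), as authenticator apps compute it."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _code_hash(code: str) -> str:
    # Backup codes are stored hashed; the plaintext exists only in the file shown once.
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class TwoFactorSettings:
    totp_secret: bytes                               # the only secret accepted at login
    backup_code_hashes: Set[str] = field(default_factory=set)
    backup_codes_issued_at: int = 0                  # unix time of the current code set
    pending_totp_secret: Optional[bytes] = None      # staged by a rotation, never valid at login
    last_accepted_counter: int = -1                  # rejects replay of an already used TOTP code

    def begin_totp_rotation(self) -> str:
        """Stage a fresh secret; 2FA stays enforced with the old secret until confirm succeeds."""
        self.pending_totp_secret = secrets.token_bytes(20)
        return base64.b32encode(self.pending_totp_secret).decode()   # what the new QR code carries

    def confirm_totp_rotation(self, code: str, now: int) -> bool:
        """Swap secrets only once the user proves the new app produces valid codes."""
        if self.pending_totp_secret is None:
            return False
        if not hmac.compare_digest(code, totp(self.pending_totp_secret, now)):
            return False
        self.totp_secret = self.pending_totp_secret
        self.pending_totp_secret = None
        # Backup codes are deliberately untouched: rotating one factor does not revoke the other.
        return True

    def verify_login(self, code: str, now: int, step: int = 30) -> bool:
        """Accept a fresh code from the active secret (one step of skew) or an unused backup code."""
        for skew in (-1, 0, 1):
            counter = (now + skew * step) // step
            if counter <= self.last_accepted_counter:
                continue                              # a code for this step was already used
            if hmac.compare_digest(code, totp(self.totp_secret, counter * step)):
                self.last_accepted_counter = counter
                return True
        h = _code_hash(code)
        if h in self.backup_code_hashes:
            self.backup_code_hashes.discard(h)        # each backup code works exactly once
            return True
        return False

    def regenerate_backup_codes(self, now: int, count: int = 10) -> str:
        """Issue a new set and return the download; the header says when it was generated."""
        codes = [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}" for _ in range(count)]
        self.backup_code_hashes = {_code_hash(c) for c in codes}
        self.backup_codes_issued_at = now
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
        header = (f"# Backup codes generated {stamp}\n"
                  "# Any backup codes downloaded before this time no longer work.\n")
        return header + "\n".join(codes) + "\n"


def codes_from_file(text: str) -> List[str]:
    """Parse the non-comment lines of a downloaded backup-code file."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]


if __name__ == "__main__":
    t0 = int(time.time())
    s = TwoFactorSettings(totp_secret=secrets.token_bytes(20))
    backup = codes_from_file(s.regenerate_backup_codes(t0))
    s.begin_totp_rotation()                           # user scans the new secret on the new phone
    assert s.verify_login(totp(s.totp_secret, t0), t0)                  # old phone still logs in
    assert s.confirm_totp_rotation(totp(s.pending_totp_secret, t0), t0)
    assert s.verify_login(backup[0], t0) and not s.verify_login(backup[0], t0)
    print("rotated TOTP secret; unused backup codes:", len(s.backup_code_hashes))
```

The point of the two-step rotation is that there is never a moment when the account has no second factor: the old secret keeps working until the new one has produced a valid code, so a site-side 2FA requirement is never tripped. Backup codes live in their own field and are only replaced by an explicit regenerate call, whose download header carries the generation time so that two saved files can be told apart. The replay counter is a separate caveat the thread does not raise: without it, a TOTP code observed once can be reused for the rest of its 30-second step.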
