Posts

Not everyone will miss Ross Anderson. Ross was not afraid to speak truths that made people uncomfortable. His ideas and arguments threatened the beliefs, status, power, ego, and bank balances of others — often those with power. His writings and talks undermined proponents of hardware attestation, chip-and-pin authentication, and surveillance, to name just a few. Many of those threatened by what Ross had to say professed to be faithfully working to serve the public....

The US government’s latest recommendations acknowledge that password composition and reset rules are not just annoying, but counterproductive. The story of why password rules were recommended and enforced without scientific evidence since their invention in 1979 is a story of brilliant people, at the very top of their field, whose well-intentioned recommendations led to decades of ignorance. These mistakes are worth studying, in part, because the people making them were so damn brilliant and the consequences were so long lasting....

Getting people’s pronouns right is a struggle when attending large events, even when those running and attending the events care about gender inclusivity. When I watch others struggle with pronouns at these events, it’s both a relief that I’m not alone and a disappointment that we are all so bad at this. Even in 2023, most events I attend don’t even have pronouns on name tags.1 Even when they do, we can rarely read someone’s third-person pronouns off their name tag when we need them—we use those third-person pronouns when speaking about them to others....

Mastodon’s current option for embedding posts (“toots”) on other websites is inefficient, inflexible, and insecure.1 It embeds posts via an iframe element which loads over a megabyte of content and scripts from the Mastodon server. That iframe gives those scripts full control over your webpage.2 You, the embedder, get no control over how the content is rendered on your page. Important content can be cropped out of view, as journalists have complained when trying to embed toots....

Before creating that dating profile… Consider that you might be travel outed (or trouted) The makers of dating apps mostly present ‘safety’ as a matter of managing the risks of interacting with matches online and in person, and not the risks of trusting an app to facilitate this process. Whether it’s safety guidance of Tinder 📄, Bumble 📄, Hinge 📄, Grindr 📄, or Feeld, the advice they offer focuses on these risks that exist whether you use an app or not....

Reviewing other’s work for the purpose of scoring it does not advance science. Scoring work does not help authors improve it. Scoring does not help a work’s audience understand the work, identify its limitations, or evaluate its credibility. Scoring does, however, undermine our objectivity as peer reviewers because scoring activates our biases. We are predisposed to like works that are familiar in approach, language, and style to our own work; we trust results more easily when they confirm our existing beliefs and hopes....

I’ve started self-hosting all my blog posts to wean myself away from commercial platforms. I wanted to support discussion, but didn’t want all the code infrastructure to support them. My blog is a static website. I wanted to keep it simple. But, I did want people reading my blog to feel invited to discuss articles and to see others’ discussing them. What I realized I really wanted was for my blog to mirror the discussion about an article that follows my announcement of the article on (non-commercial) social media....

Would you try a new medication recommended in an article titled ‘Why You Need an Antidepressant’ that earns its publisher a commission each time someone clicks on a link to purchase the recommended product? I’d hope not. Yet, much of the news media openly collects commissions for recommending less-regulated products with surprising potential hazards. Consider password managers. The New York Times has, in fact, published an article with the headline ‘Why You Need a Password Manager....

I cringe when I hear self-proclaimed experts implore everyone to “use a password manager for all your passwords” and “turn on two-factor authentication for every site that offers it.” As most of us who perform user research in security quickly learn, advice that may protect one individual may harm another. Each person uses technology differently, has a unique set of skills, and faces different risks. In case you haven’t received this advice, or didn’t understand what it was, Password managers are programs that remember passwords for you, along with the email address or other user identifier you use for each account**....

Many online accounts allow you to supplement your password with a second form of identification, which can prevent some prevalent attacks. The second factors you can use to identify yourself include authenticator apps on your phone, which generate codes that change every 30 seconds, and security keys, small pieces of hardware similar in size and shape to USB drives. Since innovations that can actually improve the security of your online accounts are rare, there has been a great deal of well-deserved enthusiasm for two-factor authentication (as well as for password managers, which make it easy to use a different random password for every one of your online accounts....