Sumana

Free digital security checkups for people/organizations concerned about the incoming US government

2024-11-12T16:51:25Z

My friend Jacob is offering:

Free digital security checkups for people/organizations concerned about the incoming US government

Anyone is eligible for this - whatever your concern.

Whatever form any sort of resistance takes, it’s going to need to rest on a foundation of security and private communication. I’ve spent nearly twenty years working in the security industry, including actual experience protecting against nation-state-level adversaries. I’d like to use those skills and that experience to help those most at risk from the incoming regime (and the vigilante hangers-on that surround it).

So, if you — as an individual or a group — want to re-assess your digital security posture, I’d like to try to help. I’m offering free digital security check-ups to anyone who feels like they need it now. We’ll talk through your current digital security practices and review the risks that worry you, and I’ll give you some suggestions about practices and tools that might help. If needed (and my availability permitting), we can schedule follow-up time for some hands-on walkthroughs and tutorials.

comments

Excised from elsewhere, on trust

2024-01-08T16:19:33Z

I'm writing a blog post over at my name blog about how open source maintainers can think about trusting new co-maintainers, what that trust entails, how to check for trustworthiness, etc. I was writing this bit, and then a friend reminded me that including something about sex in this piece would mean that she could not share it in her starchy workplace. So I'm saving it here instead, and will replace it with an analogy that won't raise as many eyebrows.

...some intake processes concentrate quite a lot on checking for trustworthiness, specifically for the candidate's capacity to be a responsible colleague and take criticism well.....

In the subculture of people who engage in nonmonogamy or other alternative sexual experiences together, "vetting" is sometimes informal, but sometimes groups do require new members to go through a formal process. This Bay Area-based group's application asks whether any existing group members have endorsed the candidate's application, and asks questions like
How do you know when someone consents to an experience you invite them to share with you? What information do you look for and how do you seek it out?
In Bonobo, we understand that people may make mistakes, cross other people's boundaries, or just impact one another without necessarily realizing it. But we also expect that people will own up to their impacts and mistakes, and take responsibility for them. Tell us about a time you crossed someone's boundary and took responsibility for it. What happened, how did you respond when you realized you crossed their boundary, and how did you deal with it after that?

https://www.bonobonetwork.com/apply
vetting, asking them to think about their values (Oakland play application), asking for references,.....

comments

Dreamwidth is working on two-factor auth

2023-01-02T20:33:16Z

~~Dreamwidth has now added two-factor authentication, though~~ ~~the FAQ doesn't mention it yet~~. [see January 3rd edit below]

You can go to "Account Settings" and check under the "Account" tab -- under "Password" is "Two-Factor Authentication".

Dreamwidth's 2FA implementation, as with most sites, depends on you having one of those standard apps on your phone or computer that generates one-time 6-digit passcodes, like Google Authenticator or Authy. (The jargon for this is TOTP: Time-based one-time passwords.) Once you do the setup and turn on 2FA in your Dreamwidth account, then your login is more secure, because having your password isn't enough to let someone log in to your account -- they also have to have access to your computer or phone.

Since it's not in the FAQ and wasn't mentioned in any of the recent code tours I think this feature might be in beta. I am subscribed to a GitHub issue where I might learn more.

EDITED A FEW HOURS LATER TO ADD: I just tried logging out and in again and the site didn't demand a 2FA code. So I don't know whether this feature actually works right now.

EDITED 3 JANUARY TO CHANGE TITLE: Changed the title of this post from "Dreamwidth has two-factor auth now (in beta?)" to "Dreamwidth is working on two-factor auth". Per this GitHub comment, the 2FA feature is not yet actually functional.

comments

Switch from LastPass to another password manager

2022-12-02T05:31:21Z

Bad news about the LastPass password manager: https://blog.lastpass.com/2022/11/notice-of-recent-security-incident/

We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.

My friend Jacob writes:

This is your regular reminder that if you're still using LastPass you should, uh, stop that.

It's not just this one incident; they've had a series of terrible incidents & appear to learn nothing. Eg: E2E encryption is littered with bugs and has been broken/bypassed repeatedly. The master key is accessible by the sever. Malicious plugins can exfil your master password. The support forum (phpbb) somehow knows your master password. And more.

This isn't about scorning; LastPass is actively unsafe and people need to not use it.

He and others recommend 1Password (paid, USD $34/yr) -- there are also other recommended alternatives in that thread.

comments