> Just think of all the nonsense you have to deal with in the name of "security."
Well, the good news is that everything you listed is known as a bad idea to both end users and people who understand security (which is, sadly, not most people who implement security policies).
Using 4 or more dictionary words provides excellent password security and you can do the same for all of your security answers too. There's a variety of free and paid-for password managers that solve the issue of trying to remember all your secrets (great for backing up 2FA secrets too).
I'm not sure what you mean by "complicated error messages" but I assume it's errors that they expect the user to fix themselves, otherwise they could return a generic nonspecific error and a unique ID for you to provide when you contact support to get help. While it sucks to get jargon spammed, I feel like it's pretty standard human ineptitude at explaining an error rather than anything specific to security. I also think it's how many people feel about any error message that contains computer jargon (PC LOAD LETTER!?!?).
> I often wonder how they get away with it all.
My thinking (and experience...) is that most organizations are failing at a lot of things at any given time, even if the business overall is successful. Security is just one of those things. I wouldn't be surprised at a small elite organization not following that trend, but any sufficiently large organization is going to have incompetent people doing incompetent things.
Is there actually some "professional consensus" on password reset policies (in form of report or journal article or something similar)? If someone could share, I'd love to refer to it in my org to stop resetting passwords every n months.
> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).
It has much to say on all kinds of other password nonsense:
> Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length. All printing ASCII [RFC 20] characters as well as the space character SHOULD be acceptable in memorized secrets. Unicode [ISO/ISC 10646] characters SHOULD be accepted as well.
> Truncation of the secret SHALL NOT be performed.
> Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret.
> In order to assist the claimant in successfully entering a memorized secret, the verifier SHOULD offer an option to display the secret — rather than a series of dots or asterisks — until it is entered.
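The quoted verifier rules (they are from NIST SP 800-63B) translate into a fairly short acceptance check. The following is an added example, not code from the thread or from NIST: a hypothetical verifier's check that permits long secrets, spaces and Unicode, never truncates, carries no composition rules, and only forces a change on evidence of compromise. The policy minimum, the 256-character ceiling and the blocklist contents are constructed for illustration.

```python
"""Memorized-secret acceptance check following the quoted verifier rules.

Added example (not from the original thread). Assumes a hypothetical verifier
that stores a salted, slow hash of whatever string is accepted here.
"""
import unicodedata

MIN_LEN = 8      # constructed policy minimum for subscriber-chosen secrets
MAX_LEN = 256    # constructed ceiling, well above the "at least 64" guidance,
                 # only there to bound hashing cost; the secret is never truncated

# Constructed stand-in for a lookup of known-compromised or context-specific values.
BLOCKLIST = {"password", "changeme", "example.com"}


def check_memorized_secret(secret: str, blocklist=BLOCKLIST) -> list[str]:
    """Return the reasons a secret is rejected; an empty list means it is accepted.

    Deliberately absent: composition rules ("must contain a digit"), truncation,
    a length cap near 64 characters, and any check on how old the secret is.
    """
    problems = []
    # Normalise so visually identical Unicode strings hash identically later.
    normalized = unicodedata.normalize("NFKC", secret)
    # Length counts code points after normalization; spaces count like any character.
    if len(normalized) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(normalized) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    # Printing ASCII, space and Unicode are all fine; only control characters
    # (Unicode general category C*) are refused, since they are never intended.
    if any(unicodedata.category(ch).startswith("C") for ch in normalized):
        problems.append("contains control characters")
    if normalized.lower() in blocklist:
        problems.append("appears in compromised/blocked list")
    return problems


def must_change(secret_age_days: int, evidence_of_compromise: bool) -> bool:
    """Rotation is required only on evidence of compromise, never on age alone."""
    return evidence_of_compromise


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "short", "Password", "a" * 100]:
        print(repr(candidate[:30]), check_memorized_secret(candidate) or "accepted")
    print("365-day-old secret, no compromise ->", must_change(365, False))
```

The one place a real deployment adds work is the blocklist: the guidance expects a lookup against breached-password corpora and context-specific values (the service name, the username), which this constructed set only sketches.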
> Using 4 or more dictionary words provides excellent password security
I would not call 44-48 bits "excellent". It works if there's a good password hash being used, but if someone left PBKDF on basic settings then a GPU might be able to do 50 million guesses per second, or for a plain old salted hash 50 billion guesses per second.
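To make the "44-48 bits" versus guess-rate argument concrete, here is an added example (not from the thread) that computes the entropy of a random word passphrase and the expected time to exhaust it at the two guess rates the comment gives. It assumes the attacker knows the word list and the word count, so the only secret is the random choice; the 2048-word list size is a constructed parameter (the BIP-39 list size) and both rates are taken from the comment above.

```python
"""Entropy and expected search time for random dictionary-word passphrases.

Added example, not from the original thread. Words are assumed drawn uniformly
at random, with replacement, from a list the attacker also has.
"""
import math

# Constructed parameters: a 2048-word list, and the two rates quoted above.
DICTIONARY_SIZE = 2048
RATES = {
    "weak PBKDF settings (50M/s)": 50e6,
    "plain salted hash (50G/s)": 50e9,
}


def passphrase_bits(words: int, dictionary_size: int = DICTIONARY_SIZE) -> float:
    """Entropy in bits of `words` words chosen uniformly at random."""
    return words * math.log2(dictionary_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the secret: on average half the keyspace is searched."""
    return 2 ** (bits - 1) / guesses_per_second


def words_for_target(target_seconds: float, guesses_per_second: float,
                     dictionary_size: int = DICTIONARY_SIZE) -> int:
    """Smallest word count whose expected crack time is at least `target_seconds`."""
    needed_bits = math.log2(2 * target_seconds * guesses_per_second)
    return math.ceil(needed_bits / math.log2(dictionary_size))


def crack_time_table(words: int, rates: dict = RATES) -> dict:
    """Expected crack time in days for each guess rate, keyed by the rate label."""
    bits = passphrase_bits(words)
    return {label: expected_crack_seconds(bits, rate) / 86400
            for label, rate in rates.items()}


if __name__ == "__main__":
    for n in (4, 5, 6):
        print(f"{n} words = {passphrase_bits(n):.1f} bits")
        for label, days in crack_time_table(n).items():
            print(f"   {label}: {days:,.2f} days expected")
    ten_years = 10 * 365.25 * 86400
    for label, rate in RATES.items():
        print(f"words for a 10-year expected search at {label}: "
              f"{words_for_target(ten_years, rate)}")
```

The numbers bear out the comment: four words from this list give 44 bits, which is about two days of expected search against a weakly configured PBKDF and minutes against a fast salted hash; the same list needs six words to push a fast-hash attacker past ten years. The point for a defender is that the hash configuration and the word count trade off against each other, so neither the "four words" rule nor the choice of KDF can be evaluated alone.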
Location: NYC
Remote: Preferred, but I'm willing to commute anywhere within a few hours if hybrid, less for always on-site.
Willing to relocate: No.
Technologies:
- penetration testing, architecture review, and code review of web and mobile applications across hundreds of projects and dozens of companies (from startups to FAANG and other Big Tech)
- various programming languages
- project and account management
Résumé/CV: (removed address and phone as this is a public forum) - https://hn-resume.nyc3.digitaloceanspaces.com/hn_resume.pdf
Email: hn_resume@blacksheepwall.com
I have ~8.5 years of experience as a security consultant and I would prefer to do more defensive/blue team work, but I'm fine doing offensive work or more consulting again. I'd also prefer to manage people because I enjoy it and I think I'm pretty good at it, but I don't mind being a pure IC.
While I am interested in being hired, I'm also very interested if anyone has constructive feedback for me about why they wouldn't hire me (no need to be gentle). I've only applied to a handful of jobs so far, and none have given me interviews or feedback, so I'm not sure why I don't appear appealing for roles I think I'm more than qualified for like Senior Security Engineer (Manager).
I think you can fix that incentive issue relatively easily by allowing people to choose the allocation arbitrarily after some sort of minimum tax, e.g.
The first $4 of your monthly sub is divided amongst all artists you listen to based on time spent listening, and any additional money you decide to add to your subscription is distributed to artists as you see fit. You can elect to use the same distribution algorithm as the first $4 of your subscription, use the same algorithm with different weights (e.g. your favorite artists' listen time is doubled before payout is computed) or you can choose to have an arbitrary percent of it go to whatever artists you want, even if you don't listen to any of their music. Spotify already has to have a payment engine to support paying all the artists anyway, generalizing it beyond fixed subscriptions seems like an organic way to address the issue of unfair income distribution if they were interested in doing so (I don't think they are).
In the above system, the issue of "don't listen to other artists" only comes up if you don't have enough money to give to the artists you want to support, no different than the incentives of "don't buy the CD of artist A or you won't be able to afford the CD of artist B, who you like and wish to support more."
- Way too much access to hardware: I wish browsers had less access to hardware due to privacy and security, and I don't know how low level the APIs get, but it's something you can play around with as a random person with a web browser, so that's neat.
I was hoping this post would have at least an implication that they knew how Brother worked internally and that they were somewhat certain that the company had virtually no innovation for most of their history or something insightful like that. But no. It's just some random person who was told to buy Brother printers and wanted to say something that sounds cool.
There's a lot of differences between the US and France that result in different suburb/city situations, but I think "white flight" and "redlining" cover a decent chunk of it:
recently though white flight (if we refer to the general progression of people to suburbs away from cities) is dominated by people of color. Suburbia is basically about as representative demographically as the rest of the country at this point.
Not sure how this is hooked up, but there can be quite a bit of heat generated if it's possible for people to print (lots of) fully black pages, like wasting someone's fax toner/ink but with a risk of fire.
Receipt printers are thermal and they print all day long.
Thermal printers use a thin wire that heats up in certain sections. The paper is heat sensitive. Funny though, I discovered you can erase a thermal image using a highlighter pen (at an old job where clerks had to highlight a section. Oops!)
The paper is probably more of a danger since thermal paper supposedly is loaded with BPA.
Recently bought that same printer on Temu for like $5 so this is very interesting.
Would love to connect it to something allowing me to control it remotely.
They're designed to be able to print solid black. Some printers even have an 'invert' mode which prints white on black. It doesn't look very good though (uneven), which is why it's rarely done.
The entry level for this group of goods is more expensive than you can afford, but it's not representative of the entry level of all cars, just Lucid's. You wouldn't say appetizers are something you can no longer afford just because there exists a restaurant that does not have any appetizers you can afford.
There aren't a lot of places where going into academia has significant opportunity cost (like for example, losing out on the prospect of a yacht paid for by reactjs work).
Phone -> Silence Unknown Callers is close, it'll only let callers in your contacts ring the phone, everyone else will be sent to voicemail (and still show up in call history so you can add them as a contact easily).
Also looks like you can set up external apps to maintain block lists and filter based on that rather than your address book, but nothing that would act as a concierge to prompt callers.
iOS 17 comes with a voicemail transcription feature. Not sure how useful that would be since I don't even remember when the last time I got a voicemail was, everyone just hangs up and sends a WhatsApp message (if anything) at least in my country.