pallas's recent activity
-
Comment on Phishing tests, the bane of work life, are getting meaner in ~tech
-
Comment on Phishing tests, the bane of work life, are getting meaner in ~tech
pallas (edited)
> The simulated emails look just like an attacker email would. They're marked as external emails from our email filtering system, they come from an outside domain, if you hover over the links in them (which we train users to do), they direct users to domains that we don't control.
As others have noted, this is a significant part of what makes a good phishing test. It's also very far from what many people receive.
For comparison, the phishing tests I receive at a Microsoft-handled university email are not even actual emails sent through the mail server. They don't have valid headers; they're just put into my inbox directly. The links in them go to Microsoft-registered domains, with valid Microsoft certificates, on IPs that are validly Microsoft's. When I first received one, I spent the morning assuming that our email system had been compromised.
The emails linked to a typical user-and-password collection scheme. It appears to be connected to a short training course that teaches users to ignore SSL certificates, and instead judge whether a domain asking for a username and password is valid by whether it has "onmicrosoft" in the domain name; rather unusual advice when the university's mail system also mangles all links in emails so that most users can't actually see the URLs.
I now just have my email client route emails that don't have any Received headers to a special spam folder.
Meanwhile, the actual phishing scams we get are usually impersonation-based emails that try to route the users onto phone calls, texts, or an email conversation, usually with the goal of getting fraudulent payments made. They don't involve links at all. And of course, there is no IT training about this at all, despite it actually being a problem for some of our staff.
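The two checks in this comment, routing anything that carries no Received: header away from the inbox and looking at where a message's links actually point, as an added illustration that is not the commenter's own client configuration. It assumes the organisation's domain is example.edu and builds two constructed messages inline: one that passed through two mail transfer agents, and one injected straight into the mailbox with a link to a lookalike domain outside the organisation.

```python
"""Mailbox routing rule: messages with no Received: header are quarantined,
and link hostnames are compared against the organisation's own domains.

Added example; the organisation domain and both messages are constructed.
"""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: these are the organisation's own domains (constructed value).
ORG_DOMAINS = {"example.edu"}

# Constructed sample: a message that really traversed two MTAs, so it carries
# one Received: header per hop (folded continuation lines start with a tab).
REAL_MESSAGE = b"""\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.edu with ESMTPS id abc123; Mon, 3 Feb 2025 09:00:00 +0000
Received: from sender-host.example.org (localhost [127.0.0.1])
\tby mx.example.org with ESMTP id def456; Mon, 3 Feb 2025 08:59:58 +0000
From: Alice <alice@example.org>
To: bob@example.edu
Subject: Lunch
Content-Type: text/plain

See you at noon.
"""

# Constructed sample: written directly into the mailbox, so there is no
# Received: trail at all, and the call-to-action link leaves the organisation.
INJECTED_MESSAGE = b"""\
From: IT Helpdesk <helpdesk@example.edu>
To: bob@example.edu
Subject: Action required: verify your account
Content-Type: text/html

<html><body><p>Your mailbox is full.</p>
<a href="https://example-edu-login.example.net/verify">Verify now</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects href targets of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def parse(raw: bytes):
    """Parse an RFC 5322 message with the modern (EmailMessage) policy."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def received_hops(msg) -> int:
    """Number of Received: headers, i.e. MTA hops the message records."""
    return len(msg.get_all("Received", []))


def link_hosts(msg) -> list:
    """Hostnames of every link in the message's HTML parts, lower-cased."""
    hosts = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href in collector.hrefs:
                host = urlparse(href).hostname
                if host:
                    hosts.append(host.lower())
    return hosts


def external_link_hosts(msg, org_domains=ORG_DOMAINS) -> list:
    """Link hosts that are neither an org domain nor a subdomain of one."""
    def is_internal(host):
        return any(host == d or host.endswith("." + d) for d in org_domains)
    return [h for h in link_hosts(msg) if not is_internal(h)]


def route(raw: bytes) -> str:
    """Folder decision: no Received: header means the message never passed
    through the mail server, so it goes to a dedicated quarantine folder."""
    msg = parse(raw)
    if received_hops(msg) == 0:
        return "quarantine:no-received"
    return "inbox"


if __name__ == "__main__":
    for label, raw in (("real", REAL_MESSAGE), ("injected", INJECTED_MESSAGE)):
        msg = parse(raw)
        print(label, route(raw), received_hops(msg), external_link_hosts(msg))
```

The Received: check is a property of the delivery path rather than of the content, which is why it catches a simulation written directly into a mailbox while leaving genuinely relayed mail alone; the link-host comparison is the programmatic form of the hover-over-the-link habit and works even when the visible link text has been rewritten, as long as the raw href is still available to the client.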
-
Comment on UK orders Apple to let it spy on users’ encrypted accounts in ~tech
pallas
That is at least restricted to their jurisdiction. This demand is for global reach, which seems absurd and likely to result in insurmountable legal conflicts: can Apple comply with data privacy laws in other countries, for example, while also giving the UK a back door even to data stored in those countries?
Surely if China demanded that Apple give it access to UK users' data, stored in the UK, and unrelated to China, the UK government would decry that as abusive and unacceptable. Yet that appears to be exactly what the UK is demanding.
-
Comment on How to cook the perfect boiled egg, according to science in ~food
pallas
> Or simply buy this and never think about it again.
That's just a fundamentally different cooking method, with different goals. It cannot cook the yolk and albumen uniformly to two different temperatures, as this method does.
-
Comment on How to cook the perfect boiled egg, according to science in ~food
pallas
What they are trying to replicate is a much more complicated technique, involving deconstructing the egg, cooking the yolk and white separately, and putting them back together into an egg.
However, it does not appear that they did a systematic search on the timing parameters here, or any optimization on them. It seems possible that simpler or faster parameters could be found that would work, and that there could be a tradeoff in complexity vs transition sharpness/uniformity.
-
Comment on How to cook the perfect boiled egg, according to science in ~food
pallas (edited)
The actual paper is open access, and available here.
This is a research paper on an interesting question of how to cook the albumen uniformly to 85°C, while cooking the yolk uniformly to 65°C, with a sharp transition between them. This is not achievable with a constant external temperature source: the transition won't be sharp enough, so you'll either overcook the yolk, or not get all of the albumen to set.
The method is not intended to be a method that is practical for common domestic use, and comparing it doesn't really make sense. It's instead competing with modernist techniques where it is actually significantly more practical, for example separating the yolk and albumen, cooking them separately (but in compatible shapes), and putting them back together. By comparison, a 32 minute cooking time, transferring eggs between two water baths at 2 minute intervals, is quite easy.
-
Comment on Right to root access in ~tech
pallas
> applications will refuse to run on any modified system.
An insidious problem with that, too, is that the applications will often not be honest about refusing to run; instead, they'll claim network problems, or temporary failures, or just not work, and sometimes will do so inconsistently. I had to stop using GrapheneOS when FreeNow suddenly just stopped actually calling taxis, while I was trying to get to the airport in a city where taxis simply can't be hailed without a smartphone in practice.
That standard corporate security practice often involves lying now is quite disappointing.
-
Comment on What are everyone’s favourite pens and stationery items? in ~creative
pallas
To give an unusual answer: over the last several months, I've stopped regularly using any of my other fountain pens, and have entirely switched to vintage safety fountain pens.
"Safety" is an odd term for them. In a safety pen a retraction mechanism makes it so that, when closed, the nib is actually in the ink reservoir, entirely, and the reservoir is fully closed. In some sense, this maybe makes it less likely to leak if shaken very strongly, something that seems unlikely. It comes with the downside that, if opened improperly, it will dump the ink out.
But the real advantage is that it is completely reliable. The ink never dries out, and the nib never dries out: there are stories of pens being found on fallen soldiers in European battlefields that are still usable with the ink that had been put in them at the time. When opened, the nib is always in the same state, and writes consistently. There are also models with the sorts of flexible nibs that simply aren't produced today.
-
Comment on Soldering irons/stations - Buy once, cry once advice needed in ~hobbies
pallas
I have a nice Hakko somewhere, which cost significantly more than my Pinecil. I'm not actually sure where it is, however, as the Pinecil is simply useful enough that I haven't needed to find it.
Since I already carry a large enough USB C power supply for my laptop, and often have a battery pack with me, I can carry the Pinecil in a bag about as easily as I can carry a pen and use it, even if I'm not planning on doing any soldering, which makes it even more useful.
It may be 'not as good' in some ways, but the advantages that these sorts of cheap modern devices have over more traditional ones shouldn't be ignored.
-
Comment on I hate 2FA in ~tech
pallas
In principle, they can just ask for consent at the time to use it for other purposes, and I have seen instances of that; it does mean that you can be at least somewhat confident they won't do so unless you check a box, at least, though they will sometimes, a bit more dubiously, put that box (unchecked) in a list of things like "I agree to the ToS".
In practice, they can try sketchier things, like the 'pay or OK' tactic (pay us or consent to everything if you want to see our site). And even if they just ignore the GDPR on a point like this, enforcement is dependent on who they are and where they are; they could be in a country with a strict DPA and find themselves quickly fined, or they could be in a country where the DPA really doesn't care.
-
Comment on Need a haircut (a good one) in ~life.style
pallas
> Made to order will be in the 500-1500 range. Do not do the online ones. They’re all a scam.
I'd argue that online ones are not necessarily all scams, but in order to not be scammed, you'd have to know enough about tailoring, the industry, and measuring and fitting, that anyone asking for basic help like this would get scammed if they tried to go the online route.
Prices are rather dependent on location; I feel like currently, for, eg, London or other major city prices, it would be more around double the prices you list for each of those categories (with the exception of Savile Row itself, where both bespoke and mtm prices are significantly higher than double those prices, and at that point you're really paying more for the name; those higher prices interestingly don't extend even to Jermyn Street).
-
Comment on Need a haircut (a good one) in ~life.style
pallas
> The suit just needs to be tailored. You can get a great looking suit from men's warehouse if they have a proper sales person who takes your measurements, holds the garments for their tailor, and helps you pick pieces that look good on you.
To add to this: I'd emphasise that getting the tailoring right is very important, and the person doing the measurements and fittings, and deciding on what to tell the tailor to do, is equally if not more important than the tailor doing the actual alterations. Finding a person who does a good job can be a challenge, but is important. There are limits to how far a suit can be altered, so looking around for a company that makes suits that already fit you at least somewhat well can be helpful.
I'd also argue that in terms of how you appear, especially when they are reasonably new, an extremely good fit is more important than quality of construction or materials, above a rather low bar (some cheap polyester, for example, is going to look bad regardless). While it is dependent on how well-suited the base size is to you, when I buy ready-to-wear suits, the amount I spend on tailoring and alterations can be comparable with the price of the untailored suit.
I wear a mix of bespoke, made to measure, and well-tailored ready-to-wear, and it is specifically some of the RTW that gets the most positive comments, even from people in the men's fashion industry. The suits are not nearly as well-constructed as some of my much more expensive ones, they aren't necessarily as comfortable, and they don't last as long, but they look very good, and that is entirely from how well they fit me.
Also: shirt alterations are much rarer than suit alterations. Bespoke shirtmakers usually don't alter shirts at all: they do fittings by making a shirt, doing a fitting, and then making a new shirt based on that fitting for the next fitting, until they have them right. However, when wearing a suit, shirt fit can be less important: sleeve length matters, but can be adjusted with bands if necessary, the shirt front needs to look reasonable, and the collar needs to fit, but most everything else is hidden by the suit.
-
Comment on I hate 2FA in ~tech
pallas
> Phone numbers/emails are recognized as a terrible way to do 2fa.
That assumes the point of 2fa for these companies is to secure accounts, not to get contact information.
-
Comment on I hate 2FA in ~tech
pallas
> This is partly the reason why NIST(I think?) recently decided to remove this recommendation from their standards.
Periodic password changes have had a SHOULD NOT recommendation from NIST for at least a decade or two. The recent proposed change was to make it SHALL NOT.
Considering that, the number of state and federal agencies in the US that require periodic password changes, often saying it is a federal government requirement, is infuriating.
-
Comment on I hate 2FA in ~tech
pallas (edited)
> Yes, it's a mild annoyance, but it provides enough additional security to justify it (imo).
It is not a mild annoyance when it is implemented poorly. And unfortunately, it is often implemented poorly. Then, when people complain about those poor implementations, they generally get responses like yours about how the security is so important that it is necessary "regardless of convenience".
I have students who need to enter a 2FA code every time they log in to their student accounts for their classes. The system also has an automatic logout set at around ten minutes. Students can easily need to enter codes dozens of times per day, for a single site. (Edit: unrelated to 2fa, but as another frustrating security implementation: the automatic logout has no warning or notification. The only way students know they have been logged out is when, for example, they submit the written responses to questions they have been entering, or the comment they have been making in a class forum, and the system instead unrecoverably discards everything they have entered, and asks them to log in again.)
I have one account that nominally requires a new code every 14 days. In practice, it is at least every 14 days, per device, per program, but then also has some significant chance of needing one whenever a device switches networks. I need to enter a code at least a few times a week for that account in order to keep that email working. At one point it seemed they might even restrict 2fa to only Microsoft Authenticator, at which point I had to demand that they at least continue to support the hardware keys I was already using (fortunately, they ended up keeping both hardware key and totp support).
I have another account that just doesn't allow 2fa settings to be updated, at all. I have no way of updating to another 2fa method. At this point I now need to use a recovery code every time I log in.
I have yet another service where I've simply not been able to log in since they switched 2fa on, because they use email-based 2fa, and they simply don't send them to my email address (not a spam filter problem, or anything else: they never even connect to my SMTP server).
Then I have multiple services that require 2fa on every login, and only support SMS 2fa. Why!? It's well known this isn't secure.
I'm strongly in favor of 2fa. I use hardware keys quite often myself. And many services, especially in tech, do a good job implementing it. But in many cases where users are complaining about 2fa, it is the result of bad implementations, and those implementations can go far beyond mild inconvenience.
-
Comment on The Just World Cultural License—a copyleft license to make the world a better place in ~creative
pallas
> CC non-commercial, there's one hard question you may need to answer.
And even with that one hard question, CC-NC seems like it's a dangerous non-free license, often used by people who want to seem open without being open. I'm reminded of claims like 'ordering a 3d print of my NC model from a printing company rather than printing it yourself is an NC violation'.
This license would be far worse.
-
Comment on Thousands of Americans see their savings vanish in Synapse fintech crisis in ~finance
pallas
I'm not really sure. A fund itself becoming insolvent is bad, and is something that wouldn't be covered by any insurance, including SIPC. But I'm not sure the extent to which funds created by a larger company are affected by the larger company's insolvency: I think that there is a separation of assets or potentially legal entities involved such that the fund's assets would not be part of the insolvency.
-
Comment on Thousands of Americans see their savings vanish in Synapse fintech crisis in ~finance
pallas
> the legal basis of their claim to pass through the FDIC insurance from the partner banks was invalid.
That doesn't appear to be the case. The legal claim to pass through the FDIC insurance was valid. See here, or here, for example.
The coverage would have covered the bank (Evolve) becoming insolvent, and would have done so using Synapse's records of the balances for each customer (since the accounts were pooled). In principle, Synapse becoming insolvent would have no effect on customer assets, and would not need insurance, because Synapse would be depositing the entirety of customer deposits into Evolve, and those assets would not be Synapse's or vulnerable in insolvency. But what was not covered was the case where Synapse didn't actually deposit the entire amount into their account at Evolve, and didn't keep good enough records of what amount actually belonged to each customer in the pooled account.
I came into this thinking that it was a set of completely sketchy companies making fraudulent or at least very misleading claims about FDIC coverage, with the FDIC having no involvement. Instead, it appears that while the FDIC may be legally correct here, it may be the FDIC that allowed their insurance to be both handled and advertised by intermediaries in unsafe and misleading ways.
-
Comment on Thousands of Americans see their savings vanish in Synapse fintech crisis in ~finance
pallas (edited)
Yotta might not have directly, but it appears that Synapse was pooling money into a (potentially single) FBO / for-the-benefit-of account with Evolve. This post seems to suggest that, as does this one. Thus Evolve, at least, did not have accounting of what money was in the account of which end-user: Synapse was supposed to keep track of that, and that seems to be a major part of the problem.
Edit: Hmmm... after looking at this a bit more, I'm not entirely convinced that this situation is as it seems, and that the FDIC has no involvement or responsibility at all. It appears that the FDIC has a pass-through system such that it does cover deposits of customers of non-banks that the non-banks put in FDIC-insured FBO accounts at banks, and that coverage is per-customer, even when the accounts pool customer assets (see here and here). That coverage would be based on which assets in the covered account belonged to which individual customers, according to the records of the fintech/non-bank. This would mean that both Synapse and its clients like Yotta were not lying, or even being misleading, when they said the accounts were FDIC insured.
The problem here is that because Synapse's records didn't make sense and didn't have the same total as the amount in the FBO account, that's a specific failure mode that isn't covered by the FDIC, even though the FDIC did nominally cover those accounts, using Synapse's records, not Evolve's. It appears that the FDIC recognizes this is a problem, and is making rules changes to ensure banks have direct access to non-bank records of individual customers.
-
Comment on Thousands of Americans see their savings vanish in Synapse fintech crisis in ~finance
pallas
> For FDIC to say it's not their problem seems crazy to me.
It's worth noting that FDIC insurance is actual insurance, not a government-funded coverage program. Member banks pay insurance premiums. Synapse was not a member, and it appears that they didn't actually put all their customer deposits into the bank accounts they were supposed to put them in (where they would have been FDIC-covered). So the FDIC has a reasonable argument that they shouldn't be expected to cover the failure of a non-bank that wasn't paying premiums.
When the consequence is needing to do a 5-15 minute online video/text course, and nothing else, I'm not sure how important it is to avoid overreaching.
I found it obnoxious when the obviously-fake (not even real emails with valid headers) tests used at our university, to a department with some security researchers, counted going to the link via Tor in a VM as failing the test. But ultimately, spending 5 minutes watching a course wasn't that bad, and it was good to know the bad advice being given in it.