@Viss Huh, I had never really thought about how that would work if it didn't traverse the same inbound email path as everything else without special handling. I don't mean to pry, but I'd be interested in learning about that!
tychotithonus@infosec.exchange
Posts
-
What a misleading and deliberately inflammatory title.
@Viss I mean, to be fair, if your goal is to track which people click on the thing, the thing has to go through. They're testing a different layer of the controls, so to speak.
Though I am not personally a fan of that -- it feels like "gotcha infosec" when done wrong, and it usually is, and I usually recommend people take that money and spend it on phishing-resistant MFA instead - I do see why it needs a clear path inward to test what it's testing for.
-
What a misleading and deliberately inflammatory title.
I am incensed. Public communication matters.
Your Password Needs To Be 25 Characters or Longer Due to AI and Quantum Attacks
Prior to my further research into AI and quantum for my latest book, How AI and Quantum Impact Cyber Threats and Defenses, I had pretty solid password...
(blog.knowbe4.com)
-
I am being daft or does Claude really only give "magic link" sign up options?
Ah, sure. My reply to that, as always, is:
The SSO Wall of Shame
A list of vendors that treat single sign-on as a luxury feature, not a core security requirement.
The SSO Wall of Shame (sso.tax)
-
I am being daft or does Claude really only give "magic link" sign up options?
Why not just make it opt-in?
-
I am being daft or does Claude really only give "magic link" sign up options?
The fact that Anthropic closed (as a WONTFIX) this request for adding TOTP to the Claude email magic link flow, locking the thread with no commentary ... speaks volumes, unfortunately. I'm not getting strong "for the benefit of humanity" vibes.
Again, why would someone want to make sure that if their email box got pwned ... all of their LLM context was still safe?
Auth: Add 2FA requirement to magic link login flow · Issue #12480 · anthropics/claude-code
Summary Add 2FA (TOTP) verification requirement to magic link login when users have mfaPreference.twoFA enabled, matching the security of password login. Current Behavior Password login (post-login-password.ts) checks mfaPreference.twoFA...
GitHub (github.com)
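The control the linked issue asks for is easy to state but worth seeing end to end: a magic link only proves control of an inbox, so when the account has a second factor enabled the link must not complete login on its own. The following is an added example written for this page, not code from Anthropic or the claude-code project. It assumes a hypothetical in-memory user store whose records carry an `mfaPreference.twoFA` flag (the field name is taken from the issue summary; everything else, including the `issue_magic_link` and `complete_magic_link` functions, the pending-link table and the constructed user records, is assumed). TOTP is implemented per RFC 6238 (SHA-1, 30-second step, 6 digits), and the secret for the constructed user is the RFC test-vector key so the expected codes are known.

```python
import hmac
import hashlib
import secrets
import struct
import time

# Constructed user records for the example (hypothetical store).
# "mfaPreference.twoFA" mirrors the flag named in the issue summary.
USERS = {
    "alice@example.com": {
        "mfaPreference": {"twoFA": True},
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector key
    },
    "bob@example.com": {
        "mfaPreference": {"twoFA": False},
        "totp_secret": None,
    },
}

# Hypothetical server-side state: outstanding links and their expiry.
PENDING = {}            # token -> (email, expires_at)
LINK_TTL = 15 * 60      # seconds a link stays valid


def issue_magic_link(email, now=None):
    """Create a single-use, time-limited token to embed in the emailed link."""
    now = time.time() if now is None else now
    if email not in USERS:
        # Return nothing so the caller can show the same "check your inbox"
        # message either way and not leak which addresses exist.
        return None
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    PENDING[token] = (email, now + LINK_TTL)
    return token


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the current time step, SHA-1, dynamic truncation."""
    counter = int(unix_time) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_totp(secret, code, now, window=1):
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + drift * 30), code):
            return True
    return False


def complete_magic_link(token, totp_code=None, now=None):
    """Finish login from a clicked link.

    Returns "ok", "totp_required" (inbox proven, second factor still needed),
    or "denied". A link for a 2FA-enabled account never logs the user in by itself.
    """
    now = time.time() if now is None else now
    entry = PENDING.get(token)
    if entry is None:
        return "denied"                     # unknown, already used, or revoked
    email, expires_at = entry
    if now > expires_at:
        PENDING.pop(token, None)
        return "denied"                     # expired links are discarded, not retried
    user = USERS[email]
    if user["mfaPreference"]["twoFA"]:
        if totp_code is None:
            return "totp_required"          # keep the link pending; prompt for the code
        if not verify_totp(user["totp_secret"], totp_code, now):
            PENDING.pop(token, None)        # one wrong code burns the link: one guess per inbox proof
            return "denied"
    PENDING.pop(token, None)                # single use on success as well
    return "ok"
```

The design point is in `complete_magic_link`: with `twoFA` set, the link alone yields `"totp_required"`, so someone holding the inbox gets no further than someone holding the password would on the password path. Burning the link on a wrong code is a simple substitute for rate limiting; a production service would also rate limit by account and log the `"denied"` outcomes for detection.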
-
Bank had some rolls of halves today!
@kwf Hey, I've been following along sporadically for a long time and enjoying it thoroughly. Maybe you already mentioned this, but it occurs to me that because of the volume you're doing, I assume you are grabbing other instances of less common variants, for trading or bootstrap purposes? If not, you might consider it. You could basically give some kid a starter kit that gets them 80% of the way there out of the gate, etc. Heck, I'm tempted to commission you to start making a set for me, since you're going to all this trouble anyway.

-
I am being daft or does Claude really only give "magic link" sign up options?
@jsmall Yeah, why would someone want to make sure that if their email box got pwned that all of their LLM context was still safe?

-
It's gonna be a
file '/dev/null' already exists
kind of day, isn't it?
-
A shout out to all the folks who are getting up to try to do the right thing, but can't tell anybody what it is.
I see you, and I appreciate you! Keep going!
🫡
-
Has anybody built a matrix of the lawful compliance transparency or policies or reporting across the various LLM platforms? I wonder how often they get requests, and for what kind of data.
-
TIL The Google Takeout backup I did in 2020, that I intended to explicitly include absolutely everything, does not include Gmail. (Not catastrophic, was just going to test against an older backup, and found it empty.)
Check your backups, people.
-
Turns out that GPU Autocomplete as a Service works a lot like regular autocomplete:
@mcc no lies detected
-
Turns out that GPU Autocomplete as a Service works a lot like regular autocomplete:
It works better if it has more samples of what people actually type -- the two edged sword of user benefit and privacy concerns, and
If you don't check if it's right before you hit send ... that's on you.