LastPass’s local-only decryption only technically so

December 17th, 2015

LastPass is a password manager and service that promises local-only password decryption: "Your key never leaves your device, and is never shared with LastPass." (, 2015-06-15.) That claim sounds good, and it's technically true under normal usage, but they completely fail to ensure that it *can't* happen -- that is, that the key stays on the device even under an attack scenario.

New hybrid games

November 29th, 2015

With the success of chess-boxing, here are some ideas for other hybrid games, some of which probably already exist but I'm too lazy to look up:

  • Marathon Tic-Tac-Toe: Opponents play successive games of tic-tac-toe with only short breaks for biological necessities (except for sleep) until one of them forgets how to not lose.
  • Archery Tic-Tac-Toe: Probably too easy for people who are already good archers.
  • Archery Chess: Firing downward from a balcony onto a chess board, opponents must nudge pieces in legal chess moves.
  • Billiards Chess: A chess board is laid out on a billiards table with balls as pieces, and the cue is used to tap, bounce, or ricochet the balls in legal chess moves.

(Thanks to Alex T. for joining me in brainstorming. She wants no credit or blame for the marathon tic-tac-toe idea. That one is entirely my fault.)

Prediction: Spam and old OAuth clients

October 13th, 2015

Just dropping in for a quick prediction... I've been thinking about how many different sites people have authorized to access their Twitter, Facebook, Google, etc. accounts via OAuth2. Those authorizations don't expire, do they? What happens when the client sites expire and new owners grab the domains? I'm thinking that in a few years, we'll see bad actors take over dead startups and exploit the social media access for data harvesting and spamming.

Learning biofeedback

April 1st, 2014

On and off for the past few months I've been practicing biofeedback so that I can increase circulation to my hands and feet on demand. (Biofeedback is about learning to control what would normally be autonomic bodily processes. Some people do it with expensive equipment, but if you have good body awareness like I do you may be able to do some of it without even a thermometer for feedback.) And the cool thing is, it's working! I had a really dramatic experience a week or two ago when I had just gone to bed and wanted to warm up my legs. I relaxed while "pushing" heat towards my legs, and within a minute I started to feel prickling, and then a throbbing sensation over the entire surface of my legs. (It subsided after maybe 10-20 seconds, and then my legs were just warm.) How awesome is that?

Ameliorating the effects of malware in a web of trust

January 23rd, 2013

Let's say it's the future, and everyone has at least one public key and is a full participant in a global web of trust. Wonderful, until EvilWorm9000 hijacks your mail client and starts spamming everyone within 4 degrees of separation. How does the ideal network respond? In this post I provide a possible approach (temporary key tainting), but the main goal here is to stimulate a conversation.

