Black Lives Matter

@conorgil

Followers
970
Following
11K
Media
209
Statuses
5K

he/him. Usable security & privacy engineer🤓 Podcast host🎙Co-creator https://t.co/QA7rVh6azR💡CS PhD student @Berkeley_EECS👨‍🎓Formerly @virtruprivacy 📧

Berkeley, CA
Joined April 2009
@conorgil
Black Lives Matter
3 years
Backup options in many Android #TOTP #2FA apps share personal info w/ 3rd parties, have serious crypto flaws, and/or allow app devs to access TOTP secrets 😱 A 🧵 on our @USENIXSecurity '23 📜 "Security and Privacy Failures in Popular 2FA Apps" https://t.co/KehOVknjut #infosec
github.com
Security and Privacy Failures in Popular 2FA Apps. Contribute to blues-lab/totp-app-analysis-public development by creating an account on GitHub.
1
14
22
@yixinzouu
Yixin Zou
1 year
Come join us!
@chritcu
Catalin Hritcu
1 year
The Max Planck Institutes in Computer Science invite applications for tenure-track faculty by Dec 1, 2024. We are considering all areas of CS, including security and privacy, and expect to fill several positions:
0
3
19
@cocoweixu
Wei Xu
2 years
I am recruiting 1~3 PhD students in CS or ML to join NLP X lab at Georgia Tech. Topics include but not limited to: (1) multilingual multimodal LLM (2) RLHF, text generation models (3) NLP+X (X = privacy, science, etc) Apply by Dec 15: https://t.co/ae62WD6BSj (📷Colin Gough)
10
81
405
@securing_bits
Securing Bits
2 years
Are you implementing 2FA for your mobile or web app? You need to understand the privacy and security risks associated with various 2FA apps. Today's comic is inspired by a recent paper written by @conorgil, Fuzail Shakir, @Noura_7N, and @v0max. 🧵[1/8] #privacy #cybersecurity
1
4
10
@DistributedDave
Dave Levin
3 years
Police auction off many of the items they come into possession of. This includes cellphones. In a study led by @stack__trace we asked: are police wiping phones before they sell them? @briankrebs wrote about our study. In this 🧵, I'll give some highlights.
krebsonsecurity.com
Countless smartphones seized in arrests and searches by police forces across the United States are being auctioned online without first having the data on them erased, a practice that can lead to...
1
16
40
@engineering_bae
Taylor Poindexter
3 years
I went to book a hotel thru Amex’s travel site to get the extra points and perks, but I noticed the price I’d pay through them was significantly higher than booking thru the hotel directly. To the point that the Amex points were pointless. Has anyone else experienced this?
101
18
578
@jamestalarico
James Talarico
3 years
Texas Republicans are trying to force public schools to display the Ten Commandments in every classroom. I told the bill author: “This bill is not only un-constitutional and un-American, it’s deeply un-Christian.” #txlege
2K
10K
41K
@jhalderm
J. Alex Halderman
3 years
Big news from Chrome Security Team! With HTTPS encryption now nearly ubiquitous, they're finally killing off the browser🔒icon, which tends to give users a false sense of security about other threats. https://t.co/oU5jQulwjb A huge milestone for web security. h/t @davidcadrian
blog.chromium.org
Editor’s note: based on industry research (from Chrome and others), and the ubiquity of HTTPS, we will be replacing the lock icon in Chrome’...
3
31
77
@KhoaVuUmn
Khoa Vu
3 years
"You can do this in R, and R is free!" R: https://t.co/1gXfMU52xn
145
994
8K
@mysk_co
Mysk 🇨🇦🇩🇪
3 years
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices. TL;DR: Don't turn it on. The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
101
1K
3K
@christiaanbrand
Christiaan Brand
3 years
Good things come to those who wait. New and improved @Google Authenticator. (Feels like an appropriate start to @RSAConference week). https://t.co/AaBqP3B2Gh
39
56
296
@arianaelena97
Ariana Elena Castillo
3 years
When your institution has a >$50B endowment and accepts an unrestricted $500 million but can’t pay their grad student workers and employees wages that align with cost of living and inflation 💖
4
13
155
@ChrisMurphyCT
Chris Murphy 🟧
3 years
If guns made us safer, America would be the safest place in the world. But the opposite is true. Nowhere else do students, concertgoers and bank patrons get slaughtered on a daily basis. Because as it turns out, it's all the guns that make us so unsafe.
6K
4K
18K
@pklosti
Philip Klostermeyer
3 years
Happy to be part of the @SOUPSConference poster session - You can submit until May 25, 2023 🙂 https://t.co/UVTQSr78lg #UsableSecurity #soups2023
0
3
6
@mysk_co
Mysk 🇨🇦🇩🇪
3 years
As @PrivacyMatters speculated, Authy sends too much analytics for an authenticator app. It associates analytics with the user's ID, which is tied to phone number and email. The analytics include the issuer name of each scanned QR code. Try to use a different #2FA app. #Privacy
22
53
238
@jenheemstra
Jen Heemstra
3 years
Being a good researcher does not necessarily make you a good leader.
@MrJoeMilliano
Joe Milliano
3 years
Which of your STEM education related opinions would get you in this position?
16
105
1K
@NevarezBrewster
Melissa Nevarez-Brewster (she/her/ella)
3 years
The room was filled, but not by quantity but by quality 🥹 to the one person who I didn't recognize and stayed for the whole thing and asked a question and kept nodding and smiling during my presentation, you made it all worth it - thank you so much! ♥️ #SRCD2023
75
155
6K
@traecrowder
Trae Crowder
3 years
ON TENNESSEE BANNING DRAG SHOWS
979
6K
20K
@academic_exit
Academic Exit
3 years
I don't know who needs to hear this, but if you're in a toxic workplace, it's ok for you to leave. You have the strength to heal from the damage done by this workplace & find something new. Commenters, back me up: raise your hand if you have walked away from a toxic workplace.
61
47
646