Sasha | Adult | Full-time graduate student, part-time fandom casual | Assigned Feral At Birth | Hit me with your best pronouns, I'm experimenting | PFP courtesy of this Picrew.
Note
I'm not the most security savvy but two-factor authentication makes me deeply suspicious. Is it actually more secure or is it just annoying? Especially the ones that send a code to your phone that pops up in your notifications.
It is genuinely, massively, TREMENDOUSLY more secure to use 2FA/MFA than to not use it.
One of our clients is currently under attack by a group that appears to be using credential stuffing; they are making educated guesses about the accounts they're trying to log into based on common factors showing up in the credentials in years of pastes and breaches and leaks. Like, let's say it's a professional arborist's guild and their domain is arborist.tree and they've had three hundred members who have had their credentials compromised in the last ten years and the people looking at all the passwords associated with arborist.tree noticed that the words "arboreal" and "conifer" and "leaf" and "branch" show up over and over and over again in the passwords for the members of the professional arborist's guild.
So they can make an educated guess for how to log in to accounts belonging to the tree-loving tree lover's club, combine that with the list of legitimate emails, and go to town.
And they are in fact going to town. We're getting between 1000 and 4000 login attempts per hour. It's been happening for a couple weeks.
And every single one of those attempts is failing - in spite of some pretty poor password practices that believe me, I have been doing some talking about - as a result of having MFA enforced for the entire group. They all use an app that is synced to their individual accounts with a mobile device, except that sometimes you have trouble getting a code when you're up in a tree so some of them have physical MFA tokens.
People try to sign into my tumblr sometimes. To those people I say: lol, good luck, I couldn't guess my own password with a gun to my head. But if I *did* have some password that was, like "tiny-bastard-is#1" they would also need access to my email address because I've got MFA set up on tumblr. And to THAT I say: lol, good luck, it's complex passwords and MFA all the way down.
Of the types of MFA that most people will run across, the most secure to least secure hierarchy goes physical token > app-based one-time-passwords > tie between email and SMS. Email and SMS are less preferred because email is relatively easy to capture and open in transit and cellphone SIMs can be cloned to capture your text messages. But if you are using email or SMS for your authentication you are still miles and miles and miles ahead of people who are not using any kind of authentication.
MFA is, in fact, so effective that I only advise people to turn it on if they are 100% sure that they will be able to access the account if they lose access to the device that had the authenticator on it. You usually can do this by saving a collection of recovery codes someplace safe (I recommend doing this in the secure notes section of your password manager on the entry for the site in question - if this is not a feature that your password manager has, I recommend that you get a better password manager, and the password manager I recommend is bitwarden).
A couple weeks ago I needed to get into a work account that I had created in 2019. In 2022, my boss had completely taken me off of managing that service and had his own account, so I deleted it from my authenticator. Then in 2024 my boss sold the business but didn't provide MFA for a ton of the accounts we've got. I was able to get back into my account because five years earlier I had taken a photo of the ten security codes from the company and saved them in a folder on my desktop called "work recovery codes." If you are going to use MFA, it is VITALLY IMPORTANT that you save recovery codes for the accounts you're authenticating someplace that you'll be able to find them, because MFA is so secure that the biggest problem with it is locking people out of their accounts.
In any kind of business context, I think MFA should be mandatory. No question.
For personal accounts, I think you should be pointed and cautious where you apply it, and always leave yourself another way in. There are SO MANY stories about people having their phones wiped or stolen or destroyed and losing MFA with the device because they didn't have a backup of the app or hadn't properly transferred it to a new device.
But it's also important to note that MFA is not a "fix all security forever" thing - I've talked about session hijacking here and the way you most often see MFA defeated is by tricking someone into logging in to a portal that gives them access to your cookies. This is usually done by phishing and sending someone a link to a fake portal.
That is YET ANOTHER reason that you should be using a good password manager that allows you to set the base domain for the password you're using so that you can be sure you're not logging in to a faked portal. If your password manager doesn't have that feature (setting the domain where you can log in to the base domain) then I recommend that you get a better password manager (get bitwarden.)
In 2020 my terrible boss wanted me to write him a book about tech that he could have run off at a vanity press and could give to prospect customers as a business card. That was a terrible idea, but I worked on the book anyway and started writing it as a book about security for nontechnical people. I started out with a very simple statement:
If every one of our customers did what we recommend in the first four chapters of this book (make good backups, use a password manager and complex unique passwords, enable MFA, and learn how to avoid phishing), we would go out of business, because supporting problems that come from those four things is about 90-95% of our work.
So yes, absolutely, please use MFA. BUT! Save your recovery codes.
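The post above describes thousands of failed logins per hour that only MFA is stopping. The following is an added example, not part of the original post, of how a defender could triage such a log: a login that got as far as the MFA prompt from a source that is trying many accounts means that account's password is already known to the attacker and should be changed. The log layout, the result names and the sample lines are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample auth log. The "time user source result" layout and the
# result names (bad_password, mfa_failed, success) are assumptions.
SAMPLE_LOG = """\
2024-05-01T09:02:11 oak@arborist.tree 203.0.113.7 bad_password
2024-05-01T09:02:12 elm@arborist.tree 203.0.113.7 bad_password
2024-05-01T09:02:14 fir@arborist.tree 203.0.113.7 mfa_failed
2024-05-01T09:03:40 ash@arborist.tree 203.0.113.7 bad_password
2024-05-01T09:15:02 yew@arborist.tree 198.51.100.20 mfa_failed
2024-05-01T09:15:30 yew@arborist.tree 198.51.100.20 success
2024-05-01T10:01:00 oak@arborist.tree 203.0.113.7 mfa_failed
"""

def parse(log):
    """Yield (datetime, user, source_ip, result) for each log line."""
    for line in log.strip().splitlines():
        ts, user, ip, result = line.split()
        yield datetime.fromisoformat(ts), user, ip, result

def triage(log, min_users=3):
    """Summarise failed logins and find passwords that only MFA protected."""
    events = [e for e in parse(log) if e[3] != "success"]
    per_hour = Counter(ts.strftime("%Y-%m-%dT%H") for ts, *_ in events)

    users_by_ip = defaultdict(set)
    for _, user, ip, _ in events:
        users_by_ip[ip].add(user)
    # One source failing against many different accounts is stuffing,
    # not a member mistyping their own code.
    stuffing = {ip for ip, users in users_by_ip.items() if len(users) >= min_users}

    # mfa_failed means the password itself was accepted. Coming from a
    # stuffing source, that password is compromised and needs a reset.
    reset = {u for _, u, ip, r in events if r == "mfa_failed" and ip in stuffing}
    return {
        "failures_per_hour": dict(per_hour),
        "stuffing_sources": sorted(stuffing),
        "reset_password": sorted(reset),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The member who fumbled a code from their own address and then logged in is not flagged; only accounts whose password was accepted from the stuffing source are.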
Text
Have you seen this post?
![Tumblr media](https://64.media.tumblr.com/e0766b82adc0373351fa40393963c501/22f3cae8a100062d-fc/s540x810/9599b4eb3543da6203bfd70f78d796a25c0b931b.jpg)
You probably have. It currently has over 120,000 notes, largely because of this addition.
![Tumblr media](https://64.media.tumblr.com/d460044983497b0f1d79479504ca8062/22f3cae8a100062d-ff/s540x810/476b59419e5ee18c9a14693d706ea4b2c9fbdf7c.jpg)
Of course it's going to get reblogged, this kind of unsourced factoid does numbers on here. But something about it wasn't quite right.
A bit of searching turned up the origin of the "fact".
![Tumblr media](https://64.media.tumblr.com/df6b937efa309b65c470a3bf391ff162/22f3cae8a100062d-ad/s540x810/3e60dac79d95c2577187aadd04eeb49e24c6cf00.jpg)
![Tumblr media](https://64.media.tumblr.com/28ed464eeb9dd402dc1f80ce865d8dbf/22f3cae8a100062d-79/s540x810/89b9755a88c8224e95708a9e76f8d9cc13545a5b.jpg)
Alright, so it's someone who posted this on reddit 4 years ago and somehow ended up in the search hits. And the post confuses the electric eel (from South America) with the electric catfish (from the Nile, which the Egyptians would have known about).
![Tumblr media](https://64.media.tumblr.com/bfa318765d529dde92cf398b2c9b34bd/22f3cae8a100062d-1b/s540x810/981ee281927cc7efefff77fe8479eea625a11b20.jpg)
Reminder: this is an electric eel (Electrophorus electricus). It is from South America. (image from Wikipedia)
![Tumblr media](https://64.media.tumblr.com/a413bb78051233bc920cc9a02b613d72/22f3cae8a100062d-e3/s540x810/ccc74e7770470632f3b9232fb38e41b650e30e2d.jpg)
And this is an electric catfish (Malapterurus electricus). It is from the Nile and would have been familiar to the ancient Egyptians. (image from Wikipedia)
And then of course people were speculating in the notes to that post about trade routes between South America and Egypt. Excellent scholarship everyone.
At this point I was ready to call it another made-up internet fact that gets reified by people repeating it. But something was still bothering me.
An ancient Egyptian slab from 3100 BC. What could that be...
Oh.
![Tumblr media](https://64.media.tumblr.com/6bba8dcc945092d8060fb2c57b4da42f/22f3cae8a100062d-c3/s540x810/4b589d7fa8a8328f0617998bebbe8592fd79d49f.jpg)
The Narmer palette. It's the goddamn Narmer palette. (image, once again, from Wikipedia)
So where is this "angry catfish"?
It's not the Egyptian name for the electric catfish.
It's... Narmer. It's Narmer himself.
Narmer's name is written as above (detail of top middle of the palette), using the catfish (n'r) and the chisel (mr), giving N'r-mr. The chisel is associated with pain, so this reads as "painful catfish", "striking catfish", or, yes, "angry catfish" or other similar variants, although some authors have suggested that it means "Beloved of [the catfish god] Nar".
So.
Where does this leave us?
It would appear that this redditor not only confused electric eels with electric catfish, but also confused a Pharaoh's name with the name of a fish. And then it got pushed to the top search hits by a crappy search engine and shared uncritically on tumblr.
In short, "the electric eel is called angry catfish" factoid actually literacy error. Angry Catfish, who ruled upper Egypt and smote his enemies, is an outlier and should not have been counted.
Also the Arabic name for the electric catfish is raad (thunder) or raada (thunderer).
References
Afsaruddin, A., & Zahniser, A. H. M. (1997). Humanism, culture, and language in the Near East: studies in honor of Georg Krotkoff. Eisenbrauns.
Clayton, P. A. (2001). Chronicle of the Pharaohs. Thames & Hudson.
Godron, G. (1949). A propos du nom royal. Annales du Service des antiquités de l'Egypte, 49, 217-221.
Sperveslage, G., & Heagy, T. C. (2023). A tail's tale: Narmer, the catfish, and bovine symbolism. The Journal of Egyptian Archaeology, 109(1), 3-319.
Text
![Tumblr media](https://64.media.tumblr.com/08b0bd11542a221b42c11266bee6f2bc/9c1779f93e9163ec-26/s540x810/ce47544d84f4348c8867bd5f5e020e4eb35d41d2.jpg)
Just a little reminder for anyone who could use it. ଘ(੭ˊᵕˋ)੭♡ It feels validating to have your efforts acknowledged.
Text
today's bug thing is this dessert snail!
Video
crab crab crab hand hand hand frighten
Text
learning that constantly thinking about and analyzing and interpreting my traumas isn’t actually healing. and don’t get me wrong it's made me a very effective communicator and emotionally intelligent person. but actually im supposed to be moving on and experiencing new things and happiness and stuff and not just compulsively reliving and recontextualizing the past. oops!
Text
this meeting could've been an email or perhaps an emotionally charged and indecipherable moment of eye contact as we both swing our longswords at each other in battle, fighting under the banners of kings who don't even know our names, and we both wonder whether we might have been friends in another life. perhaps even lovers. but it doesn't matter now. your blade makes contact with a sickening crunch. anyway can you send the Zoom password again I can't get into the room
Text
![Tumblr media](https://64.media.tumblr.com/69dc8fed8992190ecdcffc68db95e203/ced6b089f679b4c7-af/s540x810/a00d9f8001192b11cd7bf3c96a7ef726067467d0.jpg)
![Tumblr media](https://64.media.tumblr.com/0b1527a22aa3420f273fdadb5fe2100d/ced6b089f679b4c7-60/s540x810/28fd866f6b0a196259afd78fb75fc439261d6931.jpg)
![Tumblr media](https://64.media.tumblr.com/9437504b4dacd983f2e24af33ba53436/ced6b089f679b4c7-7c/s540x810/27cd77de557d07598e5e67121ea8d9b0870aad2c.jpg)
Apparently, I hadn't posted these here yet, for some reason ?
(I'm currently back in my cave working on Les Songes du Roi Griffu.)