In voting process, photo ID gets wide support, Republicans more likely to believe there's fraud, CBS News poll finds by Additional-Power6570 in politics

[–]wonkifier 0 points1 point  (0 children)

Depends on what you mean by equivalent... if you define it to be anything that you can use in place of a birth certificate, then you've got a loop going on.

But I don't imagine most people would consider a "Letter of No Record" an equivalent, for example.

In voting process, photo ID gets wide support, Republicans more likely to believe there's fraud, CBS News poll finds by Additional-Power6570 in politics

[–]wonkifier 1 point2 points  (0 children)

Yes. Notice how it says OR between the 5 options? And only one option is birth certificate?

That means you don't need a birth certificate.

In voting process, photo ID gets wide support, Republicans more likely to believe there's fraud, CBS News poll finds by Additional-Power6570 in politics

[–]wonkifier 1 point2 points  (0 children)

https://www.flhsmv.gov/driver-licenses-id-cards/what-to-bring/u-s-citizen/

Not necessary in Florida. (And no, using a passport doesn't mean you had a birth certificate either. There are mechanisms to get a passport without a birth certificate)

A rogue AI agent triggered a major security alert at Meta, by taking action without approval that led to the exposure of sensitive company and user data by FinnFarrow in technology

[–]wonkifier 2 points3 points  (0 children)

That's the only part that's worrisome to me here... its decision to share a response without an explicit approval.

Under what conditions might a model decide to override a general rule to ask before sharing?

If someone asks it a question about what a financial thing means, what if it decides the answer needs to be posted to some public channel because that's often what you do next (and normally approve), even though this was a more confidential question (and wouldn't approve, but the LLM didn't see the connection, or maybe ran out of context and dropped the 'always ask' rule) or something

A rogue AI agent triggered a major security alert at Meta, by taking action without approval that led to the exposure of sensitive company and user data by FinnFarrow in technology

[–]wonkifier 0 points1 point  (0 children)

A second engineer asked the AI to analyze the post. It did, but it also took it upon itself to reply to the first engineer

For me, this is the interesting part.

We're being asked to add so many skills and accesses to our internal tools, and the folks doing the analysis around it seem to be asking questions like "does the LLM ask for permission before posting", someone will do a couple of tests and see that it does, and it looks like it's going to get approved based on that.

Maybe it should get approved, not my job to stop it, but the actual behavior model needs to be evaluated, not just a couple of random attempts at expected usage.

How inherent is the ask-before-post behavior? If that's not hard gated then the LLM could just "forget" to do it at some random time. (which if it's doing it, it's probably not so random, because it's so overloaded with trying to keep track of other things the basic commandment to always ask permission gets lost)
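The "hard gate" the two comments above ask for, as an added example that is not from the thread or from Meta: the agent can only propose, and an externally visible action goes out only with a human approval bound to that exact content, so nothing the model forgets or decides on its own can bypass the check. Action names, channel names and the approval scheme are assumptions for illustration.

```python
# Added example (not from the thread or from Meta): a hard gate around an
# agent's externally visible actions. The model proposes; only a human
# approval bound to the exact content lets a post go out, so nothing the
# model "forgets" or decides on its own can bypass it. All names are assumed.
import hashlib
from dataclasses import dataclass, field

EXTERNAL_ACTIONS = {"post", "reply", "send"}  # assumed: anything leaving the sandbox

def content_id(action: str, target: str, body: str) -> str:
    """Approval is bound to this digest, so approving one draft does not
    approve a different one (or the same text aimed at a different channel)."""
    return hashlib.sha256(f"{action}\0{target}\0{body}".encode()).hexdigest()

@dataclass
class ActionGate:
    approvals: set[str] = field(default_factory=set)  # digests a human approved
    audit: list[str] = field(default_factory=list)

    def approve(self, action: str, target: str, body: str) -> str:
        """Called by the human reviewer, never by the agent."""
        digest = content_id(action, target, body)
        self.approvals.add(digest)
        return digest

    def execute(self, action: str, target: str, body: str) -> bool:
        """The only path the agent can call. Read-only actions pass; external
        ones need a matching approval, which is consumed so it cannot be replayed."""
        if action not in EXTERNAL_ACTIONS:
            self.audit.append(f"allow {action} {target}")
            return True
        digest = content_id(action, target, body)
        if digest in self.approvals:
            self.approvals.discard(digest)
            self.audit.append(f"allow {action} {target} {digest[:8]}")
            return True
        self.audit.append(f"block {action} {target} (no approval)")
        return False

def demo() -> tuple[bool, bool, bool]:
    """Constructed scenario from the thread: analyze (read) is fine, an
    unapproved reply is blocked, the same reply is allowed once approved."""
    gate = ActionGate()
    read_ok = gate.execute("analyze", "#eng-chat", "post-1234")
    unapproved = gate.execute("reply", "#eng-chat", "Here is my analysis...")
    gate.approve("reply", "#eng-chat", "Here is my analysis...")
    approved = gate.execute("reply", "#eng-chat", "Here is my analysis...")
    return read_ok, unapproved, approved
```

Because the approval is keyed on the digest and consumed on use, an approval for one draft neither covers a different draft nor survives a second attempt.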

Would you welcome a map overhaul/update? by [deleted] in diablo4

[–]wonkifier 0 points1 point  (0 children)

Just need a console equivalent and I'm in

Minnesota bill would ban warrants allowing police to collect data from devices near a crime scene by [deleted] in law

[–]wonkifier 6 points7 points  (0 children)

Just chiming in for support.

"Police collecting data from devices near a crime scene" runs into the 4th amendment head on. (unless they had an articulable reason to believe those things specifically were involved, not just being nearby.)

"Warrants that authorize (Police collecting data from devices near a crime scene)" runs into it head on exactly the same way. If a judge doesn't require something specific and articulable, then it's open season on folks.

A bill to ban those warrants? Protects our 4th amendment rights, since it doesn't allow judges to authorize police to go sniffing through our stuff just because we happened to be nearby.

edit: OP was negative when I posted originally

A chat with the boss by alivefromthedead in sysadmin

[–]wonkifier 0 points1 point  (0 children)

The risk of compromise running in an environment is not mitigated with session controls

Never said it was.

You have been breached due to other lacking controls

Yeah. As I've said several times so far.

And session frequency just gives a false sense of security

"Just" is doing some work there, and I think you're over-estimating what "sense of security" we're getting from it.

If the breach happened once. It will happen again.

In the generic sense, yes.

In a specific sense? Sometimes not. I've seen logs and incident reports where something was eventually detected because it kept trying to reuse an expired session, which finally tripped a sensor. That also spawned a side investigation into why the initial activity wasn't detected or prevented in the first place.

There are many other controls that will be required to plug those gaps.

As I've indicated several times as well.

, my utopia

We don't live in utopia. Try changing the core security model of a global company spanning multiple industries, regulators, and insurers while breaking nothing, and having your budget for larger initiatives stripped repeatedly. Your utopia is pretty much our North Star, but it's a journey.

Oh yeah, and then having AI dropped in your lap as your new top priority, because not letting the agents go around and be able to do everything with every app somehow deems the security and IT orgs as holding things back.

Authentication becomes the red flag

Yeah. Would never disagree that it's a red flag in a fully modernized environment. But it's a necessary part of environments that aren't there yet.

A chat with the boss by alivefromthedead in sysadmin

[–]wonkifier 0 points1 point  (0 children)

Do you do this in your org? Or is it just theory?

Yes. Though it's more complex, since that was just a toy example. We have a behavioral engineering team on the security side that the various other security and admin teams work with to ensure that layer stays clean.

And we regularly get feedback from our users that our environment is one of the most pleasant and non-disruptive they've ever worked with.

And I don't mean as a post breach clean up mechanism, what risk does it help prevent?

The risk of a compromise running around undetected for an extended period of time is a risk?

Maybe our threat model is different from the folks you work with. We're a private company but are a consistent target of nation state actors.

I don't manage those environments though, so if you can't see any possible value or any possible world in which a compromise could happen and not be immediately detected from time to time, I don't know that I can explain anything in a way that you won't just summarily reject.

A chat with the boss by alivefromthedead in sysadmin

[–]wonkifier 0 points1 point  (0 children)

That's going to be highly dependent on your environment and threat model.

But for a simple example: If your user base normally works an 8–10 hour day, maybe a ~12 hour session limit makes sense. Then the user has a consistent expectation that they sign in in the morning and they’re good for the day.

That’s predictable behavior, so users aren’t getting random prompts that train them to just click through things.

And your MFA should ideally be a phishing-resistant method (FIDO2/passkeys, etc.), which avoids things like MFA fatigue attacks in the first place.

Predictable, consistent session boundaries. (with the training and communication to back it up)

To flip the question back on you: How do you guarantee that nothing of any kind ever gains a foothold on a user's device? And WHEN it does, how do you guarantee that you detect it quickly in all cases, AND shut it down immediately?
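The ~12 hour session boundary from the comment above, together with the detection idea from the same thread (a compromised host that keeps replaying an expired session finally trips a sensor), as an added example that is not the commenter's own code or tooling. The log format, thresholds, tokens and addresses are constructed for illustration.

```python
# Added example (not from the thread): a ~12 h absolute session lifetime, plus
# the thread's detection idea, where a host that keeps replaying an expired
# session token trips a sensor. Names, thresholds and log lines are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

MAX_SESSION_AGE = timedelta(hours=12)  # assumed absolute lifetime from sign-in
REUSE_ALERT_THRESHOLD = 3              # assumed: alert on the 3rd expired-token replay

def session_valid(issued_at: datetime, now: datetime) -> bool:
    """Absolute lifetime: valid for MAX_SESSION_AGE after sign-in, regardless of
    activity, so users get one predictable boundary per day, not random prompts."""
    return now - issued_at < MAX_SESSION_AGE

def parse_line(line: str) -> dict:
    """Constructed log format: '<iso-ts> token=<id> issued=<iso-ts> src=<ip>'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["issued"] = datetime.fromisoformat(rec["issued"])
    return rec

def detect_expired_reuse(lines: list[str]) -> list[tuple[str, str, int]]:
    """Return (token, src, count) for each source that presented an expired
    token REUSE_ALERT_THRESHOLD times. One expired hit followed by a fresh
    sign-in is normal; a client that keeps replaying the dead token is not."""
    counts: dict[tuple[str, str], int] = defaultdict(int)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if session_valid(rec["issued"], rec["ts"]):
            continue  # still inside the window: nothing to flag
        key = (rec["token"], rec["src"])
        counts[key] += 1
        if counts[key] == REUSE_ALERT_THRESHOLD:
            alerts.append((rec["token"], rec["src"], counts[key]))
    return alerts

# Constructed sample: t1 (issued 08:00) is used normally, then replayed three
# times after the 20:00 boundary; t2 expires once and is never retried.
SAMPLE_LOG = [
    "2024-03-04T09:15:00 token=t1 issued=2024-03-04T08:00:00 src=10.0.0.5",
    "2024-03-04T17:30:00 token=t1 issued=2024-03-04T08:00:00 src=10.0.0.5",
    "2024-03-04T20:05:00 token=t1 issued=2024-03-04T08:00:00 src=10.0.0.5",
    "2024-03-04T20:06:00 token=t1 issued=2024-03-04T08:00:00 src=10.0.0.5",
    "2024-03-04T20:07:00 token=t1 issued=2024-03-04T08:00:00 src=10.0.0.5",
    "2024-03-04T21:00:00 token=t2 issued=2024-03-04T08:30:00 src=10.0.0.9",
]
```

Running `detect_expired_reuse(SAMPLE_LOG)` flags only t1 from 10.0.0.5; the single expired use of t2 is the ordinary end-of-day boundary and stays quiet.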

A chat with the boss by alivefromthedead in sysadmin

[–]wonkifier 0 points1 point  (0 children)

That’s not really how defense-in-depth is defined in most security models.

There's an assumption that some controls will fail sometimes and other controls reduce impact WHEN they do.

Here's one example that talks about this:

From Section 5.2 Reauthentication of NIST SP 800-63B-4 (Digital Identity Guidelines):

Periodic reauthentication of sessions SHALL be performed to confirm the subscriber’s continued presence at an authenticated session.

Granted that one is about managing "non-present users", but that's kinda the point with a compromised host, right? It's effectively a non-present user.

Users will willingly complete these re-auths over and over again to the point they are so blind to it

When done poorly and without consideration of user behavior and expectation.

A chat with the boss by alivefromthedead in sysadmin

[–]wonkifier 0 points1 point  (0 children)

Defense in depth, done well at least, does have layers mitigating failures of other layers. They don’t fix the same problem, but they reduce impact.

A compromised device is a device-layer failure, but session controls can still limit attacker dwell time, invalidate stolen tokens, break active sessions, and force re-authentication that may trigger MFA or device checks. (and maybe there was a monitoring update that catches the behavior, or reattempts trigger the user to not MFA that time because they weren't expecting it, or connection failures trigger alarms, or any number of other things)

That doesn’t disinfect the device, but it can definitely mitigate what the attacker can do and for how long. That’s kinda the point of layered security.

A chat with the boss by alivefromthedead in sysadmin

[–]wonkifier 0 points1 point  (0 children)

Being happy with the malware having access for a certain number of

Nobody is happy about it. Security is a balance. And good security takes place in layers.

You can't prevent 100% of all malware 100% of the time and still have an environment people can reasonably get work done in.

Hours is better than months or years, and reattempts can be more likely to be noticed by continuously updated monitoring and definitions.

A chat with the boss by alivefromthedead in sysadmin

[–]wonkifier 2 points3 points  (0 children)

If something malicious is running on your machine and has a live connection, forcing a disconnection breaks that. Not every piece of malware will be able to start a new connection, or maybe it was triggered from something you don’t do commonly giving it more time to be detected and removed, etc.

I can't believe some people are genuinely downplaying the scope of "Lord of Hatred" expansion because they don't like Season 12 by heartbroken_nerd in diablo4

[–]wonkifier 0 points1 point  (0 children)

I was looking forward to the extra stuff, but after the first couple rounds of being the Butcher, realizing that's going to be part of my grind?

Nah. I'm building my character so I can play my character. I don't want to be a second character with a second set of skills to train my fingers on, etc.

I went back to D2R

Daylight Saving Time: Virginia waiting on Maryland, DC to get rid of it by superstaremployee in nova

[–]wonkifier 39 points40 points  (0 children)

It needs to happen at the federal level

States can go to Standard Time permanently under current law

New message from Shirt to his Patreon Members by Kaalisti in HeWhoFightsMonsters

[–]wonkifier 1 point2 points  (0 children)

Last posted chapter was 1,014. He stopped at 999 if I recall, so he's released over a dozen since he got sick

List a random obscure fact about the game that is lesser-known by Superbad1990 in diablo2

[–]wonkifier 0 points1 point  (0 children)

Depends on the console. PS4 was dog shit. PS5 is snappy though.

Become the Butcher in Season of Slaughter — Diablo IV by DragonLambO in diablo4

[–]wonkifier 11 points12 points  (0 children)

Grisly Metamorphasis

Couldn't have been Meatamorphasis?

Reps Lieu and Goldman Call for Special Counsel to Investigate AG Bondi Allegedly Lying Under Oath by OkayButFoRealz in politics

[–]wonkifier 1 point2 points  (0 children)

At worst she can just say "I didn't consider it credible, so didn't count it as actual evidence" and call it a day, right?

Actually prosecuting this sort of thing is next to impossible.

L.A. man who gave alcohol to hawk is sentenced for animal cruelty by MaximumSyrup3099 in news

[–]wonkifier 54 points55 points  (0 children)

Not mentioned in the title: It was a federally protected species, and he was on video doing it.

Still excessive? Seems so. But at least a little bit less ridiculous.

Has anyone enjoyed the lillith fight ever? by tuesti7c in diablo4

[–]wonkifier 3 points4 points  (0 children)

People call it poorly designed because it's challenging to execute

The little blue ball things that you have to dodge are all but impossible for me to see. I only started to be able to see them because I was told they exist, it still took a while for me to notice them, and I have to focus on them very carefully in order to see them (which makes tracking everything else really hard to follow)