Archive for the 'Uncategorized' Category

Changes

In the last few months, I’ve made some important and positive changes in my life. I’ve been letting people know when I catch up with them, but I’d like the changes to be in the open. Hence this post, which is a self-indulgent update on my life for people who either care about me or take an interest in me. I’m not writing this to make any kind of larger point or statement, and none of this is newsworthy. Please don’t ruin my day by linking to this post from a tech blog.

tl;dr:

  • For the first time since July of 2011, my primary residence is not in California. I’ve moved back to the East Coast of the United States and will be spending most of my time there.
  • For now, I’m living with my mom in upstate New York, somewhere between Poughkeepsie, NY and Danbury, CT. My mom has several health conditions, including chronic pain and memory impairment, that my sister and I have been helping her manage. My sister has been local, and until recently, I’ve been a painful ~3,000 miles (roughly 4,800 kilometers) away.
  • The impact I’ve been able to have in the time I’ve been here so far has been reassuring; I’m so happy to be nearby and able to help. And I love my mom and sister. It’s healing to be able to cook for and have dinner with them more than a week or two out of the year.
  • Eventually, I plan to live somewhere between Brooklyn, NY and Somerville, MA. I don’t know how long it’ll take me to move, but I’m not in a rush. I’m spending some much-needed quality time with my family while I figure things out.
  • I still work at Apple on passkeys, password management, the best feature ever made, and more generally, app/website authentication technologies as a software engineer. I feel and have reason to believe that my best work is still ahead of me. :)
  • This means that I no longer manage the Authentication Experience team. The team is now managed by one of its founding engineers and is in excellent hands. I couldn’t be happier with the direction the team is going, and it’s so cool that I’m still working with the team I founded.
  • I’ll be visiting the San Francisco Bay Area regularly for work purposes.

I feel really, really good about these changes and I’m thankful I’ve been able to make them. I appreciate the support I’ve gotten from my friends, my colleagues, and especially my manager.

Imagined Questions and Actual Answers

When did this all happen?

My role at work changed in October and I moved in late November.

How did you figure out you wanted to move back to the East Coast?

It’s complicated. I’ve known for over half of my time in California that I’ve wanted to leave, but I felt like I would never do anything to make it happen — that I was stuck.

What finally changed is that the anxiety I felt from being isolated during the (ongoing) COVID pandemic all but broke me. To cope, I finally started regular talk therapy. Years of therapy and talking things out with close friends helped me realize that I could prioritize leaving California, and no matter what else happened, things would be OK. I would be OK. That I have the support and skills to disrupt things and land on my feet.

So you live in New York state now? Can we hang out?

Yes! If we’re friends, please reach out. I can easily take a train down to the city or drive further upstate, to Connecticut, or into Boston, especially if I can crash with you.

I’m outside of that area, but can you come and visit me?

Yes! If we’re friends, please reach out. I want to spend more time with people who I care about, so even if we’ve fallen a bit out of touch, I’d love to hear from you.

Also, if you or someone who you know lives in a metro area and would like your house and/or pets looked after while you travel, please get in touch. My lifestyle now supports some modest, low-effort travel that’s fun for me and potentially helpful to other people.

At one point, didn’t you try really hard to get far away from where you’re now living in upstate New York?

Absolutely. I am struck by how much has changed — how much I’ve changed. I’ve rearranged some important aspects of my life to work better with my priorities, but also, I have ways of mitigating the downsides of living in a rural area that I didn’t have when I was in high school, like having the familiarity and resources to get on an airplane.

Whether or not “everything” “works out”, right now, I am so relieved that I finally did something.


If you made it this far, thanks for caring. 💚

Twitter’s Decision to Limit SMS 2FA is Dangerous

Some background on me: I’m a software engineer working in what I call “usable security”. I’m passionate about this field because advancements can tangibly improve people’s lives, making their computing experiences easier and accounts more secure at the same time.

This post contains some of my personal thoughts. It does not represent anyone else or any organization other than me, including and especially my current employer. The purpose of this post is to educate people about the intersection of account security and usable software and to provide my perspective. I beg you not to link to or quote this post while saying that it represents any organization or company.

What’s happening?

Yesterday, Twitter announced that it is discontinuing text-message two-factor authentication for accounts that don’t subscribe to Twitter Blue. And indeed, Twitter is already communicating this change to its users:

A notice I received from Twitter for Mac

This is a huge deal for a few reasons.

First, despite the efforts of its new owner, Twitter is still a hugely important and influential service, with many notable and powerful users. We are all-too-familiar with the fact that a tweet can become a highly-impactful news story. A particular Twitter account becoming compromised can trigger real-world confusion and conflict.

And consider the years of Twitter DMs you may have and that other people have. By March 19, a month from now, up to approximately 75% of accounts using 2FA on Twitter will no longer be protected by 2FA[1]. That’s big.

But perhaps even more interestingly, this decision from Twitter is a big deal because it has many people who don’t ordinarily consider their security posture thinking about two-factor authentication and account security. Many people are asking questions about what this announcement means for their Twitter account and for two-factor authentication in general. Some folks are feeling blackmailed into purchasing Twitter Blue or otherwise personally under attack.

These feelings are reasonable: People’s accounts matter a lot to them, the global economic conditions mean that not everyone has the money for another subscription, and recent developments at Twitter are extremely polarizing.

In this post, I’ll explain what two-factor authentication (“2FA” from hereon in) is, what it does and doesn’t do, the benefits of text-message two-factor authentication (“SMS 2FA” from hereon in), why Twitter made this decision, how Twitter can restore some of the benefit from SMS 2FA to its non-paying users, and why passkeys will ultimately be the solution for account security for services like Twitter.

Two-factor authentication

The Account Security report on transparency.twitter.com says:

Two-factor authentication (2FA) is one of our strongest protections against account compromise. Enabling 2FA ensures that even if your account password is compromised (perhaps due to the reuse of your Twitter password on other, less secure, websites), attackers will still be blocked from logging into your account without access to the additional authentication required.

This is a good explanation of 2FA because it focuses on the impact of using it, rather than some indirect appeal to the virtues of “factors” involved in authentication. The explanation is specific, directly addressing the main threat that Twitter’s 2FA is mitigating against: password reuse.

The page continues:

In general, SMS-based 2FA is the least secure due to its susceptibility to both SIM-hijacking and phishing attacks. Authentication apps avoid the SIM-hijacking risk, but are still susceptible to phishing attacks.

This is also true, and communicated clearly. There are limitations to both SMS 2FA and “Authenticator apps” 2FA.

That said, we should not and cannot judge the effectiveness of a security mitigation without also considering its usability and its reach. The “most secure” authentication scheme in the world will be limited in its impact by how accessible and user-friendly it is. The time and effort it takes for a person to set up what Twitter calls “Authentication apps” stymies their adoption. The fact that hardware security keys cost money naturally limits people’s interest in them.

SMS 2FA has documented and frequently-discussed limitations in terms of the security benefits it provides. It can also trip people up in terms of usability, like when people switch phones, or when they can’t receive texts at their phone number, like when they’re on an airplane, or sometimes when they’re traveling internationally.

Despite its limitations, I’ll argue that SMS 2FA is a huge success story in actually reducing the harm caused by weak and reused passwords.

The benefits of SMS 2FA

It’s pretty common to see technology enthusiasts say something like, “SMS 2FA is insecure and no one should be using it.”

I strongly disagree with statements like these because they don’t contain enough nuance, or even an acknowledgment that different people face different kinds of threats. The thinking here isn’t accurate, and inaccuracies in how people think about account security cause harm. I can’t help but read statements like these as, “Because I understand a flaw in a technology and am capable of using an alternative, no one should make use of that technology.”

A critical tool that the security community uses to think through problems is called threat modeling. Threat modeling helps with thinking through the potential threats to a particular person or group of people, and ways of mitigating those threats, even if the mitigations aren’t absolute or foolproof. Threat modeling helps security teams tangibly help people without letting perfect be the enemy of progress.

People who don’t use password manager software — and that’s a lot of people — almost always reuse the same passwords across the services they use. For many of them, SMS 2FA provides value, despite its flaws. Making a person’s weak or reused password not sufficient to gain access to their accounts is genuinely good, even if a very motivated attacker could compromise the SMS channel or phish the one-time code.

Also, consider this: Your bank wouldn’t encourage or require SMS 2FA unless it mitigated real financial harm to them at scale. And scale is key. Twitter’s transparency website reports:

Over the most recent reporting period (July 2021 through December 2021):
2FA Usage
2.6% — Percentage of active Twitter accounts with at least one 2FA method enabled on average over the reporting period.
Types of 2FA
SMS: 74.4%
Auth App: 28.9%
Security Key: 0.5%

As you can see, SMS 2FA is the most prevalent form of 2FA used on Twitter. My theory for why this is so is that SMS 2FA is relatively usable and accessible: lots of people understand what it means to give a service like Twitter their phone number and can figure out how to enter a code that’s texted to them.

The rub: It costs money to send text messages

Twitter’s new owner, Elon Musk, is trying to extract as much value from the service as he can as quickly as he can. This has meant finding ways to increase revenues, like pushing Twitter’s paid tier, and cutting costs, like firing large swaths of Twitter’s staff. Eliminating SMS 2FA for non-paid users is the company’s most recent cost-cutting measure. In a reply to @MKBHD, Musk writes: “Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages”

I will be the last person to defend how Twitter has gone about any of its recent decisions, but it’s true that the cost and fraud around SMS are real problems. During my time in the industry, I’ve worked with several organizations looking to reduce costs around sending text messages, and the costs they’ve cited have been significant. That said, none of them decided to charge for the privilege, especially after it had been a baseline feature of the service.

How could or should Twitter restore some of the benefits of SMS 2FA after having removed it?

Let’s pretend that we are account security engineers at Twitter who want to improve user security, but cannot bring back SMS 2FA to non-paying customers.

Send one-time codes via email

Emails are far cheaper to send than texts, and preserve most of the usability of SMS 2FA. A service can reasonably ask a user for their email address to use for authentication purposes and nothing else, if they don’t already have it. And then, the service can instruct a user to check their email for a code, similar to checking their texts.

In this way, one-time codes sent via email have similar usability characteristics as one-time codes sent via text.

Realize that “authenticator apps” isn’t the right framing for time-based code generators

Traditionally, to set up a time-based rotating code for 2FA, one would need to install special software like an “authenticator app”, and then follow instructions for adding a code generator.

This is no longer true, at least on one of the two dominant mobile computing platforms.

On iOS, time-based one-time code generation is built into the operating system. No “authenticator app” needs to be installed. Apps and websites can easily create buttons or hyperlinks to set up a new generator. (If you have a Twitter password saved to Apple’s built-in password manager, go ahead and try this link to see how easy setting up a verification code can be: Set Up on iPhone. Remember that this is a fake code.) After setup, AutoFill will take care of filling codes.
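To make the time-based generator concrete, here is an added example (not code from the original post, and not Apple’s implementation): the service side of RFC 6238 TOTP, with the otpauth:// setup link that a “Set Up on iPhone” button can carry and the check the service runs when a code is submitted. The secret is the RFC test-vector value, and the issuer and account names are placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# Shared secret from the RFC 4226/6238 test vectors (ASCII "12345678901234567890"),
# used here only so the output can be checked against the RFCs. A real service
# generates a fresh random secret per account, e.g. secrets.token_bytes(20).
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of 30-second steps since
    the Unix epoch, so phone and server agree without any network exchange."""
    return hotp(secret, at // step, digits)


def setup_uri(secret: bytes, issuer: str, account: str) -> str:
    """The otpauth:// link a website can place behind a 'set up' button.
    iOS hands this to its built-in code generator; the same link also
    works with any standalone authenticator app."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


def verify(secret: bytes, submitted: str, at: Optional[int] = None,
           step: int = 30, skew: int = 1) -> bool:
    """Service-side check of a submitted code. Accepts the current step and
    one step either side to absorb clock drift, and compares in constant
    time. A production implementation also records the last accepted
    counter so a code cannot be replayed. Note what this cannot do: the
    service cannot tell whether the person typed the code into the real
    site or into a phishing page that relays it within the same window,
    which is the phishing weakness the post describes for code-based 2FA."""
    at = int(time.time()) if at is None else at
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, at + delta * step, step), submitted):
            return True
    return False
```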

Although one or both of these approaches may be valuable in the short term, ultimately, they’re both stop-gaps.

Passkeys are the way forward

Throughout this post, I’ve been discussing ways of layering, or bolting on, additional security on top of password-based authentication. However, passwords themselves are the real problem. People need to take extraordinary care to use them in a secure way, ensuring that they’re using strong, unique passwords for every account, and that they never accidentally hand their password to the wrong entity. Not only is this bar impossibly high for casual users of technology, but even a technology enthusiast or “security expert” is vulnerable to phishing.

Passkeys are a password replacement. You can tell that from their name and the ‘pass-’ prefix. Passkeys are an industry collaboration, with advocates like Apple, Google, and Microsoft, and adopters like PayPal and Stripe. They solve the problem that Twitter is mitigating with 2FA: password reuse. In addition, critically, passkeys prevent phishing as it exists today. Rather than ask a human to decide where their account credential can be used, as is the case with passwords, passkeys are securely bound to the service they were created for.
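As an added illustration (not code from the original post or from any passkey library) of what “securely bound to the service” means in practice: the checks a relying party performs on a WebAuthn sign-in response before it even looks at the signature. The origin and challenge are placed in clientDataJSON by the browser, and the rpId hash by the authenticator, so a credential exercised on a look-alike domain fails these checks without the user having to notice anything. RP_ID, the allowed origins and the challenge are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple

RP_ID = "example.com"                                    # constructed rpId
ALLOWED_ORIGINS = {"https://example.com", "https://www.example.com"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_client_data(origin: str, challenge: bytes) -> str:
    """Constructed stand-in for the clientDataJSON a browser builds during
    navigator.credentials.get(). The browser, not the page, fills in the
    origin, which is why a phishing page cannot claim to be example.com."""
    body = {"type": "webauthn.get", "challenge": b64url_encode(challenge),
            "origin": origin}
    return b64url_encode(json.dumps(body).encode())


def constructed_authenticator_data(rp_id: str, flags: int = 0x05,
                                   counter: int = 1) -> bytes:
    """Constructed authenticatorData: sha256(rpId) || flags || signCount."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + counter.to_bytes(4, "big"))


def check_assertion(client_data_b64: str, authenticator_data: bytes,
                    expected_challenge: bytes) -> Tuple[bool, str]:
    """The relying party's binding checks on an authentication response.
    The signature over authenticatorData || sha256(clientDataJSON) is
    verified separately and is omitted here. Returns (ok, reason)."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:
        return False, "clientDataJSON is not valid base64url JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    try:
        got_challenge = b64url_decode(str(client_data.get("challenge", "")))
    except ValueError:
        return False, "challenge is not base64url"
    if not hmac.compare_digest(got_challenge, expected_challenge):
        return False, "challenge mismatch (stale or replayed response)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        # The credential was exercised somewhere other than this service.
        return False, f"origin {origin!r} is not this service"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our rpId"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"
```

In a real deployment the browser would not even offer an example.com passkey to a page on another origin; the server-side check is the backstop that makes the binding hold regardless of client behaviour.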

If you’d like to see passkeys in action, please watch this four minute segment from Apple’s WWDC 2022 where I explain what passkeys are, how they work, and why they’re such a big deal.

If you’re reading this, you’re capable of and willing to set up an “authenticator app”; most people aren’t. You might be able to afford and may be willing to purchase a hardware security key; most people aren’t. Giving a service one’s phone number and occasionally entering a six-digit code is something lots of people can do and are willing to do. But ultimately, far more people can consent to save a passkey to their phone and consent to use it to sign in, and by doing so, they’ll be protected from password reuse and phishing.

Of course, no authentication technology is one-size-fits-all. For example, passkeys rely on having access to a personally-owned device and not all people who use online services with accounts own such a device, like a smartphone. But for the vast majority of Twitter’s users, passkeys are the answer.

If the topics of account security and usable software are interesting to you, it’s a lot of what I talk about over on my Mastodon account. Thanks for reading!


  1. My math: I used the 74.4% number that Twitter has published. That’s a maximum, because a non-zero number of those accounts are subscribed to Twitter Blue. Kudos to Twitter for publishing this data. The transparency benefits the whole industry.

AMA on Mastodon today

I’m doing an AMA (ask me anything) on Mastodon today.

Mastodon and the “Fediverse”

Update: I’m doing an AMA (ask me anything) on Mastodon today, December 18.

Over the last week, my opinion of the Mastodon project and software, as well as the “Fediverse”, has completely changed. I was pretty skeptical of it, but after giving it a chance, I’m participating and having fun.

Let’s rewind back to the skepticism. It started with the name: Mastodon. It doesn’t sound very inviting. Some people might even reach for Masta instead of Masto when spelling it. And decentralized social networking? Like a “web3” thing, with hexagons.eth/NFTs/glowing-eyes involved? Fortunately, no, but I think I was right to be concerned.

I love Twitter, full stop. But after everything that’s happened in the last few weeks, I wanted to start hedging against Twitter falling out of favor with the people I enjoy following and joking around with. Interacting with people on Twitter has facilitated some of the best moments of my life and I’m afraid of losing that.

Here’s what happened: I signed into my neglected account at mastodon.social[1]. I used a web app called Fedifinder to start following people who I follow on Twitter. Then, I started reading my timeline and found it to be relatively relaxing, warm, and fun! The energy and atmosphere feels a lot more positive than what’s happening on Twitter, at least right now.

If you haven’t tried a Twitter alternative[2] yet, I think you should give it a shot. A change of place can yield a pleasant change of pace, and the web is at its best when people are trying things.

Not convinced? Try out a Twitter alternative just to spite[3] Elon Musk. Musk is a tireless sycophant and petty tyrant who purchased one of the world’s most entrenched networks. It’s 100% worth trying to stick it to this man.

If you make it over to a platform that implements ActivityPub, the federation protocol that Mastodon uses, you can follow me at rmondello@hachyderm.io. Please say hi; I’m always looking to make a new friend. :)


To finish this post, here are my answers to some of the questions that I see and hear people asking about Twitter and Mastodon right now.

Is decentralized social networking harder to use than One True Website/App?
For most people, absolutely 100% yes.

If the “Fediverse” is to grow, isn’t it a problem that it’s harder to get started on than centralized social networks?
Yes.

Is Mastodon a Twitter replacement?
For most people who use Twitter, no, not today. It might not be for a long time, if not ever.

Will there be growing pains as more people try it out?
Of course.

Do I need to be there? Am I missing out?
No, you aren’t; relax.

Will decentralized social networking “win”?
I don’t know what it would mean to “win”. I’m not sure I find that framing helpful.

Are you hoping for decentralized social networking to “win”?
No—I’m just vibing. Something doesn’t need to succeed by traditional metrics or last forever for it to be good or enjoyable or worth doing.


  1. I have since moved to a different instance. Something that’s really cool about the protocol that Mastodon operates on is you can migrate your followers to a different Mastodon instance. I think that’s really cool!
  2. Besides Mastodon, Cohost seems like a great solution for posting and interacting with people.
  3. I’m being cheeky here. It’s not at all clear what, if anything, harms a billionaire incapable of shame.

Dover High School Paints over Black Lives Matter Mural

I grew up in a small town in upstate New York, Dover. On July 12, 2008, on this blog, I documented a part of the lead-up to me graduating high school:

There’s a little tradition at Dover High School – graduating seniors can elect to paint a mural on the high school’s driveway. It’s a great way to leave a mark until it’s paved over sometime in the next year. With the help of a few friends, I painted what I consider to be an awesome driveway mural.

A few days ago, on her personal website, Ariana Lasher described something that happened recently in Dover:

On May 27th, Jody Grant, a Dover High School senior, painted a mural of the “resistance fist”, a symbol used in the Black Lives Matter movement, on her school’s driveway. Within 24 hours, before she could even finish her artwork, the school’s administration made the decision to paint over the memorial. With yet another black individual killed, and riots breaking out among the nation in the fight for justice, Grant wanted to raise awareness in her own way. Now, she is left outraged.

It’s worth reading the whole writeup, if you haven’t already.

Mike Tierney, superintendent of the Dover Union Free School District, initiated the removal. I recently emailed Tierney and some other Dover administrators the following note, asking them to reconsider what they’ve done here:


Hello Mike Tierney,

I recently learned of the decision to paint over Jody Grant’s driveway mural, a memorial to Black lives ended by systemic, ingrained racism and the unaccountable institution of police in America. I wanted to drop you a quick note to explain why I’m disappointed by this decision, but also why I think it’s possible to make things right here.

Painting over a memorial to Black lives lacks empathy, and is itself an act of violence when considered in the context of life for Black people in the United States of America. And claiming to personally support the mural’s message is an empty gesture that lacks principles. In your job as an administrator of a public school, with authority over the direction of young people’s lives, I think it’s really important that you understand why your decision has caused real harm.

In an email, you said:

I decided to take down the mural because (although I agree with her message and proud of her want for change) it was not the appropriate time/place of manner for her message.

When is it inappropriate to mourn? I can think of driveway paintings that would be considered inappropriate by most people, but Jody’s mural does not fit into any of those molds. It’s not obscene. It doesn’t directly cause harm or incite anyone to cause harm. Instead, it’s relevant to living a curious life in pursuit of kindness, and reflects on something that’s personally important to its creator.

I suspect you would permit, or maybe celebrate, a driveway memorial to a specific student who was killed in a drug overdose, or was a victim of drunk driving. The same for a memorial to the country-wide collection of young people lost to the widely-acknowledged drug overdose epidemic. I suspect you would permit a driveway memorial by a student about someone who isn’t a student if it was a memorial to someone who was killed by circumstances almost everyone could agree were regrettable — if it wasn’t challenging or uncomfortable. And here again, I think you would permit a memorial to a collection of people lost in similar circumstances.

Assuming my characterization of how you would react to these other, hypothetical memorials is correct, what’s the difference in appropriateness between those circumstances and that of life and death for Black Americans? I think it’s worth taking a moment to consider and sit with that.

Jody Grant is grieving, like so many people in our country are, and you told her that her grief isn’t appropriate. Whether you meant to or not, you asserted that a tradition revolving around personal expression should not, and given your authority, cannot, touch on institutional racism. You said that this place of learning is not a place where it’s safe to discuss the epidemic of police violence in the United States that disproportionally affects Black people. In painting over this mural, Dover High School and Dover itself became less tolerant — less safe — and I hope you can appreciate why I call this a form of violence.

In an email to an alumna, you wrote:

The general guidance has been as you know is [sic] to celebrate student accomplishments, celebrate next steps in their life, show gratitude to family and friends, and school spirit.

I fear that your framing here is retroactive, but I’ll dabble in accomplishments, celebrations, and gratitude briefly. It is an accomplishment that Jody’s eyes are open to pain. It is worth celebrating that there are young people who feel that their next steps in life are to combat extrajudicial killings of Black people. (This is more than worthy of celebration; we should join and support them.) Mourning the loss of life is a form of showing gratitude; the act of mourning says that these lives were and are worth something. And transcending school spirit, Jody’s mural, conviction, and clarity are a form of the human spirit shining bright.

Mike, you have an incredible opportunity to do one of the most important things a leader can do: admit you made a mistake. You could bring some good, and some healing, into this world by telling folks that you’ve listened to their perspectives, really learned from them, and changed your mind. I know that this could make some people in Dover uncomfortable, but given our nation’s history and the moment we’re in right now, some discomfort is warranted.

Please rethink your decision here and let Jody paint her mural.

Sincerely,
Ricky Mondello
Class of 2008


I encourage anyone who feels they have standing to reach out and share their feelings with Mike Tierney and the rest of the Dover Schools administration.

WWDC 2019 Talk: What’s New in Authentication

I presented a session at WWDC this year. You can find the video on developer.apple.com, or in the WWDC app. If you’re interested in how apps and websites authenticate users, or you’d like to know how I’ve been spending some of my time at Apple, it’s worth checking out.


An aside: This was the fourth talk I’ve prepared and delivered at WWDC. (That’s four in seven years!) I’ve learned a lot every time I’ve done public speaking, but this time I picked up a specific, tactical lesson: empty your back pockets before getting on stage.

About fifteen minutes before showtime, I took a hairbrush to the bathroom to fix up my hair, stashed the brush in my back pocket, and then immediately forgot about it. I might have been too nervous to remember it.

As I was walking up the staircase to get onto the stage, a loud ~ THWACK ~ surprised me from behind. Oh no! My audio gear fell off the back of my jeans. It’s all over; I’m about to fail. The time I spent preparing and practicing doesn’t matter — the demo gods have enacted their revenge for my talk not actually including a demo.

Or not. When I turned around, I could see that the forgotten hairbrush was to blame, and that it hit the metal stairs on its descent, making the loud sound.

I got lucky. If the brush had held on for just a moment or two, it could have leapt out of my back pocket mid-sentence, as I was being filmed. I’m not sure how I would have recovered from that. Would I bend or kneel down to pick it up? Casually kick it to the side or off the front of the stage? Pretend nothing happened? While ignoring it, trip on it?

My brief terror turned into an overwhelming sense of relief and thankfulness. I haven’t failed. This could have been so much worse. Let’s go do the thing!

This whole episode, playing out over just a few seconds, neutralized a lot of the nervous energy I normally have at the start of a talk, and I think for the better. For me, a lot of what goes into public speaking is managing my emotions; I’m trying to be calm enough to be clear, but enthusiastic enough to keep the audience’s attention. The next time I’m in front of a crowd, I’d like to summon this feeling of gratitude — I’m so lucky; let’s do this! — and incorporate it into that emotional balance. I’ll just have to find a way to do that without first having a moment of all-consuming panic! 🙃