What is something that is completely legal that should be illegal?
hedgehog @hedgehog@ttrpg.network · Posts: 1 · Comments: 869 · Joined 2 yr. ago
What additional capabilities does that give the app beyond using Firefox or Chrome to install it as a PWA?
When I meet a dog whose name I don’t know, I often address him or her as “Dog.” Similarly, if I meet a cat whose name I don’t know, I often address him or her as “Cat.” It’s only polite. It’s a generic but polite form of address, like “Ma’am” or “Sir.”
The same goes with a moon. I call it “Moon” because we aren’t yet on a first name basis.
Tell me, OP - what makes you think that you should be on a first name basis with the moon?
Per the Wired article, the Palestinian employee who was fired, Madly Espinoza, asked for and received permission to wear her keffiyeh, which was rescinded a few weeks later. She followed the new instructions and asked for and received approval to wear pro-Palestinian jewelry. She was then fired. Her termination documents did not state a reason.
Getting physical access to users’ devices is more difficult than compromising their passwords, so in that sense, transitioning that one factor is a net improvement in terms of reducing the number of compromises for a given service.
Except for e2ee accounts, which I suspect Passkeys don’t support in the first place (at least, not without caching the password on your device), law enforcement can access your account’s data without ever needing your password. If you’re concerned about law enforcement breaking into your device and you’re not using a unique 16+ character passcode with it set to wipe the device after a certain number of attempts, that’s on you.
I’m not sure about the state of affairs on Android, but the most popular and powerful tool used by law enforcement to extract data from iOS devices only recently gained support for iOS 17 and it doesn’t have the ability to bypass passwords on a device that isn’t accepting FaceID; it just has the ability to brute force them. A password with sufficient entropy mitigates this attack. (It’s unclear if it’s able to bypass auth when FaceID is enabled, but I could see it going either way.)
You said a couple of things that I specifically want to address:
But it doesn't solve anything that existing TOTP over text messages didn't solve, other than some complexity, and it eliminated the password (something you know) factor at the server.
and
outside of MitM attacks that TOTP mitigates
Text-message based TOTP - or SMS 2FA - is incredibly vulnerable. In many cases, it can be compromised without the user even realizing. A user with a 4 digit PIN (even if that PIN is 1234) and a Passkey on their device is much less vulnerable than a user using SMS 2FA with a password used across multiple services.
If a user cares deeply about security, they likely already have a set of security keys (like the YubiKey 5C) that support U2F / WebAuthn, and they’ll add passkeys for their most sensitive services to those devices, protected by unique, high entropy PINs. This approach is more secure than using an equally high entropy password and U2F / WebAuthn if the latter isn’t secured with a PIN: these devices are extremely secure and wipe their contents after 8 failed PIN attempts, but the password is transmitted to the server, which receives it in plaintext and stores it hashed, generally outside of a secure enclave. That makes the password vulnerable, e.g., if grabbed from server memory, or to a brute force attack on the hash if the server is compromised (which could be undetected and only involve read access to the db server), meaning a simple theft of the security key would be all that was needed to compromise the account (vs needing the PIN, which is never transmitted anywhere).
And app-based TOTP doesn’t mitigate MITM at all. The only thing it does is add a timing component requirement, which current MITM phishing attacks have incorporated. To mitigate such an attack you need Passkeys, Webauthn, or U2F as an authentication factor. To bypass this the attackers need to compromise the service itself or a certificate authority, which is a much taller task.
The other thing is that we know most users reuse passwords and we know that sites will be compromised, so:
- best case scenario, salted password hashes will be leaked
- likely scenario, password hashes will be leaked,
- and worst case scenario, plain text passwords will be leaked
and as a result, that user’s credentials for a different site will be exposed. For those users, Passkeys are a vast improvement over 1FA, because that vulnerability doesn’t exist.
Another factor is that the increased visibility of Passkeys is resulting in more sites supporting them - U2F / Webauthn didn’t have great adoption. And getting these into the hands of more users, without requiring them to buy dedicated security keys, is a huge boost.
For the vast majority of users, passkeys are an improvement in security. For the few for whom they aren’t, those users likely know that, and they still benefit from increased adoption of a MITM immune authentication method, which they can choose on a site-by-site basis. And even they can benefit from increased security by storing passkeys on a security key.
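The origin-binding difference argued in the comment above, as an added example that is not part of the original post: an RFC 6238 TOTP verifier has no input for where the code was entered, so a code relayed to the real site within the time window verifies, while a WebAuthn-style relying-party check rejects an assertion whose signed clientData carries any origin other than its own. The origins, credential key and challenge are constructed for the example, and an HMAC stands in for the authenticator's public-key signature.

```python
import base64, hashlib, hmac, json, struct

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp_verify(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    # Nothing here identifies who submitted the code or which site collected it,
    # so a code relayed within the accepted window verifies.
    return any(hmac.compare_digest(totp(secret, at + i * step, step), code)
               for i in range(-skew, skew + 1))

RP_ORIGIN = "https://accounts.example.com"  # constructed relying-party origin

def make_assertion(origin: str, challenge: bytes, cred_key: bytes):
    # Client side. The browser, not the page's script, writes origin into clientData,
    # and the authenticator signs over its hash (HMAC stands in for that signature).
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    client_data = json.dumps({"type": "webauthn.get", "challenge": chal, "origin": origin}).encode()
    sig = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, sig

def webauthn_verify(client_data: bytes, signature: bytes, expected_challenge: bytes,
                    cred_key: bytes) -> bool:
    # Relying-party check: type, origin and challenge must match before the signature counts.
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("origin") != RP_ORIGIN:
        return False
    chal = cd.get("challenge", "")
    got = base64.urlsafe_b64decode(chal + "=" * (-len(chal) % 4))
    if not hmac.compare_digest(got, expected_challenge):
        return False
    expected = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)

def relay_scenarios() -> dict:
    # Constructed scenario: the user is on a look-alike page that forwards what it
    # collects to the real site within the same time window.
    totp_secret, now = b"12345678901234567890", 1_700_000_000  # RFC 6238 test secret
    relayed_code = totp(totp_secret, now)  # typed into the look-alike page, forwarded
    cred_key, challenge = b"constructed-credential-key", bytes(range(32))
    bad = make_assertion("https://accounts.example.com.evil.test", challenge, cred_key)
    good = make_assertion(RP_ORIGIN, challenge, cred_key)
    return {"totp_relay_accepted": totp_verify(totp_secret, relayed_code, now + 5),
            "webauthn_relay_accepted": webauthn_verify(*bad, challenge, cred_key),
            "webauthn_genuine_accepted": webauthn_verify(*good, challenge, cred_key)}
```

In a real browser the assertion from the look-alike origin usually never forms at all, because navigator.credentials.get() is refused when the page's origin does not match the credential's rpId; the relying party's own origin check shown here is the second line of defense.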
For logging in, Bitwarden supports TOTP, email, and FIDO2 WebAuthn on the free plan. It only adds Yubikey OTP and Duo support at the paid tier, and WebAuthn is superior to both of those methods. This is an improvement that they made fairly recently - back in September 2023.
The other features that the free plan lacks are:
- the 1 GB of integrated, encrypted file storage. This is a convenience that is nice to have, but not essential to a password manager.
- the integrated TOTP generator. This is a convenience that many argue is actually a security downgrade (under the “putting all your eggs in one basket” argument).
- Upgraded vault health reports - free users get username data breach reports but not weak / reused password reports. This is the main area where your criticism is valid, but as far as I know free competitors don’t offer this feature, either. I looked at KeePassXC and didn’t see this mentioned.
- Emergency access (basically a trusted contact who can access your vault under some circumstances). This isn’t essential, either, and the mechanisms they add to ensure security of it cost money to provide.
- Priority support - free users get 24/7 support by email, which should be good enough
I believe that the pop-up was also bugged and that it was only supposed to show up once.
None of what you’re saying has anything to do with whether an authentication flow is effectively implementing two-factor authentication.
The server doesn’t need to know details about which two factors you used. If you auth with a passkey and it knows that passkeys themselves require an additional factor to be used, then it knows that you’re using 2FA.
If they use a 4 digit pin or, worse, the 4 point pattern unlock, it's easy enough to brute force on most devices.
This is true, but that doesn’t mean it doesn’t qualify as an authentication factor. Nobody should use a 4-6 digit PIN for their phone, but this is a matter of individual security preferences and risk tolerance. In a corporate setting, the corporation can set the minimum standard here in accordance with their own risk tolerance.
My password could be “password123” and it would still be one factor.
Thanks for clarifying. Phrased / thought of as “a situation wherein X happens is immoral,” it makes sense.
My confusion came from not doing that, even after reading the “Remember:” text in the comment, thanks to my conflating my personal belief that the individuals who are part of corporations that purchase houses in mass and rent them out are behaving immorally (vs being actors in an immoral situation) being adjacent with a statement about an individual renting out a room.
That concept of morality feels more similar to what I think of as “fairness” (though not an exact match) than to individual morality.
I feel like there must be a different word used to convey the moral judgment of someone who isn’t doing the best they can within the framework - i.e., someone who is choosing to exploit laborers for profit in excess of anything they could use for themselves.
Oh! So your statement was basically “a situation where someone has to rent a room from someone, even if that person is just renting a room out of their family house, is immoral?” That clears things up - thanks for explaining.
Right…
What’s the moral alternative for an individual without the power to make that change, who you said would be behaving immorally if they rented out a room from their family home?
What’s the moral alternative?
You are not creating Value by allowing someone to use a room for a fee.
You created value when you made the room suitable for someone else’s use rather than your own. The room was not available and now it is. Value is an output, and the room didn’t intrinsically have value.
This is just using the already created Value to rent-seek.
Your understanding of rent-seeking is not one I’ve seen literally anywhere else. What’s the basis for that?
Using a room to rent out becomes Private Property, not Personal Property.
How so?
Rent-seeking behavior is when you seek economic rent (more compensation than is required for a resource to be employed) without creating value. If you repurpose a room to make it available to someone to rent, you’re creating value. Likely part of how you’re creating that value is via your own labor.
The home you live in is generally considered to be personal property, not private property, so ownership of capital isn’t happening in this scenario. “Doing X is immoral because it leads to you doing Y, which is immoral” (that it would lead to the exploitation of labor) is a slippery slope argument without any basis (and with plenty of anecdotal counterpoints).
Renting out a single room out of your family house is immoral
Why? It seems to me that if you’re accommodating having someone in your home, being compensated for that inconvenience wouldn’t be immoral. Certainly not any more immoral than having that room go unused would be.
For an authentication flow to qualify as two factor authentication, a user must verify at least two factors - and each must be from the following list:
- something they know, like a password
- something they have, like a phone or security key
- something they are - fingerprints, facial recognition (like FaceID), iris scans, etc.
Passkeys require you to verify a password or authenticate with biometrics. That’s one factor. The second factor is having the passkey itself, as well as the device it’s on.
If you log in to your password manager on your phone and use your fingerprint to auth, that’s two factors right there.
For anyone who didn’t click into the original post and whose client didn’t include its text, here are the instructions for opting out:
Opt-out. You can decline this agreement to arbitrate by emailing an opt-out notice to arbitration-opt-out@discord.com within 30 days of April 15, 2024 or when you first register your Discord account, whichever is later; otherwise, you shall be bound to arbitrate disputes in accordance with the terms of these paragraphs. If you opt out of these arbitration provisions, Discord also will not be bound by them.
Note that the forced arbitration clause applies only to Discord users in the US. The class action waiver appears to apply regardless.
This is also not a new addition to their TOS, but it does appear to require opting out again even if you already did, and to grant an additional opt out opportunity if you didn’t.
They do, but they’re a bit more expensive. They have a list at https://www.brother-usa.com/color-laser-all-in-ones (that includes printers without scanners but you can add a filter).
Ah, in that case I probably could have gotten even more life out of the starter toner - I ordered a replacement as soon as I got the warning about it being low but my prints weren’t washed out at all by the time I replaced it.
I have the Brother HL-L3270CDW, which prints in color. Ran me about $300 (it’s $270 directly from Brother now) plus the cost of the high yield toner cartridges I bought with it, but you can probably get away with the included toner for a while - with my B&W Brother the included toner lasted me over a year. It says the starters are supposed to last 1000 pages and the high yield 2300, but I’m pretty sure those numbers are very low based on my own usage estimates. I definitely went through more than two 500 page packs of paper in that first year.
It doesn’t have a built-in scanner but it does have:
- wireless and ethernet connectivity, plus support for AirPrint, cloud printing, etc
- direct USB connectivity (though I’ve never used it)
- duplex printing (not for A4 apparently)
- a 150 or so sheet capacity tray (advertised 250) that can handle letter, legal, A4, and anything smaller all the way down to 3” x 4.57”
It says it doesn’t support printing card stock but I’ve printed small amounts (30 or so sheets) at a time, largely without issues. That said, the only times I’ve had the printer jam, I was printing card stock, so maybe there’s some truth to that recommendation.
I haven’t used third party toner but my understanding is that as long as it’s good quality the printer will work fine. It doesn’t force you to only use first party toner.
The color quality has been good enough for my purposes - substantially better than the consumer inkjet printers I used like 20 years ago, but worse than current inkjets. That said, if photo quality color is the main thing your parents print and they print regularly, my recommendation - based on research, not personal experience - is an Epson EcoTank. From their site the entry-level model (the ET-2800) is $200 and comes with about 3k pages worth of ink (and replacement ink bottles have even more capacity). Other commenters have covered it in depth.
Inb4 a Supreme Court ruling including “MLMs are like hard-core pornography - ‘I know it when I see it.’”