Google will now make passkeys the default for personal accounts
hedgehog @ttrpg.network · Posts 1 · Comments 875 · Joined 2 yr. ago
Per Yubico’s specs on the Yubikey 4, it does not support FIDO 2 resident credentials, meaning it does not support Passkeys.
Compare to the specs of the Yubikey 5C NFC or Yubico Security Key C NFC, which both have this section:
FIDO2
The FIDO2 application allows for secure single and multi-factor authentication, and can store up to 25 resident credentials. These credentials, which are protected by a PIN, enable passwordless login, where the YubiKey, unlocked by a PIN and authorized by touch, can log you in to your accounts without entering a username or password. The FIDO2 application is FIDO certified.
See also Yubico blog post with an FAQ about passkeys:
How are passkeys different from YubiKeys?
They’re the same, and they’re different.
They’re the same because YubiKeys have had the ability to create these passwordless enabled FIDO2 credentials (passkeys) since the YubiKey 5 Series became available in mid-2018. Currently, YubiKeys can store a maximum of 25 passkeys. We are evaluating increasing this in the future because of the likely increase in fully passwordless experiences across the web that require them.
They’re different because Platform created passkeys will be copyable by default using the credentials for the underlying cloud account (plus maybe an additional password manager sync passphrase), whereas passkeys in YubiKeys are bound to the YubiKey’s physical hardware where they can’t be copied.
I wouldn’t run out right now and buy a Yubikey to store Passkeys given the 25 key limit and the likelihood that Yubico releases a new key that supports storing far more of them, but if you do, the $25 Security Key series is the cheapest option.
Passkeys can be phished, it’s just much more difficult than with passwords, TOTP MFA, SMS MFA, other OTPs, or push notification-based MFA (e.g., Duo or the way Microsoft, Apple, and Google push a notification to their app and you confirm and/or enter the key).
Passkeys are extremely phishing resistant in the same way as WebAuthn MFA and U2F MFA are, in that origin checks by the browser prevent attackers from initiating the auth process. But they can still be attacked in these ways:
- XSS bug in the target website
- Browser vulnerability
- Malicious browser (not a concern on iOS but a concern everywhere else)
- Compromise of any cert in the chain between you and the target website
- Convincing the user to install (or using malware to install) a root certificate, or compromising one you already installed (e.g., for work)
- Bookmarklet/clipboard/devtools attacks
From memory, passkeys, webauthn, and u2f should prevent over 99% of phishing attacks that are successful without them in place.
There’s also the risk of the passkey itself being compromised, though that level of risk is dependent on your device / how you’re storing your passkeys and isn’t a “phishing” risk.
The site likely didn’t support passkeys. But passkeys are basically webauthn passwordless login, and per the yubikey docs they support that.
See https://www.yubico.com/authentication-standards/fido2/ and https://fidoalliance.org/passkeys/#faq for more info. See also https://support.apple.com/guide/iphone/use-passkeys-to-sign-in-to-apps-and-websites-iphf538ea8d0/ios specifically the bit about adding a passkey to a physical key.
Keys are stored in the equivalent of iOS’s Secure Enclave (actual name is implementation specific: ARM’s TrustZone, Samsung’s KNOX, Pixel’s Titan M, etc.): https://www.howtogeek.com/387934/your-smartphone-has-a-special-security-chip.-heres-how-it-works/
“Keychain” is often used colloquially to refer to a piece of software that holds passwords and other secrets, which can include passkeys depending on the implementation.
I thought Craig was just being weird, but the Fizzy Water bundle includes Vinegar and Baking Soda, a companion app that makes a similar change to (allegedly all) other sites that have custom video players.
EDIT: I’m now realizing Craig said that, like, four times. What the fuck, Craig.
Given that it gets rid of captchas, it neatly evades that issue.
Their goal wasn’t to improve bot blocking, though, but to deter real people less and bots just as much, and it seems they’ve achieved that.
Strange, I’ve only noticed one issue - videos don’t play. Sadly it’s a fairly critical issue.
100%
The homestead exemption protects people from being forced to sell their home to satisfy a debt (in many states it also exempts a portion of the home’s value from property taxes), but if an LLC owns it and they don’t, those same protections don’t apply. If, instead of Trump putting his home in his own name, he assigned it to an LLC, he did so to get some sort of a benefit. Potentially losing his home is the cost of that decision.
Caveat: if the LLC was renting the property to Trump and they had an explicit lease with a definite term, then some protections might apply.
Sources:
I suspect the objection had to do with some misinformation regarding the Duckduckgo browser. I remember reading about the issue and thinking it was about search, too.
The DDG CEO wrote up a response on Reddit and it explains it very well. Here’s a link to the comment on the Wayback machine.
Make it a percentage of disposable income, calculated as income plus 4% of net worth minus average living expenses for your city.
To avoid letting low-income people commit certain crimes without any penalty, maybe have a minimum fine but allow anyone who would be eligible to pay less than the minimum to make up the difference with community service (i.e., if the minimum fine is $200 and the calculated percentage of their disposable income would only be $100, they can pay $100 and then work 10 hours of community service).
Would those environmental protections have allowed the wall to simply not be built, or would they have just delayed it, costing even more money for environmental reviews, changed plans, etc., when a government shutdown is imminent?
That’s a real question, to be clear, and not one the article answered one way or the other.
The standard system in macOS is based on a Uniform Type Identifier, or UTI, like public.plain-text for a plain text file, and public.jpeg for a JPEG image.
To determine the file type, macOS uses MIME types when downloading from the Internet, can still use old Classic Mac OS four-character type codes, and ultimately relies on UTIs.
To get the UTI of a given file, use the mdls (meta data list, part of Spotlight) command in the Terminal.
Check out https://en.m.wikipedia.org/wiki/Uniform_Type_Identifier for more info.
PDFs have a MIME type of application/pdf per the spec, but you might still encounter some with MIME types like application/x-pdf. macOS reads the MIME type of a file, then assigns the com.adobe.pdf UTI (if it wasn’t already assigned by another Mac application).
Oh cool! I’ll check those out.
Having looked at it a bit more, even if it doesn’t end up replacing Standard Notes for me, it still looks promising, particularly given the ease of self hosting it. Self hosted it looks like it could be useful for shared notes, too, even though that doesn’t seem to be its intended use case.
A big part of the appeal for me is that Standard Notes already had a bunch of editors and that it was easy to create my own - they provide a starter app and you can just use React and/or any web libraries of your choice. I’ve looked through the Trilium docs and while they’re not as good, they’re probably good enough.
Another big difference is that Standard Notes also sandboxes its editors, such that they only have access to the current note. It looks like Trilium’s executable JS code notes lack a similar feature. Then again, that also has a positive side effect of meaning plugin devs have a lot more power and flexibility in terms of what they build.
If you want to disable it on your iPhone, it’s at the very bottom of Settings -> Notifications (under all the apps). You can disable:
- AMBER Alerts
- Emergency Alerts
- Emergency Alerts - Always Play Sound
- Public Safety Alerts
- Test Alerts
Did you have Emergency Alerts enabled but have “Emergency Alerts - Always Play Sound” disabled? If not, I’m curious if anyone who did can report about whether or not it was effective.
I only run Linux on my server, but even so I feel like I can run almost everything I ever use on Windows, or an equivalent on it. MacOS exclusive apps are actually a bigger problem for me.
For image editing, GIMP was commonly recommended like a decade+ ago, and it’s still a decent option if it’s what you’re looking for. But now there are several alternative, mature tools that are Linux native, like Krita, Inkscape, Darktable, etc. The Affinity suite is usable on Linux via Bottles, as are some versions of the Adobe suite, like Photoshop.
Good point. I’m not sure if IzzyOnDroid considers the CC license to be “free as in freedom” but even if they do, they allegedly have a 30 MB limit per application, and the most recent SN apk is just under 100 MB.
Signal’s approach is useful if the goal is to avoid being tracked by Google without losing out on the convenience of auto-upgrades, but it’s still bad in that they could theoretically introduce a client-side vulnerability that nobody external would have a chance to audit.
You can also use Standard Notes via the web app, which can be installed as a PWA. And even though it’s not FOSS anymore, the source is at least kept up to date.
Trilium looks pretty interesting but not like a great direct replacement. One major feature gap is the lack of custom editor plugins, which is essential for me.
Another app I’ve seen recommended as an alternative is Joplin. I don’t use it myself, but it does have custom plugins, including for custom editors. So for anyone who finds the lack of a mobile app or custom editors to be a deal-breaker, Joplin’s likely worth checking out.
Even if it were true (it is not: there are techniques like static analysis, intercepting client-server communication, etc., that can confirm application behavior), how is having “zero expectations of privacy with closed source apps as you cannot independently verify what they [sic] app is doing” relevant when the source is available?
Why do you say their actions were illegal? In every repository of theirs that I looked through (just app (formerly web), server, self-hosted, mobile, and desktop), the contributor on every single PR that had been merged was someone in the org. Unless there are some other contributions that I’m unaware of, their license change was completely legal.
There are tons of community created plugins, e.g., for editors (heck, I created and maintain one) but the licenses on those haven’t been changed and aren’t impacted. For any plugin that’s bundled with SN, an AGPL license can be a problem, and I didn’t check the contributions on their plugins, so maybe there’s an issue there and that’s what you’re saying is illegal? If those are still licensed as AGPL my understanding is that’s still legally allowed when they’re doing it, so long as there are no community contributors.
Personally I don’t understand how moving away from AGPL could accomplish their goals - AGPL already prevents another company from forking their server, changing the code, and not distributing those changes to their users… is the concern that some major companies are doing that and charging for it or using it internally? But regardless, being source available instead of FOSS doesn’t impact privacy expectations.
In fact, the way SN handles this is much better than the way Signal does, even though Signal uses a FOSS license. With Signal, development takes place in a private repository and it is later (sometimes as much as a year later) merged to the public one. My point is, the license isn’t the only thing that matters.
In terms of impact on contributions from the community - well, given that there haven’t been any, there won’t be an impact to the server or app repos. But I could see this impacting the willingness of the community to continue to build and maintain plugins.
Even FIDO2 MFA doesn’t protect you from attacks that involve malware running on your machine. If there was a keylogger on their machine then that machine is likely compromised in other ways, and any credentials entered or stored on it should be considered compromised and should be reset.