Well, I have no arguments with what you’ve said. I think security keys/FIDO tokens should be more prevalent too. Otherwise this is 100% correct and I feel the exact same way.
Some IT guy, IDK.
- 0 Posts
- 168 Comments
Joined 1 year ago
Cake day: June 5th, 2023
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
Your story reminds me of something that my bank started doing. I got a robocall about something to do with my credit card, and the voice said to verify using x and y using my keypad, I think it was day/month/year of birth or something and I immediately noped out of the call. I hit all the wrong buttons until it got me to a person and I ripped them apart, and their supervisor for basically training their userbase to answer security questions given by an automatic voice on the other end of the line with no way to verify who is calling.
You can spoof your caller ID, you can get a text to speech robocall bot with DTMF recognition and just spam call a whole area where the bank operates and gather a bunch of personal information because it sounds just like the bank and there’s no way to prove who called.
What a crock of shit. It’s a security nightmare.
I did call my bank after at a known valid number, verified them as they verified me, and there was something going on, so the call was legit, and totally unacceptable.
These clowns want us to trust them completely, and give us no reason to do so, but they want us to bend over backwards to validate ourselves. Fuck that.
4·14 days agoI agree with the idea of bodily autonomy. Above all, someone should have the right to do, or not do, whatever they want with their own person.
Whether that is to listen to doctors advice, buy pharmaceuticals and self-administer as prescribed, or even end your own life, and everything in between.
Quick disclaimer, suicide should still be evaluated by a psychiatric professional, and simply being suicidal shouldn’t necessarily mean that nobody can, or should stop you from committing that act. I’m mostly referring to medically assisted self termination, after the appropriate safeguards, checks, and balances have been cleared. Simply wanting to off yourself without being cleared as having sound mind should be something we, as a society, should address carefully, with the assistance of mental health professionals.
With all that being said: I probably would DIY some pharmaceuticals. Anything that’s an opiate or other restricted substance, definitely not. But if I can buy the ingredients without needing a special permit or license, I definitely would.
Something I’ve noticed with institutional education is that they’re not looking for the factually correct answer, they’re looking for the answer that matches whatever you were told in class. Those two things should not be different, but in my experience, they’re not always the same thing.
I have no idea if this is a factor here, but it’s something I’ve noticed. I have actually answered questions with a factually wrong answer, because that’s what was taught, just to get the marks.
The closest thing to a thin and light that I own is my framework.
I felt like anything less than what framework offers for repairability wouldn’t be sufficient for me.
There’s actually an argument that makes the point of driving prices down with soldered RAM.
The individual memory chips and constituent components are cheaper than they would be for the same in a DIMM. We’re talking about a very small difference, and bluntly, OEMs are going to mark it up significantly enough that the end consumer won’t see a reduction for this (but OEMs will see additional profits).
So by making it into unupgradable ewaste, they make an extra buck or two per unit, with the added benefit of our being unupgradable ewaste, so you throw it out and buy a whole new system sooner.
This harkens back to my rant on thin and light phones, where the main point is that they’re racing to the bottom. Same thing here. For thin and light mobile systems, soldered RAM still saves precious space and weight, allowing for it to be thinner and lighter (again, by a very small margin)… That’s the only market segment I kind of understand the practice. For everything else, DIMMs (or the upcoming LPCAMM2)… IMO, I’d rather sacrifice any speed benefit to have the ability to upgrade the RAM.
The one that ticks me off is the underpowered thin/lights that are basically unusable ewaste because they have the equivalent of a Celeron, and barely enough RAM to run the OS they’re designed for. Everything is soldered, and they’re cheap, so people on a tight budget are screwed into buying them. This is actually a big reason why I’m hoping that the windows-on-ARM thing takes off a bit, because those systems would be far more useful than the budget x86 chips we’ve seen, and far less expensive than anything from Intel or AMD that’s designed for mobile use. People on a tight budget can get a cheap system that’s actually not ewaste.
There’s reasons behind this. LPDDR IIRC works most efficiently when it’s closer to the CPU than what dimms would allow for.
Boosts speed and lowers the power requirements.
It also incentivizes people to buy larger SKUs than they originally wanted, which, bluntly, is probably the main driver for going that direction… I’m just saying that there’s technical reasons too
I’d say to try chromium, but you basically need to compile it yourself to get support for all the video codecs.
Yep. I work in IT support, almost entirely Windows but similar concepts apply.
I see people pushing 6G+ with the OS and remote desktop applications open sometimes. My current shop does almost everything by VDI/remote desktop… So that’s literally the only thing they need to load, it’s just not good.
On the remote desktop side, we recently shifted from a balanced remote desktop server, over to a “memory optimised” VM, basically has more RAM but the same or similar CPU, because we kept running out of RAM for users, even though there was plenty of CPU available… It caused problems.
Memory is continually getting more important.
When I do the math on the bandwidth requirements to run everything, the next limit I think we’re likely to hit is RAM access speed and bandwidth. We’re just dealing with so much RAM at this point that the available bandwidth from the CPU to the RAM is less than the total memory allocation for the virtual system. Eg: 256G for the VM, and the CPU runs at, say, 288GB/s…
Luckily DDR 4/5 brings improvements here, though a lot of that stuff has yet to filter into datacenters
This is less than interesting.
ISPs don’t want to cut off their income here. I’m certain they have a very good idea of how many of their customers, especially those paying for higher tier plans, are either getting constant DMCA requests, or have a persistent connection to a VPN service. They have a good idea of how much money they’re making from people pirating content, so this position for them is hardly surprising.
At the same time, I’d rather they fight with the copyright trolls than me. Regardless of the reason for why they’re doing it, it’s a good thing to fight for.
IMO, they shouldn’t be responsible for this because they’re not tasked with enforcing laws. They must abide by them, and they have a legal, or at least, moral obligation to report any felonies/crimes that they’re aware of (with varying degrees of obligation depending on the severity of the crime. Eg, I’m less bothered if they don’t report, say, piracy, than I would be if they don’t report CP/murder/violent crimes, etc).
If the LEO’s want a service cut off for a good reason, then let them get a court order for it. They should not be obligated by law to enforce such laws. Any enforcement should be handled by an independent organization, and be filtered through the court system as a check/balance for the whole cabal. They shouldn’t be forced to both find and enforce infractions. Reporting suspected infractions, maybe. Forwarding legal requests to customers, sure (like DMCA notices). Oblige disconnect requests from law enforcement by request (when confirmed necessary by courts in the presence of reasonable evidence), absolutely.
But having the ISPs do all that themselves with little oversight, is both a danger to their clients, to their liability, and to the public at large, mainly in the context of free speech. The ISP is just the middle man, the messenger. They don’t host the content, nor should they police it, or the access you can get to it. I’m all for collaboration in the interest of enforcing the law, but putting the entire obligation on the ISP seems foolish to me.
Cyber crimes is one area of law enforcement that I don’t think should be defunded. It may be that ACAB, but those doing the investigative work, away from public interaction (and possible abuse), are not the root of the problem there.
I dunno, just my opinion man.
This has been happening for a lot longer than just Windows 11.
Several people I’ve spoken to, who have purchased OEM computers from the likes of Dell, HP, Lenovo and others, did not know that bitlocker FDE was enabled, and they were not aware that they needed to back up their recovery key.
On at least one occasion, this caused someone to lose the contents of their laptop when Windows failed to finish booting into the OS. The drive was fine as far as I could tell, but the content on the drive would not complete the boot up sequence and would bsod/boot loop the system, so data retrieval was not possible without the recovery key, which they did not have. That was a Windows 10 Dell system from 2020 or so.
My opinion is that FDE is a good thing.
My advice is if you have FDE enabled, backup your recovery keys. It’s easy, but it won’t directly save to a file on the filesystem that’s locked by the key to which the recovery key applies. The easiest workaround is to “print” it, then use the built in Microsoft print to PDF, then dump it wherever you want. Afterwards, put it somewhere safe. Doesn’t matter where, but anywhere that isn’t the encrypted drive. Maybe Google drive, maybe a USB flash drive, maybe email it to yourself. I dunno, just somewhere you can retrieve if that system isn’t working.
When you’re done doing that, go check the same on your parents computers, friends, brothers and sisters… If they’re someone you care about, and they have a windows computer, check. Get those recovery keys backed up somewhere.
Foxes are like that though.
They look cute and cuddly… The trustworthy kind, then they bite your hand off and laugh at you.
It’s lady gaga.
If you’ve followed her at all, even indirectly, this is NOT the weirdest thing she’s done, and bluntly, the weirder stuff wasn’t justified (to the public at least).
I’m not trying to throw shade at Gaga at all. Lady, let your freak flag fly all day long. You don’t need my permission to do it, but if you want it, you got it. Weird isn’t bad, it’s just weird.
IMO, at this point, gaga doesn’t need a reason to be weird.
2·3 months agoI’m generally more of a Debian user, when I use Linux at least, so anything red hat based doesn’t even occur to me to recommend. I generally don’t get involved in distro discussions though.
My main interaction with Linux is Ubuntu server, and that’s where my knowledge generally is. I can’t really fix issues in redhat, so if someone is using it, I’m mostly lost on how to fix it.
There’s enough difference in how redhat works compared to Debian distributions that I would need to do a lot of work to understand what’s happening and fix any problems.
I dunno if I’d say any distro of Linux is really beginner friendly.
It takes quite a bit of learning the ins and outs of operating systems before Linux makes sense in any capacity.
If you’re just looking to run a few basic apps like discord/slack/teams/zoom, and run a browser, then sure, just about every distro can do that without trouble, and can be configured to be as “friendly” as Windows, with a few exceptions.
But anybody who wants to do intermediate/advanced stuff with little to no prior Linux knowledge? I’m not sure any distro is much easier than others. Again, with a few exceptions.
The exceptions are distros that are almost intentionally difficult to use, or that require a high level of competency with Linux before you can attempt to use it.
There’s always a learning curve, that learning curve is pretty much always pretty steep.
I’ve been using Linux for dedicated servers for a while and I don’t use Linux as a desktop environment, in no small part because despite having a fairly high level of competency with Linux, I don’t feel like I know enough to make Linux work for me instead of the other way around.
2·3 months agoThe banks are borderline criminally negligent because they exclusively use SMS for 2FA.
Simply, it is insufficient.
I get that they want the SMS information on file, and that’s understandable, but give people another option at least, Holy hell. It gives my inner IT secops brain an aneurysm.
It’s improvement.
But you can also polish a turd, and that’s also improvement. It’s still a turd. Taking 1990’s tech and overlaying rich text services onto it, is just polish for the same 90’s tech that should have been left behind.
IMO, it’s still worlds away from what you can get with a purely digital instant messaging system.
Also, it seems idiotic to me that nearly all of your communications can go up in smoke by accidentally dropping your phone into a wood chipper, and you’ll be SOL until you replace it because everything is hairpinned through your cellphones SMS capability. Battery dead? Out of your providers service area? Ha ha, get fucked.
Just dumb.
All I’m going to say to this is…
You people still use SMS?
I’ve explicitly told people not to send me text messages. The protocols are old and shit compared to other instant messengers. I’m on Google chat, telegram, signal, discord, slack, teams… Find another app to talk to me with. I generally don’t care which one, but I actively refuse to sign up for or into any Facebook/meta/Zuckerberg properties. If you use something I don’t that isn’t owned by the zuck, I’ll probably sign up so we can keep touch, but for the love of God, not SMS.
Look, SMS was great when phones didn’t have internet on them. It was a quick and easy way to send updates and chat while away from your cable/DSL/dialup (whatever you had at the time). Now that data is the primary use for a mobile phone plan, just use a more robust IM app.
I also have about six or seven phone numbers, which I give out to different groups of people for different reasons, plus a phone number on my mobile which nearly nobody knows. All my other lines (all VoIP lines) ring my cellphone number. Texting from my VoIP line is not fun, but it does work. Multimedia messages generally get lost and RCS is just encouraging the use of something that should have been killed off.
I’m partial to Telegram and signal since they mainly operate by phone numbers, but I can make “voice” and video calls over data rather than having to use my cellphone directly; which allows me to call from my computer, laptop, phone, tablet… Literally any device that can run the program. So if my phone is lost/damaged/stolen/whatever (unavailable for any reason), I can still send messages to you and call if needed.
If everything is tied to your cellphone number, and that number becomes unavailable for any reason, well… Get fucked I guess. Your SIM stops working, your phone dies/breaks/gets stolen, your provider decides to fuck your account up or charge you a fortune for no good reason and cuts you off, your provider has a major malfunction and stops servicing clients in your area… Literally anything goes wrong with the one system you use and all your SMS bullshit goes away. Stop. Using. SMS.
I prefer security keys. At work I use a yubikey, and I have Google’s security keys for my personal stuff. I tend to use totp as a backup.
For everything not banking, it’s great, I agree. I still prefer my security keys to everything. It’s hard to duplicate a digital key when it only exists on protected storage on a physical device, where that key never exists outside of that physical device.
In case anyone doesn’t know: FIDO works using a pair of asymmetric digital keys, the public key is sent to the remote site, and only the private key can decrypt anything encrypted by the public key. So a challenge (usually some mathematical calculation, not sure), is encrypted by the site/service that is handling the login, it sends over the encrypted request, which is passed, in it’s entirety to the fob. The fob requires a physical activation to process the challenge (usually a touch, but some require a fingerprint). The challenge is then decrypted, processed, the response is encrypted, and sent to the site for login, which decrypts the response with the public key, and compares the result to the result of the challenge that was sent.
There’s no part of this that can really be compromised. An eavesdropper can obtain the encrypted challenge (unable to be decrypted in any reasonable manner), and the response/public key… The public key isn’t useful, and the response is only valid for that specific login because there are aspects of the challenge that are unique per login.
All information in flight is unreadable nonsense. The only unique information to the key that is sent anywhere is the public key, which is supposed to be public.
Totp has the vulnerability of needing to relay the seed, usually by QR code. The only vulnerability there is when you set it up and the seed is shared to you, it can be intercepted. If that seed is stored anywhere that becomes compromised, then it becomes meaningless. It can be mined from an authenticator, or captured in flight.
Both of these are better than alternatives. Email/sms codes can be intercepted, either by an administrator or by an internet relay, or by sim duplication, etc. You know that already.
I don’t hate totp, I just recognize the faults in it.
There’s problems with physical security keys too, mainly in the fact that, if you lose the fob, you’re screwed. So it’s recommended to have a backup. Either in the form of a second fob, which is setup for all the same accounts which is stored securely, or in the form of another authentication method like totp.
Personally, I use a backup FIDO key for my accounts whenever possible. I also have a password manager that can store my totp so everything is in a single vault. If the vault is compromised then I’m screwed though… 90% of my accounts use a password reset email which is not stored in my vault. Only two things are not in my manager: that recovery email login (secured by my Fido key) and my bank (obviously also the vault login).
At work, I use the yubikey for everything that supports it, with totp as backup in my work’s duo authenticator account (duo is also setup to use my yubikey). So it’s all Fido/totp.
The only service I really want to use my security keys with that doesn’t support it, is my bank account… I suppose, also my government stuff, but almost all of that is informational. I can’t really make changes to my government stuff from their webpages. It’s generally just the government telling me things about my tax returns and whatnot (all SMS secured).
I hate the trend of companies requiring an app for 2FA… Something that’s not totp, but similar. You have a specific authenticator app for a single service on your phone only and it’s not great… Obvious examples include steam and Blizzard. Fuck that. I hate it. Go away. Give me normal MFA options… Dick.
I’ve ranted enough. Back to work for me.