hedgehog

@hedgehog@ttrpg.network


hedgehog,

It’s more like paying the ticket without ever showing up in court. And at least where I live, I can do that.

hedgehog,

The news sites can cover whatever they want. If their readers consume it, great - they’re writing to their audience. Doesn’t mean we can’t criticize it when it gets posted here.

How is everyone handling the 2FA requirement for GitHub? (docs.github.com)

Just wondering what people are using to meet the 2FA requirement GitHub has been rolling out. I don’t love the idea of having an authenticator app installed on my phone just to log into GitHub. And really don’t want to give them my phone number just to log in....

hedgehog,

If you only need one factor to log into your password manager, you’re doing it wrong.

hedgehog,

That’s still a single point of failure.

So is TLS or the compromise of a major root certificate authority, and those have no bearing on whether an approach qualifies as using 2FA.

The question is “How vulnerable is your authentication approach to attack?” If an approach is especially vulnerable, like using SMS or push notifications (where you tap to confirm vs receiving a code that you enter in the app) for 2FA, then it should be discouraged. So the question becomes “Is storing your TOTP secrets in your password manager an especially vulnerable approach to authentication?” I don’t believe it is, and further, I don’t believe it’s any more vulnerable than using a separate app on your mobile device (which is the generally recommended alternative).

What happens if someone finds an exploit that bypasses the login process entirely?

Then they get a copy of your encrypted vault. If your vault password is weak, they’ll be able to crack it and get access to everything. This is a great argument for making sure you have a good vault password, but there are a lot of great arguments for that.

Or do you mean that they get access to your logged in vault by compromising your device? That’s the most likely worst case scenario, and in such a scenario:

  • all of your logged in accounts can be compromised by stealing your sessions
  • even if you use a different app for your 2FA, those TOTP secrets and passkeys can be stolen - they have to be on a different device
  • you’re also likely to be subject to a ransomware attack

In other words, your only accounts that are not vulnerable in this situation solely because their TOTP secret is on a different device are the ones you don’t use on that device in the first place. This is mostly relevant if your computer is compromised - if your phone is compromised, then it doesn’t matter that you use a separate password manager and authenticator app.

If you use an account on your computer, since it can be compromised without having the credentials on device, you might as well have the credentials on device. If you’re concerned about the device being compromised and want to protect an account that you don’t use on that device, then you can store the credentials in a different vault that isn’t stored on your device.

Even more common, though? MITM phishing attacks. If your password manager verifies the url, fills the password, and fills your TOTP, then that can help against those. Start using a different device and those protections fall away. If your vault has been compromised and your passwords are known to an attacker, but they don’t have your TOTP secrets, you’re at higher risk of erroneously entering them into a phishing site.

Either approach (same app vs different app) has trade-offs and both approaches are vulnerable to different sorts of attacks. It doesn’t make sense to say that one counts as 2FA but the other doesn’t. They’re differently resilient - that’s it. Consider your individual threat model and one may be a better option than the other.

That said, if you’re concerned about the resiliency of your 2FA approach, then look into using dedicated security keys. U2F / WebAuthn both give better phishing resistance than a browser extension filling a password or TOTP can, and having the private key inaccessible can help mitigate device compromise concerns.

hedgehog,

Have you looked into configuring them directly from your NVR? Or third party options? I did a quick search and saw a list of several that as far as I can tell can display Reolink streams (though I haven’t confirmed any can configure the cameras):

And some proprietary options that have native Linux builds:

hedgehog,

Apparently it’s still being actively developed! I’m impressed.

April 15, 2024 Lynx v2.9.1 release

hedgehog,

The list of instances you shared was updated recently, but I tried the one url in it (the rest are onion links or i2p, and are older versions of libreddit to boot) and the page didn’t even load.

Libreddit has been discontinued for nearly a year due to not working thanks to Reddit’s API changes, though about a month ago they updated their repo to direct people to RedLib, which allegedly does work. That said, I tried the official instance and got an error. However, it’s being actively developed and looks easy to self-host. I don’t know if there’s a list of unofficial public instances.

hedgehog,

The dice method is great. www.eff.org/dice

hedgehog,

Being a bit pedantic here, but I doubt this is because they trained their model on the entire internet. More likely they added Reddit and many other sites to an index that can be referenced by the LLM and they don’t have enough safeguards in place. Look up “RAG” (Retrieval-augmented generation) if you want to learn more.

hedgehog,

Sure, and that’s roughly the same amount of entropy as a 13 character randomly generated mixed case alphanumeric password. I’ve run into more password validation prohibiting a 13 character password for being too long than for being too short, and for end-user passwords I can’t recall an instance where 77.5 bits of entropy was insufficient.

But if you disagree - when do you think 77.5 bits of entropy is insufficient for an end-user? And what process for password generation can you name that has higher entropy and is still easily memorized by users?

hedgehog,

Ah, fair enough. I was just giving people interested in that method a resource to learn more about it.

The problem is that your method doesn’t consistently generate memorable passwords with anywhere near 77 bits of entropy.

First, the example you gave ended up being 11 characters long. For a completely random password using alphanumeric characters + punctuation, that’s 66.5 bits of entropy. Your lower bound was 8 characters, which is even worse (48 bits of entropy). And when you consider that the process will result in some letters being much more probable, particularly in certain positions, that results in a more vulnerable process. I’m not sure how much that reduces the entropy, but it would have an impact. And that’s without exploiting the fact that you’re using quotes as part of your process.

The quote selection part is the real problem. If someone knows your quote and your process, game over, as the number of remaining possibilities at that point is quite low - maybe a thousand? That’s worse than just adding a word with the dice method. So quote selection is key.

But how many quotes is a user likely to select from? My guess is that most users would be picking from a set of fewer than 7,776 quotes, but your set and my set would be different. Even so, I doubt that the set an attacker would need to discern from is higher than 470 billion quotes (the equivalent of three dice method words), and it’s certainly not 2.8 quintillion quotes (the equivalent of 5 dice method words).

If your method were used for a one-off, you could use a poorly known quote and maybe have it not be in that 470 billion quote set, but that won’t remain true at scale. It certainly wouldn’t be feasible to have a set of 2.8 quintillion quotes, which means that even a 20 character password has less than 77.5 bits of entropy.

Realistically, since the user is choosing a memorable quote, we could probably find a lot of them in a very short list - on the order of thousands at best. Even with 1 million quotes to choose from, that’s at best 30 bits of entropy. And again, user choice is a problem, as user choice doesn’t result in fully random selections.

If you’re randomly selecting from a 60 million quote database, then that’s still only 36 bits of entropy. When the database has 470 billion quotes, that’ll get you to 49 bits of entropy - but good luck ensuring that all 470 billion quotes are memorable.

There are also things you can do, at an individual level, to make dice method passwords stronger or more suitable to a purpose. You can modify the word lists, for one. You can use the other lists. When it comes to password length restrictions, you can use the EFF short list #2 and truncate words after the third character without losing entropy - meaning your 8 word password only needs to be 32 characters long, or 24 characters, if you omit word separators. You can randomly insert a symbol and a number and/or substitute them, sacrificing memorizability for a bit more entropy (mainly useful when there are short password length limits).

The dice method also has baked-in flexibility when it comes to the necessary level of entropy. If you need more than 82 bits of entropy, just add more words. If you’re okay with having less entropy, you can generate shorter passwords - 62 bits of entropy is achieved with a 6 short-word password (which can be reduced to 18 characters) and a 4 short-word password - minimum 12 characters - still has 41 bits of entropy.

With your method, you could choose longer quotes for applications you want to be more secure or shorter quotes for ones where that’s less important, but that reduces entropy overall by reducing the set of quotes you can choose from. What you’d want to do is to have a larger set of quotes for your more critical passwords. But as we already showed, unless you have an impossibly huge quote database, you can’t generate high entropy passwords with this method anyway. You could select multiple unrelated quotes, sure - two quotes selected from a list of 10 billion gives you 76.4 bits of entropy - but that’s the starting point for the much easier to memorize, much easier to generate, dice method password. You’ve also ended up with a password that’s just as long - up to 40 characters - and much harder to type.

This problem is even worse with the method that the EFF proposes, as it’ll output passphrases with an average of 42 characters, all of them alphabetic.

Yes, but as pass phrases become more common, sites restricting password length become less common. My point wasn’t that this was a problem but that many site operators felt that it was fine to cap their users’ passwords’ max entropy at lower than 77.5 bits, and few applications require more than that much entropy. (Those applications, for what it’s worth, generally use randomly generated keys rather than relying on user-generated ones.)

And, as I outlined above, you can use the truncated short words #2 list method to generate short but memorable passwords when limited in this way. My general recommendation in this situation is to use a password manager for those passwords and to generate a high entropy, completely random password for them, rather than trying to memorize them. But if you’re opposed to password managers for some reason, the dice method is still a great option.
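The entropy arithmetic used throughout the comment above, as an added worked example (not from the original thread). It assumes uniform selection everywhere, the 7,776-word EFF long list, the 1,296-word short list #2 with unique three-character prefixes, and the thread's figure of roughly 1,000 remaining variants once a quote is known; the function and constant names are my own.

```python
import math

DICE_WORDS = 6 ** 5        # EFF long list: five dice per word, 7776 words
SHORT_WORDS = 6 ** 4       # EFF short lists: four dice per word, 1296 words
ALNUM = 26 + 26 + 10       # mixed-case alphanumeric alphabet
PROCESS_VARIANTS = 1000    # assumption from the thread: ~1,000 ways to turn a known quote into a password


def passphrase_bits(words: int, list_size: int = DICE_WORDS) -> float:
    """Entropy of `words` words drawn uniformly and independently from a list."""
    return words * math.log2(list_size)


def random_string_bits(length: int, alphabet: int = ALNUM) -> float:
    """Entropy of a uniformly random string over an alphabet of the given size."""
    return length * math.log2(alphabet)


def quote_method_bits(quotes: int, pool_size: int, variants: int = PROCESS_VARIANTS) -> float:
    """Optimistic upper bound for the quote method: pick `quotes` quotes uniformly from
    a pool, then one of `variants` transformations. Real users choose quotes
    non-uniformly, so the achieved entropy is lower than this."""
    return quotes * math.log2(pool_size) + math.log2(variants)


def words_for(target_bits: float, list_size: int = DICE_WORDS) -> int:
    """Fewest words from a list needed to reach a target entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def short_list_plan(target_bits: float) -> dict:
    """Short list #2 words truncated to their unique 3-character prefixes.
    Truncation loses no entropy because every prefix maps back to one word,
    so the length cost is 3 characters per word plus optional separators."""
    n = words_for(target_bits, SHORT_WORDS)
    return {
        "words": n,
        "bits": round(passphrase_bits(n, SHORT_WORDS), 1),
        "chars_with_separators": 4 * n - 1,
        "chars_without_separators": 3 * n,
    }


def equivalent_dice_words(pool_size: int) -> float:
    """How many long-list dice words a uniformly chosen pool of this size is worth."""
    return math.log2(pool_size) / math.log2(DICE_WORDS)


if __name__ == "__main__":
    print("6 dice words:", round(passphrase_bits(6), 1), "bits")
    print("13 random alphanumerics:", round(random_string_bits(13), 1), "bits")
    print("2 quotes from 10 billion:", round(quote_method_bits(2, 10**10), 1), "bits")
    print("plan for 82 bits under a length cap:", short_list_plan(82))
```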

hedgehog,

Just sharing this link to another comment I made replying to you, since it addresses your calculations regarding entropy: ttrpg.network/comment/7142027

hedgehog,

Are you familiar with LaTeX? You can use plugins that generate PDFs that follow the PDF/X1-a standard and send the resulting PDFs to professional printers.

TeXStudio is a FOSS LaTeX editor that looks well-suited for your use-case.

Since LaTeX documents are just text and your images are already sorted and so on, you could even write a script to construct the first draft of your doc with the pictures arranged consistently, based off the files in your file system, then edit it to tweak it to perfection. You could also/alternatively create or use some reusable LaTeX patterns.

hedgehog,

I haven’t worked with Scribus but I’ve heard good things about it, so I don’t think you’d be making a wrong choice by going with it. For this use case, the main reasons I can think of for why LaTeX would be preferable would be:

  • if you preferred working with it, or with a particular LaTeX tool
  • if you want to learn one tool or the other
  • if being able to write a script to create the output is something you want to do and the equivalent is not possible in Scribus

hedgehog,

I recommend Tidal over Spotify, personally

hedgehog,

Small correction - iCloud Photos are only end-to-end encrypted if you enable Advanced Data Protection, which was introduced in December 2022, and otherwise Apple has the keys. See support.apple.com/en-us/102651 for more details.

So the uploaded photos in question couldn’t have been e2ee. Even so, it’s reasonable for people to question the legitimacy of e2ee given instances where it’s been shown to be a lie or for the data to also have been transmitted without e2ee, like Anker’s Eufy cameras’ “e2ee” feeds clearly being accessible without keys from the user devices, or WhatsApp exposing tons of messaging metadata to Meta.

That said, I personally wasn’t using iCloud Photos prior to enabling Advanced Data Protection, and I had a few deleted photos show up from several years ago, so Apple’s explanation makes sense to me. And, like you’ve pointed out, most of the speculation was devoid of any critical thinking.

hedgehog,

Why should shadow bans be illegal?

hedgehog,

Because a good person would never need those. If you want to have shadowbans on your platform, you are not a good one.

This basically reads as “shadow bans are bad and have no redeeming factors,” but you haven’t explained why you think that.

If you’re a real user and you only have one account (or have multiple legitimate accounts) and you get shadow-banned, it’s a terrible experience. Shadow bans should never be used on “real” users even if they break the ToS, and IME, they generally aren’t. That’s because shadow bans solve a different problem.

In content moderation, if a user posts something that’s unacceptable on your platform, generally speaking, you want to remove it as soon as possible. Depending on how bad the content they posted was, or how frequently they post unacceptable content, you will want to take additional measures. For example, if someone posts child pornography, you will most likely ban them and then (as required by law) report all details you have on them and their problematic posts to the authorities.

Where this gets tricky, though, is with bots and multiple accounts.

If someone is making multiple accounts for your site - whether by hand or with bots - and using them to post unacceptable content, how do you stop that?

Your site has a lot of users, and bad actors aren’t limited to only having one account per real person. A single person - let’s call them a “Bot Overlord” - could run thousands of accounts - and it’s even easier for them to do this if those accounts can only be banned with manual intervention. You want to remove any content the Bot Overlord’s bots post and stop them from posting more as soon as you realize what they’re doing. Scaling up your human moderators isn’t reasonable, because the Bot Overlord can easily outscale you - you need an automated solution.

Suppose you build an algorithm that detects bots with incredible accuracy - 0% false positives and an estimated 1% false negatives. Great! Then, you set your system up to automatically ban detected bots.

A couple days later, your algorithm’s accuracy has dropped - from 1% false negatives to 10%. 10 times as many bots are making it past your algorithm. A few days after that, it gets even worse - first 20%, then 30%, then 50%, and eventually 90% of bots are bypassing your detection algorithm.

You can update your algorithm, but the same thing keeps happening. You’re stuck in an eternal game of cat and mouse - and you’re losing.

What gives? Well, you made a huge mistake when you set the system up to ban bots immediately. In your system, as soon as a bot gets banned, the bot creator knows. Since you’re banning every bot you detect as soon as you detect them, this gives the bot creator real-time data. They can basically reverse engineer your unpublished algorithm and then update their bots so as to avoid detection.

One solution to this is ban waves. Those work by detecting bots (or cheaters, in the context of online games) and then holding off on banning them until you can ban them all at once.

Great! Now the Bot Overlord will have much more trouble reverse-engineering your algorithm. They won’t know specifically when a bot was detected, just that it was detected within a certain window - between its creation and ban date.

But there’s still a problem. You need to minimize the damage the Bot Overlord’s accounts can do between when you detect them and when you ban them.

You could try shortening the time between ban waves. The problem with this approach is that the ban wave approach is more effective the longer that time period is. If you had an hourly ban wave, for example, the Bot Overlord could test a bunch of stuff out and get feedback every hour.

Shadow bans are one natural solution to this problem. That way, as soon as you detect it, you can prevent a bot from causing more damage. The Bot Overlord can’t quickly detect that their account was shadow-banned, so their bots will keep functioning, giving you more information about the Bot Overlord’s system and allowing you to refine your algorithm to be even more effective in the future, rather than the other way around.

I’m not aware of another way to effectively manage this issue. Do you have a counter-proposal?

Out of curiosity, do you have any experience working in content moderation for a major social media company? If so, how did that company balance respecting user privacy with effective content moderation without shadow bans, accounting for the factors I talked about above?
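The shadow-ban plus ban-wave mechanism described in the comment above, as an added illustration (not code from the original thread or from any platform): detection hides an account's content from everyone but the account itself, the account still gets normal success responses, and hard bans are applied in batches. The class, method names and tick-based timing are my own assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    ACTIVE = "active"
    SHADOW = "shadow"    # detected; content hidden from everyone except the author
    BANNED = "banned"    # enforced at a ban wave; the only state the account can observe


@dataclass
class Post:
    author: str
    text: str


class Moderation:
    """Toy moderation backend: shadow ban on detection, hard ban in waves."""

    def __init__(self, wave_interval: int):
        self.wave_interval = wave_interval        # ticks between ban waves
        self.status: dict[str, Status] = {}
        self.created_at: dict[str, int] = {}
        self.detected_at: dict[str, int] = {}      # operator-private; never returned to the account
        self.posts: list[Post] = []

    def register(self, account: str, tick: int) -> None:
        self.status[account] = Status.ACTIVE
        self.created_at[account] = tick

    def submit(self, account: str, text: str) -> bool:
        """Accept a post. A shadow-banned account gets the same success response as an active one."""
        if self.status[account] is Status.BANNED:
            return False
        self.posts.append(Post(account, text))
        return True

    def feed(self, viewer: str) -> list[str]:
        """What `viewer` sees: shadow-banned content is shown only to its own author."""
        return [p.text for p in self.posts
                if self.status[p.author] is not Status.SHADOW or p.author == viewer]

    def detect(self, account: str, tick: int) -> None:
        """Detector verdict: stop the damage immediately, but give the account no signal."""
        if self.status[account] is Status.ACTIVE:
            self.status[account] = Status.SHADOW
            self.detected_at[account] = tick

    def ban_wave(self, tick: int) -> list[str]:
        """On a wave tick, convert every pending shadow ban into a hard ban at once."""
        if tick % self.wave_interval != 0:
            return []
        banned = sorted(a for a, s in self.status.items() if s is Status.SHADOW)
        for a in banned:
            self.status[a] = Status.BANNED
        return banned

    def observable_window(self, account: str, ban_tick: int) -> tuple[int, int]:
        """All the account holder can infer after a wave: detection happened somewhere
        between account creation and the wave, not the exact tick the detector fired."""
        return (self.created_at[account], ban_tick)
```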

hedgehog,

But major social media companies do exist. If your real point was that they shouldn’t, you should have said that upfront.

hedgehog,

That’s a bit abstract, but saying what others “should” do is both stupid and rude.

Buddy, if anyone’s being stupid and rude in this exchange, it’s not me.

And any true statement is the same as all other true statements in an interconnected world.

It sounds like the interconnected world you’re referring to is entirely in your own head, with logic that you’re not able or willing to share with others.

Even if I accepted that you were right - and I don’t accept that, to be clear - your statements would still be nonsensical given that you’re making them without any effort to clarify why you think them. That makes me think you don’t understand why you think them - and if you don’t understand why you think something, how can you be so confident that you’re correct?

hedgehog,

No, I don’t think anything you do has any bearing on reality, period.

The current job market is beyond fucked.

Most job responses I get are that they’re not hiring anymore due to restructuring. Aka they just go for pure profit increase while overworking the understaffed employees. No more remote interviews either. Tons of requests to do one sided video interviews. And the pays appear lower than they were during the main pandemic, even though...

hedgehog,

If you’re in the US, unpaid overtime is only permissible if you’re salaried exempt. To be salaried exempt:

  • you must make at least $684 every week ($35,568/year)
  • your primary job responsibility must be one of the following:
    • executive - managing the enterprise, or managing a customarily recognized department or subdivision; you must also regularly direct the work of at least two FTEs and be able to hire / fire people (or be able to provide recommendations that are strongly considered)
    • administrative - office or non-manual work directly related to the management or general business operations, or
    • learned professional - work which is predominantly intellectual in character and which includes work requiring the consistent exercise of discretion and judgment, in the field of science or learning
    • creative professional - work requiring invention, imagination, originality or talent in a recognized field of artistic or creative endeavor
    • IT related - computer systems analyst, computer programmer, software engineer or other similarly skilled worker in the computer field
    • sales
    • HCE (you must be making at least $107k per year)
  • your pay must not be reduced if your work quality is reduced or if you work fewer hours
    • for example, if you work 5 days a week, for an hour a day, you must get the same pay as if you worked 8 hours every day. There are some permissible deductions they can make - like if you miss a full day - and they can require you to use vacation time or sick time, if you have it - and of course they can fire you if you’re leaving without completing your tasks… but they still have to pay you.

Check out www.dol.gov/agencies/whd/…/17a-overtime for more details on the above.

It’s quite possible you’re eligible for back-paid overtime.

Note also that the minimum exempt wages are increasing in July.

Re your “cover my expenses just to exist” bit and the follow-up about employers catching on and pushing abusive shit… if this is related to a disability make sure to look into getting that on record and seeking an accommodation. If your primary job duty is X and they’re pushing you to do Y, but your disability makes Y infeasible, then it’s a pretty reasonable accommodation to ask to not have to do Y (assuming your HCP agrees, of course).

hedgehog,

You can also get replacement Hall effect analog sticks from Gulikit and install them in your joycons yourself. They also made them for the Steam Deck. I installed a set in my old LCD Steam Deck and it was really straightforward, but I suspect the joycons take a bit more work.

It’s a shame they don’t make them for the PS5 - there are multiple third party controllers with Hall effect sensors that are compatible with pretty much everything else, but there’s only one Hall effect controller compatible with the PS5 (the Nacon Revolution 5 Pro), and it’s $200.

hedgehog,

I have the 8bitdo SN30 Pro+ and almost got one of their Hall effect controllers for my most recent controller (but ended up going with the King Kong 3 Max instead).

I noticed they have a repair parts section on their shop, but frustratingly, it doesn’t have analog stick replacements - just the joystick caps.

There’s an iFixit guide to replacing them, but it doesn’t list where you can get the new part, either. I’m guessing they use a standard part - maybe even one you could get for a few bucks off AliExpress - assuming you’re up to the task of desoldering the old stick and resoldering the new one.
