Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
Why is this bad?
Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵
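To make the point about the seed concrete, here is an added example (not code from the post's author, and not Google's code) that decodes the kind of otpauth:// URI a 2FA QR code carries and derives the one-time codes from it the way any TOTP app does (RFC 4226 HOTP with the RFC 6238 time counter). The URI, account label and issuer are constructed for the example; the seed is the RFC 6238 test key "12345678901234567890", base32-encoded. Whoever holds that seed, whether the user's phone or anyone who read it out of unencrypted sync traffic or a server-side store, computes the identical code for the same time step.

```python
"""TOTP/HOTP (RFC 4226 / RFC 6238) from an authenticator seed.

Added illustration for the thread above; not code from the post's author or
from Google. Anyone holding the seed that an authenticator app syncs (the
`secret=` parameter of the otpauth:// URI in the QR code) can compute exactly
the codes the legitimate device shows.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 64-bit counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, period: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, int(at_time) // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Decode the otpauth://totp/... URI that a 2FA QR code encodes."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parts.query)
    secret_b32 = params["secret"][0].strip().replace(" ", "").upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # QR payloads usually omit base32 padding
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "algorithm": params.get("algorithm", ["SHA1"])[0].lower(),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def code_from_uri(uri: str, at_time: int) -> str:
    """What the user's authenticator app displays at `at_time` for this QR payload."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at_time, p["period"], p["digits"], p["algorithm"])


# Constructed example QR payload (hypothetical account and issuer). The seed is
# the RFC 6238 test key "12345678901234567890" in base32.
EXAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&algorithm=SHA1&digits=6&period=30"
)


def seed_holder_matches_device(uri: str, at_time: int) -> bool:
    """The user's phone and any other party holding the seed derive the same code."""
    device_code = code_from_uri(uri, at_time)
    # A second party with nothing but the seed material seen in transit or at rest:
    seed = parse_otpauth(uri)["secret"]
    other_party_code = totp(seed, at_time)
    return device_code == other_party_code


if __name__ == "__main__":
    now = int(time.time())
    print("label :", parse_otpauth(EXAMPLE_URI)["label"])
    print("code  :", code_from_uri(EXAMPLE_URI, now))
    print("seed holder gets the same code:", seed_holder_matches_device(EXAMPLE_URI, now))
```

Nothing in the derivation is secret except the seed itself: the algorithm, digit count and period are all in the URI in the clear. That is why the seed must be treated like a password equivalent, and why a sync channel that exposes it to the provider, with no user-held passphrase wrapping it, collapses the second factor to whoever can read that store.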
@mysk that’s nasty. I use Microsoft Authenticator here and I wonder if they encrypt their data when syncing and backing up across devices; otherwise I’m turning it off there as well.
Was using Google Authenticator for a few accounts but migrated all of them to Microsoft Authenticator; if Microsoft screws this up as well I might need to migrate again to something else entirely.
Dear YouTube, I might block your ads less if you don't shove them down my throat all over the place, or if the ads weren't as annoying as they are.
Ads with AI voiceovers? Unskippable ads that are more than 5 seconds long? Ads suddenly in the middle of videos? Ads that promote scams and hate speech? Really?
And let's not forget the time when you showed me an ad that's full of morbidly obese men masturbating to themselves.
Like, really? You guys get all worked up about swearing and the tiniest amount of violence and porn but allow ads like these? Why? Oh right, it's the money, isn't it?
Windows: getting Microsoft’s shit shoved down your throat
macOS: locked behind Apple’s walled garden
Linux: there’s like over 9000 different distros and subsystems and apps and everything and they all might not work nice with each other
“Montana transgender lawmaker silenced again, backers protest”
“North Dakota governor signs law banning nearly all abortions”
“9 teenagers injured in shooting at prom after-party in Texas”
“Frequent shootings put US mass killings on a record pace”
“Twitter changes stoke Russian, Chinese propaganda surge”
“1 killed, 10 wounded as Russian forces hit Ukrainian museum”
“1 dead in Oklahoma college shooting, suspect in custody”
Dear Swedish people, if you don’t want your metro system to be run by incompetent idiots who will drive your metro system into the sewers and make you rage uncontrollably just thinking about riding it, and serviced by ignorant morons who don’t care about anything other than their meagre pay checks, then don’t let SMRT come anywhere within a light year of your metro system.
Sincerely,
A long-suffering victim of SMRT Corporation.
Every time I see someone say that more choice is good, I get reminded of Linux distros.
Sure, you have more to choose from! But what good is that if the distro of your choice becomes bloated by non-native APIs like custom desktop window managers?
Not to mention, the usual answer you’ll get is “just compile it yourself with that GUI”. Unfortunately for them, I don’t think they get it. The entire problem lies in what a developer needs to use to support most distros; if you have too many choices, then what does a developer do? They start to use their own solutions, and eventually get further fragmentation.
This just defeats the entire purpose of choice; it’s almost like an illusion, oddly enough. You can have a focused Xfce distro, but what good will that do if half of the supported software is made with GNOME in mind? Or worse, you install those APIs and then your DWM breaks because an application got too carried away with its usage.
This system doesn’t work and the fact that most of the Linux community remains oblivious to these facts drives me nuts.
I know that some Linux applications are designed to adapt to your interface of choice, but that depends on the developer most of the time. If they’ve dropped support for the window manager that you like, then you’re shit out of luck!
And let’s not even talk about Flatpak, Snap, and Synaptic. This is why you see most just use the terminal, and even then you have weird solutions like apt-get to apt now and that packman thing whose name I can never remember.
Sure, they all work differently… but why can’t we try to condense stuff instead of spreading out so much? Why not just work together on simpler solutions and deprecate older technologies?
Like what’s stopping anyone fro- Oh no… this is a workflow dependency issue, isn’t it? Or worse, legacy software that still expects these things…
My latest: a look inside TikTok’s VA data centers. Sources say they’ve seen unescorted visitors, unmarked flash drives, and other lax security. Also, TT is using servers made by Inspur, a company that the Pentagon has said is controlled by the PLA.