irotsoma
@irotsoma@piefed.blahaj.zone
- Comment on Google AI Overviews cite YouTube more than any medical site for health queries, study suggests 10 hours ago:
When healthcare can ruin you financially for even small issues, of course you’re going to look for help from any free source you can.
- Comment on Millions of people imperiled through sign-in links sent by SMS 1 day ago:
Exactly, so it does that job because it requires an entirely different and complex skill-set to intercept sms messages and you have to do both things now if sms 2FA is in place. With the issue in the article you don't even need to intercept sms meant for a particular user to get access to random users' accounts, thus a totally different issue.
I asked, what is better for a second factor than SMS?
- Comment on Millions of people imperiled through sign-in links sent by SMS 1 day ago:
I was talking about sms. All types of cryptographic code generation use one or more keys. The sms type just uses one that only the sender holds, it's never shared with anyone which can cause it to be more easily lost.
The sim cards and their cryptographic keys are just built into the phones, and the codes are swapped when you sign up, same concept as removable sim cards.
And again, it doesn't matter if an sms code is intercepted as much as the entire login method. If you don't have the username and password, what good does an sms code do for anything? The issue in the article is that there's nothing else to know, just the current format of the set of codes being generated by the system. Then you can randomly guess a similar code and get access to a random person's account. Much, much different from the use of MFA which is worthless without ALL of the factors, not just a single one.
- Comment on Millions of people imperiled through sign-in links sent by SMS 1 day ago:
I don't understand what you mean by "keys" here. Nothing is encrypted. You generate codes by initiating the login process.
The way TOTP works is there is a key (usually in the form of a QR code) for TOTP apps. That key is stored in your TOTP app locally, but also often stored in the cloud if you use Google's app. Codes are generated using that key and the current timestamp. Otherwise a valid code can't be generated.
There is no encryption in SMS…
The messages aren't encrypted at rest, but the connections are. You need a key in the physical sim card to intercept anything. You can't just intercept and duplicate a sim card's identifier like with 2G. No casual hacker is going to hack LTE or newer technologies, only professionals like governments and government backed spy agencies. Not saying it's as secure as it should be, but the effort and cost is not worth it most of the time.
And sim swap only works if you also have the person's username and password for 2fa. For the issue mentioned in the article it does work because you don't need any knowledge or other factor other than the message itself to login. Single factor logins with not even needing to have a username, much less a password, are obviously going to be an issue, which is why I'm emphasizing, I'm interested in 2FA like a bank might use, not the issue mentioned in the article which is totally different.
- Comment on Millions of people imperiled through sign-in links sent by SMS 1 day ago:
That's the thing though, with SMS 2FA you don't have the keys at all, so you can't generate codes, you only get the code you intercept. Same with email based, but with sms, the message has to be intercepted in a timely manner, which is much more difficult for SMS than if they already have your password that's used for your email account. Plus the issues with SMS not being encrypted only really exist on 2G services which they really need to get rid of, or at least disable at the account level so 2G only works for emergency calls. 4G and up are significantly more secure (not perfect but requires much more complex hardware and knowledge of secrets from the cell company) and generally require the hacker to be masquerading as the user on the cellular network. Otherwise, hack the cell provider which is how a lot of the archived messages they mentioned are retrieved, because, yeah, they usually aren't stored encrypted. But if the TTL of the TOTP code is 10-60 minutes and single use as well as invalidated once a new code is sent like a bank or really any decent system should, archived message caches aren't useful.
The issue mentioned in the article is totally separate. These are links that you can log in without needing to even know a username, much less a password, associated with that code. Guessing a random code generated for a specific account is much more difficult, not to mention needing the password. The article is more hypothetical in the actual security of the SMS messages going to a particular phone for a particular account and more about how bad the links being generated are since if you get one link from any insecure sms message you can access many random accounts as well as the one you intercepted and no other factor, even user id, is needed to use the links. So you can send one code just to your own account and then use that to hack others without even having to intercept anything nefariously.
- Comment on Millions of people imperiled through sign-in links sent by SMS 2 days ago:
SMS 2FA is TOTP, just the code is sent via SMS and the key is never shared with the user. But the issue with those apps seems to be even more problematic than SMS from the issues mentioned, e.g. changing phone numbers is not as common as changing phones or other catastrophic events that might cause the keys to get lost. And if you store passkeys or TOTP generating keys in the cloud, then the factor is no longer “something you have” because anyone can get the keys if they get the password to the thing storing the keys. SMS based TOTP leaves the keys only with the site you’re logging into and only the time sensitive TOTP codes are ever sent out. And although the lifetime period for sms TOTP has to be longer, they are additionally expired on single use (assuming it’s implemented properly).
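The two comments above describe app-based TOTP (a shared key from the enrolment QR code, a code derived from that key and the current time step, codes that are time-limited and single-use). Here is that scheme written out, as an added example that is not from irotsoma's comments or the linked article: a Python implementation of RFC 4226 HOTP and RFC 6238 TOTP, plus a server-side verifier that enforces the time window and the single-use rule. The base32 secret string, the time values and the window size are constructed for illustration; the only real vectors used are the ones published in the two RFCs.

```python
import base64
import hashlib
import hmac
import struct


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 shared secret carried by an enrolment QR code.
    Authenticator apps usually show it upper-case, grouped with spaces and
    without '=' padding, so all three are normalised before decoding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, algo)


class TotpVerifier:
    """Server-side check of a submitted code.

    A code is accepted if its time step lies within +/- `window` steps of the
    server clock (tolerates clock drift). A time step at or before the last
    accepted one is never accepted again, so a code that was already used, or
    an older code captured earlier, cannot be replayed inside the window."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self._last_accepted_step = -1  # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        # Reject malformed input before doing any cryptographic work.
        if len(code) != self.digits or not code.isdigit():
            return False
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self._last_accepted_step:
                continue  # single-use: this step (or an older one) is spent
            expected = hotp(self.secret, candidate, self.digits)
            # Constant-time comparison so timing does not leak matching digits.
            if hmac.compare_digest(expected, code):
                self._last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed enrolment secret (assumed value, the kind a QR code carries).
    key = secret_from_base32("JBSWY3DPEHPK3PXP")
    verifier = TotpVerifier(key)
    t = 1_700_000_000  # constructed "current" server time
    code = totp(key, t)
    # First submission is accepted, the identical replay is refused.
    print(code, verifier.verify(code, t), verifier.verify(code, t))
```

The verifier tracks only the highest consumed time step, which is enough to block replay of the current code and of any older one still inside the window; widening `window` buys tolerance for clock drift at the cost of more valid codes at any instant, so most deployments keep it at 1.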
- Comment on Millions of people imperiled through sign-in links sent by SMS 2 days ago:
Problem is finding something that is universal that is a "something you have" is difficult to find that almost everyone has. Almost everyone has a cell phone these days, so it's a good option to use as that kind of factor. Email is a second "something you know" factor (i.e. via the password to your email account) and could be the same something if you use the same password. And getting someone to carry yet another device even if it's simple like a Yubikey or something like that can be difficult. And unless biometric devices become universal on computers as well as phones, the "something you are" factor is hard to accomplish universally as well.
So, what options do you think are better that can be a “something you have” for use as a second factor to a password or other type of “something you know” factor?
- Comment on Millions of people imperiled through sign-in links sent by SMS 2 days ago:
How so?
It's a second factor. It's "something you know", "something you have", and/or "something you are". The username and password is the "something you know" and the sms message is "something you have" (i.e. the phone). There's no need for the second factor to be secret as long as it is single use and time sensitive and is only used as a second factor, not the only factor.
This article was about single factor messages that are the entirety of the login flow, so not about 2FA, but I’m still interested in the concerns for second factor. It is still adding security over a password alone which is the only goal in the 2FA subject.
- Comment on Millions of people imperiled through sign-in links sent by SMS 3 days ago:
2FA isn’t the issue. The issue is single factor logins with only text messages, no password and often no username. Those messages allow anyone who intercepts them to login, no username or password is involved at all.
2FA via SMS is a perfectly fine solution, though there are more secure options like yubikeys or TOTP generation apps.
- Comment on Spotify’s 3rd price hike in 2.5 years hints at potential new normal 1 week ago:
I have around 3500 liked songs on Spotify alone just from the last 5 years or so and just stuff that Spotify chooses to play for me. I have about 9,000 tracks in my primary collection from old ripped CDs and purchased MP3s/FLACs. This is without stuff that I don't really like that much anymore or stuff that I would only listen to in specific circumstances, like Mozart or something. It's over 100GB. There is definitely some overlap there, but definitely less than 1/3 of the Spotify likes I also own. So probably I'd end up somewhere in the 125-150GB range. If phones still had SD card slots I could do it, but that's not that common anymore since they want you to buy streaming and backup services.
I could probably pare it down even more without missing out too much, but it would take a lot of time and it would be removing stuff I like to listen to. And I wouldn’t have room to add new stuff.
I listen to a pretty wide variety of genres and I listen on my phone often, pretty much anytime I'm driving or on a bus/train, and I don't like hearing the same songs repeated too much unless I'm just getting to know the song. I've thought about writing a script that automatically randomly replaces files when I'm on my home network to take a smaller set with me, but that's a lot of work. The other alternative is creating playlists of a few hundred songs each and switching them out when I'm home, but again, lots of work.
Streaming just covers it well for my use case, if it was reasonably priced and did its job well to help discover new music, but seems that's not what they're selling anymore. I also don't have a data cap anymore, or at least it's a soft cap and not ridiculously low, but not sure how long that will be the case either.
- Comment on Spotify’s 3rd price hike in 2.5 years hints at potential new normal 1 week ago:
Radio only plays a few dozen songs or only “classic” stuff, so I never get to hear new stuff. Having streaming audio was always my way to find new music. That said, Spotify has started doing the same, just playing the sponsored songs and the themes they have generally only play stuff I’ve heard a million times. Rarely “b-sides” or new stuff based on my actual interests.
I miss the days of the original Pandora service with its database of music elements, and it would go across genres to find things with similar elements and didn’t have any influence from the recording industry sponsoring songs because they were actively destroying their own industry fighting to kill off streaming, instead. I found a bunch of new stuff I never would have heard otherwise. It totally changed my listening habits.
So with the streaming services consolidating and raising prices as a result, I likely won’t stick with it anymore. My music library is too large to store locally on my phone and I like variety rather than making playlists. I’m thinking of setting up my own streaming server, but music discovery is still an issue I need to solve.
- Comment on Many Top MAGA Trolls Aren’t Even in the U.S - Elon Musk’s new X feature has been very revealing. 1 month ago:
Um…Koch Industries donated tons of money to politicians to not retaliate against Russia when they invaded Ukraine, and they refused to pull out of Russia when lots of other companies were. And that's just one small, recent example of their connections to Russia. Google can find lots of others. I mean go back far enough and their family had close connections to Stalin as well.
- Comment on Americans are holding onto devices longer than ever and it's costing the economy 1 month ago:
There's lots of things that could be innovated without faster processors. I mean if we're just talking cell phones, adding a camera was an innovation, adding a touch screen and eventually touch keyboards that actually worked. These things were aided by faster processors, but not directly dependent on them. But these could be totally unrelated devices to phones or even computing at all. Innovation across the board including med-tech, business models, city planning, and tons of other industries have suffered from privatization, deregulation, and leading them to consolidation and thus little need to compete and thus little need to innovate.
- Comment on Booking.com cancelled woman's $4K hotel reservation, then offered her same rooms for $17K 1 month ago:
It used to be useful when there was competition to actually provide good service and actually negotiate prices. Consolidation to basically one parent company ruined the whole thing like most late capitalism consolidation tends to do…
- Comment on Americans are holding onto devices longer than ever and it's costing the economy 2 months ago:
“Companies aren’t innovating anymore and it’s costing the economy” is what it should say. When late stage capitalism leads to consolidation and cost cutting, stock buybacks, and other short term profit when competition is no longer necessary, that’s what kills the economy. That’s why monopolies and anticompetitive behaviors are bad.
- Comment on Many Top MAGA Trolls Aren’t Even in the U.S - Elon Musk’s new X feature has been very revealing. 2 months ago:
A lot of that was sexism and racism forcing less fascist loving conservatives over to Trump combined with a general sense of betrayal. The Democrats made a huge mistake forcing Biden down everyone's throat by forcing other candidates not to run (which they do most years but it was really obvious this time with the disapproval of how far right the party moved to even select Biden) and an even bigger mistake switching to Harris against the will of the (admittedly sham) vote.
- Comment on Press a button and this SSD will self-destruct with all your data 2 months ago:
But charge the capacitor with what? That’s the point. If it doesn’t kill the data immediately upon pushing the button, even when unplugged, it’s useless unless some bumbling idiot thief/cop/agent plugs it in before just disarming the button.
And as for fully physical, do tests with what? Another computer? It's a memory storage device with only an I/O driver and basic firmware. There's no CPU to separately run software to detect if the components are destroyed. And if there were, that would have to be physically/electrically separated from the short that is going to kill the device and then physically reconnected, which would mean some kind of mechanical device most likely. Now we're getting into a huge device, not a flash drive. The device already has capabilities to read and write data. Very easy to add a chip to give that random data to write over the existing data and a lot less power than a processor and motorized components.
And again, it doesn’t solve the redundancy problem. Single point of failure is always going to go wrong at least one in some number of cases. Even top of the line components and the best quality control available can’t beat redundancy and it’s way, way cheaper.
- Comment on Press a button and this SSD will self-destruct with all your data 2 months ago:
Yeah, but again, that requires precise destruction in a cheap chip while making sure both not to do it accidentally and making sure it’s successful afterwards. With redundancy, if one thing fails, there’s something else to do the job. Most corporations have abandoned this idea in exchange for short term profit and planned obsolescence. But it’s actually super important in real security.
- Comment on Pornhub is urging tech giants to enact device-based age verification 2 months ago:
Exactly, so give parents the tools to filter and make it their responsibility to police their children. Don’t make everyone give up their privacy and sometimes, security, and safety to shitty corporations who will eventually leak all of their data. Which is exactly what both I and pornhub are saying.
- Comment on Press a button and this SSD will self-destruct with all your data 2 months ago:
What if the destruction fails, or isn’t thorough. Much harder to retrieve information from a partial block of memory if it has also been overwritten with garbage to erase it. Redundancy is essential to security.
A device like that isn't putting enough voltage into it to "melt" it. If you want it that well destroyed you're going to need a high temperature incinerator with a good filter since it's not safe to breathe the smoke it will create. Or at the very least a heating element inside it, but then you need layers of heat protection so it doesn't catch everything around it on fire or burn the person pushing the button.
This isn’t that. This is meant to destroy the data at a moment’s notice with the push of a button. Problem is that it has to be plugged in to do it, which in my mind is defeating the purpose.
- Comment on Press a button and this SSD will self-destruct with all your data 2 months ago:
Capacitor wouldn’t allow long enough to wipe the data first. It’s a two pass system. Wipe data then destroy. Also capacitors lose charge over time much, much more quickly than a battery. You still would need to have plugged it in very recently. And yes to build enough voltage to destroy electronics physically and quickly with a battery, it would actually probably need both battery and capacitors anyway which would also increase size. I’m guessing it was a tradeoff of size vs functionality, but having it not work until it’s plugged in after pressing the button which is bright red when pressed, seems like a very simple way to bypass the destruction by simply disassembling it before plugging it in. Only good if the thief/agent doesn’t know why there’s a big red spot on it before plugging it in, which is a bad assumption for security especially if you deploy these widely so everyone knows what they are.
- Comment on Many Top MAGA Trolls Aren’t Even in the U.S - Elon Musk’s new X feature has been very revealing. 2 months ago:
It's always been obvious that Putin was behind the Tea Party which evolved into MAGA, and even more obviously, Trump. Problem is the whole system is designed to only allow wealthy land owners to hold power, thus the two party system enforced by the electoral college, and the districting systems that are easily manipulated to give power to land area, above population. The whole system at the federal level is broken on purpose. All we can do is try to get more people to vote so population has more power over land area, but the conservative controlled states cut funding for voting and people have to work so can't wait in line for many, many hours in large cities on election days. Only progressive states have mail-in voting and early voting and even there we're stuck voting for "lesser evil" candidates due to the two party system both controlled by the wealthy. There's the far right fascist Republican party and the moderate right Corporate friendly Democratic party. No party for the people.
- Comment on Pornhub is urging tech giants to enact device-based age verification 2 months ago:
Have devices do the blocking for kids by having sites required to identify themselves as adult oriented in a standard way. The bad sites aren’t going to enact the requirements for people to identify themselves any more than they would enact the requirements for sites to identify themselves to devices but it eliminates the tracking of adults and blocking of legitimate content to children with parental permission like sexual education sites.
- Comment on Press a button and this SSD will self-destruct with all your data 2 months ago:
Fatal flaw is it has to be connected to a computer to start the process. If someone truly wants the data they could just disassemble the device before it gets connected if the button has been pressed. They should have found a way to do it with a small onboard battery reserved only for that purpose.
- Comment on In 1982, a physics joke gone wrong sparked the invention of the emoticon - Ars Technica 2 months ago:
I wouldn't say invention of the emoticon since it already existed since typewriter days in the same exact form and in print and writing for at least hundreds of years. Maybe the first recorded attempt to create a specific purpose for it on a computer system. But that seems pretty flimsy as an "invention". But given the state of the patent system, just about everything in technology is an invention these days despite how long it has existed or how obvious it was.
- Comment on The ‘Great Meme Reset’ Is Coming: From Jack Dorsey to Gen Alpha, everyone seemingly wants to go back to the internet of a decade ago. But is it possible to reverse AI slop and brain rot? 2 months ago:
Yep. Government/taxpayer funded access to the internet including funding fiber to the home just like we did with phone lines many decades ago, and putting back laws to enforce net neutrality. That way it’s cheap to run a server again. Right now most residential access has poor upload speeds so you have to pay for expensive, business priced plans to run a local server to compete with big corporations.
- Comment on Vodafone, EE, O2, Three hit with £3B overcharging lawsuit 2 months ago:
Ah, yeah, in the US they just hide that you’re paying for it by the credits I mentioned. Sneakier I guess, but it is what it is and they all do it.
- Comment on Vodafone, EE, O2, Three hit with £3B overcharging lawsuit 2 months ago:
I don't really get it and details are scarce in the article. Is the model different than in the US? It says "you're no longer paying for the handset, but pay the same price". Do they bundle the cost of handsets with the monthly fee and just allow you to upgrade every some number of months? But if you forget to upgrade, or don't want to, you still pay the same?
In the US generally they charge for the handsets split up into like 48 payments and then have some promotions for popular phones where you get 48 monthly credits to cover some or all of the cost. If you cancel service, the balance usually comes due or if you change to a lower cost plan sometimes they let you keep the payment plan, but you lose the credits. It’s done different ways, but this is an example.
- Comment on Wi-Fi Extender, Long-Range, Suggestions? 2 months ago:
Could you mount the antennas, or even just one of them, externally? That may improve performance. A small parabolic antenna a few inches wide or a purpose made building to building bridging kit only needs a small mounting surface with a few screws, and as for the wire you might not need to drill a hole, though properly patched that’s not a big deal either, but instead use an existing hole by removing old, unused phone or cable wire.
Alternatively, is there a window facing in the correct direction? Signals penetrate glass way better than all of the siding, insulation, drywall, etc in an external wall. Remember there's way more material than an internal wall to penetrate. And if you have aluminum siding or certain kinds of insulation, it may not work at all. The tree branches may or may not be an issue depending on how thick they are, if they are branches with lots of leaves, the types of leaves, the density of the wood, etc. But the exterior wall penetration means it's literally not line of sight (you can't visually see from one antenna to the other), so the rated ranges are moot and may or may not work reliably.
- Comment on Wi-Fi Extender, Long-Range, Suggestions? 2 months ago:
Is there line of sight between the main building and the target building or is the middle building blocking line of sight? If there is line of sight then directional antennas are your best bet. Problem with most access points and range extenders is they're designed to broadcast and receive in all directions. With a directional antenna you concentrate the power and reduce the likelihood of interference.