Alt account of @Badabinski

Just a sweaty nerd interested in software, home automation, emotional issues, and polite discourse about all of the above.

  • 0 Posts
  • 123 Comments
Joined 5 months ago
cake
Cake day: June 9th, 2024

help-circle

  • I used to have this problem all the time, I think it’s pretty normal. I did many years of therapy, and part of what I got out of that was an understanding of how people deal with pain and anger. The best way to change someone’s mind is to try to empathize with their position and show your understanding. Once you share context with them, you can gently explain why you feel the way you do. Sometimes, you do this and find that the other person’s point of view is a more accurate reflection of your values and you change your mind instead.

    Don’t do this with bad faith actors though. just block them.


  • I used to have this problem all the time, I think it’s pretty normal. I did many years of therapy, and part of what I got out of that was an understanding of how people deal with pain and anger. The best way to change someone’s mind is to try to empathize with their position and show your understanding. Once you share context with them, you can gently explain why you feel the way you do. Sometimes, you do this and find that the other person’s point of view is a more accurate reflection of your values and you change your mind instead.

    Don’t do this with bad faith actors though. just block them.








  • Based off of your comment history, it seeeeems like you live in the US, although I could deffo be wrong. That’s where I live, so I may have good news. It’s illegal to sell tritium products in the US, but it’s not illegal to buy it as an individual. There’s a Taiwanese company that sells all kinds of cool little tritium widgets: https://www.mixglo.com/

    that’s where I got my vial from. It wasn’t cheap for what it is, but I think it’s cool.

    edit: looks like they also ship to Canada if you live there. I’ve no idea what the laws are up there, but I’m assuming it’s legal if they’re willing to ship.





  • Right, but I can’t require a second factor on a different device that operates outside of my primary device’s trust store. I’m sure there is some way to make my desktop hit my phone up directly and ask for fingerprint auth before unlocking the local keystore, but that still depends on the security of my device and my trust store. I don’t want the second factor to be totally locked to the device I’m running on. I want the server to say, “oh, cool, here’s this passkey. It looks good, but we also need a TOTP from you before you can log in,” or “loving the passkey, but I also need you to respond to the push notification we just sent to a different device and prove your identity biometrically over there.” I don’t want my second factor to be on the same device as my primary factor. I don’t know why a passkey (potentially protected by local biometric auth) + a separate server-required second factor (TOTP or push notification to a different device or something) isn’t an option.

    EDIT: I could make it so a fingerprint would decrypt my SSH key rather than what I have now (i.e. a password). That would effectively be the same number of factors as you’re describing for a passkey, and it would not be good enough for my organization’s security model, nor would it be good enough for me.


  • I just don’t get why I can’t use something like TOTP from my phone or a key fob when logging in with a passkey from my desktop. Why does my second factor have to be an on-device biometrically protected keystore? The sites I’m thinking of currently support TOTP when using passwords, so why can’t they support the same thing when using passkeys? I don’t want to place all my trust in the security of my keystore. I like that I have to unlock my phone to get a TOTP. Someone would have to compromise my local keystore and my phone, which makes it a better second factor in my opinion.

    EDIT: like, at work, I ssh to servers all over the damn place using an ssh key. I have to get to those servers through a jump box that requires me to unlock my phone and provide a biometric second factor before it will allow me through. That’s asymmetric cryptography + a second factor of authentication that’s still effective even if someone has compromised my machine and has direct access to my private key. That’s what I want from passkeys.



  • This is a bad take. Several cities in my state banded together to create a municipal fiber network called UTOPIA. The fiber is owned by the cities that bought in and is used by several different ISPs. The ISPs pay UTOPIA for access, and then they have to compete with each other for subscribers based on performance, features, and cost. Like, there’s genuine market competition for internet! If the state owns the infrastructure and then forces the playing field to be level, then everyone benefits. People in the cities with UTOPIA got fast fiber internet waaay faster than anyone else, they have a plethora of choices (want a static IP and a business plan in your residence? There’s an ISP that sells that!) at great prices, ISPs get access to subscribers without having to maintain fiber, and the cities who bought in get to make money from this and attract residents and businesses who benefit from the service.

    My city didn’t buy in. Google Fiber eventually came to town so I was able to kick Comcast out, but I am uneasy about what’ll happen if Google decides to drop their ISP business. If I was in a city with UTOPIA, it would just be one ISP folding and I’d be able to pick a new one and switch over right away.

    EDIT: cool, Cory Doctorow wrote a blag post about it: https://doctorow.medium.com/https-pluralistic-net-2024-05-16-symmetrical-10gb-for-119-utopia-347e64869977
    UTOPIA users have access to 18 different ISPs. I feel like that speaks for itself right there. This is the future we all should have had.




  • I just wish that companies enabling passkeys would still allow password+MFA. There are several sites that, when you enable passkeys, lock you out of MFA for devices that lack a biometric second factor of authentication. I’d love to use passkeys + biometrics otherwise, since I’ve often felt that the auth problem would be best solved with asymmetric cryptography.

    EDIT: I meant to say “would still allow passkeys+MFA.” hooray for sleep deprivation lol.