Need to let loose a primal scream without collecting footnotes first? Have a sneer percolating in your system but not enough time/energy to make a whole post about it? Go forth and be mid: Welcome to the Stubsack, your first port of call for learning fresh Awful you'll near-instantly regret.
Any awful.systems sub may be subsneered in this subthread, techtakes or no.
If your sneer seems higher quality than you thought, feel free to cut'n'paste it into its own post; there's no quota for posting and the bar really isn't that high.
The post-Xitter web has spawned so many "esoteric" right wing freaks, but there's no appropriate sneer-space for them. I'm talking redscare-ish, reality-challenged "culture critics" who write about everything but understand nothing. I'm talking about reply-guys who make the same 6 tweets about the same 3 subjects. They're inescapable at this point, yet I don't see them mocked (as much as they should be).
Like, there was one dude a while back who insisted that women couldn't be surgeons because they didn't believe in the moon or in stars? I think each and every one of these guys is uniquely fucked up and if I can't escape them, I would love to sneer at them.
(Semi-obligatory thanks to @dgerard for starting this.)
Spent the last week playing with some security shit (thinking about a career change, since it looks like I will be mastering out of my PhD program) and fuck me, everything about hardening your personal devices is exhausting. We are nowhere close to accessible privacy and security in our computers. The best solution right now may be "buy a Macbook and learn MacOS", which is so depressing.
Still deciding on a web browser. Used to be I could recommend Firefox because Righteous-Opposition-to-Google, but that doesn't really track anymore with Mozilla's behavior. Now I guess I would recommend Chrome, but it feels so gross (and I am unsure about things like Ungoogled-Chromium, for security reasons).
the basic laptop hardening
As far as passwords, the only password I have to memorize is the one to my Bitwarden vault. Everything else is stored in Bitwarden. The passwords (except for my phone PIN) are 16 characters if I ever need to type them in manually (e.g. LUKS password), whereas passwords that will always be copy-pasted are 128 characters. I am looking into integrating a yubikey, but am leaning towards "fuck that shit, why would anyone actually want to use this?" If anyone here has comments on this (am I missing an obvious pitfall? do yubikeys suck as much as it looks like they suck?) I would be happy to hear them.
Anyway tl;dr is I spent the last week hardening all my devices and it sucks. In some cases it was a complete waste of time (my Steam Deck does not appear to have a way to set a password in the BIOS). In other cases (e.g. my Framework), it was probably worth it but a deeply terrible experience.
Last time I tried it, ungoogled chromium had some issues with yubikeys (see https://ungoogled-software.github.io/ungoogled-chromium-wiki/faq#how-to-get-fido-u2f-security-keys-to-work-in-google-sign-in) which I don't think have been fixed yet. That was enough to be a deal breaker for me.
Without knowing why you think they suck, it's hard to say. I like having unphishable, uncopyable credentials, and it irritates me that they aren't more widely supported. On my desktop or laptop, they're less irritating than TOTP, for example, which is neither unphishable nor uncopyable but much more widely used.
Whilst there isn't really such a thing as "too secure", it is the case that things like passwords are not infinitely scaleable. Something like yescrypt produces 256-bit hashes (iirc) so there's simply no space to squish all that extra entropy you're providing into the output... it might not be any more secure than a password a quarter of its length (or less!).
128 bits of entropy is already impractical to brute force, even if you ignore the fact that modern password hashes like yescrypt and argon2 are particularly challenging to attack even if your password has low entropy.
I've come around a bit since posting yesterday (after looking into the various hardware key options, like OnlyKey). The biggest issue I have is that the firmware cannot be updated (which I realize is somewhat a matter of taste regarding your threat model). Other than that, it's the added complexity of "use this physical device" and the concern I had about recovering accounts if I lost the Yubikey. Their page on spare devices does not inspire confidence.
Fair point! I chose 128 because it's the maximum allowed in Bitwarden (if it's going to be copy-pasted anyway, who cares). Assuming I didn't fuck up basic math, the entropy of a passphrase of length $n$ selected uniformly at random from characters in $A$ is given by $n \log_2 |A|$, so to reach 128 bits of entropy with 70 chars (lower + upper + digits + special) requires a passphrase of length 21.

The solokey v2 and the nitrokey v3 (I think) have some firmware upgradability, but they're not as capable as a yubikey (the last time I checked I couldn't use either of them to unlock a keepassxc password vault, for example). Whilst it would be a right hassle to deal with a lost device, I generally lock my accounts with a main key and two spares that get stored safely and make a note in my password database of which accounts can use which keys so there's little risk of locking myself out of anything, and I can get a list of sites to visit to revoke credentials from. In any case, the minor inconvenience is a good tradeoff for me, given the significant security guarantees the keys offer over other authentication mechanisms.
But also, "added complexity" is just a thing with two factor authentication, and most of my use of U2F keys involves less effort than unlocking my phone, then unlocking my TOTP application, then searching for the account and site I'm trying to unlock, then waiting for the timer to reset because I can't authenticate before the current code expires, etc.
Beats me! I just use off-the-shelf entropy calculators and hope they're right. They mostly seem to agree that ~128 bits of entropy comes from a 10-word (70-85-ish character) passphrase from the EFF large wordlist, or from ~24 characters of uppercase/lowercase/numeric. Both might be reasonably considered overkill, if you can be sure that the thing that's hashing the password is using a modern algorithm (which often you can't, sadly).
I also dislike unreasonably long passwords because more modestly-sized ones can be typed out manually when needs be, or even read over the phone in an emergency. I wouldn't fancy doing that with 128 character passwords! You may of course never need to do those things, but I've needed to do both, at work and otherwise.
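The entropy arithmetic the last few replies are doing by hand (the n log2|A| formula, the "21 characters from a 70-symbol alphabet" figure, the 10-word EFF passphrase, and the point that a 256-bit hash output caps how much of a huge password's entropy can matter) in runnable form. This is an added example, not code posted by any commenter here. The alphabet sizes are assumptions: 62 alphanumerics, a 70-symbol set made of those plus eight assumed specials, and the 7776-word EFF large wordlist (only its size is used, no word list is embedded). The 256-bit cap is the commenter's simplification, implemented as stated rather than as a full analysis of yescrypt.

```python
import math
import secrets
import string

# Assumed alphabets for this example (not from the thread's actual passwords).
ALPHANUMERIC = string.ascii_letters + string.digits   # 62 symbols
FULL_70 = ALPHANUMERIC + "!@#$%^&*"                    # 70 symbols: assumed set of specials
EFF_LARGE_WORDS = 7776                                 # size of the EFF large wordlist


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy of one symbol drawn uniformly from alphabet_size choices: log2|A|."""
    return math.log2(alphabet_size)


def passphrase_entropy(length: int, alphabet_size: int) -> float:
    """n * log2|A| bits for n symbols chosen independently and uniformly.

    This only holds for uniform random selection; a human-chosen or
    dictionary-biased password has far less than this formula says.
    """
    return length * bits_per_symbol(alphabet_size)


def length_for_target(target_bits: float, alphabet_size: int) -> int:
    """Smallest n such that n * log2|A| >= target_bits."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def effective_bits(entropy_bits: float, hash_output_bits: int = 256) -> float:
    """The commenter's simplification: once the password is hashed, entropy above
    the digest size cannot help, because finding *some* preimage of a 256-bit
    digest is at most a 2^256 job however long the input was."""
    return min(entropy_bits, hash_output_bits)


def generate(length: int, alphabet: str = FULL_70) -> str:
    """Uniform random password so the formula above actually applies.
    secrets.choice is a CSPRNG; random.choice would not be appropriate here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def summary() -> dict:
    """Worked numbers for the figures quoted in the thread."""
    return {
        # 128 / log2(70) = 20.88 -> 21, matching the reply above
        "chars_of_70_for_128_bits": length_for_target(128, len(FULL_70)),
        # 128 / log2(62) = 21.50 -> 22
        "chars_of_62_for_128_bits": length_for_target(128, len(ALPHANUMERIC)),
        # 128 / log2(7776) = 9.90 -> 10 words, matching the EFF figure quoted
        "eff_words_for_128_bits": length_for_target(128, EFF_LARGE_WORDS),
        "bits_in_10_eff_words": round(passphrase_entropy(10, EFF_LARGE_WORDS), 1),
        # a 128-char password from 70 symbols: ~784.5 bits on paper...
        "bits_in_128_chars_of_70": round(passphrase_entropy(128, len(FULL_70)), 1),
        # ...but no more than 256 count once it goes through a 256-bit hash
        "effective_bits_of_128_chars": effective_bits(passphrase_entropy(128, len(FULL_70))),
        # and 42 chars of the same alphabet already saturate that cap
        "chars_of_70_to_saturate_256": length_for_target(256, len(FULL_70)),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
    print("sample 21-char password:", generate(21))
```

The saturation figure is the practical takeaway: under the commenter's 256-bit-output model, a uniformly random password of around 42 characters from a 70-symbol alphabet is already as good as a 128-character one, which is why the "a quarter of its length" remark above is not an exaggeration.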
Depends on whether you include "my personal data is sent to the manufacturer of the computer against my wishes" in your threat model... Apple does many good things for security, and I wish PC hardware makers would take security-related things even just nearly as seriously as them. But I can't trust Apple anymore either.
(Explanation: the whole iCloud syncing stuff is such a buggy mess. I don't want it, I don't need it, so I want it off. But I guess Apple just doesn't test enough how well it works when you turn it off; maybe they can't imagine someone not wanting it. The problem is, iCloud sync settings don't stay off. Settings randomly turn themselves back on, e.g. during OS updates, and upload data before you even notice it. I'm not claiming that's intentional, I assume it's just bugs. But I've observed such bugs again and again in the past 9 years, and I've had enough. Still have a Macbook around, but I use it very rarely these days, only when I need some piece of software on MacOS that has no suitable Linux equivalent.)
While a PC+Linux setup can avoid the specific issue of "don't randomly upload my data somewhere", the setup of it all can be a mess, as you say. And then security is still limited by buggy hardware and BIOS/firmware that is frequently full of security holes. The state of computers is depressing indeed (in so many ways, security just being one of them)...
A note to the effect of:
is a good idea if I ever do recommend a Mac.
I don't think I could ever recommend chromium-based browsers due to the MV3 switch. Does ungoogled-chromium do any patching to get around this? If not I think FF is the only sane option still.
I believe ungoogled-chromium does have MV2 support. Unfortunately, there are still real security concerns with Firefox. The good news is that Trivalent (a hardened version of Chromium developed by the Secureblue folks) has ad/content blocking built in. I am still mostly using Firefox, but the small amount that I have used Trivalent has been good.