found while giving my feed a moment of scroll while making coffee after too many 3am worknights, I saw this response to the substack guy giving themselves a pat on the back again for helping the nazis
this post was submitted on 27 Jan 2025
28 points (100.0% liked)
TechTakes
1609 readers
138 users here now
Big brain tech dude got yet another clueless take over at HackerNews etc? Here's the place to vent. Orange site, VC foolishness, all welcome.
This is not debate club. Unless it’s amusing debate.
For actually-good tech, you want our NotAwfulTech community
founded 2 years ago
MODERATORS
ed zitron weighs in on deepseek https://www.wheresyoured.at/deep-impact/
load more comments
(5 replies)
Ed Zitron radicalizes NPR host Brooke Gladstone in real time on the midweek episode of "On the Media"
load more comments
(1 replies)
Spent the last week playing with some security shit (thinking about a career change, since it looks like I will be mastering out of my PhD program) and fuck me everything about hardening your personal devices is exhausting. We are nowhere close to accessible privacy and security in our computers. The best solution right now may be "buy a Macbook and learn MacOS", which is so depressing.
Still deciding on a web browser. Used to be I could recommend Firefox because Righteous-Opposition-to-Google, but that doesn't really track anymore with Mozilla's behavior. Now I guess I would recommend Chrome, but it feels so gross (and I am unsure about things like Ungoogled-Chromium, for security reasons).
the basic laptop hardening
- Install Fedora Silverblue
- Be sure to set a good LUKS password
- Set a BIOS password and disable USB booting
- Rebase to secureblue
- Follow the Post Install Readme
- I personally couldn't figure out how to set the GRUB password. I will probably get around to it eventually.
As far as passwords, the only password I have to memorize is the one to my Bitwarden vault. Everything else is stored in Bitwarden. The passwords (except for my phone PIN) are 16 characters if I ever need to type them in manually (e.g. LUKS password), whereas passwords that will always be copy-pasted are 128 characters. I am looking into integrating a yubikey, but am leaning towards "fuck that shit, why would anyone actually want to use this?" If anyone here has comments on this (am I missing an obvious pitfall? do yubikeys suck as much as it looks like they suck?) I would be happy to hear them.
- I personally couldn't figure out how to set the GRUB password. I will probably get around to it eventually.
Anyway tl;dr is I spent the last week hardening all my devices and it sucks. In some cases it was a complete waste of time (my Steam Deck does not appear to have a way to set a password in the BIOS). In other cases (e.g. my Framework), it was probably worth it but a deeply terrible experience.
I don't think I could ever recommend chromium-based browsers due to the MV3 switch. Does ungoogled-chromium do any patching to get around this? If not I think FF is the only sane option still.
I believe ungoogled-chromium does have MV2 support. Unfortunately, there are still real security concerns with Firefox. The good news is that Trivalent (a hardened version of Chromium developed by the Secureblue folks) has ad/content blocking built in. I am still mostly using Firefox, but the small amount that I have used Trivalent has been good.
Last time I tried it, ungoogled chromium had some issues with yubikeys (see https://ungoogled-software.github.io/ungoogled-chromium-wiki/faq#how-to-get-fido-u2f-security-keys-to-work-in-google-sign-in) which I don’t think have been fixed yet. That was enough to be a deal breaker for me.
do yubikeys suck as much as it looks like they suck?
Without knowing why you think they suck, it’s hard to say. I like having unphishable uncopyable credentials, and it irritates me that they aren’t more widely supported. On my desktop or laptop, they’re less irritating than TOTP, for example, which is neither unphishable nor uncopyable but much more widely used.
whereas passwords that will always be copy-pasted are 128 characters
Whilst there isn’t really such a thing as “too secure”, it is the case that things like passwords are not infinitely scaleable. Something like yescrypt produces 256-bit hashes (iirc) so there’s simply no space to squish all that extra entropy you’re providing into the output… it might not be any more secure than a password a quarter of its length (or less!).
128 bits of entropy is already impractical to brute force, even if you ignore the fact that modern password hashes like yescrypt and argon2 are particularly challenging to attack even if your password has low entropy.
Without knowing why you think they suck, it’s hard to say. I like having unphishable uncopyable credentials, and it irritates me that they aren’t more widely supported. On my desktop or laptop, they’re less irritating than TOTP, for example, which is neither unphishable nor uncopyable but much more widely used.
I've come around a bit since posting yesterday (after looking into the various hardware key options, like OnlyKey). The biggest issue I have is that the firmware cannot be updated (which I realize is somewhat a matter of taste regarding your threat model). Other than that, it's the added complexity of "use this physical device" and the concern I had about recovering accounts if I lost the Yubikey. Their page on spare devices does not inspire confidence.
Whilst there isn’t really such a thing as “too secure”, it is the case that things like passwords are not infinitely scaleable. Something like yescrypt produces 256-bit hashes (iirc) so there’s simply no space to squish all that extra entropy you’re providing into the output… it might not be any more secure than a password a quarter of its length (or less!).
128 bits of entropy is already impractical to brute force, even if you ignore the fact that modern password hashes like yescrypt and argon2 are particularly challenging to attack even if your password has low entropy.
Fair point! I chose 128 because it's the maximum allowed in Bitwarden (if it's going to be copy-pasted anyway, who cares). Assuming I didn't fuck up basic math, the entropy of a passphrase of length n selected uniformly at random from characters in A is given by nlog|A|, so to reach 128 bits of entropy with 70 chars (lower + upper + digits + special) requires a passphrase of length 21.
The biggest issue I have is that the firmware cannot be updated (which I realize is somewhat a matter of taste regarding your threat model). Other than that, it’s the added complexity of “use this physical device” and the concern I had about recovering accounts if I lost the Yubikey.
The solokey v2 and the nitrokey v3 (I think) have some firmware upgradability, but they're not as capable as a yubikey (the last time I checked I couldn't use either of them to unlock a keepassxc password vault, for example). Whilst it would be a right hassle to deal with a lost device, I generally lock my accounts with a main key and two spares that get stored safely and make a note in my password database of which accounts can use which keys so there's little risk of locking myself out of anything, and I can get a list of sites to visit to revoke credentials from. In any case, the minor inconvenience is a good tradeoff for me, given the significant security guarantees the keys offer over other authentication mechanisms.
But also, "added complexity" is just a thing with two factor authentication, and most of my use of U2F keys involves less effort than unlocking my phone, then unlocking my TOTP application, then searching for the account and site I'm trying to unlock, then waiting for the timer to reset because I can't authenticate before the current code expires, etc.
Assuming I didn’t fuck up basic math,
Beats me! I just use off-the-shelf entropy calculators and hope they're right. They mostly seem to agree that ~128 bits of entropy from a 10-word (70-85-ish characters) passphrase from the EFF large wordlist, or ~24 characters from uppercase/lowercase/numeric. Both might be reasonably considered overkill, if you can be sure that the thing that's hashing the password is using a modern algorithm (which often you can't, sadly).
I also dislike unreasonably long passwords because more modestly-sized ones can be typed out manually when needs be, or even read over the phone in an emergency. I wouldn't fancy doing that with 128 character passwords! You may of course never need to do those things, but I've needed to do both, at work and otherwise.
load more comments
(2 replies)