Spotlight7573
@Spotlight7573@lemmy.world
- Comment on Founder and CEO of Telegram messaging service arrested in France 2 months ago:
Isn’t the main problem that most people don’t use the E2E encrypted chat feature on Telegram, so most of what’s going on is not actually private and Telegram does have the ability to moderate but refuses to (and also refuses to cooperate)?
Something like Signal gets around this by not having the technical ability to moderate (or any substantial data to hand over).
- Comment on 2.9 billion hit in one of the largest data breaches ever — full names, addresses and SSNs exposed 3 months ago:
Before people can be persuaded to use them, we have to persuade or force the companies and sites to support them.
- Comment on Ad industry initiative abruptly shuts down after lawsuit filed by Elon Musk’s X 3 months ago:
A multi-billion dollar social media company sued an ad industry group that was trying to help companies have some kind of brand safety standards to prevent a company’s ads from appearing next to objectionable content. They reportedly had two full-time staff members. This isn’t some big win, it’s bullying itself.
- Comment on 2.9 billion hit in one of the largest data breaches ever — full names, addresses and SSNs exposed 3 months ago:
Basically with passkeys you have a public/private key pair that is generated for each account/each site and stored somewhere on your end somehow (on a hardware device, in a password manager, etc). When setting it up with the site you give your public key to the site so that they can recognize you in the future. When you want to prove that it’s you, the website sends you a unique challenge message and asks you to sign it (a unique message to prevent replay attacks). There’s some extra stuff in the spec regarding how the keys are stored or how the user is verified on the client side (such as having both access to the key and some kind of presence test or knowledge/biometric factor) but for the most part it’s like certificates but easier.
- Comment on 2.9 billion hit in one of the largest data breaches ever — full names, addresses and SSNs exposed 3 months ago:
With a breach of this size, I think we’re officially at the point where the data about enough people is out there and knowledge based questions for security should be considered unsafe. We need to come up with different authentication methods.
- Comment on Google cancels plans to kill off cookies for advertisers 3 months ago:
The plan was only to kill off third-party cookies, not first-party so being able to log into stuff (and stay logged in) was not going to be affected. Most other browsers have already blocked or limited third-party cookies but most other browsers aren’t owned by a company that runs a dominant ad-tech business, so they can just make those changes without consulting anyone.
Also, it looks like there might be some kind of standard for federated login being worked on but I haven’t really investigated it: developer.mozilla.org/en-US/docs/Web/…/FedCM_API
- Comment on Google cancels plans to kill off cookies for advertisers 3 months ago:
They definitely knew it would impact their ad business but I think what did it was the competition authorities saying they couldn’t do it to their competitors either, even if they were willing to take the hit on their own services.
Impact on their business (bold added): support.google.com/admanager/answer/15189422
- Programmatic revenue impact without Privacy Sandbox: By comparing the control 2 arm to the control 1 arm, we observed that removing third-party cookies without enabling Privacy Sandbox led to -34% programmatic revenue for publishers on Google Ad Manager and -21% programmatic revenue for publishers on Google AdSense.
- Programmatic revenue impact with Privacy Sandbox: By comparing the treatment arm to control 1 arm, we observed that removing third-party cookies while enabling the Privacy Sandbox APIs led to -20% and -18% programmatic revenue for Google Ad Manager and Google AdSense publishers, respectively.
- Comment on Big Tech to EU: "Drop Dead" 5 months ago:
That’s a sentiment that quite a few others online feel too:
techdirt.com/…/do-people-want-better-facebook-dea…
I do get the argument though that if no improvement will ever be good enough for some people, then what incentive do they have to change if it won’t make a difference to those people either way?
- Comment on How Airbnb accidentally screwed the US housing market and made $100 billion 6 months ago:
It also doesn’t help housing prices that the landlords are colluding to raise prices:
ftc.gov/…/price-fixing-algorithm-still-price-fixi…
It isn’t just Airbnb’s fault, it’s landlords wanting to maximize their return, no matter the method (short-term rentals or price fixing collusion).
- Comment on Novel attack against virtually all VPN apps neuters their entire purpose 6 months ago:
The trust in the unknown systems of the VPN provider may still be better than the known practices of your local ISP/government though. You shouldn’t necessarily rely on it too heavily but it’s good to have the option.
- Comment on YouTube moves to AV1 by default to the dismay of some Android users 6 months ago:
Looks like it might be inferred by this:
www.videolan.org/projects/dav1d.html
About
dav1d is a new open-source AV1 decoder developed by the VideoLAN and FFmpeg communities and sponsored by the Alliance for Open Media.
aomedia.org/membership/members/
Founding Members:
- Amazon
- Apple
- Cisco
- [etc]
It is good that Google is acknowledging that a decoder made by someone else is better than their own by switching to it though.
- Comment on Messaging app Signal is currently experiencing server issues. 8 months ago:
Nope, you still need a phone number. You just don’t need to give the phone number out to contacts you want to talk with and can instead use the username.
- Comment on Google just took down IPAs (Apple equivalent of APKs) of popular YouTube tweaks 8 months ago:
I’m not saying NewPipe doesn’t use their bandwidth, just that taking YouTube’s app/UI code too just feels worse to me for some reason. It’s less about the logic of it and more about the feeling.
- Comment on Google just took down IPAs (Apple equivalent of APKs) of popular YouTube tweaks 8 months ago:
I think there’s a difference between a third-party app/frontend and a modded app like these. One is at least trying to provide their own value, and stuff like NewPipe for example can support multiple services in the same UI, a feature I wish was better supported in streaming as I dislike trying to navigate all the individual apps. Modifying a service’s app to remove the ads while still consuming their bandwidth and not putting in the effort to make your own app feels worse for me for some reason. At least pirates generally tend to use their own bandwidth and servers to distribute things instead of leeching directly off the original.
Hope that helps explain it for at least one person.
- Comment on Google just took down IPAs (Apple equivalent of APKs) of popular YouTube tweaks 8 months ago:
As for what these were, they are modified versions of the official YouTube app. What has been taken down is the full modified app files (.ipa) ready to install on an iPhone, not the source code to the tweaks that are in the repos.
These modifications do things like replicate the paid YouTube Premium features, from the uYou features list for example:
- Ad-Free Browsing: Bid farewell to interruptions and enjoy seamless video playback without annoying advertisements.
- Background Playback: Keep your favorite videos running in the background while you multitask or lock your device.
- Video and Audio Downloads: Download videos, shorts, and audio tracks in various formats, including MP4 and WebM, for offline viewing and listening pleasure.
- […]
You can see why Google would want to have them taken down. They aren’t even a re-implementation with their own code/UI like NewPipe.
- Comment on Why has Firefox not removed third-party cookies, despite the fact that Chrome has begun phasing them out? 8 months ago:
It’s part of the open source chromium engine.
Here’s how it implements some of the privacy sandbox stuff for example: chromium.googlesource.com/…/privacy_sandbox/
Theoretically they could still inject malicious code even if the stuff in the chromium source code looks fine. Given they got sued for their servers still tracking you while Chrome was in Incognito mode (even with the warning every time you open Incognito mode), I’d imagine any injection of code like that would result in another lawsuit (or several). At some point you either have to trust that Google is implementing things how they say they are in the code that they put out or just use a different browser.
- Comment on Why has Firefox not removed third-party cookies, despite the fact that Chrome has begun phasing them out? 8 months ago:
I’m not sure how moving stuff like topics of interest into the browser where it can be modified/turned off by the user in a single, local location isn’t an improvement over the current situation?
- Comment on Why has Firefox not removed third-party cookies, despite the fact that Chrome has begun phasing them out? 8 months ago:
I believe Mozilla said it best here:
blog.mozilla.org/…/improving-privacy-without-brea…
Firefox’s privacy protections must be usable on the web, or people will simply stop using Firefox altogether.
The web is not at the stage yet where third-party cookies can be disabled entirely. Chrome’s phase out of them this year should push all those sites still clinging to them to fix their sites. This should mean fewer problems when using Firefox’s privacy features. Firefox won’t necessarily need to remove the feature soon anyways since it already isolates them per site.
- Comment on Why has Firefox not removed third-party cookies, despite the fact that Chrome has begun phasing them out? 8 months ago:
Strictly speaking, it’s an improvement over the current situation where you are tracked across the web to come up with a profile of your interests which is then used to deliver targeted advertising. The interest-based advertising is the end goal, it’s where Google makes its money. Google doesn’t necessarily need your data or to track you across the web to do that. I think people are unhappy that it doesn’t go far enough and just want either no targeted advertising or no advertising at all. Removing the ability to target ads would result in more ads being needed to make up for lower quality placements, which I believe would lead to increased ad blocker usage and an advertising death spiral. News sites are already almost practically unusable on mobile without blocking ads for example. Having no advertising means getting revenue another way such as paywalls and subscriptions.
With the Topics API, your browser will keep track of your history and provide sites with a limited number of topics (1 per week). Instead of being an opaque system on an ad provider’s server, you can examine and modify the topics being used in your browser or even look at the source code of the feature itself. With the Protected Audience API, the ad bidding process can occur in the browser as well instead of on a remote server. These features can be turned off.
There is definitely some concern that they’re screwing over third-party advertisers which is why their pages come with stuff like:
subject to addressing any remaining competition concerns of the UK’s Competition and Markets Authority (CMA)
Regardless, Chrome ditching third-party cookies means that websites can no longer rely on them and must adapt their sites to function without them. This will mean that Firefox’s Total Cookie Protection should work better and they can remove third-party cookies in the future instead of having to create workarounds.
- Comment on Why has Firefox not removed third-party cookies, despite the fact that Chrome has begun phasing them out? 8 months ago:
Not sure how Chrome’s alternatives for providing relevant ads are harder to block when you can just turn them off (and examine the data it’s collected) in the settings. These systems are what Chrome is able to do at the moment to work towards blocking third party cookies. They do have an incentive to make something that they know works well for them though, I’ll give you that.
- Comment on Passkeys might really kill passwords 8 months ago:
Don’t need the premium version of Bitwarden to use passkeys. The free version works.
That said, $10 per year is not a big cost to support the company storing your vault and developing the apps.
- Comment on Passkeys might really kill passwords 9 months ago:
People also don’t have a backup device though.
And that’s a problem with most authentication factors and with how most systems don’t rely on just the password anymore. If you don’t have a backup device, you’re going to run into issues.
- Comment on Passkeys might really kill passwords 9 months ago:
KeePassXC is working on it but I haven’t seen anything about the original KeePass.
- Comment on Passkeys might really kill passwords 9 months ago:
Passkeys are protected by either your device’s password/passcode (something you know) or your device’s biometrics (something you are). That provides two factors when combined with the passkey itself (something you have).
The benefit of the password is only available if you know your password for your accounts or if you have a password manager. People can only remember a limited number of passwords without resorting to systems or patterns. Additionally, with many accounts now knowing the password is not enough to log in, you must either be logging in from an existing device or perform some kind of 2FA (TOTP, SMS, hardware security key, etc). So you already need to have a backup device to log in anyways. Same with a password manager: if you can have a copy of your vault with your password on another device then you can have a copy of your vault with your passkey on another device. Nothing gets rid of the requirement to have a backup device or copy of your passwords/passkeys if you want to avoid being locked out.
- Comment on Passkeys might really kill passwords 9 months ago:
Bitwarden can both generate and store them in the browser extension. It can also use them through the browser extension but it can’t yet use them through the mobile apps (they’re working on it).
- Comment on AI companies are violating a basic social contract of the web and ignoring robots.txt 9 months ago:
While there are some extensions that do this, last I saw Google didn’t use Chrome for populating Search:
- Comment on Passkeys might really kill passwords 9 months ago:
Yeah, unfortunately passkey support on mobile outside of what the OS/browsers provide is kind of not there at the moment but it’s being worked on. Android 14 apparently has some kind of framework for integrating in third-party passkey providers. At this point, you should view passkeys as an additional, more convenient and secure way to log in on the platforms it’s supported on, not necessarily the only way to log into an account.
- Comment on Passkeys might really kill passwords 9 months ago:
Basically, but with a separate public/private key pair per login so they aren’t able to link your identity between sites or accounts with it and also synced or stored in a password manager so you don’t lose them.
- Comment on Passkeys might really kill passwords 9 months ago:
Currently Bitwarden’s passkey support is limited to the browser extensions not the apps but from my experience it works relatively well. When logging into a site you just select the passkey from the extension popup and it logs you in.
Example passkey registration:
- Click create a passkey button in the accounts settings page
- Bitwarden extension pops up with a list of matching accounts
- Select the account in your password manager that you want to associate the passkey with
- Click Save passkey button
- The account now has a new passkey associated with it that’s stored in your Bitwarden vault
Example login:
- Click sign in with passkey button on the login page
- Bitwarden extension pops up with a list of matching accounts from your vault
- Select the account you want to sign in with
- Click Confirm button
- You’re signed in
- Comment on Passkeys might really kill passwords 9 months ago:
Passwords are known (or accessible in a password manager) by the user and the user gives one to a site to prove they are who they say they are. The user can be tricked into giving that password to the wrong site (phishing). The site can also be hacked and have the passwords (or hashes of the passwords) leaked, exposing that password to the world (a data breach).
With passkeys, the browser is the one checking that it’s talking to the right site before talking by making sure the domain name matches. Passkeys also don’t send a secret anywhere but instead use math to sign a message that proves they are the returning user. This security is possible because there is a public key and a private key. The user is the only one with a public key. The authenticity of the message is guaranteed by math by checking it with the public key that the user provided to the site when they registered their passkey. The site doesn’t need access to the private key that the user has to verify the message so there’s nothing sensitive for the site to leak.
In practical terms, instead of having to have your password manager autofill the username and password and then do some kind of second factor, it just signs a message saying “this is me” and the site logs you in.
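
The challenge-response flow that the passkey comments on this page describe (a key pair per site, a unique challenge signed to prevent replay, and the domain check on the client), as an added example that is not part of the original comments. It is a simplified model using Node's built-in `crypto` module, not the WebAuthn wire format; the class names, the user `alice` and the `example.test` domains are assumptions made for illustration.

```javascript
// Added example: simplified passkey-style challenge-response (not full WebAuthn).
const { generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');

// Client side: one key pair per site, looked up by the domain the browser is on.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(domain) {
    const { publicKey, privateKey } = generateKeyPairSync('ed25519');
    this.keys.set(domain, privateKey);
    return publicKey; // only the public half leaves the device
  }
  // Sign the challenge together with the domain; null if no key exists for it.
  respond(domain, challenge) {
    const privateKey = this.keys.get(domain);
    if (!privateKey) return null;
    const clientData = JSON.stringify({ domain, challenge });
    return { clientData, signature: sign(null, Buffer.from(clientData), privateKey) };
  }
}

// Server side: stores public keys only and hands out single-use challenges.
class Site {
  constructor(domain) { this.domain = domain; this.users = new Map(); this.pending = new Set(); }
  enroll(user, publicKey) { this.users.set(user, publicKey); }
  newChallenge() {
    const challenge = randomBytes(32).toString('base64url');
    this.pending.add(challenge);
    return challenge;
  }
  login(user, response) {
    const publicKey = this.users.get(user);
    if (!publicKey || !response) return 'rejected: unknown user or no response';
    const { domain, challenge } = JSON.parse(response.clientData);
    if (domain !== this.domain) return 'rejected: signed for another domain';
    // delete() is true only the first time, so a captured response cannot be reused.
    if (!this.pending.delete(challenge)) return 'rejected: challenge unknown or already used';
    const ok = verify(null, Buffer.from(response.clientData), publicKey, response.signature);
    return ok ? 'accepted' : 'rejected: bad signature';
  }
}

function demo() {
  const device = new Authenticator();
  const site = new Site('example.test');
  site.enroll('alice', device.register('example.test'));
  const response = device.respond('example.test', site.newChallenge());
  const first = site.login('alice', response);
  const replay = site.login('alice', response); // same response sent a second time
  const phish = device.respond('examp1e.test', site.newChallenge()); // look-alike domain
  const other = new Authenticator(); // a different device that was never enrolled
  other.register('example.test');
  const wrongKey = site.login('alice', other.respond('example.test', site.newChallenge()));
  return { first, replay, phish, wrongKey };
}
```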