Spotlight7573
@Spotlight7573@lemmy.world
- Comment on How Airbnb accidentally screwed the US housing market and made $100 billion 4 days ago:
It also doesn’t help housing prices that the landlords are colluding to raise prices:
ftc.gov/…/price-fixing-algorithm-still-price-fixi…
It isn’t just Airbnb’s fault, it’s landlords wanting to maximize their return, no matter the method (short-term rentals or price fixing collusion).
- Comment on Novel attack against virtually all VPN apps neuters their entire purpose 1 week ago:
The trust in the unknown systems of the VPN provider may still be better than the known practices of your local ISP/government though. You shouldn’t necessarily rely on it too heavily but it’s good to have the option.
- Comment on YouTube moves to AV1 by default to the dismay of some Android users 3 weeks ago:
Looks like it might be inferred by this:
www.videolan.org/projects/dav1d.html
About
dav1d is a new open-source AV1 decoder developed by the VideoLAN and FFmpeg communities and sponsored by the Alliance for Open Media.
aomedia.org/membership/members/
Founding Members:
- Amazon
- Apple
- Cisco
- [etc]
It is good that Google is acknowledging that a decoder made by someone else is better than their own by switching to it though.
- Comment on Messaging app Signal is currently experiencing server issues. 2 months ago:
Nope, you still need a phone number. You just don’t need to give the phone number out to contacts you want to talk with and can instead use the username.
- Comment on Google just took down IPAs (Apple equivalent of APKs) of popular YouTube tweaks 2 months ago:
I’m not saying NewPipe doesn’t use their bandwidth, just that taking YouTube’s app/UI code too just feels worse to me for some reason. It’s less about the logic of it and more about the feeling.
- Comment on Google just took down IPAs (Apple equivalent of APKs) of popular YouTube tweaks 2 months ago:
I think there’s a difference between a third-party app/frontend and a modded app like these. One is at least trying to provide their own value, and stuff like NewPipe for example can support multiple services in the same UI, a feature I wish was better supported in streaming as I dislike trying to navigate all the individual apps. Modifying a service’s app to remove the ads while still consuming their bandwidth and not putting in the effort to make your own app feels worse for me for some reason. At least pirates generally tend to use their own bandwidth and servers to distribute things instead of leeching directly off the original.
Hope that helps explain it for at least one person.
- Comment on Google just took down IPAs (Apple equivalent of APKs) of popular YouTube tweaks 2 months ago:
As for what these were, they are modified versions of the official YouTube app. What has been taken down is the full modified app files (.ipa) ready to install on an iPhone, not the source code to the tweaks that are in the repos.
These modifications do things like replicate the paid YouTube Premium features, from the uYou features list for example:
- Ad-Free Browsing: Bid farewell to interruptions and enjoy seamless video playback without annoying advertisements.
- Background Playback: Keep your favorite videos running in the background while you multitask or lock your device.
- Video and Audio Downloads: Download videos, shorts, and audio tracks in various formats, including MP4 and WebM, for offline viewing and listening pleasure.
- […]
You can see why Google would want to have them taken down. They aren’t even a re-implementation with their own code/UI like NewPipe.
- Comment on Why has Firefox not removed third-party cookies, despite the fact that Chrome has begun phasing them out? 2 months ago:
It’s part of the open source chromium engine.
Here’s how it implements some of the privacy sandbox stuff for example: chromium.googlesource.com/…/privacy_sandbox/
Theoretically they could still inject malicious code even if the stuff in the chromium source code looks fine. Given they got sued for their servers still tracking you while Chrome was in Incognito mode (even with the warning every time you open Incognito mode), I’d imagine any injection of code like that would result in another lawsuit (or several). At some point you either have to trust that Google is implementing things how they say they are in the code that they put out or just use a different browser.
- Comment on Why has Firefox not removed third-party cookies, despite the fact that Chrome has begun phasing them out? 2 months ago:
I’m not sure how moving stuff like topics of interest into the browser where it can be modified/turned off by the user in a single, local location isn’t an improvement over the current situation?
- Comment on Why has Firefox not removed third-party cookies, despite the fact that Chrome has begun phasing them out? 2 months ago:
I believe Mozilla said it best here:
blog.mozilla.org/…/improving-privacy-without-brea…
Firefox’s privacy protections must be usable on the web, or people will simply stop using Firefox altogether.
The web is not at the stage yet where third-party cookies can be disabled entirely. Chrome’s phase out of them this year should push all those sites still clinging to them to fix their sites. This should mean fewer problems when using Firefox’s privacy features. Firefox won’t necessarily need to remove the feature soon anyways since it already isolates them per site.
- Comment on Why has Firefox not removed third-party cookies, despite the fact that Chrome has begun phasing them out? 2 months ago:
Strictly speaking, it’s an improvement over the current situation where you are tracked across the web to come up with a profile of your interests which is then used to deliver targeted advertising. The interest-based advertising is the end goal, it’s where Google makes its money. Google doesn’t necessarily need your data or to track you across the web to do that. I think people are unhappy that it doesn’t go far enough and just want either no targeted advertising or no advertising at all. Removing the ability to target ads would result in more ads being needed to make up for lower quality placements, which I believe would lead to increased ad blocker usage and an advertising death spiral. News sites are already almost practically unusable on mobile without blocking ads for example. Having no advertising means getting revenue another way such as paywalls and subscriptions.
With the Topics API, your browser will keep track of your history and provide sites with a limited number of topics (1 per week). Instead of being an opaque system on an ad provider’s server, you can examine and modify the topics being used in your browser or even look at the source code of the feature itself. With the Protected Audience API, the ad bidding process can occur in the browser as well instead of on a remote server. These features can be turned off.
There is definitely some concern that they’re screwing over third-party advertisers which is why their pages come with stuff like:
subject to addressing any remaining competition concerns of the UK’s Competition and Markets Authority (CMA)
Regardless, Chrome ditching third-party cookies means that websites can no longer rely on them and must adapt their sites to function without them. This will mean that Firefox’s Total Cookie Protection should work better and they can remove third-party cookies in the future instead of having to create workarounds.
- Comment on Why has Firefox not removed third-party cookies, despite the fact that Chrome has begun phasing them out? 2 months ago:
Not sure how Chrome’s alternatives for providing relevant ads are harder to block when you can just turn them off (and examine the data it’s collected) in the settings. These systems are what Chrome is able to do at the moment to work towards blocking third party cookies. They do have an incentive to make something that they know works well for them though, I’ll give you that.
- Comment on Passkeys might really kill passwords 2 months ago:
Don’t need the premium version of Bitwarden to use passkeys. The free version works.
That said, $10 per year is not a big cost to support the company storing your vault and developing the apps.
- Comment on Passkeys might really kill passwords 2 months ago:
People also don’t have a backup device though.
And that’s a problem with most authentication factors and with how most systems don’t rely on just the password anymore. If you don’t have a backup device, you’re going to run into issues.
- Comment on Passkeys might really kill passwords 2 months ago:
KeePassXC is working on it but I haven’t seen anything about the original KeePass.
- Comment on Passkeys might really kill passwords 2 months ago:
Passkeys are protected by either your device’s password/passcode (something you know) or your device’s biometrics (something you are). That provides two factors when combined with the passkey itself (something you have).
The benefit of the password is only available if you know your password for your accounts or if you have a password manager. People can only remember a limited number of passwords without resorting to systems or patterns. Additionally, with many accounts now, knowing the password is not enough to log in; you must either be logging in from an existing device or perform some kind of 2FA (TOTP, SMS, hardware security key, etc). So you already need to have a backup device to log in anyways. Same with a password manager: if you can have a copy of your vault with your password on another device then you can have a copy of your vault with your passkey on another device. Nothing gets rid of the requirement to have a backup device or copy of your passwords/passkeys if you want to avoid being locked out.
- Comment on Passkeys might really kill passwords 2 months ago:
Bitwarden can both generate and store them in the browser extension. It can also use them through the browser extension but it can’t yet use them through the mobile apps (they’re working on it).
- Comment on AI companies are violating a basic social contract of the web and ignoring robots.txt 2 months ago:
While there are some extensions that do this, last I saw Google didn’t use Chrome for populating Search:
- Comment on Passkeys might really kill passwords 2 months ago:
Yeah, unfortunately passkey support on mobile outside of what the OS/browsers provide is kind of not there at the moment but it’s being worked on. Android 14 apparently has some kind of framework for integrating in third-party passkey providers. At this point, you should view passkeys as an additional, more convenient and secure way to log in on the platforms it’s supported on, not necessarily the only way to log into an account.
- Comment on Passkeys might really kill passwords 2 months ago:
Basically, but with a separate public/private key pair per login so they aren’t able to link your identity between sites or accounts with it and also synced or stored in a password manager so you don’t lose them.
- Comment on Passkeys might really kill passwords 2 months ago:
Currently Bitwarden’s passkey support is limited to the browser extensions not the apps but from my experience it works relatively well. When logging into a site you just select the passkey from the extension popup and it logs you in.
Example passkey registration:
- Click create a passkey button in the accounts settings page
- Bitwarden extension pops up with a list of matching accounts
- Select the account in your password manager that you want to associate the passkey with
- Click Save passkey button
- The account now has a new passkey associated with it that’s stored in your Bitwarden vault
Example login:
- Click sign in with passkey button on the login page
- Bitwarden extension pops up with a list of matching accounts from your vault
- Select the account you want to sign in with
- Click Confirm button
- You’re signed in
- Comment on Passkeys might really kill passwords 2 months ago:
Passwords are known (or accessible in a password manager) by the user and the user gives one to a site to prove they are who they say they are. The user can be tricked into giving that password to the wrong site (phishing). The site can also be hacked and have the passwords (or hashes of the passwords) leaked, exposing that password to the world (a data breach).
With passkeys, the browser is the one checking that it’s talking to the right site before talking by making sure the domain name matches. Passkeys also don’t send a secret anywhere but instead use math to sign a message that proves they are the returning user. This security is possible because there is a public key and a private key. The user is the only one with a public key. The authenticity of the message is guaranteed by math by checking it with the public key that the user provided to the site when they registered their passkey. The site doesn’t need access to the private key that the user has to verify the message so there’s nothing sensitive for the site to leak.
In practical terms, instead of having to have your password manager autofill the username and password and then do some kind of second factor, it just signs a message saying “this is me” and the site logs you in.
- Comment on Passkeys might really kill passwords 2 months ago:
I haven’t seen anything about the original KeePass supporting them but KeePassXC is working on it:
- Comment on Passkeys might really kill passwords 2 months ago:
Many apps now do the ‘app opens the browser for login’ process instead of having the login in their actual app. They don’t have to implement all the different ways to log in then, they can just use the same system that their normal account management stuff on their site uses.
You can get greater security with hardware-backed solutions like a TPM but the adoption rate was not great. I think the goal is to improve things over passwords, even if the credentials are then available on multiple devices via a sync or a password database file. Perfect being the enemy of good and all that. Hardware options still exist and you can still use them; they use the same WebAuthn standard that passkeys use.
- Comment on Passkeys might really kill passwords 2 months ago:
Exactly. You could have access to your password manager on your computer or a backup hardware security key instead. It doesn’t have to all be tied to just one phone, just like you don’t have to have just one house or car key.
- Comment on Passkeys might really kill passwords 2 months ago:
For many people it works well as a trade-off between security and convenience. It may not be for everyone though and that’s okay. Nothing stops you from using a password/passcode to secure your passkey instead.
- Comment on Passkeys might really kill passwords 2 months ago:
Banks are certainly behind the times and ‘bank-grade security’ is a joke in terms of what authentication methods they offer. I understand that they are slow to change anything though.
- Comment on Passkeys might really kill passwords 2 months ago:
It’s probably overkill for most people but I would love to have a system that lets me choose what combination of factors together work to log in rather than just ‘password and something else’. Something like A,B,C are on the account and you can use A+B or B+C to log in. It’d be great for those who don’t necessarily want to trust SMS-based one-time passwords (due to SIM swapping, theft, etc) if we could require something else along with it.
That said, the way passkeys are typically used satisfies multiple factors at once:
Password to unlock your password database that stores your passkey: something you know, the password + something you have, the database
Biometric to unlock your phone that has your passkey: something you are, fingerprint or face + something you have, the phone
- Comment on Passkeys might really kill passwords 2 months ago:
The person who broke their phone screen wasn’t mad about not being able to access the data on it in this case, but rather that they couldn’t receive a text message as the second factor to log in to their bank. Having a backup wouldn’t have mattered, they couldn’t receive the text. Like it or not, having two-factor authentication on accounts is a necessity with the phishing and malware problems out there. Having multiple (secure) factors attached to your account is the best protection against getting locked out.
The breaking of a phone and loss of the data on it can still be protected against by having backups in other locations or offline, like you have.
- Comment on Passkeys might really kill passwords 2 months ago:
If you already have a central point to lose everything in the form of a password manager, is it any worse? What’s the difference between a random password stored in your password manager that you don’t remember versus a private key stored in your password manager that you’re not expected to remember? You’ve always needed to make backups or have alternative ways to get in (recovery codes, customer support channels, etc), nothing about that has changed when going from passwords to passkeys. When passkeys are supported on sites, there can be no autofill issues (password or TOTP), no password complexity requirements, no worries about how they are hashing them on the server side, no phishing issues, etc. That’s an improvement over the system we have now.
And for those that don’t have a password manager, they are likely reusing passwords. Passkeys prevent the risk of password reuse and the risk of phishing.