Stubsack: weekly thread for sneers not worth an entire post, week ending 2nd February 2025
  • The biggest issue I have is that the firmware cannot be updated (which I realize is somewhat a matter of taste regarding your threat model). Other than that, it’s the added complexity of “use this physical device” and the concern I had about recovering accounts if I lost the Yubikey.

    The solokey v2 and the nitrokey v3 (I think) have some firmware upgradability, but they're not as capable as a yubikey (the last time I checked I couldn't use either of them to unlock a keepassxc password vault, for example). Whilst it would be a right hassle to deal with a lost device, I generally lock my accounts with a main key and two spares that get stored safely and make a note in my password database of which accounts can use which keys so there's little risk of locking myself out of anything, and I can get a list of sites to visit to revoke credentials from. In any case, the minor inconvenience is a good tradeoff for me, given the significant security guarantees the keys offer over other authentication mechanisms.

    But also, "added complexity" is just a thing with two factor authentication, and most of my use of U2F keys involves less effort than unlocking my phone, then unlocking my TOTP application, then searching for the account and site I'm trying to unlock, then waiting for the timer to reset because I can't authenticate before the current code expires, etc.

    Assuming I didn’t fuck up basic math,

    Beats me! I just use off-the-shelf entropy calculators and hope they're right. They mostly seem to agree that you get ~128 bits of entropy from a 10-word (70-85-ish characters) passphrase from the EFF large wordlist, or from ~24 characters of uppercase/lowercase/numeric. Both might be reasonably considered overkill, if you can be sure that the thing that's hashing the password is using a modern algorithm (which often you can't, sadly).

    I also dislike unreasonably long passwords because more modestly-sized ones can be typed out manually when needs be, or even read over the phone in an emergency. I wouldn't fancy doing that with 128 character passwords! You may of course never need to do those things, but I've needed to do both, at work and otherwise.

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 2nd February 2025
  • Last time I tried it, ungoogled chromium had some issues with yubikeys (see https://ungoogled-software.github.io/ungoogled-chromium-wiki/faq#how-to-get-fido-u2f-security-keys-to-work-in-google-sign-in) which I don’t think have been fixed yet. That was enough to be a deal breaker for me.

    do yubikeys suck as much as it looks like they suck?

    Without knowing why you think they suck, it’s hard to say. I like having unphishable uncopyable credentials, and it irritates me that they aren’t more widely supported. On my desktop or laptop, they’re less irritating than TOTP, for example, which is neither unphishable nor uncopyable but much more widely used.

    whereas passwords that will always be copy-pasted are 128 characters

    Whilst there isn’t really such a thing as “too secure”, it is the case that things like passwords are not infinitely scaleable. Something like yescrypt produces 256-bit hashes (iirc) so there’s simply no space to squish all that extra entropy you’re providing into the output… it might not be any more secure than a password a quarter of its length (or less!).

    128 bits of entropy is already impractical to brute force, even if you ignore the fact that modern password hashes like yescrypt and argon2 are particularly challenging to attack even if your password has low entropy.
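The entropy figures in the reply above and the point about a 256-bit hash output, worked through as an added note that is not part of the original comments (it assumes a uniformly random choice from the EFF large wordlist of 7776 words, and a 62-symbol alphabet for mixed-case alphanumerics):

$$
H = n \log_2 N
$$

$$
\text{EFF large wordlist: } 10 \times \log_2 7776 \approx 10 \times 12.925 \approx 129.2 \text{ bits}
$$

$$
\text{Mixed-case alphanumeric: } 22 \times \log_2 62 \approx 22 \times 5.954 \approx 131.0 \text{ bits},\qquad 24 \times 5.954 \approx 142.9 \text{ bits}
$$

$$
H_{\text{eff}} = \min(H,\; b) \quad \text{for a hash or KDF with a } b\text{-bit output}
$$

$$
\text{128 alphanumeric characters: } 128 \times 5.954 \approx 762 \text{ bits} \;\Rightarrow\; H_{\text{eff}} = \min(762, 256) = 256 \text{ bits}
$$

The exhaustive-search cost is therefore bounded by $2^{H_{\text{eff}}}$ guesses times the per-guess cost of the hash, which is why the extra length beyond the output size buys nothing and why a slow KDF such as argon2 or yescrypt matters more for low-entropy passwords than a longer string does.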

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 2nd February 2025
  • The whole thing is just weirdly incompetent. Maybe they just had everything configured wrong and accidentally deployed some throwaway tests to production? I could almost see it as a way to poison scrapers, given that there are some odd visibility settings on the slop posts, though the owner’s shiftiness and dubious explanations suggest it wasn’t anything so worthy.

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 2nd February 2025
  • And on a less downbeat and significantly more puerile note, Dan Fixes Coin Ops makes a nice analogy for companies integrating ai into their product.

    https://retro.social/@ifixcoinops/112847573063473767

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 2nd February 2025
  • Hey, did you know if you own an old forum full of interesting posts from back in the day when humans wrote stuff, you can just attach ai bots to dead accounts and have them post backdated slop for, uh, reasons?

    https://hallofdreams.org/posts/physicsforums/

  • US Congress proposes bill to allow AI to prescribe drugs and medical treatment
  • Corporations institute barebones, born yesterday AI models that don’t know their ass from their elbow because they can’t be bothered to pay the devs to actually train them but when shit goes south they turn around and blame the devs for a bad product instead of admitting they cut corners

    Sounds like all it would take is one company to do it right, and they’d clean up. Except somehow, with all of the billions being poured into it, every product with ai sprinkled on it is worse than the non-ai-sprinkled alternatives.

    Now, maybe this is finally the sign that everyone will accept that The Market is completely fucking stupid and useless, and that literally every company involved in ai is holding it wrong.

    Or, and I know it’s a bit of a stretch here, but consider the possibility that ai just isn’t very useful except for fooling humans and maybe you can fool people into paying for it but it’s a lot harder to fool them into thinking it makes stuff better.

  • cower in fear of the basilisk, meat machines
  • Maybe I’m missing something, but has anyone actually justified this sort of “reasoning” by LLMs? Like, is there actually anything meaningfully different going on? Because it doesn’t seem to be distinguishable from asking a regular LLM to generate 20 paragraphs of ai fanfic pretending to reason about the original question, and the final result seems about as useful.

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 19th January 2025 - awful.systems
  • Possibly I’m the last to hear about this one, but seeing as proton mail has come up here a few times before: the founder and ceo Andy Yen is apparently a Trump fan.

    Great pick by @realDonaldTrump. 10 years ago, Republicans were the party of big business and Dems stood for the little guys, but today the tables have completely turned. People forget that the current antitrust actions against Big Tech were started under the first Trump admin.

    (from the beginning of december, on the nomination of trump staffer Gail Slater to antitrust post at the doj)

    https://xcancel.com/andyyen/status/1864436449942110660

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 12th January 2025
  • Apparently, the OpenMandriva folk (the inheritors of the venerable mandrake/mandriva Linux distro) are now best buddies with Bryan Lunduke (right wing tech grifter and q-anon fan) and are decrying the left wing bias of Linux projects with a hilarious “wokeOS shell”

    Archive of openmandriva forum post: https://archive.is/2025.01.11-001057/https://forum.openmandriva.org/t/came-here-from-lunduke/5516/1

    Lovely juxtaposition of “let’s stick it to the gay fags” and “we’re accepting of everyone and there’s no hate here”. Seems like a classy community all round. It’s a little sad to see how mandrake ended up, but there you go.

    WokeOS here: https://web.archive.org/web/20250110234818/https://lindev.ch/wokeos.cpp

    It’s pretty tedious and unimaginative. No idea who lindev are.

    (eta: wasn’t me who originally found this, but I’m never quite sure whether it’s ok to include sources for this sort of thing given the subject. on the other hand, the op has it as public post that’s been boosted a bunch of times, so here it is: https://tech.lgbt/@GeopJr/113807022917800887)

  • OpenAI is so cooked and I'm all here for it
  • A real ceo does everything. Delegation is for losers who can’t cope. Can’t move fast enough and break enough things if you’re constantly waiting for your lackeys to catch up.

    If those numbers people were cleverer than the ceo, they’d be the ones in charge, and they aren’t. Checkmate. Do you even read Ayn Rand, bro?

  • I am rich and have no idea what to do
  • Remember that actual physicists can fall into the same trap, and believe themselves to be very smart too. Plenty suffer an irresistible urge to fix every other field that’s doing it wrong.

    As an alternative to the various xkcds on the subject, have an smbc instead.

    https://www.smbc-comics.com/comic/2012-03-21

  • Not that we’d ever do a filler piece on Christmas and AI
  • If it were merely a search engine, it risks not being ai enough. We already have search engines, and no one is gonna invest in that old garbage. So instead, it finds something that you might want that’s been predigested for ease of ai consumption (Retrieval), dumps it into the context window alongside your original question (Augmentation) and then bullshits about it (Generation).

    Think of it as exactly the same stuff that the LLM folk have already tried to sell you, trying to work around limitations of training and data availability by providing “cut and paste as a service” to generate ever more complex prompts for you, in the hopes that this time you’ll pay more for it than it costs to run.

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 23rd December 2024
  • And, whilst I’m here, a post from someone who tried using copilot to help with software dev for a year.

    I think my favourite bit was

    Don’t use LLMs for autocomplete, use them for dialogues about the code.

    Tried that. It’s worse than a rubber duck, which at least knows to stay silent when it doesn’t know what it’s talking about.

    https://infosec.exchange/@david_chisnall/113690087142854474

    (and also https://en.m.wikipedia.org/wiki/Rubber_duck_debugging for those who haven’t come across it)

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 23rd December 2024
  • Interesting article about netflix. I hadn’t really thought about the scale of their shitty forgettable movie generation, but there are apparently hundreds and hundreds of these things with big names attached and no-one watches them and no-one has heard of them and apparently Netflix doesn’t care about this because they can pitch magic numbers to their shareholders and everyone is happy.

    “What are these movies?” the Hollywood producer asked me. “Are they successful movies? Are they not? They have famous people in them. They get put out by major studios. And yet because we don’t have any reliable numbers from the streamers, we actually don’t know how many people have watched them. So what are they? If no one knows about them, if no one saw them, are they just something that people who are in them can talk about in meetings to get other jobs? Are we all just trying to keep the ball rolling so we’re just getting paid and having jobs, but no one’s really watching any of this stuff? When does the bubble burst? No one has any fucking clue.”

    What a colossal waste of money, brains, time and talent. I can see who the market for stuff like sora is, now.

    https://www.nplusonemag.com/issue-49/essays/casual-viewing/

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 23rd December 2024
  • For VPNs, at least, I can offer some suggestions. If you wanted to securely access a specific box or network of yours, tailscale is pretty great and very painless to use. If you wanted to do stuff without various folk noticing then that’s a bit trickier but I’ve been happy using mullvad… they’re not the cheapest, though they have some splendid anonymous payment mechanisms (you can literally mail them a wad of banknotes with a magic code on a bit of paper… you don’t even need to muck about with bitcoin).

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 23rd December 2024
  • In further bluesky news, the team have a bit of an elon moment and forget how public they made everything.

    https://bsky.app/profile/miriambo.bsky.social/post/3ldq2c7lu6c25 (only readable if you are logged in to bluesky) Good morning. Let me check if I’ve got this right. Juni created a bot that shows what Aaron (head of trust and safety) likes. His likes are public information. Aaron likes a porn post. Trust and safety ban the bot and creator in 16 minutes. Creator appeals and ban is upheld

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 23rd December 2024
  • Bluesky’s approach to using domain names to mean identity is now showing cracks that everyone can see: https://tedium.co/2024/12/17/bluesky-impersonation-risks/

    (it was always shaky, but mostly only shown by infosec folks who signed up as amazon s3, etc)

    TL;DR: scammer buys .com domain for journalist’s name, registers it on bluesky, demands money to hand it over or face reputational damage, uses other fake accounts with plausible names and backgrounds to encourage the mark to pay up. Fun stuff. The best bit is when the sockpuppets got one of the real people they were pretending to be banned from bluesky.

  • In which a Eugenicist Effective Altruist advocates becoming a cuckold for the greater good
  • I will find someone who I consider better than me in relevant ways,

    Lemme guess, rich, white, asshole? (now I write this, I realise it could be about the author of the blog post too, and not just the bull he’s seeking).

    These people continue to be so utterly delusional about the nature of success. The desperate need to believe that genetics is destiny, and that the ultra-wealthy got that way because they are also ultra-competent instead of merely being ultra-lucky and/or ultra-rapacious.

    I guess the future is a race to see what comes first… the ultra-wealthy habsburging themselves into oblivion, the oceans boiling, or a resurgence in the construction of hand-built artisanal tumbrels.

  • In which a Eugenicist Effective Altruist advocates becoming a cuckold for the greater good
  • Funny how right-wing types reaaaaaly love unborn kids. They’re the best focus group for almost any policy!

  • rook rook @awful.systems
    Posts 0
    Comments 101