Aren’t they inherently less secure than a TOTP code?

They can be, depending on the types of threats you expect to face. If physical theft is an expected threat, then a hardware token runs the risk of being stolen and abused. For example, your attackers might just buy off cops to rob you and take your stuff. Having the physical device locked with a PIN/Passcode can mitigate this threat somewhat. But, that just becomes another password the attackers need to figure out.

On the other side of the coin, TOTP applications have started offering Cloud Backup options for accounts. What this demonstrates is that it’s possible to move those accounts between devices remotely. A hacked device means those codes may be exfiltrated to an attackers device and you will be none the wiser. Good security hygiene and device hardening can help mitigate these issues. But, it also means you need to a lot of trust in a lot of third parties. Also, you need to be unimportant enough for an attacker to not burn a 0-day on.

Ultimately, security is all about trade-offs. If you worry about physical security and don’t expect to face a threat which might compromise your phone, then a TOTP app might be a better option. If you are more worried about a hacked device being used to leak credentials, then a physical token may be a better choice. Each way you go has some ability to mitigate the risks. PIN for a physical token and device hardening for TOTP. But, neither is a silver bullet.

And, if your threat model includes someone willing and able to engage in rubber hose cryptanalysis, then you’re probably fucked anyway.

I’ve heard that in the US, the 5th amendment protects you from being forced to divulge a password, but they can physically place your finger on the finger print scanner.

Ya, it’s a weird space that you cannot be legally forced to divulge a password, except in cases where the content of the drive is a “foregone conclusion” (as defined by the US Supreme Court). But, they can absolutely collect biometric markers (including forcing a fingerprint scan).

I’m glad to see them trying and I really do want to see competition in the digital game storefront space. However, I have zero trust in EA to not try and fuck me as a customer at some point. So ya, no matter how good of a fee structure they offer devs, they will continue to lack the one thing devs actually care about: customers.

Also, as a Linux gamer, it’s really tough to consider a store front which doesn’t offer a Linux client. Sure, I might be able to get their app running in Wine. But, at that point, maybe I should just go support the company which is supporting me.

What Im observing though is more and more indies filling the void with smaller and cheaper games due to easy access to digital distribution. Not exactly a new take as its been hapening for over 15 years now. Interestingly, Epic seems to not take the same stance as Steam does in this space. Where steam gives pretty much any shovelware the same chances, Epic wants to be super picky about these low budget titles. Where is Epic’s Balatro?

This reminds me a lot of the days of the original PlayStation (PS). Nintendo was the large, dominant company. But, they were also really, really picky with the games they let on their platform (still are). Along comes Sony with a better physical format and a willingness to let just about anything on their system. And there were a lot of terrible titles on the PS; but, there were also some real gems from smaller devs and lots more choice for people to find what they wanted to play. That openness and plethora of options drew people to the system. Sure, Nintendo is still around and still a juggernaut, but they gave up a lot of market space to Sony.

Sweeney and many of the big studios seem dead set on trying to replicate lightning. They keep churning out Fortnight clones, live service games and lootbox infested grind fests. None of this is because they want to make a game for players, it’s all a bald-faced money grab. And it comes across so clearly in their games. Yes, big budget games cost a lot of money and I don’t begrudge studios trying to make money. I’m more than happy to throw money at devs who make a great game (I just pledged ~$250 at the Valheim Board Game project, based mostly on the fact that I fucking love Valheim). I’ve also bought into way too many Early Access games, because they looked like they had the bones of good games. But, the big budget games seem to get lost trying to pump every last dollar out of your wallet and just quickly become a turn off.

I remember one particular instance in Dragon Age, where an NPC had a “Quest Available” marker floating above his head. When you talked to him, you quickly discovered that you could buy his quest and the game was happy to kick you over to the EA store so that you could buy his quest right there. Fuck that noise. I’m not against DLC, but that sort of “in your face” advertising pisses me right off. Hell, I’m one of those weirdos who likes the Far Cry series. I put tons of hours into Far Cry 5 (seriously, the wing suit was just good fun). Far Cry 6 was ok and I did finish it, though the micro-transaction spam grated on me hard. After that experience, I’m not sure I want a Far Cry 7.

And I think that points to the elephant in the room. Big publishers, like EA are so focused on making profits, they have lost sight of making a good game. Give me a solid, complete experience. Give me good controls, enough story to hold the action together and just a general sense of fun. Once that is in place, then maybe throw hats for sale on top of that. But, when lootboxes and micro-transactions are core to the gameplay and the game is balanced to force you in the direction of buying that crap, fuck your game. If the core gameplay is designed to suck so much that I want to buy cheats to bypass that core gameplay, I’ll save myself a bunch of money and just skip the game entirely. There are way too many options available out there, which don’t suck, for me to waste my time and money shoveling your shit.

According to T-Mobile’s 2023 Annual Report they had $8.3 Billion in Net Income in 2023. A $31.5 Million dollar settlement isn’t even a rounding error. Unless and until these fines start actually cutting into profits, in a significant way, businesses aren’t going to care about cybersecurity.

We really need to take a page from the EU’s GDPR and start assessing these fines as a percentage of global annual revenue. Quit dicking around and make the fines high enough that companies make the secure choice, rather than the cheap choice, because the ROI for the cheap choice includes a high risk of “fuck you” level fines.

Some employees have accused Dell of trying to shrink its workforce with this policy

There’s the real goal. Cut headcount without directly cutting headcount. Of course, the headcount which bails first will be the highest performers with the greatest ability to find other employment. But, that won’t show up on the bottom line for a few years.

Necessity is the mother of invention. Laziness is the father.

Although thinking about it I could clip the PEI to the glass giving it a flat bed…

Having had a similar issue, actual bed more warped than a TV preacher, and a dead, impossible to replace leveling sensor. I moved to a glass bed. But, now that you mention it, this seems like a great way to get then PEI adhesion and have the bed actually level. Just ordered some larger clips and I’m gonna try this out.

I suspect every security baseline is going to include guidance for removing recall. There’s just no reason for this sort of malware on a system.

Reality often takes a backseat to narrative in books/movies/games/etc. If you want to “well akshuly” your way though a book, you’re likely to find a lot of details the author got wrong. At the same time, those failed details may provide useful ways for the author to move the story or scene along. “Moonrise” is one of those areas where, if you polled most people, the majority would probably get it wrong. But it’s a useful trope in stories where clocks and precise timekeeping aren’t a thing and where lunar accuracy is also not important. A character saying “it’s well past moonrise” will convey to many readers the idea that it’s pretty late in the night. Could it be done another way? Sure, but the trope gets the job done and not one really cares about the inaccuracy.

While it was kinda lame for Mozilla to add it with it already opted-in the way they did

That’s really the rub here. Reading the technical explainer on the project, it’s a pretty good idea. The problem is that they came down on the side of “more data” versus respecting their users:

Having this enabled for more people ensures that there are more people contributing to aggregates, which in turn improves utility. Having this on by default both demands stronger privacy protections — primarily smaller epsilon values and more noise — but it also enables those stronger protections, because there are more people participating. In effect, people are hiding in a larger crowd.

In short, they pulled a “trust us, bro” and turned an experimental tracking system on by default. They fully deserve to be taken to task over this.

As with most things, it gets easier with practice. After enough practice, you’ll find many of the actions and reactions of driving will become habits you do automatically. Which is one of the reasons it’s a good idea to practice good habits now, as practice makes permanent. Take your time, and try to be predictable to other drivers (use your signals, don’t make radical maneuvers). And don’t let the assholes who think the horn is an “I’m annoyed at you” button get to you. Fuck them and the camel that came on them. Take your time and make sure you are driving your car in a way you can control.

As for learning on a manual, yes that increases the difficulty. Depending on the specific vehicle, it can make it easier or harder. Some clutches will let you get away with murder, others will murder you for being less than perfect. Many years ago, my brother owned a car with a clutch that was just brutal. It would go from “not engaging” to “fully engaged” within the slightest movement. My truck, on the other hand, the clutch was so forgiving, you damn near couldn’t stall it. Thankfully, I learned to drive a stick on my truck and when I tried my brother’s car, it took a lot less time to get used to it. As above, take your time and it will come to you with practice.

Are there seriously no lemmy users on a Mac?

Artist are probably still on Reddit to access the larger user base.

Widespread IPv6 adoption is right there with the year of the Linux desktop. It’s a good idea, it’s always Coming Soon™ and it’s probably never going to actually happen. People are stubborn and thanks to things like NAT and CGNAT, the main reason to switch is gone. Sure, address exhaustion may still happen. And not having to fiddle with things like NAT (and fuck CGNAT) would be nice. But, until the cost of keeping IPv4 far outweighs the cost of everything running IPv6 (despite nearly everything doing it now), IPv4 will just keep shambling on, like a zombie in a bad horror flick.

While the broader cybersecurity field has seen rapid advancements, such as AI-driven endpoint security

Ya, about that “AI-driven endpoint security”, it does a fantastic job of generating false positives and low value alerts. I swear, I’m to the point where vendors start talking about the “AI driven security” in their products and I mentally check out. It’s almost universally crap. I’m sure it will be useful someday, but goddamn I’m tired of running down alerts which come with almost zero supporting evidence, pointing to “something happened, maybe.” AI for helping write queries in security tools? Ya, good stuff. But, until models do a better job explaining themselves and not going off on flights of fancy, they’ll do more to increase alert fatigue than security.

One idea to always go back to is:

Extraordinary claims require extraordinary evidence

• Carl Sagan

This can be tough to evaluate sometimes, but it’s a good general idea.

Does the claim sit outside the natural world as currently understood by scientific theory?
If yes, then there’s going to need to be a lot of evidence. If not, the level of evidence is lower.

Does the claim involve a low probability event?
If yes, then more evidence is needed of that event.

Does the claimant have a stake in the claim?
For example, does the person get money, fame or other stuff by getting people to believe the claim? If so, more evidence should be required.

What type of evidence would you expect to see, if the claim were correct?
When things exist, they tend to leave evidence of their existence. Bones, ruins, written records, etc. If someone says something exists, or used to exist, but they should have archeological/anthropological evidence to back it up.

Sure, it’s always going to be a bit subjective as to what requires proof. And for a lot of low stakes things, there’s no point in going after it. If someone claims to be from Pitcairn, then what’s the point of questioning it? Just say, “huh, cool” and move on. If someone is trying to convince you that an historical figure existed, and that should effect how you see the world, maybe ask for as bit more evidence.

While I hate the idea of people losing their jobs, stepping back for a moment and looking at what they are claiming, its not terribly surprising:

Spencer said the roles affect mostly corporate and support functions

When companies merge, this is kinda needed. You don’t need two fully functional HR departments. While the HR staff from the buying company will likely need to expand, it won’t be by the same amount as the HR department of the company being bought. As network functions are merged, you probably don’t need all of the IT staff which came with the merger. A lot of management functions likely end up merged, meaning redundancies. And this sort of thing is going to move through a lot of the non-project work functions of the company.

Yes it sucks. But, it’s to be expected in a merger. Now, whether or not we want this level of consolidation, that’s a different ball of wax entirely. The last thing we need is more studios falling under the sway of these massive companies. That’s the thing which should be drawing our ire.

The fact that the OS is replaceable sealed the deal for me.

And the default OS isn’t locked down and doesn’t try to prevent you from doing other stuff with it. What you want to do isn’t in the Steam interface? Switch over to desktop mode and you have full access to the underlying OS.

My only complaint with the Steamdeck is that I find using the touchpad on the right side for long gaming sessions hurts my hands. I 3d printed some grips which help; but, I think my hands just don’t like the orientation. Still love my deck though.

Not really. IP addresses are really easy to change. And doubtless the threat actors will see that their IPs have been identified and will roll them over soon. The solution is to go after the tactics the attackers are using:

The attack chains exploit known security vulnerabilities and misconfigurations, such as weak credentials, to obtain an initial foothold and execute arbitrary code on susceptible instances.

1. Install your updates. If you have a server open to the internet and you haven’t patched known exploited vulnerabilities, you deserve to have your network ransomed.
2. Many products have either vendor provided or useful third party security configuration guides. While there are situations where business processes prevent some configuration changes, these guides should be followed when possible. And weak passwords should not be on that list.

EDIT: for Oracle Web Logic, you do a lot worse that going through the DoD STIG for it.

I was always terrible with knots growing up. My father spent far too much time trying to teach me a basic trucker’s hitch and sadly never got to see me really “get it”. Then, when my own son was in Cub Scouts and supposed to learn some basic knots, something just clicked in my mind and I took an interest. The bowline was the gateway knot for me and learning that led me to finally apply myself to the trucker’s hitch. Just such a useful pair for tying up a load. I can understand why my father really wanted me to learn it.

Now, I keep a length of paracord on my desk and will fiddle with it, practicing knots whenever I’m doing something that leaves my hands free. And ya, having a basic set of knots down is just damned handy.

I would assume they have some basic stuff running 24x7. I can’t imagine a network which doesn’t have Endpoint Detection and Response (EDR) running 24x7 these days. There’s also things like firewall logs, which are almost certainly being captured (or at least netflow). Stuff like screen recording and mouse monitoring is probably saved for extreme cases. That said, my own experience has been pretty close to:

We’re not going to look over your shoulder while you watch YouTube videos but if we notice you’re watching a lot of or you start visiting porn sites, we’re going to start monitoring you.

Quite frankly, no one’s got time for that shit. I work at an organization with a bit north of 25,000 employees, and we have less than a dozen security analysts. While I could run a search against our firewall logs and see evidence of folks dicking around. I have much better things to do, like running down abnormal processes and writing up reports on users who got their systems infected while dicking around. And that’s really the way it comes to our attention, most of the time. Someone is out trying to download movies or software on their work laptop (you’d think people would know better…) and they pickup malware. We get an alert and start investigating. While trying to determine the source, we pull browser history and see the user out on “SketchyMovieSite[.]xyz”. And then their dicking around becomes our problem, mostly because the site had a malicious redirect, which is where the infection came from.

So ya, they may not be looking, but I’d always bet they are recording. Logging isn’t useful if it isn’t recording at the time of the compromise.