dedime's recent activity

  1. Comment on A future without passwords in ~tech

    dedime

    I can't really trust Google, despite all of their claims that keeping you safe online is their top priority. Get ready for a Stallman-esque rant, because true safety starts with open source and trusting the code you're running.

    Take everything I'm about to say about Google's capabilities with a grain of salt - to the best of our knowledge, this is what Google is capable of doing. This is not to say they are doing it, or are even capable of doing it, but the possibility is there and we have no way to determine otherwise.

    For one, Google can log into your account. They can also provide others access to your account. Anything you have stored in your account - photos, videos, emails, passwords, search history, messages, location history, browser history, contacts, apps installed - Google can access this at any time without barriers. Crucially, this means your passwords are not secret as they are (mathematically / encryption wise, not necessarily in practice) accessible by others. If Google cared, you could encrypt all of this information with a secret key only accessible to you. In fact, AFAIK the only Google product you can do this with is Chrome's Sync Passphrase, which you can use to encrypt all your Chrome data (browser history, passwords, form data, etc.). This is commendable, except for the fact that Google Chrome is closed source with no way to reproduce their builds, so you really can't even trust that they're doing this properly / at all, unless you're down to decompile the source code and verify yourself (every release).

    Two, Google is A-OK with making your account less secure without your consent. This is not a good model for security. As an example, I had a strong password to my Google account and TOTP as my second factor. TOTP is fantastic, as it relies on a shared secret with easily provable security parameters. It can be phished, but so can other second factors. Google took it upon themselves to add an additional second factor, their device based prompts. They also made it the default. This actually decreased my security posture, as now I have more second factor methods of authenticating my Google account. I also can't disable this feature. The only way to disable it would be to switch my phone from Google's Android to iOS or another OS. Why can't I disable this??? It's maddening.

    Third, perfect secrecy has been solved since the invention of the one-time-pad, everything else has been icing on the cake. I'd be perfectly happy if they could use information-theoretic secure encryption. Do it right, do it in the open, let the privacy-interested people take back their privacy and security into their own hands, and offer less-secure shortcuts for people who want it to be easy. If keeping you safe online was their top priority, they would have implemented this already. Instead, "keeping you safe online is our number one priority" is a bold faced lie. They should say "Keeping your personal data minable for our own purposes is our top priority. Keeping your personal data private would be nice too, we'll try our best but please recognize we won't encrypt your data unless we can get ahold of a copy of the key."

    Google doing personal data encryption right will never happen, but I still think about this a lot. There's no good (read: in my interest) reason to insecurely handle my data as they do, they just want to mine my data for money. You can provide all of the products that Google provides without violating people's privacy, yet here we are. I accept these imperfections because Google's services really are quite valuable, and I know they can't provide them for free, but it bugs me nonetheless.

    TL;DR: Google says trust us, ignoring the fact that their whole business is based on you using their closed source software which by definition you cannot trust.

    11 votes
  2. Comment on What programming/technical projects have you been working on? in ~comp

    dedime

    I've made a tiny program in Go to help move a file to the right location. It's intended to be a helper program for using Tiddlywiki.

    When using Tiddlywiki on Windows 10 Chrome, the default save location is %USERPROFILE%/Downloads/<wiki-name>.html. This makes sense, because you're downloading an HTML page and the default save location is in a user's download folder. However, I save my Tiddlywiki in %USERPROFILE%/Tiddlywiki. It is then synced from there to my other devices so I can access it anywhere. With my syncing program, I can't select individual files from a folder to sync - I have to sync the whole folder. This is where this program comes in: It runs in the background, waiting for the watched file path to be present, e.g. %USERPROFILE%/Downloads/<wiki-name>.html. When it sees writes to this file, it waits a user-configurable amount of time for the writes to finish (e.g. 2 seconds), then it moves the file to the desired location, e.g. %USERPROFILE%/Tiddlywiki/<wiki-name>.html

    I've even included a notification icon so you can quit the app when desired, and it won't take up an active window. It will just run in the background.

    It's being developed on Windows, but it should technically be cross-platform - all of the libraries I've used are cross platform AFAIK. The hardest part I've had to deal with is detecting when the file is done being written to - using fsnotify, you'll see the html file being written 2-4 times before it actually stops. I set a timer in the background that resets with each write, and after the timer expires it moves the file. It works well now, but I had some serious troubles getting the one timer to be shared (required 2 goroutines + chans, which are newish territory for me)

    3 votes
  3. Comment on Paul Graham's "How to Disagree" in ~humanities

    dedime

    A graphical version of Graham's idea: https://upload.wikimedia.org/wikipedia/commons/thumb/7/7c/Graham%27s_Hierarchy_of_Disagreement.svg/707px-Graham%27s_Hierarchy_of_Disagreement.svg.png

    I find myself thinking of this image when judging the soundness of arguments, particularly online. I can use it to determine whether someone is arguing something in good faith, or is simply trying to squirm their way out of their position. However, sometimes, on sites I generally trust - like this one - I find highly voted responses to controversial topics that fall into the bottom 3 of this pyramid. Clearly a lot of people are perfectly happy to accept these arguments.

    What do you think of this way of framing arguments? Is it a good way of judging arguments? Does it have problems?

    4 votes
  4. Comment on Beyond Calibri: Finding Microsoft’s next default font in ~design

    dedime

    I actually quite like Grandview. Spacing between letters (kerning?) is bang on, unlike Tenorite and Seaford. The 'i' with a square for the dit is pleasing. Skeena's italic font is ugly, almost like it's a computer font trying to be calligraphy. The only part I see as questionable is the ''' apostrophe, but to be honest I like it more than all of the alternatives. And there's something about it that's distinctly "Microsoft", even if I can't put my finger on it. Letter width is tight, which is pleasing to my eye.

    Bierstadt is a close second, with Tenorite being my third favorite. Seaford and Skeena are right out.

    10 votes
  5. Comment on Self hosting email at home? in ~comp

    dedime

    I'll give the standard warning you'll see in response to a lot of people who want to self host email: I've been told it's very difficult, time consuming, and fraught with errors, especially in regards to spam / spam filters. If you're looking for a reliable mail solution, you should not be self hosting your own email.

    That being said, for learning purposes it's an excellent exercise.

    If you're looking to "own" your own email, I recommend going with a free provider of an email service. For instance, I use Zoho - they allow me to bring my own domain, and allow you to configure SPF / DMARC however you please using DNS. It's set it and forget it, I haven't had to do any admin work on it since I've set it up.

    Side note - does anyone know of alternative free BYOD(omain) email providers other than Zoho? I'm pretty happy with them, but just curious.

    10 votes
  6. Comment on MathBox^2: PowerPoint Must Die in ~tech

    dedime

    I'm going to go throw rocks at my website now

    4 votes
  7. Comment on What have you been eating, drinking, and cooking? in ~food

    dedime

    I made another excellent focaccia loaf. This time, I added some chopped kalamata olives and rosemary on top for taste and garnish. I cooked it in a stainless 1/2th pan, I made the mistake of forgetting to put parchment paper down so it stuck quite a bit to the bottom of the pan. Once I got it out though, it tasted wonderful. If I just want a quick snack, I serve it with olive oil and balsamic vinegar. If I'm feeling fancy, I can get some nice Italian deli meats, make a tapenade, and go crazy with some other ingredients to make a sandwich.

    I used the same recipe and portions as I did last time, the biggest difference was the pan - I used a half sheet tray last time, which came out a little too thin for my liking. I wanted this one to be suitable to be cut in half for sandwiches, so I went with a slightly smaller pan (and a slightly longer cooking time). It worked out well, and it's a good thickness for sandwiches.

    I also made some cinnamon buns with cream cheese icing that came out exceedingly well.

    Getting a stand mixer has been a blessing! It's much easier to decide to bake things now that I don't have to worry as much about the effort of kneading or mixing manually.

    3 votes
  8. What does analog have that digital doesn't?

    I saw another Tildes thread that was discussing radio stations, and it threw me back to when I was very young and not totally digitized - the tactile feel of the dial as you click-click-click your way to your desired radio station, or the kind-of-subconscious-but-not-really memory you have of which buttons to press to jump to a saved frequency.

    What do you miss about analog controls and devices? What do you think we're missing out on in the digital age? If we're missing out, did we still make a leap forward into the digital age?

    25 votes
  9. Comment on Starting March 16, LastPass users on the free plan will only be able to use it on one "device type" (either PC or mobile) in ~tech

    dedime

    Syncthing is great, and would be a perfect fit for KeePass! In my case, it doesn't add any additional security as I copy my keyfile around via USB and never transmit it over the internet.

    3 votes
  10. Comment on Starting March 16, LastPass users on the free plan will only be able to use it on one "device type" (either PC or mobile) in ~tech

    dedime

    It's been a while since I've set it up, but it still works beautifully. In KeePassXC, the method for setting it up is the same as setting up any other TOTP but you select the toggle for "Steam token settings".

    The tough part is obtaining your secret key. Steam does not expose this to you in any obvious ways, however if you're technically inclined you'll be able to follow the following instructions to retrieve this secret key: https://github.com/SteamTimeIdler/stidler/wiki/Getting-your-%27shared_secret%27-code-for-use-with-Auto-Restarter-on-Mobile-Authentication#getting-shared-secret-from-steam-desktop-authenticator-windows

    6 votes
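
An added example (not part of the comment above, and not KeePassXC's or Steam's own code) of what the "Steam token settings" toggle changes relative to standard TOTP: both take the same RFC 6238 HMAC-SHA1 value over a 30-second counter, and only the final encoding differs. The key is the published RFC 6238 test key rather than a real secret, and the function names are illustrative.

```python
import hashlib
import hmac
import struct

# Constructed sample input: the RFC 6238 test key, not a real account secret.
RFC_TEST_KEY = b"12345678901234567890"

# Steam encodes the truncated value with 26 symbols instead of decimal digits.
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def truncated_hmac(key: bytes, unix_time: int, step: int = 30) -> int:
    """RFC 4226 dynamic truncation of HMAC-SHA1 over the time-step counter."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF


def totp(key: bytes, unix_time: int, digits: int = 6) -> str:
    """Standard TOTP: the truncated value reduced to N decimal digits."""
    return str(truncated_hmac(key, unix_time) % 10 ** digits).zfill(digits)


def steam_code(key: bytes, unix_time: int) -> str:
    """Steam variant: same truncated value, five base-26 symbols."""
    value = truncated_hmac(key, unix_time)
    out = []
    for _ in range(5):
        value, index = divmod(value, len(STEAM_ALPHABET))
        out.append(STEAM_ALPHABET[index])
    return "".join(out)


def verify(candidate: str, key: bytes, unix_time: int,
           encoder=totp, window: int = 1, step: int = 30) -> bool:
    """Accept a code from the current step or +/- `window` steps of drift.

    Every step in the window is checked with a constant-time comparison.
    """
    ok = False
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if t < 0:
            continue  # no time step exists before the Unix epoch
        expected = encoder(key, t)
        ok |= hmac.compare_digest(expected.encode(), candidate.encode())
    return ok


if __name__ == "__main__":
    now = 59  # RFC 6238 test time, falls in counter 1
    print("TOTP :", totp(RFC_TEST_KEY, now))
    print("Steam:", steam_code(RFC_TEST_KEY, now))
    print("one step later still valid:",
          verify(totp(RFC_TEST_KEY, now), RFC_TEST_KEY, now + 30))
```
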
  11. Comment on Starting March 16, LastPass users on the free plan will only be able to use it on one "device type" (either PC or mobile) in ~tech

    dedime

    I've made a lot of password manager recommendations in the past, and I still stand behind KeePass! I've been using this set up for almost 7 years. Specifically:

    • KeePassXC - for the desktop app. Available at https://keepassxc.org (Free, open source software)
    • KeePassXC-Browser - An extension for autofill in your browser of choice, on the chrome / firefox extension stores (Free, open source software)
    • Keepass2Android - An android app for opening KeePass databases, on the play store (Free, open source software)
    • Google Drive Sync (Or any file syncing program of your choice, it doesn't affect the security) - For syncing the encrypted password database file to all of your devices. This is secure, because the database file is encrypted. (Gratis, but closed source software)

    This complete solution provides you the following crucial features, ones that I use and appreciate daily:

    • Password syncing to all of your devices
    • Strong, verifiably secure encryption of your passwords
    • TOTP, both the standard version and Steam version
    • Autofill for usernames / password in your browser

    And it also boasts other useful features:

    • Support for hardware keys and key files, in addition to a password, for your password database (I use a key file that I physically copy, offline, to my devices)
    • CLI support
    • SSH-agent integration - Automatically add your SSH keys to SSH-agent when you unlock your password database. This is a godsend.
    • Dark mode (KeePassXC)
    • Completely free, open source software - Nobody is going to pull the rug out from under you, and insist you pay them to continue using the software. KeePassXC, Keepass2Android, and the KeePassXC-browser extensions are completely free, will always be free, and are here to stay.
    • No need to host your own servers - suitable for the tech-inexperienced

    This set up has been so useful for me I use it for things outside of just passwords. For example, I store my credit cards, clothing size measurements, SIN, driver's license information, and other useful information in my password database.

    20 votes
  12. Comment on What programming/technical projects have you been working on? in ~comp

    dedime

    RE acme clients, not sure if it'll work for your use case. But check out Caddy (v2)

    1 vote
  13. Comment on The Matrix Holiday Special (2020 Edition) in ~comp

    dedime

    I was speaking specifically to ease-of-use, interface wise I'd say Element is much closer to Discord than any other major platform. Maybe a pointless exercise, but if I had to rank major chat platform's UX on ease-of-use and polish it'd be this:

    Ease-of-use:

    1. Discord
    2. Slack
    3. Element
    4. Teams (I use it for work, I hate it, my coworkers hate it.)

    Polish:

    1. Slack / Discord
    2. Teams
    3. Element

    I'm pretty harsh on my beloved Element, but it's made such giant strides lately I can't help but imagine it'll be in the #1/2 spots in my mind this coming year. Besides, the world could use more optimism :)

    3 votes
  14. Comment on The Matrix Holiday Special (2020 Edition) in ~comp

    dedime

    Hmm, I think there's definitely a lot of room for improvement on the ease-of-use side but even still, it's pretty much comparable (in my eyes) to Slack. I wonder what the missing "elements" are from Element to make it awesome to use for non-technical users.

    4 votes
  15. Comment on The Matrix Holiday Special (2020 Edition) in ~comp

    dedime

    Truly an incredible update. I've been following matrix for years now, and since the beginning the technology (and company behind it) has never ceased to amaze me.

    In my opinion, Matrix is going to be reaching a turning point soon. They may already be in the middle of it, with major deployments in Europe. They've already nailed down the most crucial components of a major chat platform:

    • Default E2EE
    • FOSS
    • Federated
    • Self-hostable
    • A gorgeous client that's a pleasure to use
    • A user base

    and in the pipe there's even more crucial features coming soon

    • Social logins
    • Battle-tested massive scalability
    • An easy to deploy, low resource server (Dendrite / docker)

    As such, I predict in 2021 more and more businesses will switch from using expensive, bloated, or proprietary solutions like MS teams and Slack, and switch to Matrix. Especially as the element client continues to improve, which, all else considered, is probably the single most important aspect to nail. The train has left the station, and I really have no idea how competitors like Slack and Teams will convince people to stay on their platform when their competitor steamrolls them on freedom, features, privacy, UX, price, and data sovereignty.

    IMO, their biggest challenge, and one that major competitors like Slack and Teams have failed on or simply don't target, will be increasing personal usage. Matrix has a moderate amount of success with technical communities, but I would really love to see non-technical communities and users pop up more. Discord has really nailed this market, but I think with the right combination of features (social / anonymous login, screen sharing, user activity sharing, communities / spaces) they could also take over this market. The good news: The spec is ready for all of this and more.

    9 votes
  16. Comment on Why is Minecraft speedrunning so popular? - Speedrun Explained in ~games

    dedime

    Why is Minecraft speedrunning so popular? It's the most popular game in the world. Informative video, but the answer to the title seems a bit obvious.

    1 vote
  17. Comment on Your computer isn't yours in ~tech

    dedime

    There's absolutely no reason Apple or anybody else should ever be able to know what apps I'm using, without my explicit, prior, and optional consent. If I'm "Less Protected" from malware, so be it. Just make it optional, and preferably open source, and I'll be happy.

    4 votes
  18. Comment on Chrome will soon have its own dedicated certificate root store in ~comp

    dedime

    I'm not totally against this, but we need to be aware of the trust we're placing in Google, like the trust we placed in our OEM before.

    Google now has DOH available for Google Chrome. This is frequently set to use Google's servers. This, combined with a Google controlled root certificate store, means Google could theoretically MITM any HTTPS connection they desired. If Google really wanted, they could target your computer so that requests to e.g. https://yourbank.com resolve to their own (malicious) IP, HTTPS encrypted with their own falsely issued certificate that resides in their root certificate store. Unless the software you use is completely open source, from silicon to application level code, you can't really be sure they aren't already doing this.

    I'm sure there's caveats and other possibilities at play here, but to me the bottom line is we need to continue to aggressively support FOSS software, and especially FOSS software that deals with security, anonymity, and privacy. WireGuard and Matrix are two projects I follow in this space.

    6 votes
  19. Comment on Element to acquire Gitter and to switch it to use Matrix for communication in ~comp

    dedime

    This is very exciting news! I've been following matrix for a long time now, and I truly hope the best for them.

    My two biggest gripes with it right now:

    1. Their naming of products / brands is atrocious. "Gitter"? Great! Nothing will conflict with that. Easy to Google. "Matrix"? The movie? A mathematical array? Huh. How about "element"? Like, an element off the periodic table? The element of surprise? Fire, earth, wind, water? The skateboard brand? Huh? Their previous "riot" app wasn't any better either. When they announced they were switching to "element" I facepalmed.
    2. They need a faster server implementation - Python just doesn't cut it when it comes to speed nowadays, particularly for such "base" software. Dendrite, their Go implementation, seems to be getting close to beta though. That being said, I'm glad they have both - Python is easier to hack around in.
    10 votes