fushuan

But... PAKE is used as a method for ongoing exchange of messages, you wouldnt avoid using a password when authenticating, which is the whole point of this debacle.

In really don't see it that complex, in my last job IT installed a passkey in my laptop, which then Microsoft used to login and thorough its SSO, I just stopped using passwords altogether after logging into my PC itself. This is way more secure for the average Joe than having 5 postists with passwords pasted in the sides of the monitors. Yes this is way more common then you think, there's a reason passwords need to be rotated all the freaking time.

Once rolled out, workers didn't have to do anything to authenticate, as long as they were using the work laptop the company assumed that the used was the one using it, since the laptop was registered to the user, and it was way more comfortable.

It's not really that hard to explain to people. Sending passwords is insecure because if an attacker gets the password, you lost. With passkeys, once you set it up, google/microsoft/pepapig.com will send a request to authenticate to your phone, where you will just say "yes" and they will talk with each other to give you access. If an attacker gets hold of that message, it doesn't get anything of value because each time pepwpig.com and your phone talk with each other, they say different stuff and the attacker would just have yesterday's responses, so they lose.

Old people won't adopt it unless forced, just like they adopted special passwords by adding 1 and * to whatever stupid word they use and writing it next to their work monitor, in the office. They just won't. Either IT automates everything for them or anything we develop will get completely bypassed.

It's like the initial authentication, where server and clientnexchange a symmetrical key with their asymmetrical keys. The difference is that in that exchange the server and the client meet for the first time whereas the point of pass keys is that once when you were already authenticated, you validated the device or whatever will hold the private key as a valid source, so then when the authentication code gets exchanged, both ends can verify that the other end is who they tell is, and both can verify the other end as valid, and thus that exchange authenticates you because you, in the past, while authenticated, trusted that device as valid.

Technically, yeah, it's an asymmetrical key exchange. Iirc the server sends you a signed certificate and you need to unencrypt itnwithbtheir public key and sign it with your private key, so they can the getnit back and ensure that it was you who signed it, using your public key to check the validity of whatever was sent.

I don't know enough to be 100% corrextbon the details, but the idea is that it's an interaction between asymmetrical keys.

Soporta like how we use keysbto authenticate through github through SSL, but with an extra level of security where the server validates a key in a single endpoint, not wherever that private key would be held (like with SSL)

I'm going to get technical. A registered passkey is basically your phone or whatever holding a private key and the server holding the public one. When you want to log in, you enter the username on the service, which contacts wherever you registered it, and asks for a verification. Then, the device creates a nonce, which is a random number to be used once (NumberONCE), and a copy of that number encrypted with the private key. Then, the service can unencrypt the piece and check that the value is the same as the unencrypted value. This process is called a digital signature, it's a way for online processes to verify the sender of whatever.

This way, the server knows that whoever is trying to authenticate is doing it from the authorised device. The difference between sending a signed nonce and a password, is that is someone steals the signed nonce they get nothing, since usually that number gets registered somewhere so it's not valid again or something, it's not exactly as explained but the point is that whatever is sent can't be sent again. Something like a timestamp in milliseconds where it will be obvious that the signature would have expired. If an attacker captures the authentication attempt, with passwords they get the actual password and can the use it again whenever, while with nonces, they can't.

Iirc, the server sends the device a code and the device must send the signed code back, so the service knows that the one trying to authenticate is the device. No need for passwords.

Now, if you need to authenticate to gain access to that private key, that's of course an attack vector, so if you want any kind of syncronisation of passkeys, you need to make sure that you don't need to send a password to get the pkeys. I use bitwarden, and unless I misunderstood, you don't authenticate against the bitwarden server, when you access your vault they actually give you you the encrypted data, which you then unencrypt with the password locally on the browser. I'll have to double checknon this because I have a 2fa on that for extra measure butidk how it actually works. My plan for the future is to actually use a yubikey to authenticate against bitwarden, following the same logic explained above, to then gain access to a bigger pool of passkeys. This way, ultimately all access is protected with my physical key which I can connect to most devices I use, and I can, with NFC use the key to authenticate the android bitwarden app, so it should be completely usable.

In any case, passkeys are better than passwords, provided toy don't store them in a less secure place. As we all know, the security level of a system is the security level of its weakest cog.

Wdym, once you fine the book you can download it, and if it's in a blog format you an either copy the text or save the webpage.

Come on it's 2024 it's not like people don't know how to use what q computer offers.

All they care about is the unborn. The moment those kids are born their care goes out of the window anyways.

Android is a OS with several phone brands. IPhone is a phone, a single phone, with a single OS that works with it, iOS.

It is expected that swapping OS is a pain, what's not expected is that the whole ecosystem of all apple machines use an isolated software too.

If you like the interface but the data predictions start to not work, you can investigate and see if they provide any other weather source more accurate for your zone. That's the beauty of the provider agnostic apps, that their focus goes into the information presentation and the content itself can be swapped into whatever works for you.

It got my hyped up when I saw you can have custom sources of weather, but according to github it doesn't support the public Spanish provider, AEMET, so weawow it is for now.

Prices are adjusted form profit of course but there's also the workforce cost. Maintenance and support workers need to be paid accordingly to what people of the country earn.

If you factor that the 'reasonable profit' should also be scaled around the median income, the prices now make sense.

Now, you could say that both of those are inflated for excessive profit, but that's another discussion.

Considering that, according to a consultancy I worked for, indian workers were 9 times as cheap as spaniards (comparing workers in our company), and spaniards are one of the chespest in europe, i'd say that the indian price is more expensive accounting income.

You say even more, as if it was comical to begin with. But yeah, it's annoying sometimes but I'm not dropping 1k for a new GPU anytime soon, I'll have to suffice with the one I have. Yeah I do update them weekly almost, every time I do yay there's a new driver version, it updates and it works. No major issues besides the explicit sync but that's being fixed soon and I installed a patch so yeah.

For sure I spent more time customising it than I did in windows, but that's kind of the point isn't it? Linux is about that, windows is not supposed to be. I don't mind spending time customising and tinkering if I know that a megacorp isn't taking my data. That was the trade-off, data and money for convenience. Now that convenience has been reduced and the data has increased, it's not worth it for me anymore.

So yeah, with windows you need to work against the system, disabling stuff that they intend to ship that is harmful, while on Linux you work with the system, tinkering and customising stuff the way you like it, with the defaults being a community thing, not a megacorp thing.

Cool, as stated though, I would have persevered if it wasn’t for the vertical taskbar being removed. Oh you can't have the main taskbar only be shown in the secondary monitor either. Look, I get that they are implementing features and apps are adapting and all that, but these features missing make it feel like a regression, alongside weird interactions with sound volumes I'm having in my work laptop where even if I change the volume, it gets lowered again and I have disabled all the features that let apps take control, dunno.

I'm a developer, I get that beginnings are kinda rocky, but that's what I expect from a FOSS product, not a paid one. Is it weird that I feel that it's unreasonable to get out of beta with all these kind of issues? To suggest very aggressively to upgrade? Specially when the upgrade was free for all the win10 users? It's not like they had a big monetary incentive to push the release forward.

Win10 might have had tons of security holes and the cortana stuff, but it was really configurable, you could format the start menu as the win8 panel, as the simple win7 panel, or as the hybrid win10 panel natively, you could move the taskbar to wherever you wanted, across multiple screens, configure it as you liked natively. Now you need to install 3rd party stuff to emulate half baked imitations of those features, and if security holes appear in those products microsoft won't fix them. Win 11 feels way too restrictive, in a way that I feel like it takes a lot of decisions not for me, but from me, and I really dislike that.

Yeah, I know that the win10 panels can be re-enabled through the registry, but until how long will they be patched? They are clearly deprecated.

Anyway, sorry for the rambling, I'm happy that you like the product.