@emma @whitequark @glyph @mcc Precisely. This is why I am so adamantly against mandatory 2FA and pushes for device-based authentication. It's inaccessible to and discriminatory against anyone for whom "something you have" is not tenable. Refugees crossing borders. Unhoused people subject to police confiscation of belongings. Children of abusive parents. Adults with abusive partners. Elders with abusive caretakers. Etc.
Conversation
Notices
-
Embed this notice
Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 31-Dec-2024 18:16:13 JST 
Rich Felker
-
Embed this notice
Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 31-Dec-2024 18:19:18 JST
Rich Felker
@whitequark @emma @glyph @mcc Yes, as long as you can store them on a general purpose computer you can backup and move data around on, rather than just in black boxes, they are viable.
-
Embed this notice
✧✦✶✷Catherine✷✶✦✧ (whitequark@mastodon.social)'s status on Tuesday, 31-Dec-2024 18:19:19 JST 
✧✦✶✷Catherine✷✶✦✧
@dalias @emma @glyph @mcc as a refugee who had to cross borders i am fine with passkeys because passkeys do not have the problem you are describing
-
Embed this notice
Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 31-Dec-2024 18:19:58 JST
Rich Felker
@whitequark @emma @glyph @mcc If they help get rid of SMS 1FA I'll be thankful for that. I'm not holding my breath tho.
-
Embed this notice
✧✦✶✷Catherine✷✶✦✧ (whitequark@mastodon.social)'s status on Tuesday, 31-Dec-2024 18:19:59 JST
✧✦✶✷Catherine✷✶✦✧
@dalias @emma @glyph @mcc in fact, *because* passkeys are seen as strong as SMS-based MFA, passkeys provide a vast advantage to me, someone who has repeatedly lost access to accounts due to stupid phone number shenanigans
i hope every bank i have adopts passkeys asap
-
Embed this notice
Glyph (glyph@mastodon.social)'s status on Tuesday, 31-Dec-2024 18:30:40 JST 
Glyph
@dalias @whitequark @emma @mcc But passwords are WAY worse than I think you're realizing, even with extremely good password manager hygiene (which is punishingly difficult to maintain)
-
Embed this notice
Glyph (glyph@mastodon.social)'s status on Tuesday, 31-Dec-2024 18:30:40 JST
Glyph
@dalias @whitequark @emma @mcc and at some point, you do have to just start discriminating against people. I think that unhoused people and refugees in camps need to be given dignity and respect and resources, but I also do not think that we should lead with giving them all administrative force-push access to the repos for openssh
-
Embed this notice
Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 31-Dec-2024 18:30:40 JST
Rich Felker
@glyph @whitequark @emma @mcc Well then we just have a fundamental difference of values.
I don't buy into the whole "supply chain" bs. GitHub is not to pull-and-execute from. It's where development takes place. We don't have to fuck actual people over so corporations can more safely exploit their free labor.
-
Embed this notice
Glyph (glyph@mastodon.social)'s status on Tuesday, 31-Dec-2024 18:30:41 JST
Glyph
@dalias @whitequark @emma @mcc I can think of a couple of sites where I've been able to ditch SMS 1FA in favor of passkeys. it's slow going because the biggest problem with SMS 1FA is incompetent financial institutions, and that's a problem that the auth vendors can't solve.
I should note that there ARE people for whom device instability is so bad that they really shouldn't be using passkeys ( c.f. https://glammr.us/@jessamyn/113743765591001673 ) and educating those folks is a big challenge. They're not perfect.
Rich Felker repeated this. -
Embed this notice
✧✦✶✷Catherine✷✶✦✧ (whitequark@mastodon.social)'s status on Tuesday, 31-Dec-2024 18:37:32 JST
✧✦✶✷Catherine✷✶✦✧
@dalias @glyph @emma @mcc fwiw I'm kind of in betweent these positions
GitHub or whatever is where development takes place from
but also, GitHub is where probably millions of people people grab .exe's from and run them unsandboxed
I wouldn't want to be the vector through which someone else gets their life fucked
-
Embed this notice
Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 31-Dec-2024 18:37:32 JST
Rich Felker
@whitequark @glyph @emma @mcc As someone publishing software on github intended to be downloaded as exes and run, I would say the responsible thing to do is not have weak authentication likely to get popped.
OTOH I don't accept that it's github's business to impose this on everyone who might be developing personal hobby projects and might be at risk of losing their account due to 2FA requirements.
-
Embed this notice
Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 31-Dec-2024 18:39:35 JST
Rich Felker
@glyph @whitequark @emma @mcc The problem with (4) is that the parties imposing these requirements don't actually know the scenarios, and can't.
GitHub isn't distinguishing "my personal hobby game" from "critical component everyone is curlbashing".
So they end up imposing the discriminatory requirements on everyone.
-
Embed this notice
✧✦✶✷Catherine✷✶✦✧ (whitequark@mastodon.social)'s status on Tuesday, 31-Dec-2024 18:39:36 JST
✧✦✶✷Catherine✷✶✦✧
@glyph @dalias @emma @mcc (this seems like a jarring strawman to me)
-
Embed this notice
Glyph (glyph@mastodon.social)'s status on Tuesday, 31-Dec-2024 18:39:36 JST
Glyph
@whitequark @dalias @emma @mcc sorry I may have made too big a logical leap here, let me back up
-
Embed this notice
Glyph (glyph@mastodon.social)'s status on Tuesday, 31-Dec-2024 18:39:36 JST
Glyph
@whitequark @dalias @emma @mcc
- there are people who demonstrably cannot maintain continuity of access to a passkey vault; they require password-based access to services they use
- these people are often in desperate and vulnerable situations
- higher-security mechanisms like passkeys (and MFA) should *usually* not be mandatory, in part to accommodate such people
- in certain scenarios, where higher security is required, requiring them is reasonable, which means those people get excluded
Rich Felker repeated this. -
Embed this notice
✧✦✶✷Catherine✷✶✦✧ (whitequark@mastodon.social)'s status on Tuesday, 31-Dec-2024 18:39:59 JST
✧✦✶✷Catherine✷✶✦✧
@glyph @dalias @emma @mcc yeah, this is what I assumed you meant, but not really what you wrote
I'm kind of upset about having mandatory 2FA enabled on PyPI because my software got too popular (today it's mandatory for everyone I think, but initially it was a punishment for being good at OSS) but with keepassxc's TOTP support it's fine I guess
-
Embed this notice
✧✦✶✷Catherine✷✶✦✧ (whitequark@mastodon.social)'s status on Tuesday, 31-Dec-2024 18:41:54 JST
✧✦✶✷Catherine✷✶✦✧
@dalias @glyph @emma @mcc "simply don't get phished" is not a viable security strategy on social scale
-
Embed this notice
Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 31-Dec-2024 18:41:54 JST
Rich Felker
@whitequark @glyph @emma @mcc The problem is that folks are insisting on one-size-fits-all "social scale" solutions to people whose minds, behaviors, needs, etc. are vastly different from one another.
-
Embed this notice
Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 31-Dec-2024 18:45:53 JST
Rich Felker
@whitequark @glyph @emma @mcc One thing that might make passkeys viable even for people who can't store them is if the system admits brainwallet style passkeys (i.e. derived with KDF from a passphrase). I'm not sure if this is possible and kinda doubt it, since there's PKI involved and they're probably signed by the other party. But maybe tooling could be made to store the public part in content-addressed storage, addressed by public key...
-
Embed this notice
Glyph (glyph@mastodon.social)'s status on Tuesday, 31-Dec-2024 18:46:18 JST
Glyph
@dalias @whitequark @emma @mcc the last public talk I gave was kinda about this :) and it's very complicated and nuanced, with a lot of moving parts, a lot fo which have to do with how permission primitives work with respect to code execution on pretty much every modern platform.
-
Embed this notice
Glyph (glyph@mastodon.social)'s status on Tuesday, 31-Dec-2024 18:46:18 JST
Glyph
@dalias @whitequark @emma @mcc but I do think it's illuminating to consider that PyPI, which is run by a nonprofit, stewarded by the community, and has an extremely different set of motivations and constraints, came to more or less the exact same conclusion as Microsoft (née Github) did, which I think at least *hints* at a real problem that bears consideration here
Rich Felker repeated this. -
Embed this notice
✧✦✶✷Catherine✷✶✦✧ (whitequark@mastodon.social)'s status on Tuesday, 31-Dec-2024 18:46:18 JST
✧✦✶✷Catherine✷✶✦✧
@glyph @dalias @emma @mcc I actually have no idea what was the decisionmaking behind PyPI's decisions and if I had to guess I would feel that some industry pressure probably came into it. do you know what the reasoning was? I'd be interested
-
Embed this notice
Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 31-Dec-2024 18:56:43 JST
Rich Felker
@glyph @whitequark @emma @mcc This is one of the reasons I'm such an advocate for distros rather than obtaining software directly from an author/maintainer/publisher.
-
Embed this notice
✧✦✶✷Catherine✷✶✦✧ (whitequark@mastodon.social)'s status on Tuesday, 31-Dec-2024 18:56:44 JST
✧✦✶✷Catherine✷✶✦✧
@glyph @dalias @emma @mcc something I find useful to keep in mind, for myself, is that I'm in technology because it is an almost unbounded force multiplier
between various packages, software I wrote has been downloaded over _eight billion_ times
that's a lot of potential for malice.
-
Embed this notice
Glyph (glyph@mastodon.social)'s status on Tuesday, 31-Dec-2024 18:56:44 JST
Glyph
@whitequark @dalias @emma @mcc I feel this burden quite heavily already and wow that is a _lot_ more than me :)
-
Embed this notice
ティージェーグレェ (teajaygrey@snac.bsd.cafe)'s status on Tuesday, 31-Dec-2024 18:57:22 JST 
ティージェーグレェ
Believe me, as someone who had two devices pocket "smart" phones die on me this year, so-called "device instability" is a real problem.
But educating me? I'm only on a first name basis with a handful of PhDs in cryptography.
Good thing I am also still a student and open to education.
But might I ask: have you ever been incarcerated or had all of your physical possessions forcibly removed from you?
Because I have and I was still able to regain access to accounts despite that.
Some authentication choices are chosen deliberately for threat models that I don't think passkeys are even beginning to try to comprehend.
There are a lot of authentication mechanisms I avoid because they have extremely bad failure modes.
But I am not here to teach lessons in those to people who think that I need more education, unless you're paying my tuition for me because I already am in debt and homeless.
Meanwhile, to borrow a phrase from a past coworker: "we now have more people [developers] creating problems than we have people [ops] capable of fixing them."
CC: @dalias@hachyderm.io @whitequark@mastodon.social @emma@orbital.horse @mcc@mastodon.socialRich Felker repeated this. -
Embed this notice
Glyph (glyph@mastodon.social)'s status on Tuesday, 31-Dec-2024 18:58:25 JST
Glyph
@teajaygrey @dalias @whitequark @emma @mcc when I say "them" I am talking about people who are in this situation and inadvertently selecting passkeys and locking themselves out, who do not understand the nuances of the passkeys threat model (because it is poorly communicated! because vendors are not investing in education in even a tiny fraction of what they invest in product! not their fault!) but it does not sound like you are anywhere near that demographic
-
Embed this notice
Glyph (glyph@mastodon.social)'s status on Tuesday, 31-Dec-2024 19:15:50 JST
Glyph
@dalias @whitequark @emma @mcc okay it is nearly 2AM where I am so I am going to take a deep breath and put a pin in that, because I _super_ do not have the time to get into why distros should not exist and why the incentive structures of the community and the industry are such that they do the _opposite_ of this (distros create accountability drains so everyone can avoid responsibility, not robust institutions that can be depended upon). see this classic for the intro: https://alexgaynor.net/2015/mar/30/red-hat-open-source-community/
Rich Felker repeated this. -
Embed this notice
Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 31-Dec-2024 19:15:50 JST
Rich Felker
@glyph @whitequark @emma @mcc Again, fundamental disagreement of values...
-
Embed this notice
✧✦✶✷Catherine✷✶✦✧ (whitequark@mastodon.social)'s status on Tuesday, 31-Dec-2024 19:16:24 JST
✧✦✶✷Catherine✷✶✦✧
@glyph @dalias @emma @mcc i'm going to go ahead and say that anyone who uses my software from a distro Must, and that is a capital-M must, obtain all support from the distro itself
the distro is of course free to obtain support from me
-
Embed this notice
All GNU social JP content and data are available under the