• 0 Posts
  • 33 Comments
Joined 4Y ago
Cake day: Jan 21, 2021


I don’t agree. As a single counter-example of many, YouTube has a huge wealth of information and content.

Maybe that value isn’t worth the ads, that is much harder to say for certain. But it is clear that there is some valuable information on some sites that are supported by ads.


They’ll brick your device if a part can’t be verified, so that isn’t much different than destroying it. Maybe they don’t require repair shops to hand over personal info, but they do require device identifiers so I wouldn’t be surprised if that is basically identical.



How exactly does Samsung police this? Surely the repair shop could just… not tattle?

Well there is a contract in place and there would be consequences for not upholding the agreement. Sure, they could probably get away with it for quite a while. But it likely isn’t worth the risk; they would rather just out Samsung as being a piece of shit and go on their merry way.

It would be pretty easy to catch this as well. Samsung can just occasionally submit a phone with a known third party part for repair and see if the expected report comes in.


I’m sure some people will demand it. But for 99.9% of the population you don’t need 1000Hz content. The main benefit is that whatever framerate your content is it will not have notable delay from the display refresh rate.

For example if you are watching 60Hz video on a 100Hz monitor you will get bad frame pacing. But on a 1000Hz monitor, even though it isn’t perfectly divisible, the 1/3ms delay isn’t perceptible.

VRR can help a lot here, but can fall apart if you have different content at different frame rates. For example a notification pops up and a frame is rendered but then your game finishes its frame and needs to wait until the next refresh cycle. Ideally the compositor would have waited for the game frame before flushing the notification but it doesn’t really know how long the game will take to render the next frame.

So really you just need your GPU to be able to composite at 1000Hz, you probably don’t need your game to render at 1000Hz. It isn’t really going to make much difference.

Basically at this point faster refresh rates just improve frame pacing when multiple things are on screen. Much like VRR does for single sources.


My biggest problem with hardware keys is replacement. If I lost one of my keys and got a replacement I would now need to go to a hundred sites and enroll the new key (and remove the old one). Until this workflow is automated I can only reasonably use hardware keys with a small number of “critical” accounts.

So for 99% of sites I’m going to use a synced software key.


But… PAKE is used as a method for ongoing exchange of messages

I don’t know what you mean.

I really don’t see it that complex, in my last job IT installed a passkey in my laptop

They can also install a randomly generated password just as easily.

Sending passwords is insecure because if an attacker gets the password, you lost

That is why you use a PAKE, you don’t send the password.

Old people won’t adopt it unless forced

They also won’t adopt passkeys unless forced. What is the difference?


https://en.wikipedia.org/wiki/Password-authenticated_key_agreement

Cloudflare also had a fairly good post a while ago about a newer PAKE algorithm: https://blog.cloudflare.com/opaque-oblivious-passwords

a scary amount of users are using the same rather weak password for lots of different accounts

This is true, but you can force them to use a random password just as easily as you can force them to use a randomly generated key. The end UX can look basically identical if you want it to. My point is that this is basically a UX problem. Instead of just making the change we are inventing this new protocol to shuffle along a UX change at the same time. Maybe part of this is because the change has major unaddressed downsides that would be too obvious to slip by if made as an incremental upgrade to passwords.

One team person does the login, adds a key, then lets the second team member put in their key and so on.

There is no reason you can’t have multiple passwords associated with an account.


I also find passkeys to be underwhelming and hope they don’t catch on. It seems like a huge mire of complexity for very little gain. It seems like there are two main goals here:

  1. Don’t send secrets to the server.
  2. Stop phishing.

Both great goals. However I wonder if we threw out the baby with the bathwater with passkeys.

A password manager is already a huge step to blocking phishing, because if the password doesn’t auto-fill you get super suspicious. If you push your user to randomly generate their passwords then they also don’t remember them so would have to look them up, then copy them over. If you are worried about users who are a risk to themselves you can make the route to extract a password from the password manager as complicated as you like.

As for not sending secrets to the server I think using a PAKE would have been a great option. If this was paired in a browser-integrated password manager it could be very secure. Think about some type of form field that can be filled with a password that isn’t accessible to the page itself. The browser would then tag the password as PAKE and never expose it to the page again.

Another cool thing about PAKEs is that they can also authenticate the server. TLS-integrated SRP was very cool like this as you could have a self-signed certificate but verify it by entering your username and password. The UX may not have been good enough for public sites but it was an amazingly easy and secure option for private sites. This would actually be more secure than a PKI-signed certificate as you aren’t risking CA compromise. That being said, integrating this with browsers with good UX may be quite difficult. I would love to see it.

But the biggest thing we lost was understandability. Even my grandmother understood what a password is. She knew how to back it up, how to transfer it to a new device. She could use it in two different browsers without setting up some multi-browser sync tool. She could write it in a notebook and log in at the library computer.

I really think that we should have just iterated on passwords. Switch to a PAKE and keep improving password-manager UX and pushing most users to auto-generated passwords. So much was lost by switching to a system that most users don’t understand.

I wrote a blog about this a while ago. https://kevincox.ca/2022/04/07/passwords/
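As an added illustration of the PAKE argument made in the two comments above (this is not code from the original page or from the linked blog), here is a toy SRP-6a exchange in Python: the server enrols only a salt and a verifier, the password never crosses the wire, and a server that does not hold the right verifier fails the client’s check, which is the server authentication the comment describes. The group is a constructed 64-bit safe prime generated at run time and the transcript hashing is simplified; RFC 5054 specifies the real groups and padding.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=16):
    # Miller-Rabin for n > 3; only used to build the demo group below
    s = ((n - 1) & (1 - n)).bit_length() - 1   # n - 1 = d * 2^s with d odd
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

while True:  # constructed toy group: 64-bit safe prime N = 2q + 1, generator g = 2
    q = secrets.randbits(63) | (1 << 62) | 1
    if is_probable_prime(q) and is_probable_prime(2 * q + 1):
        N, g = 2 * q + 1, 2   # real deployments use the large RFC 5054 groups instead
        break

def H(*parts):
    # Transcript hash over ints, str and bytes, each length-prefixed (toy, not RFC 5054 padding)
    h = hashlib.sha256()
    for p in parts:
        p = p.to_bytes(64, "big") if isinstance(p, int) else bytes(p, "utf8") if isinstance(p, str) else p
        h.update(len(p).to_bytes(4, "big") + p)
    return int.from_bytes(h.digest(), "big")

def register(identity, password):
    # Enrolment: the server keeps salt and verifier v = g^x, never x or the password
    salt = secrets.token_bytes(16)
    return {"id": identity, "salt": salt, "v": pow(g, H(salt, identity, password), N)}

def srp_login(record, typed_password):
    """One SRP-6a run; returns (client_ok, server_ok). The password is never transmitted."""
    k = H(N, g)
    a, b = secrets.randbelow(N - 2) + 1, secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                                         # client -> server
    B = (k * record["v"] + pow(g, b, N)) % N                 # server -> client, with salt
    u, x = H(A, B), H(record["salt"], record["id"], typed_password)  # x exists on the client only
    K_client = H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))
    K_server = H(pow(A * pow(record["v"], u, N) % N, b, N))  # from v, never from x
    M1 = H(A, B, K_client)                                   # client proves first
    server_ok = M1 == H(A, B, K_server)
    return server_ok and H(A, M1, K_server) == H(A, M1, K_client), server_ok  # M2 only on success
```

A wrong password fails on both sides, and a server holding a verifier for some other password fails the client’s check even though it never saw the real password.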




This seems like non-news. If a provider sends a notable amount of spam they will be blocked.

I do hope that they are careful to avoid personal mail servers that send 10 messages getting blocked if 1 is marked as spam.


This has been a feature of Google Ads forever. It isn’t even “found a way” it is just a box to fill in the ad manager.

Presumably this is so that they can use tracking links to analyze the performance of the ad without making the URL “ugly”. But it is easy to abuse. (Although I think Google attempts to do some checks, but of course those are always going to be unreliable.)


Have you read the article? https://www.theguardian.com/world/2023/jul/06/canada-judge-thumbs-up-emoji-sign-contract. I think that the thumbs up was actually pretty clear in this case. He had a history of accepting contracts which had already been discussed verbally with a short text like “Ok” or “Looks good”. It seems very likely that “👍” meant the same thing.

Emoji doesn’t have anything to do with it. The fact is that he was responding to a legal agreement informally. There is really no difference between “Looks good” and “👍”. This is only a story because he tried to weasel out when the price shot up.



This article references another article: https://www.theguardian.com/world/2023/jul/06/canada-judge-thumbs-up-emoji-sign-contract

Apparently the message was an image of the contract and “please confirm flax contract”. Seems like the most likely interpretation of the 👍 is agreeing to the contract, not confirming receipt.


A lot of people don’t understand that there is nothing magical about a written contract with a signature. If you agree to something you have a contract. It doesn’t matter if it is written, spoken, gestured or anything else. Written contracts with signatures are often preferred because it is very clear that there was an agreement and what was agreed to. But just about any method of agreeing is just as binding.


Well at some point the fetus becomes a human and abortion becomes murder. There is a lot of debate where that line is.



Yes. You really should treat anything you post on Lemmy (or anywhere else that isn’t E2E Encrypted) as public.

This is also why Lemmy recommends against using Lemmy direct messages and recommends Matrix with E2EE instead.


I understand what you are saying but I don’t think that having every company coming up with their own definition of morality is the right solution. The only goal of these companies is to create profit, and I doubt that their definition of morality will be overall beneficial.


IANAL but it depends. In the US there is strong protection for the contents of your mind and self-incrimination. So if your keys were locked behind a strong password the legal system wouldn’t be able to access it. But if you had no password they would be able to seize the device and read the messages.

So basically, if the messages are inaccessible other than via a secret that you know, then yes, you wouldn’t be forced to reveal it.


This is what I can agree with. We could blame Meta for encouraging people to give them data. Messenger does actually have E2EE encryption (apparently) but it is quite hidden and limited in functionality. If they made it the default this wouldn’t have been a position they ended up in, and they could have responded to the warrant with “We have no information matching this request.”


Good luck with that. The way voting works in the US basically guarantees a 2-party race. With only 2 parties you end up having policies grouped into these huge bundles, so making an actual decision on any particular issue is incredibly difficult. (Unless you are a billionaire and want to lobby a party for a law)


IIUC no. All of the US and some allied countries respect court orders. In general evidence can be collected worldwide as long as the crime was committed where it is a crime.

But IANAL.


Almost all countries have similar systems for obtaining evidence. These people were criminals, they broke the law and the legal system worked as designed to bring them to “justice”. Meta was just a pawn here with very little influence.

If this story was about a murder rather than an abortion people would think that Meta did the right thing to bring the murderer to justice. As I see it the problem is that people disagree with the law and are using Meta as a scapegoat. But you don’t fix stupid laws by having corporations go vigilante. I’d rather not have billionaires coming up with their own set of laws, that is a recipe for disaster. I think we need to fix the laws, which will fix the root cause of this issue.

Also use E2EE for all private information; cryptography can’t be compelled by a court order to reveal your private data.


If law enforcement knocks on my door with a valid warrant I’m going to comply. It would be nice to have some legal assistance to help validate the warrant but at the end of the day in this case it was almost certainly valid.

If this was about a murder rather than abortion people would be applauding Meta for helping catch the murderer. I think what people are actually mad about is the law, and they are using Meta as a scapegoat.

But at the end of the day E2EE is the best solution here. Don’t give private data to others, they can’t be trusted because they can be compelled by the law.


They are just complying with the law here. As much as I don’t think Meta are great people I’d rather that they follow the law than make their own decisions. Of course we should also consider fixing these laws, but that isn’t really Meta’s responsibility.


People are getting all upset at Facebook/Meta here but they were served a valid warrant. I don’t think there is much to get mad about them here. The takeaway I get is this:

Avoid giving data to others. No matter how trustworthy they are (not that Meta is) they can be legally compelled to release it. Trust only in cryptography.

There is of course the other question of if abortion being illegal is a policy that most people agree with…but that is a whole different kettle of fish that I won’t get into here.



What’s the difference between adding a screen to the left and right? Last I recall the Pixel launcher remembers the last used screen so there is nothing really special about the leftmost one.


Google Assistant will do this. You just need to say something like “Remind me to fold the laundry when I get home”.


This is sort of a confused article. blob: URLs (not blob in the url) are references to local data. They can’t really be downloaded (well if they are still live you probably can) and typically only contain a small slice of the video (timewise).

What this is doing is finding the playlist file that describes this video and playing this (or using a player like VLC to stitch these chunks together).

Then it has other instructions to use different tools for specific sites.

So really the only reason blob: is relevant at all is because it is what you might see if you try the “simple” solution of right-click save. The actual article doesn’t deal with the blob: URL at all.

So I guess the more accurate title is “Are you trying to download a video but it has a blob: URL? There is a decent chance that this is using DASH or HLS under the hood. You can try to find the playlist like this: $find_m3u8 and then stitch that into a single video like $vlc”.