Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
Why is this bad?
Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵
This is a reminder that Amazon is discontinuing their Kindle magazine subscriptions. This is going to have a significant impact on our bottom line (and future). If you are currently subscribing on Amazon, please read this:
https://clarkesworldmagazine.com/amazon-subscribers/
And if you aren't currently subscribing, this would be a great time to start. If you subscribe direct, you can lock in our current monthly price. Subscriptions starting after September will be more expensive.
https://clarkesworldmagazine.com/subscribe/
#Missouri trans ‘snitch form’ down after people spammed it with the ‘Bee Movie’ script
Some people I recently followed that have been posting extremely high-quality content:
Conference organizers: it is not safe for your trans participants to go to a conference in Kansas because they can no longer safely and legally pee there. Florida is likely to do the same soon. And maybe in the future any state without positive protections in law already in place.
Pick your future venues carefully and ask for escape clauses in your venue contracts should anti-trans laws be passed.
American Public Media Group has also announced that they are suspending the use of Twitter in an e-mail to current/previous donors
"After much discussion, we concluded that continued use of the social media platform Twitter by our organization was contrary to our mission and core values. Instead of being a neutral and efficient channel for serving the public, Twitter is now actively aiming to undermine the integrity of public media organizations like ours.
All of American Public Media Group’s channels will cease to post and engage on the Twitter platform at this time. The decision will be effective immediately, but we expect winding down use of the platform will take several weeks, primarily due to some of our contractual obligations.
The decision to leave Twitter was neither simple nor easy. It was instead the product of much discussion. In deciding to label public media organizations as “state affiliated,” then “government funded,” then “publicly funded” over a week period, Twitter inaccurately describes what public media is and does. That inaccuracy undermines the value of what our employees do for people and their families: providing accurate, unbiased journalism and information about our country and the world."
This is how #emacs was meant to be driven. https://github.com/everythingishacked/Semaphore
It was pointed out to me that Leon Henkin's PhD thesis, "The Completeness Of Formal Systems" is not digitized or easily available, and the UC libraries had a copy.
So I have scanned it and posted it to archive.org: https://archive.org/details/the-completeness-of-formal-systems
Because it is old and faded, and in parts handwritten, the OCR isn't very accurate.
According to everything I have read it should be in public domain as it lacks a copyright notice and was published in 1947. So hopefully I don't go to jail.
And on the topic of obscure mid-century analog electronic instruments that are still useful, behold the Potomac Instruments FIM-41 field intensity meter. This handsome device, resembling a large lunchbox, is designed to precisely measure the RF field strength of AM (MW) broadcast radio stations, for maintenance and compliance with FCC rules. (Mine was purchased surplus from the FCC). The lid, when opened, serves as a directional loop antenna, allowing quick setup in the field.
Everyone’s linked to the NYT piece on the hideous environmental/economic cost of Bitcoin mining: https://www.nytimes.com/2023/04/09/business/bitcoin-mining-electricity-pollution.html?smid=nytcore-ios-share&referringSource=articleShare
The question: What to do about it?
Suggestion: Every public agency (mostly but not entirely in the USA) that holds significant Btc (mostly seized from criminals) co-ordinates to set a D-Day where D stands for “Dump”. That day, they all go and sell their Btc for fiat at any price whatsoever.
That might just solve the problem right now. Because the liquidity ain’t there.
Memories of Bob Lee, especially from his early Java monster days.
No surprise that Kent Beck's article "Thinking about Code Review" has an excessively good value:words ratio. His point about incentives of pull-requests is spot-on, and I really like this quadrant.
One of the main reasons I joined Square back in 2010 was the chance to work with the famous Bob Lee. Part of me was braced for a "never meet your heroes" situation, but I shouldn't have been worried. Anyone lucky enough to have known Bob can tell you what a warm, intelligent, enthusiastic, and genuinely generous person he was. He taught me so much in our time together, and his loss is a devastating blow to our entire community. Goodbye, Bob.
💚 Bob was a kind person who lived more life in 43 years than most would do in 430. I will miss him and his magic.
PhD Student at Purdue advised by Ben Delaware. PL, formal methods, verification and synthesis.