It was bought by Microsoft after becoming established. Most free software projects don’t care enough to move if they don’t self host.


And I’m just letting you know that link bombing isn’t, and it’s actually a discussion if you explain your point rather than dropping someone else’s novel.
If for no other reason than because you don’t have to dig for what part of what was posted is related to what they were saying, and you can much faster say “ah, you’re talking about something totally different than I am”.


Just so you know, from looking at the wall of text you pasted by proxy: those are arguments against the notion that a TPM can make the device itself secure, not that it is untrustworthy for the notion of signing and storing encrypted data.
Next time, make your point and provide references (or not), rather than just link bombing.


I’m not seeing anything that’s not a great look about requiring strong authentication for access to sensitive portions of a user’s account. What you’re saying is akin to calling it a bad look that they force users to use complex passwords against user wishes.
I’m not sure what “trust me bro, my cloud is safe” has to do with anything. Passkeys live on your device. There are ways of facilitating device to device migrations of the keys if you want. You don’t need to use them to use passkeys. And at least on Android you don’t need to even use Google to manage the keys.
Most semiconductors are closed source. The processor, RAM, and radio are also more than likely closed. The software interfaces to all of them have open specification and implementation. There’s like, six for Linux. Microsoft open sourced theirs.
TPMs are not security through obscurity. They are obscure, but that’s not a critical component to their security model.
What they do isn’t really what “collecting biometrics” implies. They’re storing key points in a hashed fashion that allows similarities to be compared. Even if it wasn’t encrypted in a non-exportable way you still can’t do anything with it beyond checking for a similarity score.
You’ve done a good job explaining what I said previously: there’s sometimes a disjoint between privacy and security concern, and so sometimes people don’t understand something about security.


That’s close enough for a privacy perspective. There’s also limitations on domains that can request the auth, specifically “only the one the credential is for”, and there’s a different key per domain and user typically.
It’s also implemented in a way where if the user doesn’t choose to disclose their account to the service, the service can’t know.
Caring about privacy and caring about the details of a security protocol are distinct. You’d be surprised how many people who care about privacy are deeply wary of passkeys because of the biometric factor, which is unfortunate because the way it authenticates is a lot harder to track across domains by design.
I understood they had a lot of concerns, one of which was biometrics via passkeys since GitHub was a very early adopter due to the supply chain risk they pose.


I know how device fingerprinting works, thank you though.
You don’t need my fingerprint, hardware or personal, or biometric shit.
To me that sounds like hardware identifiers, but also quite specifically the things passkeys use. Hence I mentioned it as aside from their main point, which was “don’t track me”, because the biometrics GitHub or any website is going to ask you to use can’t be used for that.


Tangential to the main point you’re going for: when you say fingerprint or biometrics I think you’re referring to passkeys.
Passkeys don’t share any of your fingerprint or other biometric identifiers with anyone.
https://www.eff.org/deeplinks/2023/10/passkeys-and-privacy
One of the major design criteria of their creation was to be an increase in security without sacrificing privacy. It’s made them more finicky to get working but there’s a very good reason they’re very popular with security professionals.
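The two comments above make the same design point: a passkey is a per-site, per-user keypair, the site only ever holds the public half, and an assertion is bound to the relying party it was created for, so nothing biometric leaves the device and nothing lets two sites correlate the same user. The following is an added illustration, not code from the commenter or from any passkey implementation; it mimics the WebAuthn idea of signing over a hash of the relying-party ID plus a fresh challenge. The relying-party IDs (`example.com`, `other.example`, `tracker.example`), the user handle and the in-memory stores are all constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator is a constructed stand-in for the device side of a passkey:
// one private key per (relying-party ID, user), never exported to anyone.
type Authenticator struct {
	creds map[string]ed25519.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]ed25519.PrivateKey{}}
}

func credKey(rpID, user string) string { return rpID + "\x00" + user }

// Register mints a fresh keypair scoped to rpID and hands back only the public half.
func (a *Authenticator) Register(rpID, user string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a.creds[credKey(rpID, user)] = priv
	return pub
}

// Assert signs a challenge bound to rpID. A site asking under an rpID the
// credential was not created for finds no key at all: the domain restriction.
func (a *Authenticator) Assert(rpID, user string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[credKey(rpID, user)]
	if !ok {
		return nil, errors.New("no credential for this relying party")
	}
	return ed25519.Sign(priv, signedData(rpID, challenge)), nil
}

// signedData binds the signature to both the relying party and this login,
// so an assertion made for one site cannot be replayed to another.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// RelyingParty is the server side; it stores public keys only.
type RelyingParty struct {
	ID   string
	keys map[string]ed25519.PublicKey
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, keys: map[string]ed25519.PublicKey{}}
}

func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.keys[user] = pub }

// NewChallenge returns 32 fresh random bytes for one login attempt.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify checks sig against the key enrolled for user under this RP's own ID.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.keys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedData(rp.ID, challenge), sig)
}

// SameKey reports whether two sites were handed the same public key (they are not).
func SameKey(a, b ed25519.PublicKey) bool { return bytes.Equal(a, b) }

func main() {
	auth := NewAuthenticator()
	site := NewRelyingParty("example.com")    // constructed RP IDs
	other := NewRelyingParty("other.example")
	site.Enroll("alice", auth.Register(site.ID, "alice"))
	other.Enroll("alice", auth.Register(other.ID, "alice"))
	fmt.Println("same key at both sites:", SameKey(site.keys["alice"], other.keys["alice"]))

	ch := site.NewChallenge()
	sig, _ := auth.Assert(site.ID, "alice", ch)
	fmt.Println("login at example.com:", site.Verify("alice", ch, sig))
	fmt.Println("replay at other.example:", other.Verify("alice", ch, sig))

	_, err := auth.Assert("tracker.example", "alice", ch)
	fmt.Println("RP the user never registered with:", err)
}
```

The interesting checks are the negative ones: the public keys issued to the two sites differ, an assertion for `example.com` fails verification at `other.example` because the RP ID is part of the signed data, and a party the user never enrolled with receives no assertion at all, which is what makes cross-domain tracking through passkeys impractical by design.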


You’re currently connected to your neighbors that intimately. Chances are a good chunk of your neighbors are on the same ISP as you.
What disconnect do you think a non-local ISP is providing that a local one wouldn’t?


Some countries have more consumer protections than the US does, and consumers from there are wary of the lack of assurances a lot of US products have.
To them, it’s like being told you have to pay for your food at the restaurant even if they mess up your order and you don’t get to eat it. It doesn’t matter that the waiter probably isn’t going to drop your food on the floor, throw it away and then give you a bill: the fact that they could makes you not want to go there.
Likewise, your watch will almost certainly not break via factory defect after more than a month, but the expectation is that if they sell you something it’ll either last the expected lifetime or be suitably replaced or refunded on failure.
We’re used to our particular blend of capitalist hellscape, so a company saying they’ll replace things if they’re obviously broken the moment you buy it, but beyond that you’re out of luck, just seems normal. It’s on us to make sure they don’t mail us subtly damaged microelectronics and tiny lithium bombs.
It’s really not new age retconning, the old testament literally has angels and other quasi divine entities in it. It’s not that they thought the foreign gods were demons, it’s that they had stories from their own religion that involved other gods.
Previously, it was common for nations and tribes to have their own God that they worshipped.
A segment of the Israelites believed that their national deity was best God, but not only God, because that would be silly. Everyone knows El, Ashera, Yahweh and Marduk all exist, but Yahweh is first amongst the pantheon, or that Yahweh was actually the same as the other god but just used a different name for reasons.
When political strife broke out with Babylon that sect gained prominence and shifted towards monotheism as a rejection and denunciation of the Babylonian gods, both as a middle finger to Babylon and as a bolstering of national identity: preserve the culture by saying it’s not just that this is your God, or that’s it’s the best God, but that it’s the only God.
The difficult part is the thousand years of stories and belief making it extremely clear that there are other deities. So those stories warped and recontextualized those gods as evil gods or lesser good gods, errr… Demons and angels. A perfect, all powerful, all knowing god who created everything has special helpers to do things for him and has an adversary who is somehow able to resist him, but is also a companion, or a betrayal. Baal. Or is it Beelzebub? Samael? Satan? It’s so tricky to keep track of which came from early Judaism and which is a syncretism from a neighboring religion.
You slightly underestimate how broad the world of the Israelites was. They lived in tribes, but those tribes had a deity different from a neighbor tribe that they still recognized as “them”. Different households would have their own God, and the nation as a whole had a patron God. They lived in areas with enough traffic and people that other gods weren’t a weird notion. Their interactions with Babylon are a significant recognized historical occurrence, and Babylon had a population of more than 200,000 by modern estimates during the relevant time period.
It’s confusing to say that it’s ignoring the social control aspect of religion to recognize that they weren’t monotheistic at the time the ten commandments became part of the religious canon. It took a thousand years for them to switch from a subset of the Canaanite religion to a distinct monotheistic one.
The purpose wasn’t to stop people from making their own gods, it was to stop people from saying any of them were better than Yahweh. It is not a subtle set of rules.
It’s a coherent argument built on the flawed premise that the interpretation of the text as applied to modern Judaism is the same as it was applied to the proto-Judaism of 3500 years ago. We have ample evidence that it would not have, and that time has changed the interpretation and, in some cases, the actual words, like the written form of Yahweh that would be pronounceable in their language being changed to an honorific and subsequently lost to time.
It’s less to stop worshipping fake gods, or asserting they’re monotheistic, it’s a directive to stop saying any God is “better” than Yahweh. At the start, it was a religion based on worship of Yahweh as the foremost deity, and eventually that started to include taking attributes from the other deities in the pantheon, and eventually saying they weren’t really gods, but spirits, demons or angels. Lesser divine entities strictly below Yahweh. Add in a couple centuries of linguistic drift and religious practice and you’ve got Yahweh’s name being replaced with “the LORD” in many places to avoid invoking the special power of names, and his name becoming your word for deity, making translation an absolute mess.
It’s not linguistic trickery to cast the “no other gods before me” as being a polytheistic belief. At the time it was and they only thought one god was worthy of worship.


Calm down, jeez. You said you have a system for generating passwords. Scheme is just a word for a system of doing stuff in a security setting.
I’m literally just asking what your system is and you’re acting like it’s the most aggressive thing ever.
Do you expect everyone to agree with you immediately? Disagreement isn’t aggression, it’s the starting point for the debate you keep mentioning.


There’s a principle in security, https://en.wikipedia.org/wiki/Kerckhoffs's_principle, roughly summarized as “the enemy knows the system”. It’s the notion that you should be able to fully describe everything about your system except the secret key and still be secure.
My concept is a bit like this (don’t wanna give it all away):
That’s always a concerning thing to encounter at the beginning of a description. That implies that there’s an awareness that if you knew how the system worked it would be weaker, which in a security setting is considered a very notable defect.
If we’re looking at the actual security of the system you describe through that lens, the name of the company doesn’t add to your security. Neither does your word substitution rules. The secret in your system is the passphrase and the number you’re using to modify the letters from the company name.
Now, using a passphrase is good, but it kinda felt like you were implying that you use the same passphrase for all services and then modify it. That’s not a good idea, since it reduces your effective security to a single number.
Additionally, a passphrase should be random words, not a known phrase. If the phrase is grammatical it reduces the security pretty fast since it’s weirdly easy to guess word sequences.
Adding a character to the end of a password during rotation is also a bad idea. Anyone breaking a password database will automatically try with a series of characters tacked onto the end specifically to catch that, so a password of yours that got leaked years ago can be used to figure out your current password just by checking it with different endings.
A better system would be to write a truly random password down on a sheet of paper along with 31 others. Now fold up the piece of paper and put it in your wallet.
You are already adept at keeping paper in your wallet secure, and anyone not in physical proximity to you has to fall back to the usual tricks to get at your stuff.
Better yet would be to use a password manager, ideally one you can export to something you carry, encrypted, with you while you go.
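The comment above measures password systems by how much secret material is actually left once the public parts (company name, substitution rules) are discounted. The following is an added worked example, not code from the commenter: it computes entropy in bits for the alternatives discussed (random words from a wordlist, a random character string, and the shared passphrase plus per-site number scheme after one password has leaked), converts bits into expected guessing time at an assumed offline rate, and generates the "sheet of random passwords" option with `crypto/rand`. The eight-word list, the 7776-entry list size, the 0–99 modifier range and the 1e10 guesses/second rate are constructed assumptions for the demo.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
)

// PassphraseBits is the entropy of n words drawn uniformly from a list of listSize words.
func PassphraseBits(n, listSize int) float64 {
	return float64(n) * math.Log2(float64(listSize))
}

// PasswordBits is the entropy of length characters drawn uniformly from alphabetSize symbols.
func PasswordBits(length, alphabetSize int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// ResidualBitsAfterLeak models the "one passphrase modified by a per-site number"
// scheme: once a single site's password leaks, the shared passphrase is known and
// only the modifier (a number below modRange) is left to guess.
func ResidualBitsAfterLeak(modRange int) float64 {
	return math.Log2(float64(modRange))
}

// ExpectedYearsToGuess converts bits into the expected time to find the secret at
// an offline guessing rate; on average half the space must be searched.
func ExpectedYearsToGuess(bits, guessesPerSecond float64) float64 {
	return math.Pow(2, bits-1) / guessesPerSecond / (365.25 * 86400)
}

// pick returns a uniform random index below n from crypto/rand (never math/rand).
func pick(n int) (int, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()), nil
}

// RandomPassphrase draws n independent words from words.
func RandomPassphrase(n int, words []string) ([]string, error) {
	out := make([]string, n)
	for i := range out {
		j, err := pick(len(words))
		if err != nil {
			return nil, err
		}
		out[i] = words[j]
	}
	return out, nil
}

// RandomPassword draws length characters uniformly from alphabet.
func RandomPassword(length int, alphabet string) (string, error) {
	runes := []rune(alphabet)
	out := make([]rune, length)
	for i := range out {
		j, err := pick(len(runes))
		if err != nil {
			return "", err
		}
		out[i] = runes[j]
	}
	return string(out), nil
}

// RandomSheet produces count independent passwords: the sheet-of-paper option.
func RandomSheet(count, length int, alphabet string) ([]string, error) {
	sheet := make([]string, count)
	for i := range sheet {
		pw, err := RandomPassword(length, alphabet)
		if err != nil {
			return nil, err
		}
		sheet[i] = pw
	}
	return sheet, nil
}

// PrintableASCII is the 94 printable ASCII characters excluding space ('!' to '~').
func PrintableASCII() string {
	var b []byte
	for c := byte('!'); c <= '~'; c++ {
		b = append(b, c)
	}
	return string(b)
}

func main() {
	// Constructed demo wordlist; a real diceware-style list has 7776 entries.
	words := []string{"apple", "brick", "cloud", "delta", "ember", "frost", "grove", "harbor"}
	fmt.Printf("6 random words from 7776:            %.1f bits\n", PassphraseBits(6, 7776))
	fmt.Printf("16 random chars from 94:             %.1f bits\n", PasswordBits(16, 94))
	fmt.Printf("shared passphrase + 0-99, after leak: %.1f bits\n", ResidualBitsAfterLeak(100))
	fmt.Printf("years to guess 6 words at 1e10/s:     %.0f\n", ExpectedYearsToGuess(PassphraseBits(6, 7776), 1e10))
	pp, _ := RandomPassphrase(4, words)
	fmt.Println("sample passphrase (8-word demo list):", pp)
	sheet, _ := RandomSheet(3, 16, PrintableASCII())
	fmt.Println("sample sheet:", sheet)
}
```

The point the numbers make: a truly random six-word passphrase sits near 78 bits and a 16-character random string above 100, while the reused-passphrase scheme collapses to under 7 bits the moment one site's copy is exposed, since the attacker only has to enumerate the modifier. The generators use `crypto/rand` throughout; `math/rand` would make every "random" password predictable from its seed.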


Uh huh. When was I rude? You started by calling me ignorant, and I just asked you some questions about your system. You seem extremely defensive, since it seems to take only the smallest disagreement for you to dismiss someone as ignorant, lacking common sense, and unable to hold a discussion. Take a breath, and try actually explaining your system so there can actually be a discussion of what is or isn’t wrong with it.
I’m not looking for a fight, but I am extremely skeptical of your scheme because it’s one that people bring up often, and it’s never done in a secure way. Maybe yours is, but there’s no way to know if you don’t actually say what it is.


How often does any of that happen to you?
For the second one, that seems unlikely, and you can just type the password you read off your phone.
The printer scenario seems both unlikely, and has nothing to do with password managers.
If you’re memorizing your passwords, you need to factor in the likelihood you forget, and for the actual security of the password. It sounds like you’re memorizing weak passwords, which is the heart of the problem, not a downside to password managers.


What’s your system? I love hearing about people’s great systems for generating passwords. How much entropy does your system produce per password?
You’re extremely confident for someone disagreeing with literally every security professional I’ve talked to, and considering I work in the industry, that’s a lot of people.


Because your brain is terrible at remembering random data. Your simple system is extremely unlikely to produce passwords of any particular quality.
Also, I have 170 passwords saved. I don’t know how many of those live in the category of “once every six months”, which is too infrequent to remember easily.


Okay. You’re still doing tech support either way. I have no way of knowing how much free tech support you’re willing to give, hence my caveat of how much you’re willing to support them.
Netflix would disagree. People feel like they’re supposed to be getting access to a service, and if they’re not getting it they’ll complain to the nearest party to what isn’t working. In this case that’s you or Netflix being asked questions about why the router isn’t working.
That it’s wrong or irrational has nothing to do with who’s getting asked the question, and who’s the first line of troubleshooting when the service doesn’t work.
If people didn’t ask the wrong people questions, Netflix wouldn’t need support articles on how to reset your router.


Honestly, you’re supporting a chunk of her network by being a media provider in the first place. “It won’t play” doesn’t usually come with an assurance that it’s not a device or network issue.
Neither Plex nor Jellyfin seem remotely worth the effort to provide to others in my opinion, I just felt like sharing that there are ways to afford network protection to locked down devices.
Nah, it’s cool. We’re clearly talking at cross purposes. Have a good one.