I’m slowly moving away to open source, self-hosted applications where possible. Changed search to a combination of Gibiru and Yep. Email to a mailcow server I host on a vps, and I’m moving photos to an Immich server I’m setting up. Home Automation is next, I have a Raspberry Pi 5 to act as the Home Assistant server. And a few other projects in the works to split from Google as much as I can and mostly it is all better.
I mean it depends on the intensity of the surge, but basically you’d be making it so your PSU is unable to protect the devices from surges. The more sensitive the electronics, the more critical the ground is and CPUs are pretty darned sensitive among other things. And depending on the type of components in the PSU, “surges” also include things like inrush current. Basically, when you turn on a transformer or certain other devices, there is a surge of sometimes as much as 10 times the rated current to create the initial magnetic flux. Depending on the components, this excess energy may end up getting shunted to the ground to avoid pushing it through your electronics. So if it can’t do that, you likely will blow fuses a lot when switching the power on (hopefully there are fuses), or if you’re touching the case which is supposed to be grounded, you may end up getting that jolt.
Anyway, without grounded outlets, and especially if your electronics are cheaply made because many expect there to be grounding and don’t build in extra components to deal with not having a ground, you are likely to significantly reduce the life of your electronics, your life, or start a fire without even considering major surges. If you have a high-end PSU, you may never have a problem until that surge happens. How stable is your power? Because even a normally small surge combined with a cheap PSU, and no ground, is pretty likely to end up in damage to electronics at the best case.
Because computers have come even close to needing more than 16 exabytes of memory for anything. And how many applications need to do basic mathematical operations on numbers greater than 2^64. Most applications haven’t even exceeded the need for 32 bit operations, so really the push to 64bit was primarily to appease more than 4GB of memory without slow workarounds.
Automate as much as possible. I rsync to both an online and home NAS for all of my hosted stuff, both at home and in the cloud. Updates for the OS and low level libraries are automated. The other updates are generally manual, that allows me to set aside time for fixing problems that updates might cause while still getting most of the critical security updates. And my update schedules are generally during the day, so that if something doesn’t restart properly, I can fix it.
Also, whenever possible I assume a fair amount of time for updates, far beyond what it should actually take. That way I won’t be rushed to fix the problem and end up having to revert to a backup and find time later to redo it. Then most of the time I have extra time for analyzing stats to see if I can improve performance or save money with optimizations.
I’ve never had a remote provider just suddenly vanish though I use fairly well known hosts. And as for local hardware, I just have to do without until I can buy a replacement. Or if it’s going to be some time, I do have old hardware that I could set up as a makeshift, temporary replacement like old desktop computers and some hardware that I use for experimenting like my Le Potato that isn’t powerful enough for much, but ok for the short term.
And finally I’ve been moving to more container-based setups that are easier to get up and running again. I’ve been experimenting with Nomad, Docker Swarm, K3s, etc., along with Traefik and some other reverse proxies so o can keep the workers air-gapped for security.
Yes, this is exactly what it’s for, as well as Winnie the Pooh in China, LGBTQ+ materials in Florida, or any other ridiculous laws. As fascism is taking over many countries, including the US, UK, and other Western countries, they are pressuring content storing companies to add backdoors to allow hunting down dissidents.
Oh, and also this is a way to allow selling the content to train AI since it’s less obvious that it is allowed with this kind of vague wording.
“A New Stereophonic Sound Spectacular”
But it hasn’t always been free to file electronically. The government made it required for them to offer free versions for simple returns, but that was recent.
Also, access to the Internet isn’t universal. You’d be surprised how much of the US doesn’t have affordable Internet and a fair number don’t have Internet available at all, or limited to just dialup which is not very useful. And a lot of apps don’t work right on phone browsers, especially older phones, so then you need a desktop or laptop which a lot of people don’t have. Some have access in libraries, but a lot don’t or traveling to a library is a burden. And lots of other reasons that internet isn’t a given for a large portion of households. So paper is still not just necessary, but the easiest way.
I self host a lot, but I host a lot on cheap VPS’s, mostly, in addition to the few services on local hardware.
However, these also don’t take into account the amount of time and money to maintain these networks and equipment. Residential electricity isn’t cheap; internet access isn’t cheap, especially if you have to get business class Internet to get upload speeds over 10 or 15 mbps or to avoid TOS breaches of running what they consider commercial services even if it’s just for you, mostly because of of cable company monopolies; cooling the hardware, especially if you live in a hotter climate, isn’t cheap; and maintaining the hardware and OS, upgrades, offsite backups for disaster recovery, and all of the other costs. For me, VPS’s work, but for others maintaining the OS and software is too much time to put in. And just figuring out what software to host and then how to set it up and properly secure it takes a ton of time.
Yeah, very limited, but it’s very good for more than half of the population that don’t have enough deductions to exceed the standard and don’t own property (if you properly count houseless “households” that earn income as not owning property and not just renters like most statistics). It’s dumb that they have to file a return anyway just to acres money that never should have been collected. Most just don’t know how to properly file their W-4 to not have taxes withheld in the first place. Mostly because they follow the directions and/or are afraid of paying a fine plus interest.
Anyway, it’s a step in the right direction. And if we can unbury all of the staff out of the pile of paper returns, we can devote some to go after the rich and their frivolous, often fraudulent deductions and have them pay the tax they owe.
Food and gasoline prices have skyrocketed. Infrastructure is a mess in most of the country so it takes longer and longer to get anywhere at peak times. Companies have cut costs in offices so they’re just crowded and full of distraction and germs. So yeah, lots of time and money is saved by working from home.
That electric bill, though. 🤣
I’m not saying it doesn’t count as authentication, it just doesn’t count as authentication to the security of the server directly. That’s the device’s security and configured by the user, not the server. And user devices are very prone to exploits to the point that many law enforcement agencies don’t even bother asking for a password anymore to access a device.
So, let’s move to a physical model as an example. Let’s say you have a door. It has a very simple door handle lock. You keep your key inside a hotel safe. Sure it might be difficult to get the key if they had to enter the hotel room, cut open the safe in place, and get the key while they’re standing in front of the secure door, exposed. But that’s dumb. They could just as easily grab the safe out of the room and open it later where there’s room for proper equipment, use a known exploit for the particular safe, or use other exploits all out of view of the door/server and at any time until the user realizes you know how to open their safe, because the door/server will never find out. Once that safe is open, you have not just the key to the door, but the key to all locks the user uses since now we only have “something you have” factors and the user uses only one device. Just like when we only had “something you know” factors and the user uses the same password everywhere.
So what does the passkey help with? It makes the lock and thus the key itself more complex. This makes it so that brute force attacks against the server are more difficult. But it doesn’t solve anything that existing TOTP over text messages didn’t solve, other than some complexity, and it eliminated the password (something you know) factor at the server. Something a lot of companies are already doing and we already know from experience is a bad practice. It has changed the hacking target to the device rather than the person. But still just one target, you don’t need both. Sure it’s better than a really bad password that’s reused everywhere. But it’s not better than a really good password unique to a site that’s only stored in a password manager on the user’s device that requires a separate master password to access (outside of MitM attacks that TOTP mitigates).
Now, what if we have a door with two locks, one that requires a code, and one that requires you to have access to a device. Now in order to attack the door, you need two factors right at the time you’re standing at the door. Also, there’s probably a camera at the door and someone paid to check it periodically when someone tries too many times, which isn’t the case in the user’s safe/device. So even if you get the key from the user, you still need to brute force the second lock efficiently or you need to implement a second exploit to get the second factor ahead of time. This is the idea of two factors at the server and the current state of things before passkeys.
But authentication to access the passkey is on a remote device. So the server doesn’t have any information about if or how authentication was performed for the person to access the key. If they use a 4 digit pin or, worse, the 4 point pattern unlock, it’s easy enough to brute force on most devices.
This is also why using a password manager is not two factor authentication. It is one factor on your device and one factor on the server. But no one monitors the security logs on the device to detect brute force attacks and invalidate keys. Most don’t even wipe the device if the pin is being brute forced.
Not related to the article itself, but I’m curious why use of archive.is has become so popular around here considering that they refuse to provide DNS replies without edns personal information attached? I’m not familiar with the politics involved, but a lot of DNS providers are getting blocked by archive.is for not providing that info, including my own home DNS server and cloud flare 1.1.1.1 and many others, so I’m surprised to see it gaining popularity on Lemmy.
Problem is that if the factor is not authenticated by the server, it doesn’t count. Not saying it’s not helpful, but it’s not part of the consideration when designing the security of the system.
The device can be attacked for an indefinite time and the server knows nothing about that. Or the device can disable that additional security either knowingly or maliciously and the server has no knowledge of that breach. So it’s still a single factor, “something you have” to the perspective of the server when considered security.
I’ve worked with healthcare data for decades and am currently a software architect, so while it’s not my specialty directly, it is something I’ve had to deal with a lot.
I don’t like passkeys yet because they’re implemented poorly on most platforms, IMHO, because they replace two factors with one. Some don’t let you also turn on two factor auth at all which is dumb, but the ones that do then often only have options that use your device as a factor either through text or email. So if the passkey is your phone and you add text messages as the 2 factor option, that’s still your phone. Or if your passkey is your laptop and you’re logged into your email on the laptop, it’s just one.
It doesn’t work, for point 1 very well though. The tech is fine, but the way it’s presented to users is that it’s way more accurate than it actually is. That’s marketing rather than a technical problem. Second, the tech is not as good at recognizing non-white people. It’s just a fact that there are more pictures of white people to train the tech on since white people have historically had more access to photography among other reasons. And the models used to create most of the tech was built to favor facial traits that are more likely to differ in white people.
So, the likelihood of high probability matches is much lower so the likelihood that the highest probability match that is made is actually much lower probability of it being an actual match means the bad matches bubble to the top and get accepted as real. And these kinds of uses are more interested in a “better safe than sorry” stance and they aren’t sorry about killing the wrong person, only about not killing the right one. So they’re perfectly as happy killing many people that are possible matches as they are one person that’s the correct match.
I think they were fine before, because they were offering the best experience for the people who want someone else to configure things for them and make decisions on privacy, security, etc., for them. Problem now is that they no longer offer much in the way of brand new user experiences that no one else offers, and additionally they don’t prioritize the user’s privacy and convenience and prioritize how much money they can make with the centralized user information they control and don’t allow the user to make decisions on their own privacy and security.
That will never work either. They’ll just transfer it to a subsidiary towards the end and then shut down the company. Then there’s no one to enforce the law on.
In my opinion, the difference with Google is that Google is actively using your data and you’re giving them a lot of it. For Cloudflare, what do they have exactly? Depends on what services you use, but really all they get from me is the list of servers that connect to my domains. Google does that too if you use 8.8.8.8, or if you have any of their hardware that overrides router DNS settings like Chromecast and Google TV.