For me it’s the paranoia surrounding webcams. People outright refuse to own one and I understand, until they go on and on about how they’re being spied. Here’s the secret - unplug the damn thing when you think you won’t use it or haven’t used it in a while.
They, whoever it is, can’t really spy on you on something that’s already off and unplugged!
I call this one forbidden knowledge because I see it so little in public, but I’m sure it’s well known in privacy communities: A password like “I have this really secure password that I type into computers sometimes” is a much stronger and easier to memorize password than “aB69$@m”. It seems more often than not I find networks where the SSID is a better password than the WPA key.
“correct horse battery staple” remains firm in my memory
xkcd #936. Nice.
Difficulty to remember: You’ve already memorized it
It’s true! And nobody remembers the first panel’s password.
I agree - I do use passphrases in some critical cases which I don’t want to store in a password manager.
However, I believe passphrases are theoretically more susceptible to sophisticated dictionary type attacks, but you can easily mitigate it by using some less-common 1337speak character replacements.
Highly recommend a password manager though - it’s much easier to remember one or two complex master keyring passwords & the random generated passwords will easily satisfy any application’s complexity requirements.
Yeah that’s basically what I do, I know the passphrase to decrypt my drive, and the one to open Bitwarden and then I basically let that just handle everything else.
Oh and the “sudo” one I guess.
I agree but I think the problem is that some apps/sites have strict password requirements, which usually includes adding upper-case, symbols, numbers, and then limits the length even sometimes…
At my previous bank the password had to be a 5 digit PIN code…
Sketchy indeed. I’ve seen this as well, and the redeeming thing about it is that you’re locked out after 3 unsuccessful login attempts - so no matter how easy bruteforcing would be, there’s a safety catch deal with this.
At one point, Charles Schwab allowed a password of infinite length, but SILENTLY TRUNCATED ALL PASSWORDS TO 8 DIGITS.
This is something I sent a few angry emails about wherever I could find an opportunity.
Which is funny because those strict rules reduce the number of combinations an attacker has to guess from, thereby reducing security.
Provably false. That’s only true if the rules specify some really wacky requirements which I haven’t seen anywhere except in that one game about making a password.
Think about it this way. If you have a password of maximum length two which only accepts lowercase letters, you have 26 choices for the first character & 26 for the next. Each of the 26 characters in the first spot can be combined with any of the 26 characters in the second spot, so 26 * 26 = 676 possible passwords.
By adding uppercase letters (for a total of 52 characters to choose from), you get 52 * 52 = 2704 possible passwords. It increases significantly if you increase the length beyond two or can have more than just upper & lowercase letters.
Computers have gotten so efficient at generating & validating passwords that you can try tens of thousands of passwords in a minute, exhausting every possible two-letter password in seconds starting with “aa” and ending with “ZZ”.
The only way you would decrease the number of possible passwords is if you specified that the character in a particular spot had to be uppercase, but I’ve never seen a password picker say “your fourth character must be a lowercase letter”.
By adding uppercase letters (for a total of 52 characters to choose from), you get 52 * 52 = 2704 possible passwords.
You don’t add them, you enforce at least one. That eliminates all combinations without upper case letters.
So, without this rule you would indeed have the 52x52 possible passwords, but with it you have (52x52)-(26x26) possible passwords (the second bracket is all combinations of 2 lowercase letters), which is obviously less.
The only way you would decrease the number of possible passwords is if you specified that the character in a particular spot had to be uppercase
Wrong. In your example, for any given try, if you have put a lowercase letter in spot 1, you don’t need to try any lowercase in spot 2.
Any information you give the attacker eliminates possible combinations.
I think I’m confused on your point.
I interpreted your statement to mean “adding a requirement for certain types of characters will decrease the number of possible passwords compared to no requirements at all”, which is false. Even in your example above, with only two letters, no numbers / special characters allowed, requiring a capital letter decreases the possibilities back to the original 676 possible passwords - not less.
Perhaps you’re trying to say that passwords should all require certain complexity, but without broadcasting the password requirements publicly? I suppose that’s a valid point, but I don’t think the tradeoff of time required to make that secure is worth the literal .000001% (I think I did the math right) improvement in security.
Even in your example above, with only two letters, no numbers / special characters allowed, requiring a capital letter decreases the possibilities back to the original 676 possible passwords - not less.
No it doesn’t. It reduces the possibilities to less than the 52x52 possibilities that would exist if you allowed all possible combinations of upper and lower case letters.
You are confused because you only see the two options of enforcing or not allowing certain characters. All characters need to be allowed but none should be enforced. That maximizes the number of possible combinations.
that passwords should all require certain complexity, but without broadcasting the password requirements publicly?
No, because that’s still the same. An attacker can find out the rules by creating accounts and testing.
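The keyspace arithmetic argued over above (two-letter passwords, with and without an enforced uppercase letter) and the passphrase-versus-gibberish comparison earlier in the thread can both be checked with a few lines of Python. This is an added example, not code from any poster; the class sizes (26/26/10/32 for printable ASCII) and the 2048-word list size are assumptions stated in the code. Counting is done by inclusion-exclusion, so it generalizes to any length and any set of “at least one of …” rules, which is the general form of the two-letter case in the thread.

```python
from itertools import combinations
from math import log2

# Sizes of the character classes used below (printable ASCII split into
# lowercase, uppercase, digits and the 32 remaining symbols). Assumed.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def keyspace(length, allowed, required=()):
    """Count passwords of exactly `length` characters over the union of the
    `allowed` classes that contain at least one character from every class
    in `required`.

    Inclusion-exclusion: start from all strings over the allowed alphabet,
    subtract the strings missing one required class, add back the strings
    missing two (they were subtracted twice), and so on.
    """
    allowed, required = tuple(allowed), tuple(required)
    if not set(required) <= set(allowed):
        raise ValueError("every required class must also be allowed")
    alphabet = sum(CLASSES[c] for c in allowed)
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            reduced = alphabet - sum(CLASSES[c] for c in missing)
            total += (-1) ** k * reduced ** length
    return total


def bits(count):
    """Entropy in bits of a uniformly chosen element of a set of `count`."""
    return log2(count)


def passphrase_keyspace(words, wordlist_size=2048):
    """Number of passphrases built from `words` independent draws out of a
    `wordlist_size`-word list (2048 words = 11 bits per word, the size of the
    xkcd #936 style lists; assumed here). Spaces and word order are part of
    the phrase but add nothing once the attacker knows the scheme, so they
    are not counted."""
    return wordlist_size ** words


if __name__ == "__main__":
    # The two-letter case argued in the thread.
    print("lower only, len 2:          ", keyspace(2, ["lower"]))
    print("lower+upper, len 2:         ", keyspace(2, ["lower", "upper"]))
    print("lower+upper, upper required:", keyspace(2, ["lower", "upper"], ["upper"]))
    # A typical "8 chars, one of each class" policy versus the same length with
    # every class allowed and none enforced.
    free = keyspace(8, CLASSES)
    policy = keyspace(8, CLASSES, CLASSES)
    print(f"8 chars, anything: {bits(free):.1f} bits; "
          f"all four classes enforced: {bits(policy):.1f} bits")
    # A six-word passphrase from a 2048-word list.
    print(f"6 words from 2048: {bits(passphrase_keyspace(6)):.1f} bits")
```

Running it gives 676, 2704 and 2028 for the three two-letter cases: enforcing “at least one uppercase” removes the 676 all-lowercase strings from the 2704 that allowing both cases permits, so the rule costs less than half a bit here, and the eight-character four-class policy costs a similar fraction of a bit against 94^8. The practical takeaway is the one the thread circles around: the rule shrinks the space only slightly, while length (and, for passphrases, word count) is what moves the bit count.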
Here’s what I’ve shared with my company.
the SSID is a better password than the WPA key
This is an insult I am definitely saving for later
Honestly, just Googling (or DuckDuckGo-ing) things. I tend to be the “tech person” that people ask about their computer problems quite often, and 9/10 times I just copy-paste the error code into the search bar and it tells me what to do. I’m not secret about it either, I’m like you can literally just Google it and it’ll usually work. But people still seem to think it’s magic lol.
My colleague (we work in web dev) will literally sit there staring at an error message but apparently not reading it, and then he’ll open ChatGPT and start asking it what to do. The fucker never even Googles error messages, it’s an absolute nightmare.
ChatGPT can be super useful, but I’m kind of worried about people learning to use it exclusively.
I tried helping a PhD student assemble a set up for measuring transistors. He used ChatGPT to do all the code for the software control (python), which is fine, even if he relied on it to fix every single part of his code when a quick trip to the reference manuals of the equipment would solve the problem instantly.
At a certain point I realized I maybe had misunderstood his set up design and asked him “wait, which device do you want to connect to your gate? Which terminal even is the gate?”
And I kid you not, the dude asked ChatGPT which terminal in his device was the gate
(he also reeked of weed so there’s that)
Nah. People are using you and too lazy to care. They pretend it’s magic cause it’ll get you to continue being their gateway to laziness.
I think you’re underestimating peoples’ ability to filter out the massive amount of garbage results/astroturfed reviews/posts/websites out there.
Unless it’s Windows giving you some long hexadecimal number. Those never return any results.
And the solutions to Windows problems are almost always ludicrously esoteric and stupid anyway lol. It always turns out to be something like “the CPU usage went up because the clock in the taskbar on this specific version of Windows syncs to a different server that closed down so it tries to ping it 400 times a second for some unknown reason and that’s why you get a 78-character hexadecimal error code and all your USB devices disconnect whenever you render a video.”
Overheats when you hold down the space bar.
Don’t change that! I need that feature for my workflow
If it’s not a crash it’s probably an ntstatus and if it shows during a bsod then it’s a bugcheck code. That said the most common ntstatus I see is the very unhelpful 0xC0000001 - status unsuccessful.
The one I came across had something to do with…you remember Intel Optane? How there was a brief window there where they’d sell you a PC with a spinning rust hard disk and like a 16GB special NVMe drive that acted as a kind of cache for the hard disk? I was replacing that with just a normal NVMe drive, and there’s some settings in the BIOS you have to tinker with. And BIOS settings are bullshit. TMP. XMPP. FLP. TLQ. DKR or LXD. Which combination of these settings means “no more optane, just normal bulk storage on the NVMe socket?” There’s nothing that says anything like that.
I apparently didn’t get this quite right and Windows would get a ways through the install process before failing with an 0x2ac4d7f9f2 code or something. Windows’ installer doesn’t give you a functioning desktop, it’s in its own useless environment, so you have to manually type this into your phone to look it up, which returns no results. Like it doesn’t link to a page on Microsoft’s website because of course it doesn’t.
I then tried to install Linux Mint. Boots to the live environment, I get a full desktop. I run the installer, which fails partway through. The error message spells out the issue in plain English, contains a clickable hyperlink to a relevant wiki page which launches in Firefox because we’re in a live environment, and it has a QR code you can scan with your phone to go to the same page on a smart phone. Armed with this knowledge I got the setting right in the BIOS and successfully installed Linux.
But Windows is just so much more user friendly you guys.
It’s not a question of googling, it’s about recognising bullshit answers and skipping them
I had a chat with someone that is a Senior Staff Engineer at a huge company a while ago, on what I’d say is a pretty big service that millions use.
They don’t write much code any more, but they debug a lot of issues. The way they described the workflow to mastery is:
- If you know nothing, ask someone that knows something
- If you know something, Google, and there will be answer from an expert
- If you’re an expert and Google doesn’t work, read the docs and specs from the masters
- If you’re a master, start writing the specs, and offer addendums for when the spec needs to change.
IMO, Googling gets you 99% of the way there in many situations, but if you know nothing the answer might be in front of you and you wouldn’t know it.
There’s a hidden skill in there that allows you to filter out the bullshit/scam/unhelpful solutions and zero in on the helpful, legitimate stuff.
You also need crazy fast reflexes for all the popups.
Password managers. People will use anything but that: paper, notes app (without any security), using the same password everywhere…
Came to say this exact thing.
FFS I have 100’s of passwords saved in my keepass DB, they are all different.
Passwords will only autofill on the correct site, so look alike sites are captured by that simple bit of security.
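The “autofill only on the correct site” property above comes down to matching the page’s origin against the origin the entry was saved from, rather than looking for the bank’s name somewhere in the URL. The following is an added example (not code from any password manager or poster) with a constructed two-entry vault; it contrasts a naive substring check with an origin comparison on the URL shapes phishing pages actually use.

```python
from urllib.parse import urlsplit

# Constructed sample vault: entries keyed by the exact origin they were saved
# from, which is how browser-integrated managers store them. Not real data.
VAULT = {
    "https://bank.example": "correct horse battery staple",
    "https://mail.example:8443": "hunter2",
}


def origin(url):
    """Return scheme://host[:port] for an https URL, or None for anything else.

    urlsplit takes the host from the authority part, so a userinfo trick like
    https://bank.example@evil.test resolves to evil.test, and .hostname is
    lower-cased so upper-case hosts do not become a second origin. The default
    https port 443 is dropped so https://bank.example:443 matches the entry.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    port = f":{parts.port}" if parts.port and parts.port != 443 else ""
    return f"{parts.scheme}://{parts.hostname}{port}"


def naive_match(url, saved_origin):
    """The substring check a hand-rolled script might do. Included only to
    show why it fails: it accepts any URL that merely contains the host."""
    return saved_origin.split("://", 1)[1] in url


def autofill(url):
    """Release the saved password only when the page origin matches exactly."""
    key = origin(url)
    return VAULT.get(key) if key else None


if __name__ == "__main__":
    for page in ("https://bank.example/login",
                 "https://bank.example.evil.test/login",
                 "https://bank.example@evil.test/",
                 "http://bank.example/"):
        print(f"{page:45} naive={naive_match(page, 'https://bank.example')!s:5} "
              f"autofill={'yes' if autofill(page) else 'no'}")
```

The two look-alike URLs (a subdomain of an attacker host and a userinfo prefix) pass the substring test and are refused by the origin test; the plain-http URL is refused too, since a password saved on an https origin should not be sent over cleartext. A real manager also has to decide how to treat sibling subdomains of one registrable domain, which needs a public-suffix list and is deliberately out of scope here.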
I keep trying to convince my parents. Then they say but what if I forget the master password? I say they won’t with a passphrase but they don’t believe me.
Also I don’t have experience with PW managers other than 1Password, Bitwarden and Roboform. I personally didn’t like Bitwarden. I think its UI is janky and oldschool. Roboform is so bad I don’t even know where to start complaining. So I keep using 1Password even though the UI has been getting worse but it still works for me because of the good integration into the Apple ecosystem. But it’s rather expensive for managing the 20 something passwords my parents have. I read about breaches on other PWMs sometimes so I don’t really know what to trust and recommend.
Keepassxc works fairly well for me, with a few quirks. Don’t know how it is on apple though.
Show them you can export the passwords and print them. It will help them to make the switch to know they cannot lose everything because it is on paper. It is what helped my parents
Set my family up with Bitwarden. Had them think up good passwords, told them not to tell me, etc. etc. they went and promptly forgot it.
One of these days I’m going to set them up again but this time I’m going to have to save their master passwords on my account.
Eh, I don’t trust any 3rd party enough to give them all my passwords and I don’t trust myself enough to secure a server for self hosting a password manager.
I know all my passwords, can’t forget em, no paper or notes, no repeat passwords.
Fucking THANK YOU.
A very good friend of mine doesn’t use any password manager. I’ve often in the past told them why don’t they? They argue that then all their passwords would be gone if they forget that one master password. Okay, I say, how the fuck is having to remember 1 password harder than having to remember 20 passwords?
Any good password manager nowadays also has an account takeover feature if you opt in. Basically your spouse / child / parent can take over your account to recover it for you if you can’t get in.
I had to save my wife’s account before on 1password family. It worked nicely!
Keepass. Password database is a local file.
Sorry stupid question, but how do I import my passwords from Proton Pass to KeepassDX?
I looked it up for you; you can export your Proton Pass database as a .csv file and then import it into KeePass. Not sure about KeePassDX but on XC, there’s a csv import option. There’s also a json import option but it says BitWarden for that so I’m not sure if the json Proton Pass exports is in the same structure as KeePassXC expects.
Thanks for the answer! Another question: does saving the data on KeepassDX keep all the passwords and such for me to import to other apps if needed? Or what does the file include?
You can export as csv, html, xml from KeePassXC. Dunno about DX but you can just try it on your desktop if it’s not an option on mobile.
You know I’m looking up all these answers right? I don’t mean to be rude but you can and should just look these up yourself. You can check import and export options by opening keepassxc/keepassdx and checking for yourself
Yeah, you’re right. Sorry, I definitely have a tendency to treat Lemmy as a search engine sometimes. Nonetheless I appreciate you answering me!
Keepassdx is an android app for keepassdx databases with a nice ui. I use it too.
Yes, and personally I use syncthing to sync newest file to all devices when they connect to my home network.
Technically you could use PGP to encrypt a .txt file with all your passwords in it. Which would be more or less the same thing with a lot less polish to it.
Sorry, what is PGP?
PGP is ‘pretty good privacy’; it’s an encryption standard. It’s not the best, but it’s fairly easy to use, and it’s going to resist decryption pretty well, for most use-cases. The idea is that you have a public key, and a private key. The public key allows messages to be encrypted, while your private key allows decryption.
this is the way
If you know all your passwords and can’t forget them, I’m assuming your using some sort of pattern to remember them in which case you have a major issue in case of data breaches as your other passwords can be guessed.
Just as a heads up, sometimes the pattern is not that easy for a computer to brute force. As an example, my old password contains a birth date but with an alternating shift making them a combination of digit and symbol.
The issue is if you are a) targeted, and b)involved in multiple breaches. If they can get the pattern, they potentially get everything.
Is it worth it? That depends. Are you willing to risk it NOT being worth it to a random guy in Africa earning a few $ a day?
Yeah, a fair point
I keep telling myself I need to start using a password manager but I’m worried I won’t be able to log into things on my phone or other devices like my work computer when I need to because I don’t know the password. Is that a legitimate worry or is there a solution for this? How do you sync passwords between computer and phone?
What annoys me about webcams is that they could have easily used the power line to the camera to light the LED. Then if the camera was on the light would be on.
But for some reason the LED is enabled separately from the camera, so it can be hacked through software that the camera is on but LED is off. Leading to a lot of paranoia. It’s just a non sensical design choice.
It’s simple enough to just cover a camera. I’d be far more worried about the always listening microphones.
They should both have hardwired LED indicators. Actually, every powered component should, because why not?
LEDs are fucking annoying
Webcams should not have mics built into them, they all suck anyways.
Like putting speakers in monitors.
An ad blocker, on desktop and phone.
It blocks annoying ads and also protects you against malware (malvertisement).
And please just enable blocking cookies and annoyances in uBlock Origin. It has filters that can be enabled, and you’ll never see a cookie banner again.
I set up my Pi-Hole years ago and haven’t touched it since. Maybe I should update it.
Always get the version of the gadget with replaceable batteries unless you want a brick in 3-10 years. Additionally, prefer 18650, AA, AAA batteries, and keep some rechargeable ones around.
Eneloop batteries (the white ones, not the black ones) are the best AA and AAA batteries out there for sure. Panasonic sells a package of Eneloops with a charging device that accepts both AA and AAA batteries, it’s very good. Can be charged via USB and can also charge other devices, it’s the kind of device I dreamed about in the 90s.
Why not the black ones?
They don’t last as long and have fewer charge cycles, but IIRC they have a larger charge capacity. Eneloop white batteries have 4x more recharge cycles than the Eneloop black batteries. Hard to justify larger capacity (2550 mAh for black, 2100 for white) at 1/4 of the lifespan/charge cycles.
Some people use them for specific things like gamepad controllers (i.e. X-Box/Playstation controllers) because you’re less likely to have interruptions but personally, I just change batteries when I dip below 30%. I keep 4 spare AAs in a charging cradle (La Crosse Technology, apparently they don’t make chargers anymore which came as a huge surprise because they were THE battery charger back in the day 🤓). I use a program on my PC for keyboard macros that has an additional feature displaying gamepad battery percentage and I find it far more accurate than the native app or alternatives.
To me it’s like having a 16 gal gas tank and some guy tries to tell you he can swap it out for a 20 gal gas tank, but then you find out the "upgrade" has 1/4 of the lifespan because it’s far more likely to corrode. Not worth the tradeoff for the vast majority of drivers who can simply fill up a little more often.
It’s a gimmick to basically upsell people an additional battery type that in fairness to Panasonic is literally right on the packaging (2100 vs 500 charge cycles) but unless you’re actively comparing charge cycles between battery types, which the vast majority of people buying batteries aren’t paying attention to because they (reasonably, IMO) assume all AA batteries have a similar life cycle/capacity these days, it’s hard to notice the above differences that I pointed out. So a lot of people buy the white, then the black thinking "ooOoOO Pro edition = better", only to find out 2+ years later that their black batteries are dead while their white batteries keep chugging along.
I know that’s a super long winded explanation but I think it’s good to explain all this. I mostly recommend Eneloop whites because I’m not a big fan of waste, battery waste in particular, so I think that if someone has to use batteries then it makes sense for them to use the ones that are reasonably priced and will last far longer than any other battery. That said, the price of them definitely has gone up over the years, though that applies to most things.
Thanks for that info re Black vs White.
No problem! I love removable/rechargeable batteries.
To the people who insist on me adding a sticky note to my webcam, I can only say
sudo modprobe -r uvcvideo
Anyone with root (or equivalent) access to your pc could easily undo that though.
If they have root access to my PC, webcam access is arguably not my biggest concern
It’s not the biggest, but it still is a concern, and is exceedingly easily mitigated.
RTFM
Majority of “webcam” use is in laptops, tablets and phones, grandpa… No “unplug the damn thing” to be found?
They often come equipped with a privacy slider to cover the lens. Or you can just put a sticker on them.
They don’t “often come with” I’d say it’s fairly rare, and especially in the last generation of computers that most have now.
Also, what you mention are all steps above and beyond OP’s direction to “just unplug it” and they come with compromises - I.e. A shutter cover isn’t a HW disconnect, two very different things. And, a sticker isn’t really removable temporarily when you actually do need the camera deliberately. Certain high end laptops have a purported physical HW disconnect toggle or even some “flip around” cameras that are only deployed when needed, but again, few and far between.
Sorry if I was wrong about the prevalence of such protections. My perception may be biased because the notebooks used by our company are all equipped with a switch or shutter of some sort. (HP brand, IIRC) Regarding your second point, however: surely a shutter physically obscuring the camera lens is just as effective as disconnecting the camera when it comes to protecting the user’s privacy?
Yes, common that folks in more privileged positions can have these skewed views on products, like, “Uber is a pretty good service and a good value…” but you only pay on your corporate expense account… When normal people need a ride now, it’s $80 for a 14 minute ride that used to cost 25-30 bucks. Sometimes we can just live fully different realities from most people.
You often forget to close camera shutters (they are often tone on tone and designed to be more invisible, or they can fall open/off). The microphones are also often located near/in camera modules, so a slide shutter can give a false sense of security, but you can still be heard even if not seen sometimes. I do hope it gets to a point where HW disconnect is the norm
Ok, I hear you. But here’s the secret: I don’t want to use a webcam at all. If you want to see me, agree to a physical meetup. Obviously that’s not the only reason.
I work in a remote first company. We are spread across the whole country. To manage things we do daily meetings. Every single time my camera is covered and nobody has any issues with that. However, when I’m interviewing a potential employee I turn on my camera.
If I could get laptops without webcams or mics I 100% would
If you don’t have your files on another physical location you can show me, you don’t have a backup, you don’t own your files, you basically give your “digital life” to someone else.
But that extremely expensive NFT I bought has my name on it, not yours. Therefore it is owned by me and nobody else.
No I won’t show it to you.
Likewise, as the old rule goes, if you don’t have a secondary backup, then you don’t have a backup.
Yes, two is one and one is none.
I use raid 0 for backup.
^/s
My RAID5 of 28 disks is ultra safe I tell you
I’ve never heard that expression before.
I like it!
The other day, I was chatting on a Discord server about how people manage their photos, which keep piling up each year. I asked which cloud service they use, and one person replied, ‘Save them offline.’ That really struck me because I haven’t invested in offline storage devices in years, and I realized I wasn’t storing anything offline.
This touched me deep
People who complain about ads on YouTube. I tell them about ads blockers and they always go “Huh, you sure it works? Sounds good, I might try that” and then proceed to forget about it and complain about ads in a few months time…
I’m pretty positive by this point that people love to bitch about ads for the sake of bitching about ads. They bring this onto themselves.
Same goes for them going onto sites without ad blockers. Then when you tell them, it’s either “OHHH THANKS!” or “Uhhhh, I cAn’t” for no reason.
Or people, like my mom, who were relatively educated about technology and don’t want to learn new technologies/tools under the pretense of security (even if the software is FOSS, like again most adblockers). My mom built computers in the '90s and '00s, she taught me how to use the command prompt to play my dos games. Now she can barely use one. I don’t know what the hell happened.
Well, my mom is a computer engineer, who had me reflash a phone from work and install LibreOffice on her Windows laptop (the second one was probably just laziness).
People have a fantastically high resistance to change
I just install it for them or tell them to use Brave (don’t down vote me, these people aren’t going out of their way to use firefox and download all the needed extensions)
😤 how dare you make me reconsider my absolutist views
I think this happens because people believe that ad blockers are “too good to be true”. That was what I first thought when first getting an ad blocker, that there was going to be some kind of “catch” like slowing down websites, making them less functional or being malicious. But it turns out they actually improve performance, rarely affect functionality and are even recommended by the FBI because they protect against malicious advertising.
I hate the ad blocker argument for youtube. How am I supposed to do that on my tv or my phone?
I mean, don’t you want less ads anyways?
- invidious
- piped
- some TVs have 3rd party specialized versions of the official webapp
The first two have web pages and phone apps. You can find the phone apps on F-droid.
Fun fact: did you know that the youtube app on your TV is just a no-effort web browser with a URL fixed to a web page, which you could even use on your PC?
Can I do any of these on FireTV?
Use smart tube on fire tv and other android tv devices: https://github.com/yuliskov/SmartTube
I literally just use normal Firefox with normal ublock origin on my phone
Rebooting your PC really does fix a lot of issues.
But in Windows, you have to go to a sub-sub-sub-menu of the old control panel, click on a button called “choose what closing the lid does”, then on “change settings that are currently unavailable” and then disable “fast startup (recommended)”, just to get your pc to reboot properly.
Hold shift while you click start and shutdown (or reboot) when necessary. This will have windows do a full shutdown instead of a hybrid shutdown.
Thank you, this will save my monday morning restart after a weekend of ‘hibernation’
Here’s an even easier hack than all of that :effort:
Just hold the power button down for about 10 seconds, ez-pz
I like to call that the “putting a pillow over its face” method of rebooting. Reserved for when even a
shutdown /r /t 0
doesn’t work
Throw a /f in there for good measure.
I prefer yanking the cord out while furmark, prime95 and a full delete 0 write on the spinning disks is going.
Press Windows+D to go to desktop and press Alt+F4 until you get the shutdown menu.
Unplug your inbuilt webcam?
Some laptops now have physical privacy shutters for that - and for those that don’t, you can get one that you can stick on top.
That still leaves the microphone.
The actual sane solution would just be to require indicator LEDs hardwired to the literal power supply lines of the camera chip/microphone, so they’re physically impossible to turn off while recording.
This is exactly what I do with my tobii eye tracker. I’m a bit paranoid about what it can see so I have it plugged into a USB hub with power buttons that I just disable when I’m not using it.