Culture War Roundup for the week of July 8, 2024

This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.

Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.

We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:

  • Shaming.

  • Attempting to 'build consensus' or enforce ideological conformity.

  • Making sweeping generalizations to vilify a group you dislike.

  • Recruiting for a cause.

  • Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.

In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:

  • Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.

  • Be as precise and charitable as you can. Don't paraphrase unflatteringly.

  • Don't imply that someone said something they did not say, even if you think it follows from what they said.

  • Write like everyone is reading and you want them to be included in the discussion.

On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.

Yeah, sometimes security really is that bad.

For a less serious example, "somebody" walked into the phone store, asked for a replacement SIM for my account (providing the phone number and possibly my name, but no other information), and walked out a few minutes later with the old SIM deactivated and the new card in their possession. That person was me, but they had no way of knowing that because they never asked or checked.

I think elections should at least be protected against that level of fraud.

This is why SMS is not a recommended second authentication factor for high-security or high-profile accounts: this can and has been abused before, many times.

What do the recommendations for account security in 2024 look like?

As a bank employee, I am expected to use a token tied to a physical device - either one of those SecurID tags which generates time-sensitive 6-digit codes or a soft token loaded onto a phone app (which stays on the single phone and is not uploaded to iCloud etc.)

For multifactor authentication, specifically:

  • The gold standard is a Yubikey, but this is obnoxious to set up and maintain, so you probably can't unless it's your full-time job.
  • For everyone else, virtual key-based two-factor authentication, either tied to your physical phone or running on an (ideally not-device-you're-logging-in-on) computer. Authy is the Google version, there's a bunch of free third-party ones that are pretty not-awful. (If you use an Android phone, avoid sideloading onto the same device as your 2FA app, and limit browsing/weird app installs from the stores if you're paranoid).
  • Most have an online backup option. Whether you want to use it depends on your threat model -- having a fast backup option from 'phone exploded' is nice, but compromise here is pretty bad.
  • When you set up key-based 2FA for an important account, you should get some number (usually 3-5) of 'emergency codes'. Print two copies out: put one with your birth certificate, and one off-site (safe deposit box, friend's house, among your personal effects at the office).
  • Avoid giving phone numbers to vendors whenever possible; even if you don't use them as a 2FA setting, businesses will almost always treat them like one, except going through their tier 1 tech support instead of an actual process. Unfortunately, not possible for a lot of things like business/bank accounts.
  • If your account is high-risk or high-profile, try to contact your vendor ahead of time and specifically disavow phone-based account recovery. Probably won't work, but can be worth trying.

For passwords:

  • The Standard Advice is to use a good password manager. Firefox and Google have built-in options, as does the iPhone, but 1Password has some nice benefits in terms of Just Working. If you're willing to do the synchronization yourself, or only have a couple machines you login from, KeePass. Use them to autofill password forms; if they don't, check for likely compromise of the site (though there are a few other possible causes). Make sure your login passwords for these tools are unique, long, and memorable, and harden the password store against external attacks.
  • Whatever tool you use, make sure it's separate from your 2FA app, and that your password store isn't getting backed up to the same place as your 2FA backup.
  • ... the non-standard advice is to have a unique, long, and memorable password for every major site that you memorize. This can be a very useful skill if you might need to log in at arbitrary locations from computers that you don't have a lot of chance to set up, but most people can't do it, and you're slightly more vulnerable to simple brute force attacks than password managers.

More generally:

  • Get and use an ad blocker. Because of the iPhone, piHoles are the best option, but if you mostly browse from a desktop uBlock Origin works well enough. Ads are an attack vector.
  • HTTPS-everywhere (now default in most browsers) is nice. If you're tech-savvy, knowing how to tunnel both DNS and HTTP(s) to a server you control can also be nice, especially if you're on the road a lot. The former is a more realistic concern for more threat models, but a surprising number of important but small sites will not support HTTPS.

Good comment. My additions:

  • Use masked email for most things. For example, Firefox automatically offers to fill in email fields with their Mozilla Relay service.
  • Even within a password manager, autogenerate passphrases rather than passwords. A six-word passphrase has much more entropy than a fifteen-character random string. And it has the benefit of being more memorable. See this relevant xkcd.
  • Get notified by HaveIBeenPwned if your account is found in a breach.
  • Don't use SSO for online services, unless it's like part of your job. Yeah it's convenient to just click "Sign in with Google" but if your Google account ever gets nuked for whatever reason (just go on HackerNews and search for "Google account", most posts are stories about people losing accounts), then you also lose access to the non-Google service. A password manager plugin offers the same convenience as SSO, so just use that.

That is one hell of an answer, thank you for typing all that!

I have heard reasonable explanations of the new passkey systems that the big tech companies are slowly trying to roll out. It's effectively replacing a symmetric password (client and server both know the password) with an asymmetric signature (my client can prove itself to the server without the server itself learning enough to do so itself). It doesn't solve the two-factor problem itself, but probably could change how user passwords are handled.

On the other hand, they are distinctly too complex to commit to memory, so they end up having to be stored in a physical device, which has its own issues. Also viable backups and account restoration have conflicting concerns with privacy: keeping a copy of your credentials on Big Tech servers is, for some, the antithesis of the goal.

Passkeys don't necessarily solve the two-factor bit, but if the device is bioauthenticated as most phones are this is kind of/mostly a moot point. A more relevant trifecta when it comes to the point of passwords/authentication is 1) something you know, 2) something you have, and 3) something you are.

Passkeys are nice because they swap the (something you know which you can be tricked into giving + something you have which less-commonly via sim-swapping or the like the system can be tricked into thinking someone else has) for the equation of (something you are, which is really hard to fake + something you have, with similar weaknesses). Note that you can't really lose accidentally or give away "something you are", like biometrics, so as long as the authentication protocol is solid, the passkey approach patches a major weakness. And since some passkey protocols try to verify that the something you have is physically located next to the actual access point, it's also a stronger something you have, even if it's not necessarily exactly the same as 2FA.

At least that's my understanding. Haven't yet migrated, but am very close to doing so.

Of course still excellent points about the cloud-passkey paradigm, but since passwords are just so easy to make weak (even with fancy rules to attempt to make them more secure), it still seems like an order of magnitude security improvement.
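The two posts above describe the core of a passkey: the server stores only a public key, the device proves possession of the private key by signing a fresh server-issued challenge, and the signature is bound to the site it was made for. The following is an added illustration written for this thread, not any commenter's code and not a real passkey or WebAuthn implementation; `Authenticator` and `RelyingParty` are hypothetical stand-ins for the phone and the website, and the signed input is a simplification of how WebAuthn binds the relying-party identifier into the signed data. It shows three properties the posts argue for: a breach of the server's user table yields no secret, a captured signature cannot be replayed, and a signature obtained by a look-alike site fails at the real one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the phone or hardware key (hypothetical type).
// The private key is generated here and never leaves this struct.
type Authenticator struct {
	priv ed25519.PrivateKey
}

// RelyingParty stands in for the website (hypothetical type). It keeps only the
// public key per user plus the outstanding challenge, nothing an attacker could
// use to log in after a database breach.
type RelyingParty struct {
	name       string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(name string) *RelyingParty {
	return &RelyingParty{
		name:       name,
		pubKeys:    map[string]ed25519.PublicKey{},
		challenges: map[string][]byte{},
	}
}

// Register creates a fresh key pair on the device and hands over only the public half.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a.priv = priv
	rp.pubKeys[user] = pub
	return nil
}

// Challenge issues a random, single-use nonce for a login attempt.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// signingInput binds the signature to the site name the client is talking to,
// so a signature produced for one site is meaningless at another.
func signingInput(rpName string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpName))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign proves possession of the private key over (site name, challenge).
func (a *Authenticator) Sign(rpName string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signingInput(rpName, challenge))
}

// Verify checks the signature against the stored public key and consumes the
// challenge so the same signature cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	c, hasChallenge := rp.challenges[user]
	if !ok || !hasChallenge {
		return false
	}
	delete(rp.challenges, user)
	return ed25519.Verify(pub, signingInput(rp.name, c), sig)
}

func main() {
	rp := NewRelyingParty("bank.example") // constructed site name
	auth := &Authenticator{}
	if err := auth.Register(rp, "alice"); err != nil {
		panic(err)
	}
	c, _ := rp.Challenge("alice")
	fmt.Println("genuine login:", rp.Verify("alice", auth.Sign("bank.example", c)))
	c2, _ := rp.Challenge("alice")
	// A look-alike site relays the real challenge; the device signs for the name it sees.
	fmt.Println("relayed from look-alike:", rp.Verify("alice", auth.Sign("evil.example", c2)))
}
```

The server-side table holds nothing secret, which is the "asymmetric" property the first post describes; the cloud-backup concern in the same post is about where the private half in `Authenticator` lives, which this sketch leaves on the device.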

Funny story, some folks were robbing carrier stores in order to use SMS OTP.

The way it worked was that some dudes would come in and make a loud ruckus about smashing and stealing things, and while everyone was paying attention to that, someone would grab the admin tablet and run off with it to remap phone numbers.

Beautiful piece of criminal work tbqh -- why bother social engineering or anything else when you can just hire the lowest-skill-imaginable dudes to create a distraction and just take the tablet.