This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.
Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.
We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:
-
Shaming.
-
Attempting to 'build consensus' or enforce ideological conformity.
-
Making sweeping generalizations to vilify a group you dislike.
-
Recruiting for a cause.
-
Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.
In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:
-
Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.
-
Be as precise and charitable as you can. Don't paraphrase unflatteringly.
-
Don't imply that someone said something they did not say, even if you think it follows from what they said.
-
Write like everyone is reading and you want them to be included in the discussion.
On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.
Jump in the discussion.
No email address required.
Notes -
Yeah, sometimes security really is that bad.
For a less serious example, "somebody" walked into the phone store, asked for a replacement SIM for my account (providing the phone number and possibly my name, but no other information), and walked out a few minutes later with the old SIM deactivated and the new card in their possession. That person was me, but they had no way of knowing that because they never asked or checked.
I think elections should at least be protected against that level of fraud.
This is why SMS is not a recommended second authentication factor for high-security or high-profile accounts: this can and has been abused before, many times.
What do the recommendations for account security in 2024 look like?
As a bank employee, I am expected to use a token tied to a physical device - either one of those SecurID tags which generates time sensitive 6-digit codes or a soft token loaded onto a phone app (which stays on the single phone and is not uploaded to iCloud etc.)
More options
Context Copy link
For multifactor authentication, specifically:
For passwords :
More generally:
Good comment. My additions:
More options
Context Copy link
That is one hell of an answer, thank you for typing all that!
More options
Context Copy link
I have heard reasonable explanations of the new passkey systems that the big tech companies are slowly trying to roll out. It's effectively replacing a symmetric password (client and server both know the password) with an asymmetric signature (my client can prove itself to the server without the server itself learning enough to do so itself). It doesn't solve the two-factor problem itself, but probably could change how user passwords are handled.
On the other hand, they are distinctly too complex to commit to memory, so they end up having to be stored in a physical device, which has its own issues. Also viable backups and account restoration have conflicting concerns with privacy: keeping a copy of your credentials on Big Tech servers is, for some, the antithesis of the goal.
Passkeys don't necessarily solve the two-factor bit, but if the device is bioautheticated as most phones are this is kind of/mostly a moot point. A more relevant trifecta when it comes to the point of passwords/authentication is 1) something you know, 2) something you have, and 3) something you are.
Passkeys are nice because they swap the (something you know which you can be tricked into giving + something you have which less-commonly via sim-swapping or the like the system can be tricked into thinking someone else has) for the equation of (something you are, which is really hard to fake + something you have, with similar weaknesses). Note that you can't really lose accidentally or give away "something you are", like biometrics, so as long as the authentication protocol is solid, the passkey approach patches a major weakness. And since some passkey protocols try to verify that the something you have is physically located next to the actual access point, it's also a stronger something you have, even if it's not necessarily exactly the same as 2FA.
At least that's my understanding. Haven't yet migrated, but am very close to doing so.
Of course still excellent points about the cloud-passkey paradigm, but since passwords are just so easy to make weak (even with fancy rules to attempt and make them more secure), it still seems like an order of magnitude security improvement.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
Funny story, some folks were robbing carrier stores in order to use SMS OTP.
The way it worked was that some dudes would come in and make a loud ruckus about smashing and stealing things, and while everyone was paying attention to that, someone would grab the admin tablet and run off with it to remap phone numbers.
Beautiful piece of criminal work tbqh -- why bother social engineering or anything else when you can just hire the lowest-skill-imaginable dudes to create a distraction and just take the tablet.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link