I imagine the low level form of each model being free indefinitely, possibly ad supported. It’s already probably becoming the most consistent “we’re pretty sure this is from a human” training data they have.


“Difficult to recover from” was referencing setting all of your accounts back up. I should have also included “lost” and “broken” to make that more obvious. Many hardware (most? all?) passkeys do not allow for backup and restore.
But I do see an issue with stolen hardware passkeys being used for access too if they’re a primary factor. With the mitigations you mentioned hopefully holding up.


They will almost certainly lead to vendor lock-in. Why do you think they won’t? Apple’s password manager is definitely an example of vendor lock-in. Many others have a simple to use export feature to CSV or something that others can understand.
Edit: it could be that you don’t know what the WebAuthn/FIDO2 specification says or we understand it differently? Do you know how the attestation mechanism works? That ties the key to a device or software authenticator (the software authenticator is likely going to tie it to the device somehow, possibly even via a TEE).


There is no full stop there… A password that is sufficiently long will never be cracked no matter the hashing algorithm in use. Passwords are easily transferable and can be communicated to a third party in the event of an emergency. They also provide tunable security, where you can trade off security for convenience if you want.
Some (not all, I know) passkeys are tied to a device. Stolen device means stolen passkey, and it’s potentially very difficult to recover from that. Passkeys are also locked to a certain standard, passwords have no such restrictions.
Tbh I don’t understand the move for passkeys replacing passwords. They should become the second factor when a user wants additional security. They’re perfect for that niche.


I once again cannot disagree more strongly. This is the BS that has been pushed by the mobile phone world. It couldn’t be more wrong. Well designed root access to your own device would dramatically increase its security for those who choose to use it.
Here are a few things you simply cannot do on a phone and would be considered terrible in any other context:
There is so much more. I can’t even imagine calling a device I had no root access to “secure” in a personal threat model. Business? Sure. Personal? God no. Not even close.
This is in addition to the privacy benefits.


Are you using those in the US? When I needed to get a new phone they still weren’t available here, but I’m hoping that has changed or changes by the time I need a new one again.


But “give up a bit on security” doesn’t preserve privacy; that’s the whole thing.
I gotta disagree with this. GrapheneOS has bought into the crappy smart phone threat model, but the most obvious way to preserve my privacy is to give me complete control over my device and let me tailor it as I see fit. This means root. GrapheneOS doesn’t allow root access and that’s horrible for privacy.
Sent from my GrapheneOS phone


https://en.wikipedia.org/wiki/86_(term) and Trump is the 47th president


Lol, ok, fair.
I guess I see a lot of wiggle room in the marketing speak of their page and I haven’t actually “looked into” Proton Mail’s claims in a loooong time. So I guess what I really wanted to say is that it’s interesting to me that people take that marketing at face value if they’re actually trying to maintain secrecy. I’ve always just taken it as a given that third party services aren’t particularly good at that, especially as they grow in complexity like Proton has. Signal has been easier for me to believe because of the singular focus and the reputation of the founder in the crypto community; although I guess he’s long gone.


It’s interesting what people expect of Proton Mail. I’ve used it for a long time but for only one reason really: their revenue stream is my subscription and not ads. I’ve never even given a second thought to all their encryption claims. Even with Proton Mail if I ever wanted to send a “secret” email I’d wrap the content in my own personal keys.
With respect to IP addresses of email logins, I’m surprised they ever claimed they don’t have logs. You’ve always been able to review the IP of a login through the web UI as far as I remember. Was the idea that that was also supposed to be encrypted?
Personally I’m OK with them complying with court orders, but I understand that “the definition of criminal is state defined” and that poses serious issues. It kinda seems like if you want to do something that could be considered criminal at some point in your life by your country you should consider something other than a 3rd party email provider for those messages. Signal would be a step up in that regard if you still wanted to use a third party.


We seem to have a very different view of the discussion of “open source” and “open source models” above. I don’t entirely see how you arrived there, but that’s OK. I don’t think I took it on a tangent at all. No biggie, I guess it’s just a forum.


Does that actually match with the discussion in your opinion? The discussion about building open source projects? Does the information I provided not help in understanding my response?
Are you being serious or just trying to be pedantic…?


I agree, but given the context of the discussion and the commonly accepted definition of Linux from Scratch, what else do you think they could have meant other than building a complete Linux based operating system from source?


The average person wouldn’t be building an open source LLM either. I don’t think I follow. I was just saying that your comparison wasn’t going to hit correctly at all due to how easy it actually is to build Linux and a full Linux distribution.


… Then why did you use it as an example?


It’s mad easy to build your own Linux from scratch in comparison to building an LLM. You can have your own distro running in like an hour. With buildroot you can have it in even less than that.


The difficulty of black box over white box is the reason obscurity has benefits…
only using my own code
You’re going to write your kernel and bootloader as well? Drivers for the hardware? And a compiler for those? And an assembler to build that bootstrap compiler? Build the CPU? The second any of these are “out of your control” you lose “absolute security”. The reason people say there is no “absolute security” is that it is not a useful concept to even consider. Since you have to approach it theoretically, you can easily end up stuck at the fact that every computation changes the state of the world and thus every computation can in some way be measured. It’s a useless endeavor even if it were theoretically possible because it leads you to absurd solutions against absurdly powerful attackers. You want security in a well defined threat model not some “absolute”.
Air gapping isn’t sufficient to prevent communication either. For example there are functional TCP stacks working over audio. Silence on the Wire is quite old at this point, but also explores esoteric exfiltration methods.


People like to think in black and white, but you’re definitely right. Having your SSH server on port 36271 will likely stop a ton of drive by attacks because they simply won’t check it. Having it only listen on IP6 would stop almost all of them because you can’t trawl the IP6 space efficiently. These are “obscurity”, but they have real benefits. The idea that “obscurity” doesn’t help is just a meme that people love to quote because it’s a great single sentence with some nice rhyming “security by obscurity”. I assume the reason it became a meme is because tons of products fully relied on obscurity; I still see it all the time. As you said, it’s all layers.


Yes, I’m not going to take some “survival of the fittest” nonsense approach to security: consumers need securely built devices and software. This is the first line of defense always: we need to make things secure and then have secure defaults according to whatever we decide “secure” means in the context of our widget or software. Then we need to provide “advanced” (or even just “ignorant but risk tolerant”) users with the ability to change the device or software to match their definition of “secure”.
The easiest example is secure boot. Your laptop likely has a key provided by your OEM and likely Microsoft’s key preinstalled. This is a valid “secure boot” path for the average user, provided your OEM and Microsoft don’t get compromised, which is APT territory. However, you are provided with the ability to use a different key if you know how to do that. You have thus opted in to protecting your own private key, but now you have more control over your device. This design is notably absent in phones, which is absolutely bananas and actually less secure in some threat models.
You could extend examples like this if you wanted. One could easily imagine a device that does soft brick itself after the EOL date to simply protect people that are ignorant of the potential risks, but also provides an advanced user with the ability to revive it in a “less secure” state. The less advanced user will then have to either learn something new or buy a new device.
I’m with you: the experiences people have with these tools are just dramatically different from mine. They are quite good. By no means even close to perfect, but they’re just so much faster than me at pulling up some random information that would be hard to find with an Internet search myself and very good at going from nothing to something that works with code. I don’t particularly enjoy using them because I find the whole industry abhorrent, but their usefulness isn’t in question to me.