No no. He has five fingers. The problem is that he has five fingers plus a thumb, instead of five fingers including a thumb.

I prefer security keys. At work I use a yubikey, and I have Google’s security keys for my personal stuff. I tend to use totp as a backup.

For everything not banking, it’s great, I agree. I still prefer my security keys to everything. It’s hard to duplicate a digital key when it only exists on protected storage on a physical device, where that key never exists outside of that physical device.

In case anyone doesn’t know: FIDO works using a pair of asymmetric digital keys, the public key is sent to the remote site, and only the private key can decrypt anything encrypted by the public key. So a challenge (usually some mathematical calculation, not sure), is encrypted by the site/service that is handling the login, it sends over the encrypted request, which is passed, in it’s entirety to the fob. The fob requires a physical activation to process the challenge (usually a touch, but some require a fingerprint). The challenge is then decrypted, processed, the response is encrypted, and sent to the site for login, which decrypts the response with the public key, and compares the result to the result of the challenge that was sent.

There’s no part of this that can really be compromised. An eavesdropper can obtain the encrypted challenge (unable to be decrypted in any reasonable manner), and the response/public key… The public key isn’t useful, and the response is only valid for that specific login because there are aspects of the challenge that are unique per login.

All information in flight is unreadable nonsense. The only unique information to the key that is sent anywhere is the public key, which is supposed to be public.

Totp has the vulnerability of needing to relay the seed, usually by QR code. The only vulnerability there is when you set it up and the seed is shared to you, it can be intercepted. If that seed is stored anywhere that becomes compromised, then it becomes meaningless. It can be mined from an authenticator, or captured in flight.

Both of these are better than alternatives. Email/sms codes can be intercepted, either by an administrator or by an internet relay, or by sim duplication, etc. You know that already.

I don’t hate totp, I just recognize the faults in it.

There’s problems with physical security keys too, mainly in the fact that, if you lose the fob, you’re screwed. So it’s recommended to have a backup. Either in the form of a second fob, which is setup for all the same accounts which is stored securely, or in the form of another authentication method like totp.

Personally, I use a backup FIDO key for my accounts whenever possible. I also have a password manager that can store my totp so everything is in a single vault. If the vault is compromised then I’m screwed though… 90% of my accounts use a password reset email which is not stored in my vault. Only two things are not in my manager: that recovery email login (secured by my Fido key) and my bank (obviously also the vault login).

At work, I use the yubikey for everything that supports it, with totp as backup in my work’s duo authenticator account (duo is also setup to use my yubikey). So it’s all Fido/totp.

The only service I really want to use my security keys with that doesn’t support it, is my bank account… I suppose, also my government stuff, but almost all of that is informational. I can’t really make changes to my government stuff from their webpages. It’s generally just the government telling me things about my tax returns and whatnot (all SMS secured).

I hate the trend of companies requiring an app for 2FA… Something that’s not totp, but similar. You have a specific authenticator app for a single service on your phone only and it’s not great… Obvious examples include steam and Blizzard. Fuck that. I hate it. Go away. Give me normal MFA options… Dick.

I’ve ranted enough. Back to work for me.

Well, I have no arguments with what you’ve said. I think security keys/FIDO tokens should be more prevalent too. Otherwise this is 100% correct and I feel the exact same way.

Your story reminds me of something that my bank started doing. I got a robocall about something to do with my credit card, and the voice said to verify using x and y using my keypad, I think it was day/month/year of birth or something and I immediately noped out of the call. I hit all the wrong buttons until it got me to a person and I ripped them apart, and their supervisor for basically training their userbase to answer security questions given by an automatic voice on the other end of the line with no way to verify who is calling.

You can spoof your caller ID, you can get a text to speech robocall bot with DTMF recognition and just spam call a whole area where the bank operates and gather a bunch of personal information because it sounds just like the bank and there’s no way to prove who called.

What a crock of shit. It’s a security nightmare.

I did call my bank after at a known valid number, verified them as they verified me, and there was something going on, so the call was legit, and totally unacceptable.

These clowns want us to trust them completely, and give us no reason to do so, but they want us to bend over backwards to validate ourselves. Fuck that.

That was two hours ago. How did it go?

I agree with the idea of bodily autonomy. Above all, someone should have the right to do, or not do, whatever they want with their own person.

Whether that is to listen to doctors advice, buy pharmaceuticals and self-administer as prescribed, or even end your own life, and everything in between.

Quick disclaimer, suicide should still be evaluated by a psychiatric professional, and simply being suicidal shouldn’t necessarily mean that nobody can, or should stop you from committing that act. I’m mostly referring to medically assisted self termination, after the appropriate safeguards, checks, and balances have been cleared. Simply wanting to off yourself without being cleared as having sound mind should be something we, as a society, should address carefully, with the assistance of mental health professionals.

With all that being said: I probably would DIY some pharmaceuticals. Anything that’s an opiate or other restricted substance, definitely not. But if I can buy the ingredients without needing a special permit or license, I definitely would.

Something I’ve noticed with institutional education is that they’re not looking for the factually correct answer, they’re looking for the answer that matches whatever you were told in class. Those two things should not be different, but in my experience, they’re not always the same thing.

I have no idea if this is a factor here, but it’s something I’ve noticed. I have actually answered questions with a factually wrong answer, because that’s what was taught, just to get the marks.

What if this lifetime is also a dream.

Like inception.

I think we agree that capitalism is the problem.

The USA was founded on capitalist ideals. This is the system working as intended.

The price will be whatever the market will bear. Right now, they’re figuring out exactly what the market will bear. They’ll step back from the line just a little bit then slowly creep up over time to reclaim all the profits.

If you’re old enough to remember, this happened with fuel prices not super long ago. Prices were sent just north of ~ $3/gallon, and there was outrage. The prices dropped back to somewhat normal levels and everything resumed but the prices always kept trending higher and higher, now, we barely even flinch at $3/gal, and often, that’s considered a good price for fuel… At least, it is where I am.

The same people who were outraged by it now seek it out. This isn’t any different. They spiked prices, now sales are falling like a brick. They’ll bring it down to something “more reasonable” in the near future to recover sales, then over the next 5-10 years they slowly jack it back up to the current price and beyond and we will barely even notice.

My hot take is this:

Crypto currency, when in its infancy, had a halfway decent concept… now? It’s a shitshow.

Crypto bros tend to argue about the main currencies, Bitcoin, etherium, etc. Meanwhile, there’s about 1000 currencies that aren’t talked about for every currency with any weight behind it.

The main problem with CC’s is that it’s all hype and confidence based. There’s nothing tangible attached to it. I often equate it, for non-cryptocurrency people, to stocks trading. Often, stock is trading above what the actual value of the stock is. Most of the time in IPOs the price of the stock immediately jumps after the stock is released, then trends along some impression of how the company is doing. If there’s a loss in confidence in the company the value of the stock drops, etc. It’s pretty simple supply and demand beyond that. If investors have high confidence in the company to profit, demand for their stock will increase, and since supply is pretty much fixed (aside from shenanigans like stock splits and whatnot), price goes up. Same goes for the inverse, low confidence leads to low demand, price goes down.

It’s similar with so-called crypto. Confidence goes up but supply is fairly stagnant, so the price goes up. Same with the inverse.

The primary difference between the two as investments, is that stocks get repaid (depending on a few factors) if the company goes under. The stock represents a monetary value for assets owned by the company, both liquid and physical assets. Crypto, however, has no such backing. If Bitcoin goes away for some reason, all you’re left with is essentially digital trash.

This is mainly true for all of the talked about cryptocurrencies. The majority of currencies are not really following the same trends. After the initial golden era of CC’s, it became a breeding ground for pump and dump schemes. Since it’s entirely unregulated, borderline impossible to regulate, and AFAIK, no such regulation exists to govern it, there’s no law against pump and dump schemes in the CC world. So it became a huge problem. We see this a lot with NFTs. Touching on NFTs for a second: if you own an NFT, all you actually own is a receipt that is an attestation or receipt that you paid for whatever the NFT is. That’s it. The content behind the NFT, whether it’s artwork or whatever, isn’t locked. It’s actually the opposite of locked, it’s publically available on the blockchain, by design. The only thing you “own” is a tag in the blockchain that says you paid for it.

Pump and dump, for those unaware, is where you artificially inflate the value of something making it seem like a really good deal so everyone buys it, raising demand and prices, then the people who generated the hype dump their investment, cashing out when the value is high, and making off with the money while the value of the investment tanks.

This is very very frequently the case with NFTs. Since it’s unregulated and entirely confidence based, the creators of NFTs will say whatever they have to (aka lie), to increase the confidence in the NFT, then sell it, and let the value freefall afterwards. They’ve even gone to the point of buying their own NFTs with dummy accounts for top dollar to have records on the blockchain that people can look up, which say it was sold for x amount in whatever cryptocurrency, to inspire others to think they’re getting a bargain when they get it for some fraction of that initial transaction. The perpetrators then sell and disappear.

Several other crypto scams like this have also happened, mostly with NFTs but also with lesser known currencies. One that I heard of, required some token to exist to perform any transactions on the blockchain. When the perpetrators were done, they deleted the token, effectively locking the currency to never be traded again. Therefore those with the now digital trash of that crypto/NFC, couldn’t sell to anyone else and they were stuck with the digital garbage data that used to represent their investment.

“Big” currencies, especially older currencies, are fairly stable in terms of confidence, but they’re still volatile, and backed by nothing more than confidence. Any “new” CCs are a gamble to see whether they’re legit at all, or just a pump and dump. The number of currencies that start high, then drop to nil and never recover, is significant.

Here’s a controversial one, Elon Musk, for all of his flaws, isn’t an idiot. He pump and dumped Dogecoin, by tweeting about it to bolster it, then divesting when it surged from his influence. I think this was pretty obvious, but I think a lot of people missed it. IIRC, he did it twice. I’m speculating, since I don’t know which blockchain wallet is his, so I can’t verify, but, he likely picked up a crapton of Doge then did his tweet, dumped when it went high, waited for it to drop again, picked up a crapload more, tweeted again, and finally dumped at another high to earn even more. Since then, doge has not been doing superb. He inspired volatility in the currency and profited from the crypto bros getting excited about it.

The evidence is there and when you look past the confidence game, and look at the numbers, it tells a story that most people don’t want to see.