lemmy.ml

MrEff , to technology in This was the first result on Google

Looking past the absolutely insane answer here, no one has even brought up the whole issue of AC vs DC. Batteries are DC, while your fridge that plugs into your wall runs on AC. I know they make DC ones, but it isn’t like they are interchangeable.

themeatbridge ,

Funny thing, most modern refrigerators use DC motors for their compressors so that they can run at variable speeds, so there’s likely an inverter that you could bypass if you know the appropriate voltage. The DC ones for RVs are the same internals, just without the inverter.

Silentiea ,

I mean it’s probably labeled, right? How hard could it be?

themeatbridge ,

Exactly. Find a hole that’s black and a hole that’s red, and stick some wires in there. How hard could it be?

Silentiea ,

(can’t answer, because she was fucking electrocuted)

nixcamic ,

Correction: they still use AC motors, but those motors don’t use line AC. It goes line AC > rectifier > DC > inverter board > variable frequency AC to run the compressor motor.

Most RV fridges just use DC motors, but there are some that use VFDs and AC motors.

KyuubiNoKitsune ,

Have we moved to BLDCs yet?

DreadPotato ,

> Funny thing, most modern refrigerators use DC motors for their compressors so that they can run at variable speeds

No they don’t…they use AC motors and a VFD to control the speed.

cantrips , (edited )

Shannon Martin says just shake the battery and you’ll get AC.

ironhydroxide ,

Just swap the leads back and forth very fast

tfw_no_toiletpaper ,

There are DC-AC converters you can use (might be called inverters in English idk), which are pretty interesting circuits. They are used all the time, e.g. to use solar energy

Scubus ,

Just run the rectifier in reverse, duh

ColeSloth ,

That part just takes an inverter.

I’m not sure of the max load output on a car battery, but with a 15 amp 1800 watt dc to ac inverter, you probably can run a fridge off one. It probably just won’t last all that long.

mp3 , to memes in Ahhh my eyes

Bring back standardised headlights, and a maximum height allowance on vehicles’ headlights so that they’re not right in a sedan’s driver’s rearview mirror when a pickup is tailgating.

velox_vulnus ,

Or better, reduce the number of cars, especially SUVs. Improve public transport infrastructure.

mp3 ,

That requires way too much effort and money from elected officials.

BeefPiano ,
WillFord27 ,

IT CAN BETWO-THINGS.

BeefPiano ,

keming is my passion

gamermanh ,

Or, best, both, because cars aren’t going to just stop existing

captainlezbian ,

Yeah but that won’t solve the problem, just reduce it. It’s annoying in cities and everything but in my experience the problem is worst in country roads with that one asshole in a pickup. Both a place and vehicle not easily lending itself to public transit options.

ExLisper ,

Can’t you just install a couple of headlights facing backwards (asslights?) for such occasions?

hakunawazo ,

That’s why we have a rear fog light.
Just joking, just drive slower until the asshole overtakes.

skulblaka ,

> maximum height allowance on vehicle’s headlights so that they’re not right in a sedan’s driver’s rearview mirror when a pickup is tailgating

That's actually already legally mandated at least in states that require state inspections. Headlight angle is supposed to be one of the things you have to check in order to pass inspection.

In practice, mostly nobody checks it and it doesn't matter. But it should.

VieuxQueb ,

Not just the angle tho, the height of the headlights themselves! Even if aligned properly, if the headlights are 5’ off the ground and my back window is 3.5’, when they tailgate it illuminates the inside of my car!

givesomefucks ,

I saw a graphic of how big the “blind spot” is in front of modern trucks and it was bigger than most giant construction equipment.

And that’s for an average height driver.

Most of the huge truck guys also happen to be well under the average height, so entire reasonable size cars disappear in front of them when they tailgate. They might see the roof, but they won’t see brake lights or taillights.

It’s flat out not safe for other people. Which is why we have people driving giant SUVs instead of minivans now. Which just makes it worse for everyone else.

shiveyarbles ,

I always adjust my rearview to shine the light right back at the driver.

BetaDoggo_ , to memes in F#€k $pez

Smaller communities aren’t necessarily a bad thing. Compared to reddit I rarely feel like I’m commenting into the void.

Damage ,

Or into the thunderdome where no matter what you say, someone will fight you for it

killeronthecorner ,

I disagree!

prettybunnys ,

No you don’t

DadVolante ,

Actually, he does, and you look really stupid right now for thinking otherwise.

Here’s a link I haven’t researched to prove it.

prettybunnys ,

That disagrees with my worldview and despite being definite proof I refuse to acknowledge it, stupid head

killeronthecorner ,

I choose to misrepresent your argument, attack it, and then declare myself the winner. I also refer to you as “slick” throughout and finish every sentence with :-)

hungryphrog ,

I disagree with your statement that claims that @killeronthecorner doesn’t disagree with @damage.

Bougie_Birdie ,

Them’s fightin’ words, pal!

Marrenia ,

Don’t you call me pal, buddy!

tilcica ,

I’m no buddy of yours bucko

jdeath ,

Don’t call me buddy, guy!

Spazmoe06 ,

I’m not your guy, friend!

hungryphrog ,

I’m not your friend, my enemy!

Dark_Dragon ,

I’m not your enemy, darling!

hungryphrog ,

I’m not your darling, my arch nemesis!

GardeningSadhu ,

Exactly, lemmy needs to grow but if it just continues to grow and grow eventually it will just turn into what reddit is now. I’m happy to have something small to be a part of for now… I don’t think you needed me to tell you this but they say commenting is good for lemmy, so here I am

icepuncher69 ,

I’ve seen that in reddit shadowbanning is rampant on new accounts, so maybe that has to do with something. Especially if you have been banned before.

ugh ,

What’s the easiest way to find communities across different instances? If I could figure that out, I would just forget about reddit.

Grimm ,
lemann , to mildlyinfuriating in The Spotify Car Thing cost $100, but I can't use it anymore.

That’s really disappointing, did Spotify seriously release a hardware device that expensive, and mandates a subscription to operate?

It’s a shame because it looks quite nice too, and is sadly guaranteed to be e-waste at some point

Hyperi0n ,

Are you kidding me? It’s been par for the course as far as car accessories go. Sirius radio was like 100 and still required a subscription. A lot of GPS were that price and most had subscriptions.

4am ,

Don’t know why you’re being downvoted - enshittification as a viable consumer business model was pretty much proven in the auto space.

Just like they want to charge you to use the heated seats you’re paying the gas to lug around anyway

grue ,

> Just like they want to charge you to use the heated seats you’re paying the gas to lug around anyway

That’s not the same thing at all. As bad as e.g. Sirius or GPS subscription might be, at least with those the subscription is for ongoing access to new data being transmitted to you. In contrast, a subscription purely for the use of hardware already included in the car is literally theft.

Hyperi0n ,

The hardware is free for subscribers to the service…

lemann ,

Just because it’s perceived as normal doesn’t mean it’s something we should put up with though.

With GPS subscriptions (the ones I’m aware of anyway) they will still navigate you from A to B when you stop paying the subscription, you usually just miss out on traffic updates, map updates and other localized enhancements. If there are any that deny you navigation outside the subscription that’s plain scummy IMO.

I’m not familiar with Sirius Radio but from what I can see online, it’s a satellite radio subscription service that seems to bring new things to the table (like starting a radio station at the beginning of a last song etc). The hardware appears to actually serve a purpose, i.e. it’s the satellite receiver for the radio service subscription. I believe we could compare this to buying a Starlink dish for internet access, and paying the monthly subscription. The spotify device shown here is not a standalone device and is only fitted with bluetooth IIRC, requiring a phone for operation.

In comparison to Spotify, Sirius does not appear to have ever had a free plan - whereas Spotify does… I see no reason why Spotify could not make their free plan usable on this device.

Edit: fix typo

Hyperi0n ,

The device is free to premium users. It’s a marketing device for the premium subscription.

The box clearly states that a premium subscription is required.

lemann ,

Assuming you’re referring to the Sirius radio, it makes the Spotify device an even worse proposition IMO

Edit: Clarify assumption

BabaYaga ,

Glad to see someone mention that the subscription being required for use is clearly conveyed. It’s not like this was some hidden information

airportline OP ,

I could still use it for playing music in other apps. Now I can’t.

SkyezOpen ,

digitalmusicnews.com/…/spotify-car-thing-root-ach…

You can root it. Didn’t look too much into it but you might be able to do something with that.

Also failing that, get a short range radio transmitter. They’re cheap and the audio ain’t great but you can plug your phone in and get audio on your car.

Bitrot ,

Car thing doesn’t handle the audio, they have to pair their phone to their stereo with Bluetooth or an aux cable anyway.

SkyezOpen ,

So people are paying 100 bucks for an interface? Neat.

Hyperi0n ,

It’s free for Spotify subscribers.

halcyoncmdr ,

How is that any different than just using the app on a phone in a mount then?

Bitrot ,

It adds a tactile scroll wheel.

GlitzyArmrest ,

Is that it? I’m sure you can find a replacement that doesn’t require a subscription if that’s all you cared about.

Bitrot ,

Yeah it’s a dumb gadget even at the $45 they eventually cut the price down to. It’s basically got an always shrinking market of people who don’t have CarPlay or Android Auto, and the niche who don’t want to use a phone holder, Siri/Google, and car mode in the app.

Hyperi0n ,

It was free for premium subscribers and was marketed to those who had older cars.

JenIsBringingTheDrugs ,
atocci ,

I think I got an Echo Auto for $25 (during the public tests). It doesn't need any kind of a subscription to use as far as I'm aware. It only does streaming still, but there are Alexa skills that let you stream from your Plex or Jellyfin server.

Hyperi0n ,

Yes, but the Echo platform is a tool to gather user data.

SCB ,

Man you are seriously going to hate the future lol

bdonvr ,

Those I don’t fault. Sirius has satellites to maintain and they don’t get ad revenue.

GPS makers, well making maps on that scale is very expensive. Not everyone can be google and give it away to end consumers by harvesting user data and selling ads to businessplaces.

Spotify though, fair enough to charge for the hardware but once bought should work with the ad-supported version of their product…

Hyperi0n ,

The hardware is free for subscribers…

If you buy it outright it tells you that you need a subscription.

FaeDrifter ,

I mean, it’s basically a cheap smartphone or computer tablet, with a lower resolution, but nice quality screen, and a giant volume spinner. $100 does not get you much at all in the phone and tablet space. I don’t think there’s much of any profit margin, if at all for it.

uis ,

Poor-poor multibillion company has to nickel and dime you to earn something to eat

Hazdaz ,

No way to hack the hardware and allow it to be used for something else?

lemann ,

I just saw another comment mentioning it can be rooted: lemmy.world/comment/2904183

CmdrShepard ,

I considered getting one of these a couple years ago and saw Spotify was discounting them heavily and even giving them away for free in some cases. I didn’t wind up getting one but do wish they would release a simple player + speaker like this for home use.

Ascyron , to programmerhumor in Happy birthday #29374

If I’m reading the GitHub history right, this PR was accepted at age 3 years and 1 day? Guess the cake worked!

fiqusonnick ,

3 years and 3 days, opened 11th January 2019, merged 14 January 2022

xusontha , to memes in Its go time!

The person who runs PipedLinkBot typing out all the links be like:

man using 3 computers

FoxFairline , to memes in Preferring X
venji10 ,

Why?

FoxFairline ,

Cause that guy is an alleged pedo. Probably better to not have him in a meme anymore when there are also way better alternatives.

Amir ,

Where did you see this?

Fades ,
Halosheep ,

Ah yes, guilty until proven otherwise. Just how it should be.

m0darn ,

Oh the injustice of people opting for a different meme template!

hardcoreufo ,

Well he’s also a huge asshole and that’s from many first hand accounts.

FoxFairline ,

We have all seen how that worked out with R. Kelly. There was a lot of evidence back then as well, but he had money and fame to keep it under wraps.

Just_Pizza_Crust ,

Large media figures should be held to a higher standard than the average person. Drake specifically should be held to a higher standard because literal children idolize and impersonate him.

OozingPositron ,

Alleged pedophile or alleged pederast/rapist?

QuaternionsRock ,

Because Drake is from Canada

KingThrillgore ,
TwanHE ,

Robbie should definitely take the top spot here.

nicetriangle , to fediverse in Lemmy's active users are up again for the first time since the exodus

Really has felt like the thrediverse has been quite active lately. During the exodus we had a lot of posting about... the exodus. But now we have a lot of posting about actual topics and what feels like a pretty healthy community building save for a few instances that will probably get defederated before too long.

whoisearth ,

Same, I find the engagement is rising. The threads here are more sincere. Sure it’s not as active when it comes to some things but that’s fine IMHO. Building an online community right takes time.

saltnotsugar ,

I also feel that people here are much nicer, and willing to engage with content. Even tiny communities usually make pretty great posts.

Fermion ,

I greatly appreciate the lack of reddit meta getting repeated ad nauseam. 69 and 420 references really stop being funny when repeated in so many threads.

chitak166 ,

I totally agree!

Rodeo ,

Don’t you mean “this!”?

chitak166 ,

Lol, exactly.

greencactus ,

Yes, absolutely.

And you know what?

I love it, just the feeling of actually engaging with people. Something I didn’t have on Reddit. I think it really opens my eyes on how much our attention gets commercialised.

half_built_pyramids ,

I’m so happy there’s no more posts about people trying to fix federation

morrowind OP ,

I mean it’s fine, improving federation is always welcome, it’s just dull when you go to the fediverse and all they talk about is… the fediverse

half_built_pyramids ,

Oh sorry, I wasn’t clear enough. I’m talking about the posts that have an authoritarian slant to them.

“There should only be one (memes or whatever) community across the fediverse. Someone… should deal with all these copies.”

Fedi doesn’t map exactly into their single server reddit experience. They want to re-create king spaz for some reason. It was kinda gross and I felt a few randos really showed their ass.

Toldry ,

What is “thrediverse”?

Candelestine , to memes in History go brrrr

Nobody should be ashamed of the history of their people. That encourages some to hide from it. Instead one should not shy away, but try to study and learn from the mistakes of their forebears, so their children might get a better world someday.

Shame for something you yourself have not done, though? Pointless.

MissJinx ,

I always think about this when I hear people talk about their ancestors or criticize other people’s ancestors. They were other people. Ppl get “proud” of their ancestors sitting in a fucking chair eating doritos. Go do something yourself

bingbong ,

Hey, my ancestors sat in a fucking chair and ate doritos while being proud of their ancestors. That’s a tradition I intend to keep

Tetsuo ,

Basically, the US obsessing about race but refusing to face its history with blanket word bans that are frowned upon no matter the context.

The US is clearly not facing their slavery past and instead avoiding the difficult and deeply disturbing vocabulary associated with it.

IMHO there is nothing wrong with the N word used in a history lesson. On the contrary, I think it’s especially important to show younger generations how evil some of our ancestors were.

And I say that as a French guy living in a city that was extremely important during the slave trade. We know what our ancestors did, we are not proud of it, we don’t feel responsible for it but we do make sure it’s not forgotten.

Candelestine ,

I think any view that tries to paint the whole US as obsessing over something is extremely incomplete. So extremely incomplete as to be basically pointless. It’s just a lot more complicated than that, with different groups thinking different things are important.

Tetsuo ,

I understand that criticism.

That being said, I really have never visited a country where race is mentioned as frequently as in the US.

In many European countries I have visited it just didn’t seem relevant.

Sometimes it’s not just a cliché or a prejudice against a nation, it’s just how it is.

I have no doubt at least that the peculiar history of the US has shaped the way racial discourse is prevalent or not in that society.

Would you agree that race is more commonly talked about in the US than in the rest of the world?

I think it’s pointless to ask on Lemmy for an accurate depiction of the importance of race in American society. You may say it’s too reductive but I think it’s a more productive conversation than your comment. I would much rather have someone politely argue and explain that I’m wrong rather than calling my comment “almost pointless” and basically presenting it as some outlandish and prejudiced caricature of the US.

The “your comment is too reductive and therefore is pointless” could probably be applied to every post in there. Just saying.

Candelestine ,

Unfortunately, it’s a complex topic that is sufficiently outside my specialization that I’m unwilling to really dive deeply into it. For instance, if I tried to say whether I personally thought race is more talked about in the US than in the rest of the world, that would just be one random guy’s (me) opinion. What would I be basing it off of, personal travels? That’s not good data.

The only even remotely honest answer I can give is “I don’t really know.”

I have to know what I’m talking about first, for there to be any kind of point.

GiveMemes ,

I think the anti immigration right wing rise across several European countries rn shows that they’ve just never had the dialogue that the US does about race from being such a melting pot, and as such have ignored racial issues and racism in their societies bc they haven’t had as terrible of a racist past as the US (Jim Crow laws, neoslavery, etc) that they have to confront. Now that the globalized world is causing more demographic change in Europe there’s a loooot more anti-immigration and racist rhetoric. That’s not a coincidence.

rbhfd ,

> bc they haven’t had as terrible of a racist past as the US

You do know the Holocaust happened in Europe right?

Other than that, I do agree with you. Europe is still very racist but we like to think we’re not. Just because it’s less talked about, doesn’t mean it’s not there.

DrPop ,

The problem with the US is we have the state too much individual rights when it comes to how we handle our citizens. There should be a federal curriculum standards, such as teaching about slavery. Same with voting, especially in federal elections.

m0darn ,

> IMHO there is nothing wrong with the N word used in a history lesson.

Have you spoken to any [other] people that have been subjected to anti-black bigotry directly about how its inclusion would affect them in a lesson?

I am a white man that had a similar view to you. About 10 years ago I had a conversation with a black classmate about appropriate use of that word. It was my position that it’s too bad we continually empower the word by avoiding it even in dry intellectual contexts and we shouldn’t censor it when reading quotations.

She said:

> I know you’re not being racist but it still makes me super uncomfortable to hear you say it.

I made the decision not to say it ever again. Obviously my classmate can’t speak for all black people, every person has different experiences, and reactions will be along a continuum. There might be situations where the educational value of using that word explicitly, outweighs the discomfort it causes. But I think it’s pretty inappropriate for me to ‘whitesplain’ prejudice (and the language of prejudice, and the power… of the language of prejudice)

Teachers have to ask themselves: How much will its explicit use enhance the lesson? How many students are we willing to risk alienating? How much time would we like to spend defending our decision to use the word explicitly? How much of that will be class time?

Even with a lengthy preamble setting the perfect context to use it explicitly with minimal potential for alienating students there’s a significant chance we’ll fuck it up and spend the rest of the class reteaching the class why we think they are wrong to be offended.

Some of them will be disingenuous, some of them will be sincerely offended white soyboys not too dissimilar to me, some of them will be legitimately alienated racialized minorities.

We’d also be implicitly asking the non offended racialized minorities to stick up for us. Their well meaning friends will ask them to weigh in on the subject (and speak for all blacks). It’s not fair to them.

In a context where class time is limited, I have to think that students are best served with more lesson time and less meta-discussion. So I don’t think it’s a good idea to use the word explicitly in educational contexts, unless maybe there’s some sort of vetting of students for the course.

rwhitisissle ,

> The US is clearly not facing their slavery past and instead avoiding the difficult and deeply disturbing vocabulary associated with it.

Certain individuals and organizations are doing this, sure, but then you have the monumental amount of academic research in the humanities into slavery, you have publicly and privately owned historical sites and museums that explicitly teach about the history of slavery in the United States, and you have a non-trivial amount of media depicting the horrors of slavery. It’s not a monolithic cultural rejection in the same way that a nation like Japan has attempted to totally erase any record of its wrongdoings in the first half of the twentieth century.

MonkderZweite ,

Experience shows, that the general population – and people in power especially – are inherently bad at learning from history or even their own mistakes.

Candelestine ,

Psychopathy can sometimes be a positive asset in politics. This dramatically slows down how quickly we can move anything forward on the larger scales. You just can’t make everyone have the same values, that would destroy the very innovativeness and adaptability that we prize so much.

For instance, had the Israeli PM working on the peace deal never been assassinated and replaced by Netanyahu, our world might look very different today. That one bullet, fired by a psychopath, killed someone who did study history and replaced them with someone who did not.

andyburke , to linux_gaming in Riot official response about League of Legends on Linux for Vanguard anti cheat

Stop stealing our CPU cycles for high risk rootkits and start mitigating and detecting cheating on the server.

It's that easy.

I stopped playing games that want this bullshit. Don't need that shit in my life.

gmtom ,

> It’s that easy.

I’m guessing you’re not a programmer yourself? Because it’s really really not that easy to /just/ detect in the server side, hacks can be super sophisticated these days and there are often many client side exploits that you simply cannot detect serverside.

andyburke ,

Actually, I am.

Using rootkit anti-cheat is a shortcut that reduces cost for both dev time and hosting time at the expense of your customers' security and CPU. You also have to lay your cards on the table for those who are attacking you. It is not the right solution for this problem.

Authoritative servers.
Never trust the client, especially with information the player shouldn't have right now.
Look at behaviors and group players based on if you think they cheat or not - let the cheaters play together, no need to spoil their fun and let them realize you know they cheat.

People do some or all of this on the server now, but root kitting all machines to try to solve this problem to play video games is one of the dumbest approaches ever and we will realize it one day when a state level actor pops their zero day against a big install base.

folkrav ,

This. Having worked on some in-house anti-cheat solutions myself, it absolutely is just offsetting the processing and security cost to the players. The attack vector of having such a rootkit running on so many devices is just not even close to being worth the trade off of catching marginally (if really measurably at all?) more cheaters.

Dark_Arc , (edited )

> Never trust the client, especially with information the player shouldn’t have right now.

This is a big part of the problem, but it’s not the only problem. If you do all of that stuff right, you can’t build a responsive first person shooter. There’s some level of trust you need to put in the client.

Disclaimer: This is based on my experience playing shooters and as a programmer. I have not worked on anticheat systems hands on.

We see less and less of the “god mode” hacks where players can send the packet for a carpet bomb and the server just blindly trusts it. Or the ludicrous spinbots that spin at an extreme speed and headshot anyone that comes into line of sight.

What we’re seeing is increasingly sophisticated cheats that provide “buffs” to a player’s ability. An AI enhanced aimbot that when you click gently nudges your hand to “auto correct” the shot and then clicks is borderline impossible to detect server side. It looks just like a player moved the mouse and fired.

The “best” method to prevent these folks from cheating seems to be to detect the system or the game has been tampered with.

Maybe the way to deal with that is to just let it happen and deal with smurfs down ranking… So these “soft” cheaters just exist in the “pro tier” where the pros can possibly stand a chance.

One strategy I have seen that I wish more developers would do is sending “honeypot” information to the game client (like a player on the other side of the wall that isn’t really there but an aimbot or a wall hack might incorrectly expose).

Maybe the increasing presence of hardware cheats will result in new strategies that make these things unnecessary. I keep wondering if a TPM could be used to solve this problem someday… But I’m not sure exactly how/we may need faster TPMs.

andyburke ,

You don't necessarily need to detect the cheat itself, you can look at things like players having suddenly higher kill rates and put them into a queue for observation by either more advanced (more expensive) automation to look for cheating or eventually involve a human in the loop.

Even on consoles after a while it becomes obvious that you cannot control the hardware, let alone the software on the client side. Those are the very best argument for this kind of approach and they get cracked eventually.

Dark_Arc ,

> You don’t necessarily need to detect the cheat itself, you can look at things like players having suddenly higher kill rates and put them into a queue for observation by either more advanced (more expensive) automation to look for cheating or eventually involve a human in the loop.

That’s true, if the player suddenly has higher kill rates. However, that doesn’t work if they’ve been using the cheat from the start on that account. A sufficiently advanced AI powered aim bot would also be nearly indistinguishable from a professional player. Kind of similar to how Google created the CAPTCHA that uses mouse movement … but had to go back to (at least in some cases) the additional old school captcha.
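
A minimal version of the server-side triage andyburke describes, extended with a population check for the case Dark_Arc raises (an account that is an outlier from its first match). This is an added example, not code from the thread or from any game; the `MatchResult` schema, the thresholds and the sample data are constructed assumptions.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// MatchResult is one finished match as the server recorded it (constructed schema).
type MatchResult struct {
	Player        string
	Kills, Deaths int
}

// Flag is a review-queue entry: a reason to look closer, not a verdict.
type Flag struct {
	Player, Reason string
	Score          float64
}

func meanStd(xs []float64) (m, sd float64) {
	for _, x := range xs {
		m += x
	}
	m /= float64(len(xs))
	for _, x := range xs {
		sd += (x - m) * (x - m)
	}
	return m, math.Sqrt(sd / float64(len(xs)))
}

func median(xs []float64) float64 {
	c := append([]float64(nil), xs...)
	sort.Float64s(c)
	if n := len(c); n%2 == 0 {
		return (c[n/2-1] + c[n/2]) / 2
	}
	return c[len(c)/2]
}

// ReviewQueue uses server-side results only. Check 1 compares a player's last
// recentN matches with their own earlier baseline. Check 2 compares career K/D
// with the population (median/MAD), for accounts with no clean baseline.
func ReviewQueue(history []MatchResult, recentN int, selfZ, popZ float64) []Flag {
	perPlayer := map[string][]float64{}
	for _, m := range history {
		kd := float64(m.Kills) / math.Max(1, float64(m.Deaths))
		perPlayer[m.Player] = append(perPlayer[m.Player], kd)
	}
	if len(perPlayer) == 0 {
		return nil
	}
	var names []string
	var careers, devs []float64
	for name, ks := range perPlayer {
		m, _ := meanStd(ks)
		names, careers = append(names, name), append(careers, m)
	}
	sort.Strings(names) // deterministic queue order
	med := median(careers)
	for _, c := range careers {
		devs = append(devs, math.Abs(c-med))
	}
	popScale := math.Max(1.4826*median(devs), 0.1) // floor: tiny spreads must not inflate scores
	var queue []Flag
	for _, name := range names {
		ks := perPlayer[name]
		if len(ks) >= 2*recentN {
			baseMean, baseStd := meanStd(ks[:len(ks)-recentN])
			recentMean, _ := meanStd(ks[len(ks)-recentN:])
			if z := (recentMean - baseMean) / math.Max(baseStd, 0.25); z >= selfZ {
				queue = append(queue, Flag{name, "sudden jump over own baseline", z})
				continue
			}
		}
		career, _ := meanStd(ks)
		if z := (career - med) / popScale; z >= popZ {
			queue = append(queue, Flag{name, "career K/D far above population", z})
		}
	}
	return queue
}

// sampleHistory is constructed data: three steady players, "bob" whose K/D
// jumps in his last three matches, and "erin" who is high from match one.
func sampleHistory() (h []MatchResult) {
	rows := []struct{ p string; k, d, n int }{
		{"alice", 10, 10, 8}, {"carol", 9, 10, 8}, {"dave", 11, 10, 8}, {"erin", 30, 5, 8},
		{"bob", 12, 10, 5}, {"bob", 30, 6, 1}, {"bob", 28, 6, 1}, {"bob", 33, 6, 1},
	}
	for _, r := range rows {
		for i := 0; i < r.n; i++ {
			h = append(h, MatchResult{r.p, r.k, r.d})
		}
	}
	return h
}

func main() { fmt.Printf("%+v\n", ReviewQueue(sampleHistory(), 3, 3.0, 3.5)) }
```

Both flagged accounts land in the same queue; the statistics cannot tell a cheat from a very strong player, which is why the output feeds closer observation rather than a ban.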

andyburke ,

I think by the end of your message you were starting to arc around a little bit to the right way you need to think about clients: as outside your security envelope. (TPM is a joke in my mind, just like client side anti-cheat.)

There are many ways to try to identify and stop cheating on the server side that have not been explored because executives have directed use of off-the-shelf anti-cheat because they do not understand why it is snake oil.

Dark_Arc ,

> TPM is a joke in my mind

I thought this at first as well, but they have an interesting property.

They have a manufacturer signed private key. If you get the public key from the manufacturer of the TPM, you can actually verify that the TPM as it was designed by the manufacturer performed the work.

That’s a really interesting property because for the first time there’s a way to verify what hardware is doing over the network via cryptography.

andyburke ,

Or, if I can extract that key from the hardware, I can pretend to be that hardware whenever I want, right?

Dark_Arc ,

Hmmm… I was going to say no because it’s asymmetric crypto, but you’re right if you are somehow able to extract the signed private key, you can still lie… Good point
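
The exchange above, modelled as an added example (not code from the thread or from any TPM vendor): a server verifies a manufacturer-endorsed device key and a signed challenge, and the last scenario shows why the check proves possession of the key rather than presence of the hardware. This is a simplified model, not the TPM 2.0 protocol; Ed25519 from Go's standard library stands in for the chip's key, and `Device`, `Quote`, `Provision`, `Verify` and the measurement strings are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device models a security chip: a key pair plus the manufacturer's signature
// over the public key (a stand-in for an endorsement certificate).
type Device struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	Cert []byte
}

// Quote is what the device returns for one server challenge.
type Quote struct {
	Pub         ed25519.PublicKey
	Cert        []byte
	Measurement string // what the device claims is running
	Sig         []byte // device signature over nonce || measurement
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func newNonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Provision is the factory step: generate the device key, sign its public half.
func Provision(mfrPriv ed25519.PrivateKey) Device {
	pub, priv := mustKey()
	return Device{Pub: pub, priv: priv, Cert: ed25519.Sign(mfrPriv, pub)}
}

func quoteMsg(nonce []byte, measurement string) []byte {
	return append(append([]byte{}, nonce...), measurement...)
}

// Attest signs the server's nonce together with the claimed measurement.
func (d Device) Attest(nonce []byte, measurement string) Quote {
	return Quote{d.Pub, d.Cert, measurement, ed25519.Sign(d.priv, quoteMsg(nonce, measurement))}
}

// Verify is the server side: the key must be endorsed by the manufacturer, the
// quote must be signed by that key over this nonce, and the claim must match.
func Verify(mfrPub ed25519.PublicKey, nonce []byte, want string, q Quote) error {
	if len(q.Pub) != ed25519.PublicKeySize || !ed25519.Verify(mfrPub, q.Pub, q.Cert) {
		return errors.New("device key not endorsed by manufacturer")
	}
	if !ed25519.Verify(q.Pub, quoteMsg(nonce, q.Measurement), q.Sig) {
		return errors.New("quote signature invalid for this nonce")
	}
	if q.Measurement != want {
		return errors.New("unexpected measurement")
	}
	return nil
}

// Scenarios runs five challenges and reports whether the server accepted each.
func Scenarios() map[string]bool {
	mfrPub, mfrPriv := mustKey()
	_, otherPriv := mustKey()     // a signing key the manufacturer never issued
	const want = "client-build-1" // constructed measurement value
	chip := Provision(mfrPriv)
	n1, n2 := newNonce(), newNonce()
	ok := func(nonce []byte, q Quote) bool { return Verify(mfrPub, nonce, want, q) == nil }

	// The same key material held by software outside the chip. Nothing in the
	// protocol distinguishes it, so the server accepts whatever it claims.
	copyOfKey := Device{Pub: chip.Pub, priv: chip.priv, Cert: chip.Cert}
	return map[string]bool{
		"genuine chip":         ok(n1, chip.Attest(n1, want)),
		"unendorsed key":       ok(n1, Provision(otherPriv).Attest(n1, want)),
		"replayed old quote":   ok(n2, chip.Attest(n1, want)),
		"chip reports changes": ok(n1, chip.Attest(n1, "modified-build")),
		"key held off-chip":    ok(n1, copyOfKey.Attest(n1, want)),
	}
}

func main() { fmt.Println(Scenarios()) }
```

The scheme's strength therefore rests entirely on the private key never leaving the chip; a server relying on it should also be able to revoke individual endorsed keys.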

yggstyle ,

Got some bad news. They already can do that. It’s a very low effort attack too. Current TPM spits its key out in clear text. Funny right?

okamiueru ,

But… have you considered having control of ring 0 software that runs on hundreds of millions of computers, that can perform targeted updates to change behaviour on just a select few computers, even interact with the network adapters unbeknownst to the OS.

I’m not talking about zero days popping up for this. But rather, this being part of the design?

A less nefarious application: The root kit anti cheats already continuously monitor processes. Say it finds a crypto mining one. It can request the instructions needed to search for a wallet and snatch that off.

A more nefarious one: RK is known to be in the device owned by the kid of a military contractor. Etc.


Trusting the client is a fool’s errand. So we are in complete agreement. I never understood why the effort isn’t placed on server side. People are very good at knowing when others have cheated. They know this from information that exists on the server side, so with the correct classifier, the server should also be able to know this.

Barbarian ,

It’s not easy, but it’s really not worth the massive gaping security vulnerability you are giving your users. One disgruntled employee giving out the keys to the castle or one programmer plugging in an infected USB, and every user now has a persistent malicious rootkit. The only way to fix an issue that deep after it gets exploited is to literally throw away your hard drive.

JimboDHimbo , (edited )

The only way to fix an issue that deep after it gets exploited is to literally throw away your hard drive.

This can’t be right.

Don’t throw your hard drive in the trash. Quarantine the infected computer, and then wipe that hoe and slap your choice of OS back on it and scan/monitor to see if any issues arise.

Edit: since folks may or may not read though the rest of the conversation: I am wrong, throw that SSD/HDD in the garbage like barbarian said.

Barbarian ,

I’m sorry to disappoint, but with rootkits, that is very real. With that level of permissions, it can rewrite HDD/SSD drivers to install malware on boot.

There’s even malware that can rewrite BIOS/UEFI, in which case the whole motherboard has to go in the bin. That’s much less likely due to the complexity though, but it does exist.

JimboDHimbo ,

Not all rootkits are made to do that. So yes, in some cases, throw it in the trash. In others, remediate your machine and move on.

Barbarian ,

Outside of monitoring individual packets outside of your computer (as in, man in the middle yourself with a spare computer and hoping the malware phones home right when you’re looking) there’s no way of knowing.

Once ring 0 is compromised, nothing your computer says can be trusted. A compromised OS can lie to anti-malware scanners, hide things from the installed software list and process manager, and just generally not show you what it doesn’t want to show you. “Just remediate” does not work with rootkits.

JimboDHimbo ,

Dude… That’s fucked. They should really go a little more in depth on rootkits in the CompTIA A+ study material. I mean, I get that it’s supposed to be a foundational overview of most IT concepts, but it would have helped me not look dumb.

Barbarian ,

Please don’t walk away from this feeling dumb. Most IT professionals aren’t aware of the scale of the issue outside of sysadmin and cybersecurity. I’ve met programmers who shrug at the most egregious vulnerabilities, and vendors who want us to put dangerous stuff on our servers. Security just isn’t taken as seriously as it should be.

Unrelated, but I wish you the best of luck with your studies!

JimboDHimbo , (edited )

Good morning! If anything this was a great example of not being able to know everything when it comes to IT and especially cybersecurity. Thank you for your well wishes! I earned my A+ last month and I’m currently working on a Google cybersec certificate, since it’ll give me 30% off on the sec+ exam price. I really appreciate your insight on rootkits and it’s definitely going in my notes!

Barbarian , (edited )

Glad to hear it!

Just as another thing to add to your notes, in ordinary circumstances, it’s practically impossible for non-government actors to get rootkits on modern machines with the latest security patches (EDIT: I’m talking remotely. Physical access is a whole other thing). To work your way up from ring 3 (untrusted programs) all the way to ring 0 (kernel), you’d need to chain together multiple zero day vulnerabilities which take incredibly talented cybersec researchers years to discover, keep hidden and then exploit. And all that is basically one-use, because those vulnerabilities will be patched afterwards.

This is why anti-cheat rootkits are so dangerous. If you can exploit the anti-cheat software, you can skip all that incredibly difficult work and go straight to ring 0.

EDIT: Oh, and as an added note, generally speaking if you have physical access to the machine, you own the machine. There is no defence possible against somebody physically being able to plug a USB stick in and boot from whatever OS they want and bypass any defences they want.

JimboDHimbo ,

Hell yes I’m adding this to my notes as well, thank you!

yggstyle ,

Cheers to the note as to why the anti-cheat is basically satan in software form. This is the real reason that Riot isn’t open to community discussion on this topic. It’s indefensible… and if the userbase understood more they wouldn’t have any users left.

mitchty ,

It’s the same reason stuff like antivirus is a huge vector for attack. It runs at elevated permissions generally and scans untrusted inputs by default. So it makes for a great target to pivot into a system. These anti cheat kernel modules are no different in their attack profile. And if anything, them being there is a good reason to target them: you have a user that has a higher-end GPU, so the hardware is a known quantity to be targeted.

Nibodhika ,

I’m a programmer, yes it is. It’s not easy in the sense of easy to implement, it’s easy in the sense that everything else is impossible. Client-side anti-cheat is impossible, and by that I don’t mean hard, I mean perpetual-motion level of impossibility. If someone tells you they implemented a foolproof client-side anti-cheat you should be just as skeptical as if someone tells you they created a perpetual motion. It’s impossible, never going to happen, want an example? Robot using a camera to watch the screen and directly moving the mouse and keyboard, completely undetectable from the client side.

From the server perspective the person is cheating or is behaving like a human. If they’re behaving like a human their behavior is completely indistinguishable from a human, so who cares if they’re cheating? Whatever they’re doing has them still at human level so if the game has skill based matchmaking (which most of these games do) he’ll rise up until his cheating puts him in the same level of more skilled humans and everyone has fun. If he keeps rising forever he’s not on a human level, therefore a cheater. More importantly this also penalizes people who buy bot leveled accounts, because their matches will be all against people they can’t hope to win and the game will not be fun.

Server side can also trick clients into giving up that they’re cheating, e.g. sending ghosts behind walls to check for wall hacks or other similar things to gauge player responses.

But what do I know? I’m just a senior programmer who’s been working on servers for some years. I never worked on the client side anti-cheat though, also never tried to build a perpetual motion machine.
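One way to score the server-side decoy idea from the comment above, as an added Go example that is not part of the post or of any game's actual anti-cheat. The event format, the 3-degree tracking threshold, the 5% honest base rate, the significance level and the sample players are all constructed assumptions.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// DecoyEvent is one server-side log record (constructed format): the server
// sent the client a decoy that was fully occluded for this player, then
// recorded the smallest crosshair-to-decoy angle over the next second.
type DecoyEvent struct {
	Player      string
	MinAngleDeg float64
}

// Tunables. All four values are assumptions for this example; a real service
// would estimate baseRate from players it already trusts.
const (
	trackAngleDeg = 3.0  // at or below this angle counts as tracking the decoy
	baseRate      = 0.05 // chance an honest player sweeps across an unseen decoy
	alpha         = 1e-4 // flag only if honest play explains it this rarely
	minEvents     = 10   // never judge on a handful of observations
)

type Verdict struct {
	Player  string
	Events  int
	Tracked int
	PValue  float64 // P(at least Tracked hits in Events trials | honest)
	Flagged bool
}

// logChoose returns ln C(n, k) via the log-gamma function, so large n is safe.
func logChoose(n, k int) float64 {
	a, _ := math.Lgamma(float64(n + 1))
	b, _ := math.Lgamma(float64(k + 1))
	c, _ := math.Lgamma(float64(n - k + 1))
	return a - b - c
}

// binomTail returns P(X >= k) for X ~ Binomial(n, p).
func binomTail(n, k int, p float64) float64 {
	if k <= 0 {
		return 1
	}
	sum := 0.0
	for i := k; i <= n; i++ {
		sum += math.Exp(logChoose(n, i) + float64(i)*math.Log(p) + float64(n-i)*math.Log(1-p))
	}
	return math.Min(sum, 1)
}

// scorePlayers aggregates decoy events per player and applies a one-sided
// binomial test against the honest base rate. Results are sorted by name.
func scorePlayers(events []DecoyEvent) []Verdict {
	total, hits := map[string]int{}, map[string]int{}
	for _, e := range events {
		total[e.Player]++
		if e.MinAngleDeg <= trackAngleDeg {
			hits[e.Player]++
		}
	}
	out := make([]Verdict, 0, len(total))
	for p, n := range total {
		pv := binomTail(n, hits[p], baseRate)
		out = append(out, Verdict{Player: p, Events: n, Tracked: hits[p], PValue: pv,
			Flagged: n >= minEvents && pv < alpha})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Player < out[j].Player })
	return out
}

// sampleEvents builds constructed telemetry for three players.
func sampleEvents() []DecoyEvent {
	var ev []DecoyEvent
	for i := 0; i < 20; i++ {
		honest, cheat := 40.0+float64(i), 25.0
		if i == 7 {
			honest = 1.5 // one accidental sweep across a decoy
		}
		if i < 14 {
			cheat = 0.8 // repeatedly tracks something it should not see
		}
		ev = append(ev, DecoyEvent{"alice", honest}, DecoyEvent{"mallory", cheat})
	}
	for i := 0; i < 3; i++ {
		ev = append(ev, DecoyEvent{"newbie", 2.0}) // suspicious, but only 3 samples
	}
	return ev
}

func main() {
	for _, v := range scorePlayers(sampleEvents()) {
		fmt.Printf("%-8s %2d/%2d tracked  p=%.3g  flagged=%v\n", v.Player, v.Tracked, v.Events, v.PValue, v.Flagged)
	}
}
```

The minimum-sample rule keeps a new player with three lucky sweeps from being flagged, which is the false-positive case a per-event rule would hit.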

youngGoku ,

Could they harden their clients somehow or maybe randomize memory locations for things? Seems like there should be a better solution than installing malware to prevent cheating.

yggstyle ,

You’re asking good questions but factor this in: a development team at a game company will only want to spend as little time as possible on this process: it doesn’t make them more money - it costs it. Conversely a hacker / cheater is being paid (or gaining) directly from breaking this code. Which is more motivated? Now remember that the protection has to be in place first. Who has the advantage? Client side code will always be breakable. A rootkit doesn’t change the game - it just adds a new vector to attack for other hackers to exploit.

pulaskiwasright ,

It’s not easy. And League is free. So banning people won’t work well either. They can’t ban IP addresses either without banning college campuses, some apartment buildings, and Internet cafes.

yggstyle ,

There are solutions to this problem but they don’t want to permanently ban them. A ban = a new registration… maybe even two. Bonus! You get to pad your ban numbers and user registration numbers at the same time!

Passerby6497 ,

But that wastes their clock cycles to make sure you’re not cheating. So much easier to make everyone’s experience worse so they don’t have to upgrade and build out more servers.

Technus ,

I’ve long believed that the main point of client-side anti-cheat is to serve as security theater.

If the player sees “PROTECTED BY ACME ANTI-CHEAT” on the boot screen of a game, they’re less likely to cry wolf when they get their ass kicked. At least, until they see a blatant example of hacking and lose all faith in the ability of the platform to protect them from it; from that point on, everyone better than them must be cheating from their perspective (speaking from firsthand experience here).

Given how infamously toxic and high-strung the LoL community is, I can only imagine that Riot’s basically at the end of their rope here. If you read the original forum post, they sure make this sound like a Hail Mary. “Sorry, it’s just what we have to do to make sure the game is fair.”

Hilariously, they even undercut their own points in the FAQ:

Q: If Vanguard is so good, why do I still see cheats on VALORANT?

For starters, we do not action every cheat or account instantly. Every ban is like broadcasting a signal to the developer that their cheat has been detected and that they need to “update” it. In order to slow the progression of our “cheat arms race,” we delay bans based on the sophistication and visibility of the cheat and cheater, respectively.

But also, cheaters gonna cheat. [Emphasis mine.] We’ve really driven our preventative layer as far as we can feasibly go without colliding with existing setups and hurting legitimate players. [Linux players aren’t legitimate I guess?]

Also, they’re apparently not bothering enabling Vanguard on OS X because apparently few people have actually developed cheats on it yet. Really tells you what’s the more developer friendly platform, Linux or OS X, doesn’t it? Or maybe the OS X market share is too small to care.

They do also mention using machine learning to detect cheating server-side but lament that it’s not always enough information, and that cheat developers have added “humanization” elements that play more like humans.

My thought is… if a cheat doesn’t make someone obviously better than a human player of a certain skill level, then what does it really matter? Congratulations, you made a bot that’s indistinguishable from a human, thanks for padding our player numbers.

The real problem is that botters don’t pay for microtransactions. And players who buy bot-leveled accounts probably don’t spend a ton either. Why would they? They got everything unlocked for them, they didn’t have to grind for it. That’s all Riot really gives a shit about.

merthyr1831 ,

In practice, client side anti cheat is essentially DOA because hardware cheats that analyse the player’s screen on a 2nd computer and proxy inputs to your mouse USB have made it so cheat clients are never actually executing code on the host machine.

At that point, even players can’t tell someone is cheating because the cheats aren’t modifying the game state in a noticeable way - they’re still weak to effects that obscure your vision and have inputs that are difficult to differentiate from a “real” player.

IMO cheating is a social problem and one that is totally impossible to beat with rootkits by design.

yggstyle ,

This. Server side anticheat is the only correct detection method. And it’s only part of the solution. Pure automation is pure garbage.

helpImTrappedOnline , to memes in Planes :)

what did I just read? That woman needs to dump that boy. That boy needs reeducation on basic cleaning.

This gives the same vibes as “I don’t wash my privates because it’s gay”.

LinkOpensChest_wav ,

Don’t worry, it’s r/relationship_advice, so it’s entirely made up

helpImTrappedOnline ,

Oh I know, I spent much too long trying to sneak a plane pun in there…but never had any good ideas take off.

kautau ,

Let your dreams take flight and you’ll land a good pun eventually

jaybone ,

Yeah this is unfunny troll.

rustyfish ,

“I don’t wash my privates because it’s gay“.

Well, it’s literally balls touching so…

MashedTech ,

True, my balls touch each other… I must be gay…

lurch ,

Well it is a bit gay if you’re an army sergeant and your privates have the same gender as you.

Cysioland ,

It stops being gay when you’re in the Navy

Pinklink ,

This happened to me irl. My cousin said he doesn’t wash his asshole in the shower cus of this. Ignoring the glaring bs, me and my other cousin just told him “wash yah ayse”

LemmyKnowsBest ,

what did I just read? That woman needs to dump that boy. That boy needs reeducation on basic cleaning.

This gives the same vibes as “I don’t wash my privates because it’s gay”.

Ok but why didn’t you mention those sweet airplanes?

helpImTrappedOnline ,

Why did you quote the entire comment?

Also I thought about mentioning the airplanes, but couldn’t think of any good puns to fit in. Looking at the other comments, they’re better at it than me, go read those instead.

LemmyKnowsBest ,

I quoted the entire comment because sometimes the context of responses get lost the further down the comment chain they are.

brb ,

It just adds clutter to the chain

LemmyKnowsBest ,

Sry 😔

MashedTech ,

Yeah, touching your cock is gay. When I pee, I just fling my dick around with the gyration from my hips so I don’t touch my dick, otherwise my roommate will come over me in the bathroom and start screaming “GAYYYYYYYY”. I can not stand the shame I will feel, the looks from neighbors. My peers will look me in the eyes I will see it in their eyes, their disapproval. Rainbows will rain from the sky and the ground will cry blood because I am gay. That’s why I will never ever ever touch my dick, worst case is the shower, I use chopsticks when I need to clean it. When I walk, I walk with my hands behind my back so I can keep a safe distance from my dick and have an object between them.

lorty ,

Still not as bad as the guy that didn’t clean his ass and his gaming chair smelled so bad his girlfriend was begging him to clean it.

Raxiel ,

Or dads who refuse to change infants in their care because “peedo”

helpImTrappedOnline ,

By that logic, mommy shouldn’t change the kids either.

Rooki , to fediverse in Second largest Lemmy instance preemptively un-friends Facebook

It would be even greater if lemmy.world does it ;)

0x4E4F ,

Make a poll, let the admins realize that their users don’t want to federate with Meta.

alp ,

We did yesterday, right?

acunasdaddy ,

Link?

ZeroCarbon ,

I hope we do. And if we don’t, I hope other instances block us.

jerdle_lemmy ,

mastodon.world has decided not to, so I don’t think we will.

Rooki ,

That’s very sad for the fediverse. RIP lemmy and mastodon.world.

infinitevalence , to programmerhumor in The OTP you want to use was already used

No and stop using SMS it’s not secure.

kadu ,

deleted_by_author

    metaStatic ,

    Authenticator to the left of me, SMS to the right, here I am Man In The Middle Attack.

    DokPsy ,

    Sometimes it’s less about the person that you’re targeting and more about what that access gives you.

    Low level accountant? Office worker with an excel file full of passwords or has correspondence with your actual target at a different company that you can pose as to gain access into?

    They’re just a step in the process.

    PoorlyWrittenPapyrus ,

    Happened to me because I had an account on a crypto exchange. The attacker went in to my phone carrier’s store, likely with a fake ID, convinced the store they were me, then got a new SIM card and reset my password on everything they could with it. They logged in to my crypto exchange mere minutes after they got the SIM, saw the $0.03 in my account, and logged out.

    mea_rah ,

    I’m not sure where this idea of high profile target comes from. The sim swap attack is pretty common. People just need to be in some credentials leak DB with some hint of crypto trading or having some somewhat interesting social media account. (either interesting handle or larger number of followers)

    There are now organized groups that essentially provide sim swap as a service. Sometimes employees of the telco company are in on it. The barrier to entry is not that high, so the expected reward does not need to be that much higher.

    lukas ,

    Hahah… of course, phishing doesn’t exist, right? Your SMS app knows that the website you paste your code into is the legit one, right??

    andreluis034 ,

    Although it’s true that you are increasing the attack surface when compared to locally stored OTP keys, in the context of OTPs, it doesn’t matter. It still is doing its job as the second factor of authentication. The password is something you know, and the OTP is something you have (your phone/SIM card).

    I would argue it is much worse what 1Password and Bitwarden (and maybe others?) allow users to do, which is to have both the password and the OTP generator inside the same vault. For all intents and purposes this becomes a single factor as both are now something you know (the password to your vault).

    philomory ,

    That’s not quite right though, there’s the factor you know (password to your vault), and the factor you have (a copy of the encrypted vault).

    Admittedly, I don’t use that feature either, but, it’s not as bad as it seems at first glance.

    andreluis034 ,

    That’s not quite right though, there’s the factor you know (password to your vault), and the factor you have (a copy of the encrypted vault).

    That would be true for offline vaults, but for services hosted on internet I don’t think so. Assuming the victim does not use 2FA on their Bitwarden account, all an attacker needs is the victim’s credentials (email and password). Once you present the factor you know, the vault is automatically downloaded from their services.


    This is something I hadn’t thought of until now, but I guess password managers might(?) change the factor type from something you know (the password in your head) to something you have (the vault). At which point, if you have 2FA enabled on other services, you are authenticating with 2 things you have, the vault and your phone.

    jpj007 ,

    Assuming the victim does not use 2FA on their Bitwarden account

    A pretty tall assumption given that we're already talking about someone who knows to turn on 2FA for other things. If someone knows about 2FA and password managers, they'd be insane not to have 2FA set up on the password manager itself.

    andreluis034 ,

    That’s a fair point. I just wanted to highlight that there may be cases where a password manager isn’t automatically protected by 2FA by the two factors you mentioned (the password you know and the copy of the vault), since in the case of Bitwarden fulfilling one can give you the second. In order to actually achieve 2FA in this case, you would need to enable OTPs.

    jpj007 ,

    Certainly fair.

    And yeah, I personally use Bitwarden with 2FA on the Bitwarden account, but don't store any 2FA tokens in Bitwarden, handling them all separately. Don't want all the eggs in one basket.

    Though given I have fingerprint access on phone and computer for Bitwarden, I suppose that one basket is my finger. But if someone is taking my finger, I've got more immediate concerns than my passwords.

    TehPers ,

    Many password managers use a biometric factor to sign in (your fingerprint, for example, using some kind of auth app if needed). This basically moves the MFA aspect to one service (your password manager) instead of having each service do their own thing. It also comes with the benefits of password managers - each password can be unique, high entropy, and locked behind MFA.

    andreluis034 , (edited )

    Many password managers use a biometric factor to sign in

    The only thing this does is replace the authentication mechanism used to unlock the vault: instead of using your master password (something you know), it uses some biometric factor (something you are). Although it uses your biometric data, it’s still a single factor of authentication.

    This basically moves the MFA aspect to one service (your password manager) instead of having each service do their own thing

    I am not sure I understood you here. What do you mean by “instead of having each service do their own thing”? Each website using their own method of delivering OTPs?

    It also comes with the benefits of password managers - each password can be unique, high entropy, and locked behind MFA.

    I am not discrediting password managers, they have their uses, as you mention you can have unique, high entropy password on a per service basis. The only thing I am against is the password managers themselves also doubling as OTP generators (take a look at Bitwarden Authenticator), which kinda defeats the purpose of OTPs. From the perspective of OTPs it makes much more sense to use a separate application (like Google Authenticator or Aegis Authenticator), preferably on a separate device, to generate the OTPs.

    TehPers ,

    although it uses your biometric data, it’s still a single factor of authentication

    Speaking from my experience, I use my phone for biometric authentication. At least from my point of view, I see that as two factors (what I have and what I am) since the biometric authentication only works on my phone.

    I am not sure I understood you here. What do you mean by “instead of having each service do their own thing”? Each website using their own method of delivering OTPs?

    Basically having multiple places where codes may be generated. This way you can use one location to get OTPs instead of having them delivered via SMS or generated by a different app/service. It ends up being easier and more convenient for the end user (which of course increases adoption).

    I guess this has more to do with services adopting OTP generators than sending them via SMS though.

    From the perspective of OTPs it makes much more sense to use a separate application (Like Google Authenticator or Aegis Authenticator), preferably on a separate device, to generate the OTPs.

    If logging into the password manager to get the password is sufficiently secure (locked behind MFA), then I don’t see the benefit of using a separate OTP generator (aside from maybe if your password manager has a data breach or something, which should be a non-issue except it clearly isn’t thanks to LastPass…)

    I’m starting to wonder if phones (or other auth-specific devices) should just become dedicated authentication devices and passwords should just be phased out entirely tbh. Passwords have always had issues because their static nature means if someone learns your password without your knowledge, that method of authentication becomes worthless. The main concern would be what happens when you lose your phone I suppose.

    Moosemouse ,

    This is why we require second factor on the password manager too, otherwise you’re exactly right.

    Rehwyn , (edited )

    Arguably, if you use 2FA to access your passwords in 1password, there’s little difference between storing all your other OTPs in 1password or a separate OTP app. In both cases, since both your secret passwords and OTPs are on the same device (your phone), you lack a true second factor. The most likely way someone would gain access to 1password secured with 2FA is if they control your device and it’s been compromised, and having your OTPs separated wouldn’t provide additional protection there. Thankfully, the larger benefit of OTPs for most people is that they are one-time-use, not that they originate from a second factor.

    There is one theoretical situation I can think of where having your OTPs and passwords separate could be an advantage, and that’s if someone gained all your 1password login details, including the 2FA secret key. But for someone able to gather that much sensitive intel, I’m not sure how much more of a challenge an authenticator app would be.

    If you truly feel you need a second factor though, you’ll probably want to look at something like a Yubikey or Titan. I’ve considered getting one to secure my 1password vault to reduce the risk of a lost phone compromising my vault.
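The one-time-use property mentioned above is enforced by the verifier, not by the code itself. An added Go example (not from any post or from a product named in the thread) of an RFC 6238 TOTP check that refuses a code whose time step was already accepted; the account name is constructed and the secret is the RFC's published test key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"sync"
)

const (
	stepSeconds = 30 // RFC 6238 default time step
	skewSteps   = 1  // accept one step either side for clock drift
)

var (
	ErrInvalid = errors.New("otp: code does not match")
	ErrReplay  = errors.New("otp: code for this time step was already used")
)

// hotp computes the 6-digit RFC 4226 value for one counter (HMAC-SHA1).
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := int(sum[len(sum)-1] & 0x0f) // dynamic truncation offset
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// Verifier remembers, per account, the newest time step it has accepted.
type Verifier struct {
	mu       sync.Mutex
	lastStep map[string]uint64
}

func NewVerifier() *Verifier { return &Verifier{lastStep: map[string]uint64{}} }

// Verify checks code against the time steps around now (Unix seconds). A
// match on a step at or before the last accepted one is refused, so a code
// that was phished or observed cannot be used a second time inside its window.
func (v *Verifier) Verify(account string, secret []byte, code string, now int64) error {
	cur := now / stepSeconds
	matched := int64(-1)
	for step := cur - skewSteps; step <= cur+skewSteps; step++ {
		if step < 0 {
			continue
		}
		want := hotp(secret, uint64(step))
		// Constant-time compare, and no early exit, so timing does not
		// reveal which step matched.
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			matched = step
		}
	}
	if matched < 0 {
		return ErrInvalid
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if last, seen := v.lastStep[account]; seen && uint64(matched) <= last {
		return ErrReplay
	}
	v.lastStep[account] = uint64(matched)
	return nil
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test key, not a real credential
	v := NewVerifier()
	code := hotp(secret, 59/stepSeconds)
	fmt.Println("first use: ", v.Verify("alice", secret, code, 59))
	fmt.Println("second use:", v.Verify("alice", secret, code, 61))
}
```

Replay rejection narrows what a captured code is worth, but it does nothing against a relay that submits the code first, which is the phishing case raised earlier in the thread.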

    LUHG_HANI ,

    Get it. Stop procrastinating;-)

    andreluis034 ,

    Arguably, if you use 2FA to access your passwords in 1password, there’s little difference between storing all your other OTPs in 1password or a separate OTP app. In both cases, since both your secret passwords and OTPs are on the same device (your phone), you lack a true second factor. The most likely way someone would gain access to 1password secured with 2FA is if they control your device and it’s been compromised, and having your OTPs separated wouldn’t provide additional protection there. Thankfully, the larger benefit of OTPs for most people is that they are one-time-use, not that they originate from a second factor.

    As you said if you have both the password manager and the OTP manager in the same device it goes against the concept of 2FA, and you can throw most of guarantees out the window.

    I think one distinction worth making is that the encrypted vault itself is still only protected by one factor, the password. The OTP 1Password asks you is part of their service authentication mechanism. If for some reason the attacker manages to get an encrypted copy of your vault (via app cache, browser add-on cache, MITM, 1Password’s servers, etc…), “all” the attacker needs is to brute force your password and they can access the contents (password and OTP seeds) of the vault without requiring the TOTP token. Yes you can mitigate this with a good password/passphrase, but as GPUs/CPUs get faster will that password continue to be good enough in a few years’ time? If your master password becomes “easily” brute forceable, now the attacker has access to all of your accounts because you had the password and OTP seeds in one vault.

    If you truly feel you need a second factor though, you’ll probably want to look at something like a Yubikey or Titan. I’ve considered getting one to secure my 1password vault to reduce the risk of a lost phone compromising my vault.

    I have one, but unfortunately the amount of services that support U2F as a 2FA mechanism is relatively small and if you want to talk about FIDO2 passwordless authentication even less.

    KevonLooney ,

    The least secure part of the sign-in process is the person. It doesn’t matter what the 2FA method is.

    You can be using a one time pin and someone can look at your paper and see the next one. Someone can trick your grandma into giving out the Google authenticator pin over the phone because “they’re from Google”. Someone can trick you into making the financial transfer yourself because “you’re getting a deal”.

    pineapplelover ,

    Sim swapping

    redcalcium ,

    Which is why sms-based 2fa is useless if you’re being targeted by a motivated hacker. If you’re an important person (e.g. a government official, an exec on a big corp, a celebrity, etc) it’s not safe to use sms-based 2fa. Heck, even if you’re nobody, a hacker might decide to target you anyway to access the company you’re currently working at, or because you have something they want (e.g. a desirable Twitter handle). One call to your cellphone carrier to complain about losing phone, with some social engineering skill to dupe the minimum wage call center worker who doesn’t really care about being vigilant, and suddenly the hacker gains access to your cellphone number (doubly easier with e-sim) and thus your sms-based 2fa.

    pineapplelover ,

    TOTP or hardware based tokens ftw

    mvirts ,

    But wait it has to be double secure, it has two s’s in its name!!

    user224 ,

    On some websites, it is the only option.

    Agent641 ,

    Stop using 2fa where it’s not needed. My university library logs me out every 45 minutes and requires Microsoft authentication to log in.

    Seriously, what’s a hacker going to do if they get my password, download a PDF? Send a citation to my Favorites list?

    Squizzy ,

    Bulk download a shit ton of research papers through the university’s educational license and distribute them for free on the internet, cutting out the completely unnecessary profit driven middle man leading you to eventually do away with yourself due to the pressure from the government and corporations to make an example out of you with a strong sentence.

    GuStJaR , to memes in Wealth shown to scale

    Do you know what the difference is between a millionaire and a billionaire? About a billion.

    bisq ,

    A million seconds is 11.574 days, a billion seconds is 31.7 years

    AnonStoleMyPants ,

    I always think it as the difference between a nice vacation and a whole generation.

    GuStJaR ,

    I’m saving this one 👍

    dafo ,

    Do you know what the difference is between a thousand and a million? About a million.

    It’s almost as if there’s a pattern in how we name large numbers 🤔🤔🤔

    GuStJaR ,

    The point is that 1 million is a big number (or a lot of money), as is 1 billion. But 1 billion is so big, it makes 1 million seem small by comparison. 1 thousand is not a big number.

    shiftymccool ,

    Unless you’re talking about the number of spiders on your face

    pomodoro_longbreak ,

    That’s great

    Moussx , to programmer_humor in C++ oop in a nutshell

    “Oh, so we’re actually not friends” Walks away, as she should
