
Posts: 6 | Comments: 728 | Joined: 3 yr. ago

  • You're one of those folks who are too stupid to understand probabilities and what polls are actually saying, aren't you?

    The polls in the run-up to the 2024 Presidential election were actually pretty good. The final aggregate error was right around 3.4 points [1]

    Anyone who suggested that there was a clear favorite was lying about what the polls said. That's not a failing of the polls, it's a failing of the media reporting on the polls. Sure, there were some particular, individual outliers. The Ann Selzer poll comes to mind. But, credit where it's due, Selzer published an outlier poll, because that was the outcome of the poll based on the methodology she had been using for a long time. Like with scientists publishing null results, it's actually really important that such things are published and not hidden, but they are usually hidden.

    Go talk to people in the real world, instead of reading articles written by fellow shut-ins, and realize that the narrative is FAR different for the average person.

    The plural of "anecdote" is not "data". And quite the opposite here, if you're out talking to people within your own social bubble, you're far more likely to get a warped view of reality. This is one of the reasons polling is so hard, getting a truly representative sample of the population is hard. It is also likely a reason polls keep underestimating Trump. People with low social trust seem to favor Trump, and those same people are very hard to poll. They don't often pick up the phone and often aren't willing to divulge their political choices to strangers on the phone. So ya, expecting the polls to "miss" by 3-5 points, underestimating Republicans, isn't all that out of line.

    My prediction is the Dems will pick up just barely enough seats to take back control of the House. Not a snowball's chance in hell of taking back the Senate.

    This is funny, because this is very much an opinion which will have been informed by polling. It's also what most analyses are coming up with:

    Articles like the one posted by the OP are just pure hopium. Dems may make some gains this year, but a rational analysis of the current polling data tells a bleak story. They might get the House, the Senate is basically out of reach.

  • I can think of a couple of reasons off the top of my head.

    You don't say, but I assume you are working on-site with your work system. So, the first consideration would be a firewall at your work's network perimeter. A common security practice is to block outbound connections on unusual ports. This usually means anything not 80/tcp or 443/tcp. Other ports will be allowed on an exception basis. For example, developers may be allowed to access 22/tcp outbound, though that may also be limited to only specific remote IP addresses.

    You may also have some sort of proxy and/or Cloud Access Security Broker (CASB) software running on your work system. This setup would be used to inspect the network connections your work system is making and allow/block based on various policy settings. For example, a CASB might be configured to look at a domain reputation service and block connections to any domain whose reputation is considered suspect or malicious. Domains may also be blocked based on things like age, or category. For this type of block, the port used won't matter. It will just be "domain something.tld looks sketchy, so block all the things". With "sketchy" being defined by the company in its various access policies.

    A last reason could be application control. If the services you are trying to connect to rely on a local program running on your work system, it's possible that the system is set to prevent unknown applications from running. This setup is less common, but it is growing in popularity (it just sucks big old donkey balls to get set up and maintain). The idea being that only known and trusted applications are allowed to run on the system, and everything else is blocked by default. This looks like an application just crashing to the end user (you), but it provides a pretty nice layer of protection for the network defenders.

    Messing with the local pc is of course forbidden.

    Ya, that's pretty normal. If you have something you really need to use, talk with your network security team. Most of us network defenders are pretty reasonable people who just want to keep the network safe, without impacting the business. That said, I suspect you're going to run into issues with what you are trying to run. Something like SyncThing or some cloud based storage is really useful for businesses. But, businesses aren't going to be so keen to have you backing their data up to your home server. Sure, that might not be your intention, but this is now another possible path for data to leave the network which they need to keep an eye on. All because you want to store your personal data on your work system. That's not going to go over well. Even worse, you're probably going to be somewhat resistant when they ask you to start feeding your server's logs into the business's log repository. Since this is what they would need to prove that you aren't sending business data to it. It's just a bad idea all around.

    I'd suspect Paperless is going to run into similar issues. It's a pretty obvious way for you to steal company data. Sure, this is probably not your intention, but the network defenders have to consider that possibility. Again, they are likely to outright deny it. Though if you and enough folks at your company want to use something like this, talk with your IT teams, it might be possible to get an instance hosted by the business for business use. There is no guarantee, but if it's a useful productivity package, maybe you will have a really positive project under your belt to talk about.

    FreshRSS you might be able to get going. Instead of segregating services by port, stand up something like Nginx on port 443 and configure it as a reverse proxy. Use host headers to separate services such that you have sync.yourdomain.tld mapped to your SyncThing instance, office.yourdomain.tld mapped to your paperless instance and rss.yourdomain.tld mapped to FreshRSS. This gets you around issues with port blocking and makes managing TLS certificates easier. You can have a single cert sitting in front of all your services, rather than needing to configure TLS for each service individually.

  • Large companies are already heavily involved in Linux. Based on this data some of the biggest contributors this year were Meta and Google. Both companies are at the forefront of enshitification of the internet, but they built their mountains of shit on a foundation of Linux.

  • I'll extend the truffle hate to all mushrooms. If I wanted food covered in fungus, I would have waited for it to start rotting.

  • This strategy really depends on their ability to bribe President Trump for a pardon.

  • Theoretically you could hit replacement rate by making everyone a millionaire but I don’t know how that could work.

    I doubt this would work. Financially, my family is towards the middle of that chart now. We were lower when we had our first kid and only a bit improved when we had our second. And honestly, it was pretty touch and go whether or not we would have the second. Our first was a handful as a baby and it left us wondering if we could handle a second. Thankfully, he calmed down a lot (or we just got used to the new normal) by the time he was pushing 18 months. After we had the second one though, I fully embraced the "cut my nuts off" solution to birth control (vasectomy). I don't regret that choice at all. None of that was ever about finances. It was simply about the fact that raising children is hard and takes a lot of time.

    Ultimately, I think the decline in birth rates isn't about finances or selfishness, it's just a change in social norms. Society has spent decades training people to the "nuclear family". Movies, TV, and other media has pushed the "2 kids and 1.5 dogs in a home in the suburbs" for so long, that people internalized it. So, folks who do want to have kids shoot for that. Having 4 or 5 kids is now seen as an oddity, rather than the norm.

    There is also a much better acceptance of women as something other than a walking womb to be filled. We no longer look at an unmarried woman in her 20s or 30s as some sort of spinster to be shunned. Sure, negative stereotypes still exist (e.g. crazy cat lady); but, it's much rarer for fathers to be selling off their 16-year-old daughters to 40- or 50-year-old men as child brides to be kept barefoot, pregnant and in the kitchen for the next 30+ years of their life. Women are expected to have full lives now, which may or may not involve raising children. As one might expect, many have taken full advantage of that and simply chose to not have any. This move from what amounts to sexual slavery to being treated as an actual person is going to mean there are fewer women having children and many of them delaying until they are actually old enough to make an informed decision about it.

  • Depending on which version of Sleeping Beauty you're reading, this isn't that far off.

  • I'm not sure if they have tried a crossbow on the breastplate or brigandine. I do know Tod Cutler has, in the past, created a crossbow specifically to mimic the longbow Joe Gibbs shoots. So, my bet would be on it being pretty similar. At the end of the day, armor really did work and worked well. There is a reason it stuck around so long in history. Even to the point of firearms showing up. Some armor could stop early muskets.

  • So a couple possibilities come to mind:

    1. Someone else has your password. Do you have kids and do they have access to devices which may have your Google account linked? You may want to change your password (use something long, hard to guess and unique).
    2. Your local system is compromised in some way. This would be a really odd way for someone to use that access, but it's always possible. Take a look at the apps and any browser extensions you have installed and make sure there isn't anything you don't recognize.
    3. There is some sort of Cross Site Scripting (XSS) vulnerability which is being leveraged to subscribe you to stuff. I would expect Google to be better than to have an XSS on YouTube (they bought Mandiant a while ago, FFS). But, big companies doing stupid things is common enough. When you got the pop-up, was it in the YouTube app or a web browser? Did you have other tabs open? Other background processes from sketchy apps?
    4. It is Google, them doing shitty things to their product (that's you) for their customers (the advertisers paying for your eyeballs) is basically their business model. Don't like it, de-google your life (warning: this is actually really hard).
  • Well, here's my TIL:

    Fun fact: the earliest known appearance of the F-word in the English language is “Roger F$#%-by-the-Navel” who appears in some court records from 1310-11.

    More info.

  • Funny enough, they tested something similar. They got a modified compound bow to push the same archer and he shot a replica 15th century breast plate. He also used a 70 pound compound bow to shoot the breastplate several times.

  • Give it a try, it might be. I actually have no clue what my Lemmy password is. I just semi-randomly smooshed out 16 characters. I use KeePassXC as a password vault and I let it generate, store and usually type my passwords for me. I haven't the slightest clue what most of them are and can't be arsed to care. I did check the length of my password while typing up my comment, but other than mentally processing the number of characters, I wasn't paying attention to it.

  • Thanks for adding that. I mentioned salting in a parenthetical and then completely ignored it. This is a good addendum.

  • You made this, this is yours now.

    It's really a lot more in depth and interesting. In this one, they shot a lot of arrows against a target in brigandine, mail, and arming doublet with arm armor and gauntlets. Thanks to the volume of arrows shot, there were hits on basically every bit of it, including one hit to an eye slit in the salet.

  • I know you gotta store the passwords hashed but doesn’t that just move the goalposts?

    Yes, kinda. Security isn't about making things 100% secure, that's not really an achievable goal. It's about making it so hard to break the security that it's either not possible with current technology, or at least hard enough that it's not financially feasible. Password hashing is a great example for this, which gets to your second question:

    How come someone can’t use the hashed end result to get into the service it was used for?

    They can, though there are technical methods for preventing this. But, there is a whole class of attacks called Pass the Hash which do basically this. This is also part of the reason that many organizations are moving away from passwords alone (or at all) and more towards things like Pass Keys (which work in an entirely different way) or Two factor authentication, which pair a password with something else (biometrics, One Time Passwords, etc.).

    To dig into the details of why passwords are hashed (and salted), it's important to consider why that is recommended. This is really about slowing down an attacker's ability to get your password back from the hash. Consider for a moment that I go and compromise a website's server (say, lemmy.world). One of the pieces of information I am going to try and get away with (exfiltrate) is the database of usernames and passwords. Even better if that data is tied to email addresses. Now, if all of the passwords are stored in plain text, I can immediately start using those usernames and passwords both on the compromised site, but also on other sites across the internet. Many people still reuse passwords (or similar enough passwords that I can guess them) across different sites. Maybe only 0.1% of users will have the same email address and password used on their bank account as they do on the compromised website. For 10,000 users, that means I get to drain the bank accounts of 10 of them. If I average $1000 from each, that's an easy $10,000 I walk away with, with almost zero effort.

    Hashing makes this harder and takes longer. First off, there is no mathematical way for me to go from a hash back to a password, it's literally impossible. What I have to do is guess a password, run it through the hashing algorithm and see if that guess is a match. So, I guess "Password1" and that hashes to something, if it's not a match, I try "Password2" and check if it is a match, and so on. Unlike the movies, I cannot discover the password one character at a time, either I get it perfectly right or I don't, there is no information in between. If your password is "Password3", I will get no information by guessing "Password2". I'll just know that "Password2" wasn't your password. And while calculating a single hash value is reasonably quick, when the number of possible passwords I need to guess is mind-bogglingly big, the small increments of time add up really fast.

    For example, my Lemmy password is exactly 16 characters. It contains the usual combination of upper and lower case letters, numbers and special characters. Let's call this 70 possible characters in each position. So, there are 70^16 possible passwords, that is 332,329,305,696,000,000,000,000,000,000 possible passwords (assuming my calculator isn't truncating digits, but close enough). If we assume Lemmy is using bcrypt (I haven't checked) and the attacker has several modern GPUs to throw at the problem, they might be guessing 1,000,000 or so passwords per second (maybe a bit more or less, but what's a few zeros between friends). That translates to 3.32329305696 * 10^23 seconds of guessing, or about 10,000,000,000,000,000 years (rounding a bit). That's likely a few years longer than I will have a Lemmy account. Even if they are guessing a thousand times faster than I used in my example, it's still a really, really long time.

    And so this is why hashing is exactly about "mov[ing] the goalposts". All we've done is make it take a bit longer to get my password from the hash. But that "a bit" gives the defenders time to discover the breach and get users to update their passwords. If someone gets my password hash today and starts guessing, as long as Lemmy lets me know about it and I update my password before the heat death of the Universe, it's probably fine.

    There are some caveats to this. People are actually pretty bad at choosing passwords (me included). And we tend to pick predictable things and use common words or numbers (like birthdays). So, instead of guessing every possible combination, attackers can use wordlists with common changes to those words (numbers at the start or end, symbols at the start or end, replacing letters with numbers such as 1337 sp3@k, etc.) to crack some passwords faster. Which is one reason network defenders are pretty quick to pull the "please change your password" lever. They have no way of knowing if your password is "I Love Puppies 99!" or "r39%^0m'AferF@&B". The former would fall out of a wordlist attack pretty fast, the latter is in the "heat death of the Universe" territory. You can also go in for Diceware passwords. Using 4-5 truly random words can also push that password cracking time close enough to "never".

    So, "doesn’t that just move the goalposts?"

    Yup, it is. But when the goal posts are moved to "this will now take more time than might ever actually exist", that's plenty far enough.

  • Sadly, yes, a lot of organizations didn't get the memo. But this really is the current guidance. In NIST 800-63B Section 5.1.1.2:

    Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

  • Mildly Interesting @lemmy.world

    Arrows vs. Armor 3

  • I deal with this sort of thing pretty regularly for the company I work for. We get threat intelligence from several vendors when they see our users show up in "dumps". Basically, threat actors will package up stolen credentials in a large zip file and make that available (usually via bittorrent) for anyone to download. Security vendors (e.g. Mandiant, which Google bought) download those dumps and search for accounts associated with their customers and send out these warnings when they find one. On the customer side, if the breach was recent we'll force a password reset and warn the user about the breached password, with a recommendation to change their password on the affected site and also change any passwords which might be similar elsewhere.

    Why do we force the password reset, even when it wasn't the account for our business which was breached?

    There's a couple reasons for this. First off, people still reuse passwords all the fucking time. Maybe this victim didn't, but we have no good way to validate that. Second, even without direct reuse, folks like to have one main password that they apply slight variations to. They might use "Hunter 42!" at one site and then "Hunter 69*" at another. This isn't smart, attackers know you do this and they have scripts to check for this. Lastly, if an organization is following the latest NIST guidance, you're not changing your password on a regular cadence anymore. With that is the expectation that passwords will be rotated when there is a reason to suspect the credentials are compromised. Ya, it's annoying, but that's part of the trade-off for not having to rotate passwords every six months, we pull the trigger faster on forced rotations now.

    If you get one of these, consider it a good time to think about how you come up with and store passwords. If you are re-using passwords, please turn off your computer/device and don't come back to the internet until you have thought about what you have done. If you aren't already using one, please consider a password vault (BitWarden or KeePassXC make great, free choices). These will both help you create strong passwords and also alleviate the need to memorize them. Just create a strong master passphrase for the vault, let it generate the rest of your passwords as unique, long (12+ character) random junk, and stop trying to memorize them (with the exception of your primary email account, that gets a memorized passphrase).

  • Ya, I actually run both uBlock Origin and NoScript in my browser on my phone and personal machine (desktop). On my work laptop, those are a no-go. So, I get the full ads experience on my work machine when traveling.

  • Self-hosting @slrpnk.net

    Self-hosted blog options.

  • Lemmy.world Support @lemmy.world

    Request to take over c/virginia

  • 3DPrinting @lemmy.world

    Infill percentage versus stiffness

  • News @lemmy.world

    Winchester man reveals name of soldier who created massive peace sign in Vietnam at height of war

    www.winchesterstar.com/winchester_star/peace-out-winchester-man-reveals-name-of-soldier-who-created-massive-peace-sign-in-vietnam/article_fcfa789d-cf73-569a-9920-1df2eb32bead.html
  • 3DPrinting @lemmy.world

    Horribly inefficient party favors