@glyph Did you quote post something?
-
It is difficult to express how bad microsoft’s authentication system is. like it’s not just “bad” or “broken” or “buggy”, it is a world-historic interaction design catastrophe. no matter how bad you think it is, no, it’s worse than that actually.
@glyph I totally lost access to my work MS account because THEY had a login loop bug in teams. Appeal denied. Second appeal denied. I’m just done with them. Client wants me to be in their Teams? Sorry.
-
granted, probably 1/3 of the difficulties here have to do with microsoft’s ill-conceived “think of the children” account system, and buying the game as a regular adult with a single account would have been massively easier. but still, you’d think that a PM somewhere in the org would have considered that it is *possible* that a child might want to play … minecraft
@glyph Yes absolutely. The trivial solution to this problem is teaching children you always lie about your age. All it ever took us to set up this stuff was entering a password and copying a 2FA code from email.
-
> passkeys offer zero advantages over existing technology
what passkeys offer is cryptographic resistance to replay attacks. If you have a password, even if you have a TOTP code, you can be tricked into sharing it with an attacker, and the attacker can "replay" it back to the original site, taking over your account. The way they achieve this is that "the HTTPS domain name of the site that's asking" is baked into the key exchange; an attacker cannot trick your browser that way
@glyph so there's some kind of challenge/response going on?
-
@morgan @glyph You can definitely make Google accounts with non Google email addresses. I and other family members have a number of them, some even made recently. The setup process for a new phone might not allow creation of new Google accounts that way, but you can sign in to them on new phones and in general you can make them.
-
@aburka If you "use passkeys" as a normal person, even with something like 1password, there's a recovery path, even if you have only a single device. For example, the way that this works with Apple is that you drop your phone in a toilet, then when you get a new phone, you enter the *device passphrase for the old phone* to decrypt your iCloud Keychain locally, and it syncs down from the cloud. This doesn't work with Advanced Data Protection, but that is very much opt-in.
@glyph I think we're agreeing on this point -- the passkeys have to be backed up off-device
-
Luanti is not bad; it is a little different, and I would argue it is a fun tool to learn how to squeeze as much power out of lower end devices.
Of course you could install & run it from the same device but it functions much better in a server/client setup.
It does have Mac builds, they can be picked up from the download page. It can be built from source to run it on older Mac devices.
-
@glyph
To get the most squeeze, if on Linux I would use 2 programs to get the most oomph out of a RPI4:
1: ZRAM for compression & eliminate swap file usage.
2: tmpfs for speeding up the disk IO by creating a RAM disk that you store your sql3 database that stores the game world files.
In systemd I created a startup script; start tmpfs & load world from disk.
reload: in case something goes wrong, reload world files & restart server
stop & use RSYNC to sync all changes from the tmpfs to disk.
-
if this is how most people encounter passkeys it’s no wonder that they fucking hate them. it feels like getting tricked. because it is getting tricked. I was tricked
I'm a somewhat tech-savvy person, and passkeys just feel so much like I'm being scammed.
I trained myself not to trust the browser to store a password, and instead use a password manager, but now I keep getting prompted to let the browser manage some magical thing.
What happens if I need to use the same account across different devices? Do I use some complicated login practice on each one and get a magical key? Is there some way other than signing in to Chrome or Firefox sync to share the "passkey" (what is it, a cert, a gpg key, some other magic number?) between my devices? If so, how do I prevent that from being compromised?
I know there's no magic silver bullet for security, and the complete mess that I see when places do use passkey makes me really unsure about it as a solution.
-
@glyph here's the question I would ask. I've recently had similar frustrations with the simple act of logging into hotmail. it is now a process which on my phone, takes me through nine different web pages every single time I try to log on. I would chalk it up to garden variety incompetence, if at every step it didn't say some variation of "this would be easier if you gave us more of your personal information!"
did you get a lot of that? or was it all normal screw-ups?
-
@aburka @glyph the technical detail of that is each key has a "Relying Party Id" that is part of the initial creation and that id has to be a domain name. There are then rules for what domains match that RP id, with things like "subdomains match parent keys, except when the RP id is on the public suffix list: https://publicsuffix.org/learn/".
The browser then enforces that condition, and won't accept responses from keys with RPs that do not match.
https://docs.corbado.com/corbado-complete/helpful-guides/passkeys/relying-party-id
-
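An added illustration of the two checks the posts above describe, the site's domain being bound into the login response and the Relying Party ID matching rule; this is not code from anyone in the thread. The function names, the four-entry public suffix set and the sample responses are assumptions constructed for the example, and signature verification is not shown.

```python
import hashlib, hmac, json

# Constructed mini public-suffix set (assumption); browsers use the full
# list published at publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}

def rp_id_allowed(origin_host, rp_id):
    """Browser-side rule: RP ID equals the page's host or is a parent domain
    of it, and is not itself a public suffix."""
    host, rp = origin_host.lower().rstrip("."), rp_id.lower().rstrip(".")
    if not rp or rp in PUBLIC_SUFFIXES:
        return False
    return host == rp or host.endswith("." + rp)

def binding_problems(client_data_json, auth_data, challenge, origin, rp_id):
    """Server-side checks on a login response; returns a list of failures.
    Verifying the signature over auth_data + SHA-256(client_data_json) is a
    separate step that this example does not show."""
    cd = json.loads(client_data_json)
    problems = []
    if cd.get("type") != "webauthn.get":
        problems.append("wrong type")
    if not hmac.compare_digest(str(cd.get("challenge")).encode(), challenge.encode()):
        problems.append("challenge mismatch")   # stale or replayed response
    if cd.get("origin") != origin:
        problems.append("origin mismatch")      # browser recorded another site
    rp_hash = hashlib.sha256(rp_id.encode()).digest()
    if len(auth_data) < 37 or not hmac.compare_digest(auth_data[:32], rp_hash):
        problems.append("rpIdHash mismatch")    # key scoped to another RP ID
    return problems

def sample_response(origin, challenge, rp_id):
    """Constructed sample data, not captured from a real authenticator."""
    cd = json.dumps({"type": "webauthn.get", "challenge": challenge,
                     "origin": origin}).encode()
    # authenticator data: rpIdHash (32 bytes) + flags (1) + signCount (4)
    ad = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    return cd, ad

if __name__ == "__main__":
    print(rp_id_allowed("login.example.com", "example.com"))
    print(rp_id_allowed("example.com.evil.test", "example.com"))
    cd, ad = sample_response("https://example.com.evil.test", "c1",
                             "example.com.evil.test")
    print(binding_problems(cd, ad, "c1", "https://example.com", "example.com"))
```
-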
@glyph That's one of M$'s defining features. Authentication tacked on afterwards, and the concept of privilege sometime after that.
-
@glyph 100% same. Buying a 2nd Minecraft account for my kiddo, I - a veteran software professional - ended up accidentally creating an entirely unwanted 3rd Microsoft account, to which the license is irrevocably attached.
-
I can’t even describe how ridiculous the series of steps are that are required to enable multiplayer on java minecraft for an account of someone under 12. literally 100% of the labels on the relevant options are simply incorrect. there are constant references to “xbox” when nothing here is even vaguely related to xbox. this is a java game on a macintosh computer with multiplayer on my LAN. the text in the tooltip on the disabled multiplayer button also gives inaccurate instructions for fixing it
@glyph oh no, I was afraid when this thread started it would get here. Signed, a dad who has finally given in on Minecraft for someone under 12
-
@luis_in_brief haha. have you already figured it out? I can help you with this part (I will literally hop on a call if you need, this was almost implausibly miserable)
-
@glyph oh my god I have had to go through this too. It is horrible. We have Minecraft on the Switch and trying to get it to play online for our 6 year old (in a Minecraft run private server) has been impossible. It keeps logging him out and each time we have to run a gauntlet of this stuff. I’ve given up honestly
-
@glyph appreciate the offer! Probably a next-weekend problem, after I consult with the other parents whose kids A wants to share realms/building with.
-
@CatherineFlick Bedrock is an entire additional layer of misery which is why I have been gently guiding other parents towards Java when they can manage it. But some kids don’t have devices that can run it, and so we are in the process of setting up Geyser and Floodgate and all kinds of backend sadness. I have even done it once before but replicating it is nigh impossible
-
@glyph I've set that up a few times, and currently maintain it on two servers. I'm using Paper instead of vanilla+Fabric, though, which may not match your scenario.