2x35: Two Point Five Billion Factor Auth


#1

Jeremy Garcia, Jono Bacon, and Stuart Langridge present Bad Voltage, in which we answer a question from @peterrenshu about what a Linux expert is, we are unsurprisingly loath to upload all our passwords to a startup with a big smile and a Bootstrap website, and:

Come chat with us and the community in our Slack channel via https://badvoltage-slack.herokuapp.com/!

Download from https://badvoltage.org


#2
  1. I think GvR is taking a mistake (pep 572) all the way, and it’s a bit baffling until you realize that he’s now 62. Attitudes to human nature and to one’s own righteousness tend to harden with age, and in the early-60s most people are transitioning to retirement.

  2. I’m surprised nobody mentioned, in the Peertube bit, Cloudflare, which I think is basically solution n.1 anyone would think about. (N.2, if you’re rich, would be Akamai or whatever it’s called now). Still, I think peertube is pretty cool - finally a distributed cdn that doesn’t put you at risk of hosting child porn.


#3

There are two (very German) points I want to add:

  1. SLES is the standard Linux Distribution for most German public authorities.
    I think this can have a meaningful impact to the value of it.
  2. Recently “Germany’s highest court has ruled that the parents of a dead daughter have the rights to her Facebook account[…]”

#4

Yep. That’s certainly another solution. Peertube is a different type of thing, but one very easy solution to “save me bandwidth” is “stick Cloudflare in front of my website”, indeed.

Interesting. Money quote: The Federal Court of Justice (BGH) said online data should be treated the same as private diaries or letters, and pass to heirs. So… if you don’t want your heirs to get access to your data, work out now, before you’re dead, what you’re gonna do about that…


#5

Related to the show, Google just announced a Yubi competitor named Titan at Next:


#6

heh. The Yubikey people presumably now look like this: :expressionless:


#7

if it’s anything like the Google Home (a me-too half-baked device that gets worse by the day), the Yubi people shouldn’t lose much sleep.


#8

Oh yeah, Peertube is a step in the right direction of de-centralizing the web, absolutely.

I was just surprised nobody mentioned Cloudflare when the conversation became about saving bandwidth, rather than Youtube - YT comes with a lot of baggage, as you mentioned (ads, tracking, censorship, etc etc…), whereas CF is a very neutral and simple solution. I guess one would choose YT if one couldn’t be arsed to deploy his own video player controls, but I’m sure in 2018 the browser does most of the work anyway and there will be 155263738 angulreactvue libraries to help.


#9

heh. I’m an Alexa chap, as is well known. But I suspect @jonobacon will consider them as fightin’ words :slight_smile:


#10

I’m kind of surprised to hear Jono so incredulous about peertube. If the Ubuntu podcast wanted to embed videos for our show, we wouldn’t have the bandwidth to deal with hosting it ourselves (assuming a reasonable proportion of our listenership streamed the video for each episode, on top of the current burden of mp3 downloads).

So, just upload to [wherever]. Great. When we started uploading shows to youtube, we got a whole bundle of content ID violations because people claimed they owned the rights to our (out of copyright) theme tune. When we appealed this, our account got banned. The only way we managed to get it un-banned was because we happened to have a contact in another part of Google who was kind enough to ask the Youtube people to fix it (obviously not an option for most people). I know other podcasters have struggled with things like this before (Chris Fisher of Jupiter Broadcasting has spoken about it, in particular). When you’re hosting yourself, you don’t have to play by someone else’s secret rules.

If nothing else, it’s an option for people who want to keep control of their content, like hosting your own Nextcloud rather than using Dropbox.


#11

Interesting PodCast

I liked the topic about distributed video hosting.
One thing that I used to really like about the web is that it was decentralised, and now sites like YouTube are so dominant with video on the web and so centralised that I quite like the thought there could be other ways of doing web video.
(I had a look at the website, and lots of the channels looked quite NSFW)

I just researched the Jeremy Corbyn story you spoke about.
For people not overly familiar with UK politics, Corbyn is the leader of the UKs main opposition party.
He is painted as an outsider with radical ideas about how to run the country.
He has appeared onstage at the Glastonbury music festival and has been very scathing about cuts to public services.
I think a lot of people consider him and his team to be very tech savvy and “down with the kids”.
That’s why the story on your podcast had a rather amusing aspect to it, that Corbyn himself got caught off-guard by being in an advertising bubble.

The source of the story seems to be “Ctrl Alt Delete: How Politics and the Media Crashed Our Democracy” by Tom Baldwin
Write-ups:


Interesting that the Guardian’s take on the book makes no mention of Corbyn and derives completely different points from the book.

I also love using Python, I wish Guido Van Rossum all the best, and thanks for the Language.
A colleague here at work asked me to help her write a templating engine, and I had to explain tokens and execution branches to her, it is quite a fascinating topic, I’m going to try and write my own Turing-complete language and put it on GitHub (or something similar).
@jonobacon I’m also winging an understanding of interpreters lol

With Python I do find Python’s equivalents to nodeJs’s “npm” or PHP’s “composer.phar” very poorly implemented, I wish dependency management was easier with python, apt-get, easy_install, pip, etc… so bewildering as they seem to be in conflict with each other.
Sometimes I just write bash scripts to git clone from GitHub as it is easier (for personal projects).
Also the fact that the move from Python 2 to Python 3 has been so painful, so many projects are tied to specific versions of python, rather than the latest stable.

I think in the past you guys spoke about what happens to personal data when you die, I think someone mentioned a “dead man’s handle”, that if you don’t log into a server regularly then a script runs and deletes stuff that should be deleted.

Recently I did some auditing on the services I use (I try not to get too locked in with Google or anyone else), and I realised just how many things I use, and how they are related, and how I authenticate with them. It was an interesting exercise and it definitely gave me a greater sense of being “in control” of my digital life. I got to think about - what are the ways of recovering access if I get locked out etc, definitely worth doing!


#12

As I said, I am not saying it is bad, I just don’t think it solves a particularly common or important problem.

If YouTube doesn’t work for your podcast, how about DailyMotion, Vimeo, Twitch, archive.org, Veoh, Flickr, or something else?

If none of these options work, then sure peertube is a good choice.


#13

@jonobacon It is ‘another’ free-er platform, Jono.

I wouldn’t want to use any of those other options, because I would have to subscribe to their “you’re just a number” rules.

You highlighted archive.org - so I guess that’s your linked-option, there (I dunno).

Archive.org is very old and has made many friends and enemies, and I believe it is time for something new.

Also it asks for your money every so-often, which I don’t agree with - because there’s no way to see how any of my money is being spent.

Perhaps I only use it for PDFs on the whole (and some web-archiving) - but it is certainly a poor solution for visuals/video.

good try though.


#14

So a thought about how you could deal with accounts after death, especially in the case of larger, wide-spreading accounts (e.g. Google):

Storing passwords in a location is obviously a bad idea and keeping them up to date as you update them through the years would be a hassle, however API keys could provide a solution.

You could use API keys with limited scope to define access, for example you could provide a key which would allow read access to email, photos and manage billing - but not the ability to send emails, see your google drive or add youtube videos.


#15

isn’t an API key that can do that just the same as a password? That is: if you have a password change policy where you alter your password every now and again to limit damage, you should be doing the same for API keys, no?

I think the distinction I’m coming to on access after death, for me personally, is that my designated person can maybe have access to my email account, but not to its history.


#16

Depends, passwords tend to have to be changed and recycled due to the fact you type them in so many places, where trust is low, companies get hacked and passwords dumped. Assuming you’re storing the API key offline and that Google doesn’t get hacked you should be fine.

Although obviously this all depends on API keys being the way to access in the future, let’s say we set up anything today the chances of any company and its current processes for access still being around in 20 years time are slim to none.

Passing on credentials be it API or otherwise probably works in sad cases where you know you have X amount of time to live, but not in scenarios where you plan to exist for another 40 years.


#17

The Death Note

I just wanted to share how I handle my digital secrets when I die.

I have two close, tech savvy friends who are unlikely to lose their GPG keys. They are business partners as well.

I have two other, close friends who don’t know the first pair.

I periodically send out a “Death Note” to the latter pair of friends. In it is a complete list of my current passwords, passphrases, etc. The note is encrypted using the keys of the first pair.

Should I die, the second pair of friends will send out the Death Note to the first, and they will be able to read my passwords, etc. This will allow them to access any of my business information (for continuity) as well as to assist my spouse with accessing any information she might need.
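
The custody split described in the post above (key holders who never see the ciphertext, ciphertext holders who never hold a key), as an added example that is not from the thread or its author. It uses OpenSSL in place of GPG: the note is AES-encrypted under a throwaway session key, and that session key is wrapped once per key holder, which is what encrypting to several GPG recipients does internally. The holder names alice and bob, the note text and all file names are constructed for the demo.

```shell
#!/bin/sh
# "Death Note" custody split modelled with OpenSSL (added example, not the poster's setup).
# Key holders (first pair) each own an RSA private key; the author only needs their public keys.
# Ciphertext holders (second pair) receive the bundle directory and nothing else.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

make_key_holder() {  # $1 = holder name; private key stays with the holder, public half is shared
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.priv.pem" 2>/dev/null
  openssl pkey -in "$1.priv.pem" -pubout -out "$1.pub.pem" 2>/dev/null
}

seal_note() {  # $1 = plaintext note, $2 = bundle dir, $3.. = key holder names
  note=$1; bundle=$2; shift 2
  mkdir -p "$bundle"
  openssl rand -hex 32 > session.key                      # fresh symmetric key for this note
  openssl enc -aes-256-cbc -pbkdf2 -salt -in "$note" -out "$bundle/note.enc" -pass file:session.key
  for holder in "$@"; do                                   # one wrapped copy per key holder
    openssl pkeyutl -encrypt -pubin -inkey "$holder.pub.pem" -in session.key -out "$bundle/key.$holder"
  done
  rm -f session.key                                        # nothing outside the bundle can open it
}

open_note() {  # $1 = bundle dir, $2 = key holder name (needs $2.priv.pem), $3 = output file
  openssl pkeyutl -decrypt -inkey "$2.priv.pem" -in "$1/key.$2" -out session.key.tmp
  openssl enc -d -aes-256-cbc -pbkdf2 -in "$1/note.enc" -out "$3" -pass file:session.key.tmp
  rm -f session.key.tmp
}

death_note_demo() {  # runs the whole exchange and prints what a key holder recovers
  printf 'vault passphrase: correct horse battery staple\n' > note.txt   # constructed sample
  make_key_holder alice; make_key_holder bob               # the first pair
  seal_note note.txt bundle alice bob                      # bundle is what the second pair keeps
  rm -f note.txt                                           # author no longer needs the plaintext
  open_note bundle alice recovered_by_alice.txt            # either key holder can open it alone
  open_note bundle bob recovered_by_bob.txt
  cat recovered_by_alice.txt
}
```

Rotating the note is just running seal_note again with the current passwords; the old bundle can then be discarded by the ciphertext holders.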


#18

So, remember when we said in the show that basically nobody has thought about this?

We were wrong. One person has. Good approach, @Tarus_BALOG.


#19

I take it you all never travel together, much like the royal family?


#20

We don’t, actually, but we do often work together.

The office is just above a brewery ('natch) so there is always the chance that could blow up and take us all out. Gonna need to find a third person to tie into this. Thanks for the thought.

