• 31 Posts
  • 62 Comments
Joined 1 year ago
cake
Cake day: July 2nd, 2023

help-circle

  • He alluded to it in the first video, and I think it’s spot on.

    They ended up with an “inventory problem”. Which is to say, some business major in the company somewhere, or a consultant or whatever saw that they were spending money to store it all, and said “A company’s assets should never cost money, they should MAKE money” or some such business speak. Ultimately that translated into every layer of the business being instructed to prioritize using that that old inventory, somehow, or pushing it to customers.

    “People don’t really want to buy all this older hardware off of us, but we can convince people who don’t know any better to rent it.”

    “We don’t have enough 4090s to keep up with demand for these high-end rentals, but we’re sure as hell not buying more when we have all these perfectly-good 4080s lying around.”

























  • As I understand it (and assuming you know what asymmetric keys are)…

    It’s about using public/private key pairs and swapping them in wherever you would use a password. Except, passwords are things users can actually remember in their head, and are short enough to be typed in to a UI. Asymmetric keys are neither of these things, so trying to actually implement passkeys means solving this newly-created problem of “how the hell do users manage them” and the tech world seems to be collectively failing to realize that the benefit isn’t worth the cost. That last bit is subjective opinion, of course, but I’ve yet to see any end-users actually be enthusiastic about passkeys.

    If that’s still flying over your head, there’s a direct real-world corollary that you’re probably already familiar with, but I haven’t seen mentioned yet: Chip-enabled Credit Cards. Chip cards still use symmetric cryptography, instead of asymmetric, but the “proper” implementation of passkeys, in my mind, would be basically chip cards. The card keeps your public/private key pair on it, with embedded circuitry that allows it to do encryption with the private key, without ever having to expose it. Of course, the problem would be the same as the problem with chip cards in the US, the one that quite nearly killed the existence of them: everyone that wants to support or use passkeys would then need to have a passkey reader, that you plug into when you want to login somewhere. We could probably make a lot of headway on this by just using USB, but that would make passkey cards more complicated, more expensive, and more prone to being damaged over time. Plus, that doesn’t really help people wanting to login to shit with their phones.


  • Automated certificate lifecycle management is going to be the norm for businesses moving forward.

    This seems counter-intuitive to the goal of “improving internet security”. Automation is a double-edged sword. Convenient, sure, but also an attack vector, one where malicious activity is less likely to be noticed, because actual people aren’t involved in tbe process, anymore.

    We’ve got ample evidence of this kinda thing with passwords: increasing complexity requirements and lifetime requirements improves security, only up to a point. Push it too far, and it actually ends up DECREASING security, because it encourages bad practices to get around the increased burden of implementation.



  • I think the big reasons for most people boil down to one or both of two things:

    A) People having 0 trust in Google. I.E. people do not believe that paying for their services will exempt them from being exploited, so what’s the point?

    B) YouTube’s treatment of its content creators. Which are what people actually come to YouTube for. Advertisers and copyright holders (and copyright trolls) get first-class treatment, while the majority of content creators get little to no support for anything.






  • An additionap note on what a certificate is, to supplement everyone here who’ve desceibe howbthat’s the missing piece:

    A certificate’s first main purpose is being the vehicle vy which the public key is distributed, but additionally it contains information ABOUT the owner. Then the whole thing is digitally signed with the private key (and also a trusted CA’s private key), so that a receiver can validate the authenticity of the cert with the public key.

    The “info” in the cert can theoretically be anything, but the most important one is the domain. Your browser knows that visiting google.com is secure because it checks the cert it gets from google.com to see if it states that it owns the google.com domain, and then we trust the root CAs around the world to make clients prove they own that domain, before issung a cert for it.