Posts by AdamWill

Re: Unclear on this whole employment thing

"Maybe its a modern thing but someone should have explained to these people some of the basics about employment. One is that you don't make (critical) statements about your employer in public."

It has not, AFAIK, been reported that they did this. This was an "open" letter in the sense that it was circulated *within the company*, it was not officially released to the public.

It then got leaked to the press, but none of the reporting I've read so far states that the authors of the letter were also the ones that leaked it.

The mail from SpaceX management also does not appear to say that people were fired for posting the letter publicly or leaking it.

Re: A close reading...

That's what SpaceX management would *like* you to think, sure. Of course they're going to paint it in as bad a light as they can manage. An *even closer* reading, though, suggests they're being vague about it. So they sent it to "thousands" of people? Well, yeah, if you want to circulate an open letter, you send it to everyone you can. Why not? It's an *open* letter. That's sort of the point. Not much point in writing it and sending it to nobody. So they sent it "repeatedly"? What does that mean, exactly? Would, for instance, it count as "repeatedly" if they sent it to a mailing list, there was some discussion, and they replied to it? Would it count as "repeatedly" if someone sent it twice? Is that a firing offence, do you reckon? Does it count as "repeatedly" if two different people sent it?

Re: Why

"If my seat is comfortable"

Don't worry, it won't be.

Re: New approach to an old piece of fun?

...although the photographer probably still owned the copyright...

Re: Will it finally fix the bluetooth HSP/HFP issue

I mean, it's very likely the case behind the scenes in Windows too. Microsoft has Bluetooth devs and audio devs.

You just don't get to see inside the sausage factory in that case.

Apple and Microsoft also have a hell of a lot more resources to fund paid developers on these things, and the makers of the hardware generally don't care whether it works on Linux and so don't work to fix it if it doesn't, leaving it all up to the maintainers of the stacks to figure out the problems and fix them.

weeeeelll

"The Linux community wants widespread/mainstream adoption of Linux as a desktop OS - in use by general Tom, Dick & Henrietta users for whom a computer is just a means of doing their daily job, hobbying, etc - they don't care about the OS."

I'd say your premise there is a bit shaky. Especially these days. The desktop wars were kind of a 90s/00s thing. It feels a bit weird these days when desktop/laptop computers are less of a big deal overall anyway.

I suspect quite a large chunk of "the Linux community" doesn't actually give much of a toss what anybody else runs on their computers, they just like Linux. I don't really care what Tom, Dick or Henrietta is doing any more.

Things are similar for the big Linux companies. None of them make money from desktop users. All of them tried to before, and found it doesn't work. The other commercial Linux companies of the past also tried it, and went broke. The money turns out to be in the enterprise, and not the enterprise desktop. RH, Canonical and SUSE don't really care what Joe Public runs on their desktop or laptop computers, if they even have one any more.

"Has anyone considered that if the community put all of that effort into making a distro which is as good as it possibly can be, rather than effectively duplicating effort across multiple distros, the less tech-savvy people might embrace LInux?"

Only about ten zillion internet commenters. But, again, there are some problems here. "Too many cooks spoil the broth" is a real thing.

In theory, you certainly could make one bigger better distro by combining all the work that goes into several different ones. But there are some devils in the details. The work that would really help out the bigger distros is probably not the work that people who maintain smaller distros want to do. It's often kind of thankless behind-the-scenes stuff like rote testing of updates or maintaining lesser-used packages or updating documentation or doing user support. You're not necessarily going to get anywhere by saying to people working on Mint "hey, how about you stop doing the fun stuff on Mint and start updating documentation for Ubuntu instead?", and so on.

Basically, people aren't just pawns to be moved around a chess board at will, especially when a lot of them aren't getting paid.

At the level of people getting paid, the major players paying people to work on Linux - Red Hat, Canonical, SUSE - are essentially competitors and have zero motivation to combine into a super-distro, or make a serious move on the consumer desktop space. It's just not going to happen.

Re: Ready for your grandmother

I think you must've misunderstood something - I don't think we ever had May 24th down as a release date for 36. It was actually delayed a couple of times, the original "well...we *might* hit it..." early target date was 2022-04-19 , and the more serious "we really *want* to hit it" date was 2022-04-26. We missed that by two weeks and released on 2022-05-10 instead. See https://fedorapeople.org/groups/schedule/f-36/f-36-key-tasks.html .

Glad you're enjoying it, though!

Well, we definitely do not advise anyone to run it in production, and stuff can still go wrong. But in truth we (and I personally - as noted above, I work for RH on Fedora as the QA team lead) have been working quite hard for a few years to make Rawhide much less scary than it used to be, and most of the time it is. I run it on my personal system sometimes (my policy is to run "the next version", so after a stable release I upgrade to Rawhide, then when the next release branches off from Rawhide I follow that branch until release, then go back to Rawhide) and it's fine most of the time. We have quite comprehensive automated testing of each Rawhide compose, which you can refer to to see if anything blew up in the latest compose, and avoid upgrading if it did - see https://openqa.fedoraproject.org/tests/overview?distri=fedora&version=Rawhide&build=Fedora-Rawhide-20220512.n.0&groupid=1 for today's test results for instance.

My latest effort is to enable automated testing not just for the daily *composes* of Rawhide, but for individual Rawhide updates, as we already do for stable and branched release updates. Ultimately I'd like to have those updates gated on the testing, again as they are for stable and branched releases, so updates that break core functionality would never make it to a compose. For now the Rawhide update tests are running in the test instance of the QA system for the last couple of weeks, and have already helped us identify the package responsible for one critical bug - https://bugzilla.redhat.com/show_bug.cgi?id=2082359 - and find and fix a subtle bug in a recent systemd release candidate - https://bugzilla.redhat.com/show_bug.cgi?id=2083374 . Once we get to the stage of gating Rawhide updates on these tests, those issues would never make it to a Rawhide user.

So, Rawhide is still officially scary and you really shouldn't use it on a critical system, but in practice it's already less explode-y than it was a few years ago, and we're actively working to make it ever less explode-y over time!

Re: Ready for your grandmother

"Multiple ways to confuse people. Fedora has its own branch of YALD."

We (I work for RH on Fedora, as the Fedora QA team lead) do try hard to avoid this, which is why if you go to the download page - https://getfedora.org/ - you are directed prominently to just the three core Editions, for very distinct purposes: Workstation, Server, and IoT. Other flavors of Fedora are intentionally de-emphasized a bit and shown lower down.

On btrfs, we do actually get some benefit from it; since Fedora 34, zstd-based transparent compression has been enabled by default, which usually saves quite a lot of space. The folks pushing the incorporation of btrfs in Fedora also have grander plans down the line, we're just moving carefully on it to ensure folks don't get bitten by the vaunted "btrfs stability problems".

Stratis is not actually a next-gen filesystem effort, that's slightly inaccurate (though to be fair RH docs do refer to "Stratis filesystems", which makes this a bit unclear). Stratis is actually a management layer on top of a bunch of pre-existing technology - LVM, device-mapper, and the xfs filesystem. It aims to provide next-gen filesystem-like functionality by marshaling all those technologies together. See https://stratis-storage.github.io/ for more on this.

It's a third-party addon that sits on top of systemd-networkd, a network manager. It had a vulnerability because its author didn't think hard enough about the possibility of malicious strings being sent to it via DBus. None of this has anything to do with systemd, per se. The same vulnerability could equally well have existed in the NetworkManager equivalent, NetworkManager-dispatcher, which does the same thing on top of NetworkManager; it just doesn't happen to because it wasn't written the same way.

This is kind of a subtle point. For 'true' two factor security, yes, you shouldn't be able to log in using only a single device. Your phone can be a second factor when logging in with something else, but it can't be a second factor when logging in on the phone. You must have a, uh, second second factor for that.

And FIDO knows this, and has *already* produced standards for that scenario. You can buy a Yubikey with NFC support for exactly this purpose, in fact.

The problem is, we live in the real world, and - as the white paper points out - we have several years of evidence to prove that people just aren't doing this. Even for highly-sensitive things like bank accounts, in most of the world, true 2FA is not being implemented. Banks aren't sending out hardware tokens to their customers. A *minority* of banks in a *minority* of places are doing this, but in most places, banks have only just got around to doing SMS-based "2FA" - which, as you point out, isn't 2FA at all if you're logging in on the phone to which the text is being sent.

The system described in the white paper doesn't meet the standards of "true" 2FA, but that's kind of intended: the idea is that we acknowledge that in most cases, "true" 2FA is just sufficiently cumbersome that it's not going to be used. We need an alternative that's as secure as possible, but lets you log in on a smartphone without needing any other hardware.

The answer proposed is basically "secure storage on the phone, usually with biometric authentication". PIN authentication is an alternative, but since that has most of the same drawbacks as passwords, isn't preferred. In general, when you go to log in to your bank, you'll have to pass fingerprint ID or face recognition on the phone; in the background this allows a token to be sent from the phone's secure store to the bank. It's not 2FA, but - as long as the biometric implementation is solid, and the secure store isn't hacked - means not just any Marlon Rando who finds your phone can log in to your account. It's not perfect, and the white paper doesn't pretend it's perfect; it specifically says that the existing FIDO standards for true 2FA are stronger and should be used where both parties are willing to deal with the inconvenience.

This is something that's *already happening* in a not-so-standardized way, BTW. My bank's phone app requires authentication each time it's run to access anything important; optionally this can be via phone biometrics rather than entering the account password.

Re: Who are these people?

Yes, but *only the organization knows the association between the token and the identity*. And they already *know* your identity. So the token isn't causing any net increase in loss of privacy. The token is not a problem. If the organization wasn't using this form of authentication at all, they would still have all the same personal information about you.

It's possible to use this kind of authentication system to authenticate to an account with ExtremelyAnonymousCo which has absolutely no personal information about you at all, or to an account with ExtremelyInvasiveCo which knows your name, phone number, address, social insurance number, bank account details, and inseam measurements. The token system doesn't care, and does not know any of those details, and does not provide a mechanism by which any of those details can be leaked from ExtremelyInvasiveCo to anybody else. It's your lookout whether you sign up for an account with ExtremelyInvasiveCo or not, and it doesn't have anything to do with this authentication system.

Re: What's the fallback mechanism?

I'm not saying the scheme is perfect. But I *am* saying it's very hard to come up with a system that provides a decent level of security and convenience for most people, and it's very *easy* for commentards to laze around on comment threads poking holes.

The system we have now is *definitely not it*. For most people, passwords do not provide sufficient security, because they use bad passwords, and reuse them; and they are not convenient, because typing in passwords sucks, especially on phones. Current widely-implemented 2FA schemes add substantially to the inconvenience, while still having significant security issues (especially SMS-based 2FA). Something better is desperately needed. At least FIDO is *trying*, and on the whole, there's a lot of good ideas in the things it has come up with so far.

Re: What's the fallback mechanism?

I think you (and several others) are missing the bit where you can't just use the tokens from any phone you get your hands on. You have to pass the authentication - biometric or PIN - to access them. Unless someone finds a flaw in the secure storage, of course, which is one of the bigger potential weaknesses in the overall system. But then, no system is perfect.

Re: Who are these people?

Nothing FIDO maintains "identifies" anyone. The standards are all about the interchange of tokens. Very simply put, you create an account with SomeOrg and agree with SomeOrg that "this magic token" is associated with that account. The token itself doesn't identify you, or SomeOrg. It's just a thing you've both agreed on. All FIDO standards cover is the process of generating and exchanging those tokens.

These standards also don't leak between organizations, so whatever SomeOrg knows about you, even if you also use webauthn to authenticate to your account at SomeOtherOrg using the same authenticator, neither SomeOtherOrg nor SomeOrg gets any information about you that is held by the other.

If you're worried about privacy, FIDO-defined standards are a better option than giving SomeOrg your phone number (a very sensitive identifier) so they can text you an authentication code.

I do wish people would do like five minutes of research before jumping into the comments with their tin foil hats on. FIDO's work isn't perfect, but it's a hell of a lot better than the alternative, which would be that Google or Apple just make this stuff up themselves.

Re: What's the fallback mechanism?

Upvoted for the kangaroo joke.

As to the question...the answer seems to be a bit complex. In the case where you replace an Apple phone with another Apple phone (or a Google phone with another Google phone, or a Samsung phone with another Samsung phone...), the answer is mostly "it's up to Google/Apple/Samsung to determine you're the same person and sync the tokens to the new device". How they do this is also left up to them. The paper implies this is already something they have processes for; I don't know if that's true.

In the case where you switch vendors, the answer seems to be "you keep the old device and sync the tokens from it to the new device via Bluetooth". This does seem to leave a rather large gap where the old device is lost or broken and you don't want to get a new device from the same company.

Another answer is sort of implied but not stated: keep an old device with the tokens on it around as a backup. Not everyone has two 'devices', of course, but lots and lots of people do. If this setup gets any momentum, as time goes on, it'll be more and more likely that you have an old device you can keep as a backup to seed a new device from if you lose or break your 'active' device. That's a lot of usable phones lying around in drawers just as identity backups when they could've been sold second hand and reused, though, I guess.

There's also a wrinkle to both answers, which is "if the app/site/whatever that's trying to authenticate the user doesn't want to just trust the process of syncing the tokens, it can choose not to: it will be told when the user is trying to authenticate from a device they haven't authenticated from before, and can then add its own steps to verify the user's identity, whatever they may be".

Re: The way I read this...

You're understanding it wrong, because this is not about protecting you, Apparent International Super Spy, from an adversary who would go to the extreme lengths of kidnapping and torturing you. It's about protecting J. Random Person In The Street from using the same bad password on all 1500 accounts they have, and getting phished.

This is a solid effort to try and improve security and convenience in the vast majority of real-world applications for real-world people. Who do *not* use password managers, or safe passwords, who hate passwords, who constantly forget them, and who do not have adversaries who would expend huge amounts of resources to compromise them. For such a person, "we'll authenticate you using a system where your phone checks your biometrics then sends out a safely-stored key" is both more secure and more convenient than "we'll authenticate you with that terrible password you use for both your bank account and fifty shoddily-coded PHP web forums, plus *maybe* a 2FA code we'll send you via a protocol known to be insecure and easily redirected, if you're lucky".

If you actually are an International Super Spy, this is not the standard for you. There are others (including ones set by FIDO) for your use case. By all means use them.