Readit News
anfedorov commented on Dark mode in a website with CSS   tombrow.com/dark-mode-web... · Posted by u/teaspoon
the8472 · 6 years ago
That can be like a lighthouse in a dark night. flux can help of course, but if you are serious about supporting dark mode then you should eliminate as much white space as manageable.
anfedorov · 6 years ago
I think he means if you're serious about dark mode then design two graphs, one light, one dark. Solving "how do I turn a well-designed light mode image into a dark mode image" is an AI task that would be a nice research paper, not something a designer can hack together with a bunch of if-then rules.
anfedorov commented on ProtonMail now offers elliptic curve cryptography   protonmail.com/blog/ellip... · Posted by u/_eigenfoo
KirinDave · 7 years ago
This announcement is an example of why I am not using ProtonMail anymore. There are a lot of things they do that sound very good on marketing materials, but upon examination are security theater.

For example, they claim, "We have chosen a particular elliptic curve system known as X25519, which is fast, secure, and particularly resistant to timing attacks. It’s simple to implement".

However, previously they've said that they use Indutny's library [0]. This library is somewhat infamous because its leadership decided to discard any pretense of defending against timing attacks on the grounds that it would make the library "too slow." [1]

There are other options. They could have used something with good timing attack resistance from WebCrypto. Those options exist. Folks with more skill than I have recommended P-256 as an option.

[0]: https://protonmail.com/blog/openpgpjs-3-release/

[1]: https://github.com/indutny/elliptic/issues/128#issuecomment-...

anfedorov · 7 years ago

Deleted Comment

anfedorov commented on California Moves to Require 100% Clean Electricity by 2045   bloomberg.com/news/articl... · Posted by u/dsr12
jzoch · 8 years ago
I understand this is amazing and totally love my state for doing it, but man seeing 2045 is always a little dismaying as I wish we could be even more aggressive. 2035 for example. I realize I am being too ambitious, but we went to space in a decade why not 100% clean energy in 1.5?
anfedorov · 8 years ago
Also, what does "Clean Electricity" mean? I signed up for CleanPowerSF which only cost me 2¢/kWh more, if I remember right: https://en.wikipedia.org/wiki/CleanPowerSF
anfedorov commented on Google: Security Keys Neutralized Employee Phishing   krebsonsecurity.com/2018/... · Posted by u/sohkamyung
Phrodo_00 · 8 years ago
Which is why I'm wary of using my password manager for OTP, and use a separate one. Not sure if it's too paranoid, but it doesn't make sense to me to keep the 2 in the same place.
anfedorov · 8 years ago
There appear to be two points being conflated — 1/ 2FA via secrets stored on a separate device from your primary device with a PM provides more security than those stored on one device, and 2/ once you use a PM with a unique password for every site, much of what OTP helps with is already mitigated.

Both seem true, and what to do to protect yourself more depends on what kinds of attacks you're interested in stopping and at what costs. Personally, PM + U2F seems the highest-security, fastest-UI, easiest-UX by far — https://cloud.google.com/security-key/

anfedorov commented on Stripe Issuing – An API for creating physical and virtual cards   stripe.com/issuing... · Posted by u/zuck9
hartator · 8 years ago
That’s awesome. I wonder how easy it would be to code an easy service that generates a different card for every subscription. No more hassle to cancel this gym membership!
anfedorov · 8 years ago
That may be a bad idea — you have entered into a contract, one that likely doesn't account for that sort of "cancellation" and so gyms could legally keep charging you, consider the account delinquent for a while, then close it and sell that debt to a collection agency. On the other hand 24h fitness auto-canceled my membership when I didn't go for a little while, so at least some have some kind of incentive to not have people hate them.
anfedorov commented on Google: Security Keys Neutralized Employee Phishing   krebsonsecurity.com/2018/... · Posted by u/sohkamyung
dwaite · 8 years ago
It creates a race condition in transit - if they can use the code before you, then they win. I can intercept at the network level, but also via phishing attacks - there is no domain challenge or verification in TOTP.

I know having someone malicious get into your account multiple times vs once is likely worse, but it's hard to quantify how much worse it is - and of course using that one login to change your 2FA setup would make them equivalently bad.

anfedorov · 8 years ago
Not quite exactly "equivalently bad", since a user is more likely to notice a 2FA setup change than they are a phishing site's login error and then everything working as usual, but yeah, perhaps it's splitting hairs at that point.

Deleted Comment

anfedorov commented on Google: Security Keys Neutralized Employee Phishing   krebsonsecurity.com/2018/... · Posted by u/sohkamyung
SpaethCo · 8 years ago
If you're using a password manager to have unique passwords for every site, what does TOTP 2FA even protect you against?

Since 2FA only comes into play for protection if the password is compromised, if you're using a password manager that should mean that data breaches at unrelated sites shouldn't be a risk.

So we're down to phishing and malware/keyloggers being the most likely risk -- and TOTP offers no protection against that. If you're already at the point that you're keying your user/pass into a phishing site, you're not going to second guess punching in the 2FA code to that same site. I'd even argue push validation like Google Prompt would be at a significant risk for phishing, unless you are paying close attention to which IP address you're approving access for.

anfedorov · 8 years ago
> If you're using a password manager to have unique passwords for every site, what does TOTP 2FA even protect you against?

Sounds a little obvious to write it out, but it protects against someone stealing your password some way that the password manager / unique passwords doesn't protect you against. Using a PM decreases those risks significantly, mostly because of how enormous the risks of password reuse and manual password entry are without one, but it certainly doesn't eliminate them entirely.

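Modelling the two points above (dwaite's: TOTP carries no domain challenge, so a phished code is just a race against the clock; SpaethCo's: anyone who types a password into a phishing page will type the TOTP code into it too) as an added example. This is not code from the thread, from Google, or from any project linked here. Assumptions are mine: TOTP follows RFC 6238 (HMAC-SHA1, 30 s step, 6 digits, verifier tolerates one step of drift either way), and the U2F/WebAuthn signature is stood in for by an HMAC keyed with the registered secret, since the property on show is that the browser-supplied origin is covered by the signature, not which signature algorithm is used. The seed, key, origins and challenges are constructed for the demo.

```python
# Added example (not from the thread or any project named on this page): a toy
# model of why a phished TOTP code still verifies at the real site, while a
# phished U2F/WebAuthn-style assertion does not.
#
# Assumptions, all mine: TOTP per RFC 6238 (HMAC-SHA1, 30 s step, 6 digits,
# +/-1 step of skew accepted).  The U2F signature is replaced by an HMAC keyed
# with the registered secret; the point shown is that the *browser-supplied
# origin* is inside the signed message, which holds for the real ECDSA scheme
# too.  Seeds, keys and origins below are constructed for the demo.
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30
TOTP_DIGITS = 6
TOTP_SKEW = 1  # steps of clock drift the verifier tolerates on each side


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    return hotp(secret, now // TOTP_STEP)


def totp_verify(secret: bytes, code: str, now: int) -> bool:
    step = now // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-TOTP_SKEW, TOTP_SKEW + 1))


def relay_totp(seed: bytes, t_typed: int, t_replayed: int) -> bool:
    """Victim types the code into the phishing page at t_typed; the attacker
    replays it at the real site at t_replayed.  True means the attacker is in.
    Nothing in the six digits records which site they were typed into, so the
    only thing working against the attacker is the clock."""
    return totp_verify(seed, totp(seed, t_typed), t_replayed)


class Authenticator:
    """Security key.  The browser, not the web page, supplies `origin`
    (WebAuthn carries it in clientData, which the signature covers)."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def sign(self, origin: str, challenge: bytes) -> bytes:
        return hmac.new(self._key, origin.encode() + b"\x00" + challenge,
                        hashlib.sha256).digest()


class RelyingParty:
    """The real site.  It checks the assertion against its *own* origin,
    never against an origin string sent by the client."""

    def __init__(self, origin: str, registered_key: bytes) -> None:
        self.origin = origin
        self._key = registered_key  # stand-in for the stored public key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, challenge: bytes, assertion: bytes) -> bool:
        expected = hmac.new(self._key, self.origin.encode() + b"\x00" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def legit_login(auth: Authenticator, rp: RelyingParty) -> bool:
    challenge = rp.new_challenge()
    return rp.verify(challenge, auth.sign(rp.origin, challenge))


def relay_u2f(auth: Authenticator, rp: RelyingParty, phishing_origin: str) -> bool:
    """Attacker fetches a fresh challenge from the real site, shows it on the
    phishing page, and forwards whatever the victim's key returns.  The browser
    fills in the phishing origin, so the real site's check fails."""
    challenge = rp.new_challenge()
    assertion = auth.sign(phishing_origin, challenge)
    return rp.verify(challenge, assertion)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # the RFC 4226 / RFC 6238 test secret
    print("TOTP relayed 10 s later:", relay_totp(seed, 1000, 1010))  # True
    key = secrets.token_bytes(32)  # constructed for the demo
    auth, rp = Authenticator(key), RelyingParty("https://accounts.example", key)
    print("U2F legit login:", legit_login(auth, rp))  # True
    print("U2F relayed via phishing page:",
          relay_u2f(auth, rp, "https://accounts-example.com"))  # False
```

Calling `relay_totp(seed, 1000, 1300)` instead fails only because ten 30-second steps have elapsed, which is the "race condition in transit" above; shrinking the skew or the step buys seconds, not a fix. The U2F relay fails regardless of timing because the origin the browser put into the signed message differs from the one the relying party recomputes with; that is the "domain challenge" TOTP lacks.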
anfedorov commented on Grand Jury Indicts Russian Officers for Hacking Related to the 2016 Election   justice.gov/opa/pr/grand-... · Posted by u/ccnafr
myko · 8 years ago
Is it overboard to consider Paul Manafort a Russian asset? He seems to have influenced Trump and his governing style pretty drastically.

I don't think anything in my comment was particularly inflammatory.

anfedorov · 8 years ago
I haven't read all the indictments and so might be wrong, but at this point I think it would be speculation. Time will almost certainly tell for sure. The wikipedia definition of the term seems easy to agree on — https://en.wikipedia.org/wiki/Asset_(intelligence)

u/anfedorov

Karma: 365 · Cake day: October 2, 2011
About
(currently) andrey@sig.ma

(formerly) andrey@heapanalytics.com andrey@desmos.com andrey@humblebundle.com anfedorov@google.com andrey@invitemedia.com andrey@gamechanger.io andrey@conductor.com
