2SV vs 2FA, Briar, Dendrite, Versions, Protocols, Snowflake
I've often wondered why it's so often two-step verification, and not two-factor authentication (@ Wikipedia). As an example, I would prefer an option where the password + TOTP (@ Wikipedia) code are given at once. Then if you guess the right password, you don't get to know it. It could actually be "one-step" verification, where as an example the password is suffixed or prefixed with the TOTP code. - As an example, with basic auth it's necessary to implement it like that, because the prompt doesn't support any other alternative. It also nicely covers the known problem that there's no "logout" for basic auth. So now the logout for the basic auth part happens automatically in 30 seconds. Yet of course it's up to the service to decide how long it will allow the access cookie to be used.
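Here is what the password-plus-TOTP-suffix scheme looks like on the server side, as an added example written for this page (not code from the original post or from any particular basic auth implementation): the code is computed per RFC 6238 with HMAC-SHA1 from the Python standard library, the Basic header is decoded, the last six characters of the password field are peeled off as the TOTP code, and both factors are checked before answering so a correct password alone never produces a different result from a wrong one. The user name, password and base32 secret are constructed demo values, and the one-step skew window is an assumption.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo credentials for this example. A real service stores a
# password hash, not the password, and keeps the TOTP secret per user.
DEMO_USER = "alice"
DEMO_PASSWORD = "correct horse battery staple"
DEMO_TOTP_SECRET = "JBSWY3DPEHPK3PXP"  # base32, constructed
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, int(now // step))


def verify_basic_auth(header: str, now: float, window: int = 1) -> bool:
    """Check an 'Authorization' header value whose password field is password+TOTP.

    window=1 (an assumption, the usual allowance for clock skew) accepts the
    previous and next time step as well as the current one.
    """
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic":
        return False
    try:
        user, _, combined = base64.b64decode(b64).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    if user != DEMO_USER or len(combined) <= DIGITS:
        return False
    # TOTP codes have a fixed length, so the code is simply the suffix.
    password, code = combined[:-DIGITS], combined[-DIGITS:]
    # Evaluate both factors unconditionally so a correct password with a wrong
    # code takes the same path (and time) as a wrong password.
    password_ok = hmac.compare_digest(password.encode(), DEMO_PASSWORD.encode())
    counter = int(now // STEP_SECONDS)
    code_ok = False
    for delta in range(-window, window + 1):
        expected = hotp(DEMO_TOTP_SECRET, counter + delta).encode()
        code_ok = hmac.compare_digest(code.encode(), expected) or code_ok
    return password_ok and code_ok


def make_header(user: str, password: str, code: str) -> str:
    """Build the header value a client would send: Basic base64(user:password+code)."""
    return "Basic " + base64.b64encode(f"{user}:{password}{code}".encode()).decode()


if __name__ == "__main__":
    now = time.time()
    header = make_header(DEMO_USER, DEMO_PASSWORD, totp(DEMO_TOTP_SECRET, now))
    print(header, verify_basic_auth(header, now))
```

Because the client retransmits the same header on every request, a captured header stays valid only while the embedded code is inside the accepted window; with window=1 that is up to three steps, so the "automatic logout" is nearer 90 seconds than 30 unless the service insists on window=0 and accepts the clock-skew rejects that come with it.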
Got a few questions about the Briar Connector Bot. First question: how can you trust it? My very clear answer is that you shouldn't trust it. Trust isn't being delegated by the bot at all. Both parties still use their own public keys, which are untrusted at this point anyway, just like with any new chat / contact on any platform. The only thing the bot does is forward the contact request: "Hi, X wants to chat with you. Accept?". It comes with absolutely no direct trust attached. This brings me to the actual problem, which is that people think technology can provide trust. The actual trust is created somewhere else. It's not technology at all. Just yesterday I laughed about a long thread of fake NFT discussion. But NFTs are cryptographically safe, there's no way to fake NFTs... Oh wait... Similar discussion about web browsers. If a website shows the padlock symbol, it's certified to be secure, and you can trust it with your money, private information, and life? Hmm, no... There was a long thread about this on Twitter a few days ago as well.
XMAS hobby: tried running the Matrix Dendrite server on my own home server with Docker. It worked fine, including federation, which I verified with the federation tester and by chatting with myself from the alternate instances I'm currently using. But because I don't have time to actively maintain it, I shut it down and prefer using better maintained and monitored services instead. But maybe, at some point, if I feel like it, I might run an instance, and maybe not for myself alone.
So sick'n'tired of people re-releasing the same versions. This is a textbook example of how things shouldn't be done. This is version 1.1 and this is version 1.1, except the second version 1.1 is released two years later and is a wildly different version. So if there's now a bug or vulnerability in version 1.1, do I have it or not?
Phew, lots of discussion about TLS versions, DMARC, DKIM, SPF, SSL VPNs, async programming and all the classic stuff.
A few interesting Tor posts (not from the Tor Project). Tor 0day: Snowflake (@ hackerfactor.com) - Strange post; blocking Tor doesn't prevent malware from getting downloaded. That identifiable handshake stuff was true. Also the STUN failures seem quite classic, if true. And why would he just make it up? It's also good to mention that Tor was never designed to protect against nation states or other powerful adversaries. - Let's see the links mentioned in the post. Tor 0day: Burning Bridges (@ hackerfactor.com) - First of all, a technical post, nice. On a basic level it looks good, and it seems to be true that the protocols are identifiable. But most protocols are. The only sad thing is that the "arms race" isn't going forward, as mentioned. Also an adversary with a proper back end can run active tests after suspecting that an IP:port combination is providing Tor services: just connect to it, see if it works out, and then cache the result for a suitable time. I'm pretty sure that China, as an example, can easily do something like this, even if cheap firewalls can't. But this isn't surprising at all; many people seem to think that Tor is some kind of magic bullet.
Watched the James Webb Space Telescope (@ Wikipedia) Ariane 5 launch live, great, great. Fingers crossed that it'll work to the end and humanity gets great scientific results!
2023-03-05