@tokumei @perfectasshole super bump, but yeah you can totally use keybase with a smartcard pgp key (in fact pgp is a lot less needed than it used to be), as well as upload just the public side of the key and not have them do your key management.

The TEE makes an offline attack like the one you mention impossible on Android and iOS. Only an online attack is possible on recent versions of both major mobile OS, and then you get hit with the rate limiting on the online mode (wait 30 seconds on Android, or wait a very very long time on iOS).

Until I unlock my phone by entering credentials, you cannot access any decrypted files on said device. You can't exfiltrate the file to crack because until Android trusts the device you're targeting, nothing will be exposed over MTP.

@Condor Mine is currently 6 digits. At 5 attempts/30 secs that's a solid 55 hours of trying to get into my phone.

@Condor I'm confident in my PIN, as well as having nothing only exist in one place that lives on my phone. While I'd be out the money, if my phone were lost or stolen and not recovered, I'm confident having a PIN that is meaningless is plenty.

@Condor I'm not saying it's bad (I've also read the compatibility definition document), I'm just saying I'd much prefer a situation where a fingerprint sits above a secure PIN, rather than the fingerprint being the only security measure.

Everyone who has ever been in OPM's database can strike the security of fingerprints as being a little worse :v

@Condor the ultrasonic one Qualcomm is working on is significantly better from what I've heard, but there's a chance Google will no longer approve new optical implementations for Trustzone.

But more to the point, if you've only got fingerprint, if I'm police or fed, I just say "unlock your phone with your fingerprint". If you have a pin or you secured your phone by turning off fingerprint temporarily, there's no way for them to get in.

@Condor Currently Google is deciding whether or not the optical sensor in the 6T is secure enough to be a valid trustzone security method.

@Condor Considering iPhone acts the same way I think you're a little off base. The purpose of the fingerprint sensor isn't to be the super secure authentication, it's to make using a very secure pattern or PIN less of a PITA. I think I have to enter my PIN on my Pixel 3 once every few days when I wanted to use Pixel Imprint due to security. Throw in the legalities of compelling fingerprints vs PIN, no fallback if biometric system fails, and I'd run far away from a ROM that would just let me set a fingerprint and call it a day.

@Condor the fingerprint secure zone isn't unlocked until you decrypt it with your PIN.

@ItsNotMyFault archlinux wiki "what doesn't work on Surface Book 2": Cameras

"What has bugs":
keyboard base
hibernation only works if touchscreen disabled

That's all dealbreaker for me.

@ItsNotMyFault And if I want a non crappy laptop I buy Surface Book, and gimping pen/touch support just so I can use linux would be stupid.

"Google Registry is excited to support G Suite in their innovative use of .new for new actions in Docs, Sheets, Slides and more. The .new TLD is open, secure by default, and will be available to everyone for registration in 2019. Please check back soon for more details."

But that's kind of my point. People use country code TLDs that aren't for sites they're based in, the whole com/biz split disappeared when everyone thought com sounded better

plus we're already at the point where .pizza is a tld

But it's not a harmful idea either. It's not like it suddenly ruins every other TLD.

And I'm sure Charleston Road Registry told ICANN "you guys don't mind if we do this with .new right?".

Fact of the matter is that standards and practices change. Remember when having TLS on your site was some wild concept only for banking?

@devios1 by that logic, is .me only acceptable when it's referring to Montenegro?

@igorsantos07 and anyone could register a domain with .app, and Google is the registrar of record for that too. If Microsoft gives them money, I am sure they would.

@devios1 do you also hate .xyz, .computer, and all the other ones I can't think of off the top of my head?

Is there a standard that says "don't buy verb gTLDs"

I didn't think so. They went through the process, got it approved, so what

Also frankly if we listened to everyone who screamed about bastardization of protocols we'd still be using lynx to browse the world wide web

@devios1 but realistically there's very few organizations who can afford to just pay the fee for a gTLD anyway so why does it matter?

My two cents, I think this is really petty on your part. Not everyone you socialize with is going to know everything about what you do. I don't know all the intricacies of Human Communication or Statistics when my partner talks to me about it, but she doesn't go "well he doesn't know about Shakespeare so I'm breaking up with him".

Also, the biggest problem with working from home is the concept of "work". Realistically, to make working from home work (heh), I'm of the opinion that you need a space dedicated for work, that acts as your office. Don't program on the couch in the living room, because that makes you available and not in that work mindset. You go to your "office", now you're in the mindset to get shit done, the people who live with you know "they're working, I shouldn't disturb them".

@Braed If someone is arguing from a point of absolute lunacy, why should I make the effort to meet in the middle? If someone is saying that gays don't deserve to live, why would I waste debating energy on this.

@Braed I was unaware telling people to not be literal Nazis or hate others based on who they want to bang is equivalent to fascism.

@brunofontes options have a cognitive load. When you ask someone to make a decision about an option they don't care about, it's even worse.

Nearly 20 years old (!!!), but still relevant today: https://joelonsoftware.com/2000/04/...

@bittersweet but people don't give a shit about protocols. The average computer user literally doesn't care what stack Facebook messenger runs on, or that you could use IRC. The ship has long since sailed on keeping protocols alive for anything more than a niche market.

I mean what do you define as low paying? Took me 3 months to find this job straight out of my degree, I'm making 23.xx an hour with full time.