• 0 Posts
  • 50 Comments
Joined 7 months ago
cake
Cake day: April 7th, 2024

help-circle











  • scsi@lemm.eetoAsk Lemmy@lemmy.world*Permanently Deleted*
    link
    fedilink
    arrow-up
    13
    arrow-down
    1
    ·
    23 days ago

    Along this line of thinking, I use Lemmy and Mastodon as complementary rather than competing, but not in the way people want/use X/Bluesky. Lemmy (reddit) is great for the use as you outline, Mastodon (and Pixelfed) supply a visual experience if you make it work that way and don’t expect/want an X like experience (so think more Instagram). Lemmy lacks multireddits which could solve some of this Mastodon use case, on reddit I have a multireddit named “Gallery” which combines a dozen picture-only subreddits.

    One can follow hashtags like #photography or #catsofmastodon, discover like-minded profiles who only post pictures and minimal talk/chatter (a lot of actual skilled photographers are present) and follow those profiles. It provides an experience that rounds out Lemmy, but I do admit I would love a “gallery” like view in the apps to streamline the hashtag viewing (Pixelfed does this specifically, but people are spread all over the planet - Mastodon proper pulls in federated data easier, IMHO)


  • To try and bake down the complex answers, if you are basically familiar with PGP or SSH keys the concept of a Passkey is sort of in the same ballpark. But instead of using the same SSH keypair more than once, Passkeys create a new keypair for every use (website) and possibly every device (e.g. 2 phones using 1 website may create 2 sets of keypars, one on each device) - and additionally embeds the username (making it “one-click login”):

    • creating a passkey is the client and server establishing a ring of trust (“challenge”) and then generating a public and private pair of keys (think ssh-keygen ...)
    • embedded in the keypair is the user ID/username and credential ID, which sort of maps to the three fields of a SSH keypair (encryption type, key, userid optional in SSH keys) but not really, think concept not details
    • when using a passkey, the server sends the client a “challenge”, the client prompts the user to unlock the private key (device PIN, biometric, Bitwarden master password, etc.)
    • the “challenge” (think crypto math puzzle) is signed with the private key and returned to the server along with the username and credential ID
    • the server, who has stored the public key, looks it up using the username + credential ID, then verifies the signature somewhat like SSH or PGP does
    • like SSH or PGP, this means the private key never leaves the device/etc. being used by the client and is used to only sign the crypto math puzzle challenge

    The client private key is stored hopefully in a secure part of the phone/laptop (“enclave” or TPM hardware module) which locks it to that device; using a portable password manager instead such as Bitwarden is attractive since the private keys are stored in BW’s data (so can be synced across devices, backed up, etc.)

    They use the phrase “replay” a lot to mean that sending the same password to a website is vulnerable to it being intercepted and used n+1 times (hacker); in the keypair model this doesn’t happen because each “challenge” is a unique crypto math puzzle generated dynamically every use, like TOTP/2FA but “better” because there’s no simple hash seed (TOTP/2FA use a constant seed saved by the client but it’s not as robust crypto).




  • Recently started a replay of the PS5 BioShock collection (1&2). In 1 the items shimmer to let you know they’re there to interact with, in 2 that setting is off/disabled by default and you don’t realize it until you go digging through the settings after wondering where all the stuff is/went because you sit 15ft/3m from your TV. Utterly frustrating dev choice on normal mode play defaults.



  • The other data shows that posts and comments are going up linearly (a little suspicious but OK), but I wonder how the modlog affects the data (meaning how is it captured and when). I made one comment to a honest post yesterday (hosted on a remote instance), which then the post was deleted by admins like so:

    Removed Post Any app for call recording ? reason: Rule 2: Please use [email protected] for support questions.

    So my comment shows in my history but cannot actually be accessed; was this comment counted? was that post counted? Was I counted as an active user yesterday if that was the only activity I did all day? Was the one person who upvoted my comment before the thread was deleted counted?

    Lies, damn lies and statistics. :)