site banner
PaperclipPerfector  8mo ago (text post)   38265 thread views

Culture War Roundup for the week of July 8, 2024

This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.

Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.

We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:

  • Shaming.

  • Attempting to 'build consensus' or enforce ideological conformity.

  • Making sweeping generalizations to vilify a group you dislike.

  • Recruiting for a cause.

  • Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.

In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:

  • Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.

  • Be as precise and charitable as you can. Don't paraphrase unflatteringly.

  • Don't imply that someone said something they did not say, even if you think it follows from what they said.

  • Write like everyone is reading and you want them to be included in the discussion.

On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.

13
Top Bottom Old Controversial Comments
Jump in the discussion.

No email address required.

Continuing my theme of thinking American election processes remain sketchy, the House just passed the SAVE act, ostensibly to prevent non-citizen voting. We all know how the battlelines are going to be drawn on that with the usual wailing and gnashing of teeth about how all of the totally legitimate citizens wouldn't actually be able to show that they're citizens and would be unfairly disenfranchised, and honestly, I suppose that's right to some extent. What's way more annoying is the drumbeat of people that say this is already illegal and doesn't happen. In a piqued fit of curiosity, I thought I'd take a look at what exactly California's process is for making sure only citizens are able to vote. Here's their registration application. It includes something a bit odd, checkboxes to simply indicate that you don't have a driver's license or social security number.

Well, if you check those boxes, there isn't really going to be sufficient unique identifiers to be crosschecked with a database to verify citizenship. Surely that disclaimer means you'd need to bring proof when you vote though, right? Well, here's what they say you need:

However, if you are voting for the first time after registering to vote by mail and did not provide your driver license number, California identification number or the last four digits of your social security number on your registration form, you may be asked to show a form of identification when you go to the polls. In this case, be sure to bring identification with you to your polling place or include a copy of it with your vote-by-mail ballot. A copy of a recent utility bill, the sample ballot booklet you received from your county elections office or another document sent to you by a government agency are examples of acceptable forms of identification [emphasis mine]. Other acceptable forms of identification include your passport, driver license, official state identification card, or student identification card showing your name and photograph.

Really? You can register with nothing that would identify you as a citizen, then show up to vote and identify yourself with the mailer you got when you signed up to vote. I have no idea how this process would stop a non-citizen from voting even in theory. Am I missing something? This seems like you can just straightforwardly vote in California as a non-citizen and the only thing that would stop you is a fit of conscience about checking the box that says you're a citizen. Are other states doing better at actually verifying the citizenship of voters? I would guess that some are and some aren't, but the claim that verifying citizenship would prevent quite a few people from voting kind of suggests that there isn't currently much of a process to do so.

Yeah, sometimes security really is that bad.

For a less serious example, "somebody" walked into the phone store, asked for a replacement SIM for my account (providing the phone number and possibly my name, but no other information), and walked out a few minutes later with the old SIM deactivated and the new card in their possession. That person was me, but they had no way of knowing that because they never asked or checked.

I think elections should at least be protected against that level of fraud.

This is why SMS is not a recommended second authentication factor for high-security or high-profile accounts: this can and has been abused before, many times.

This is why SMS is not a recommended second authentication factor for high-security or high-profile accounts: this can and has been abused before, many times.

What do the recommendations for account security in 2024 look like?

As a bank employee, I am expected to use a token tied to a physical device - either one of those SecurID tags which generates time sensitive 6-digit codes or a soft token loaded onto a phone app (which stays on the single phone and is not uploaded to iCloud etc.)

For multifactor authentication, specifically:

  • The gold standard is a Yubikey, but this is obnoxious to setup and maintain, so you probably can't unless it's your full-time job.
  • For everyone else, virtual key-based two-factor authentication, either tied to your physical phone or running on an (ideally not-device-you're-logging-in-on) computer. Authy is the Google version, there's a bunch of free third-party ones that are pretty not-awful. (If you use an Android phone, avoid sideloading onto the same device as your 2FA app, and limit browsing/weird app installs from the stores if you're paranoid).
  • Most have an online backup option. Whether you want to use it depends on your threat model -- having a fast backup option from 'phone exploded' is nice, but compromise here is pretty bad.
  • When you set up key-based 2FA for important account, you should get some number (usually 3-5) 'emergency codes'. Print two copies out: put one with your birth certificate, and one off-site (safe deposit box, friend's house, among your personal effects at the office).
  • Avoid giving phone numbers to vendors whenever possible; even if you don't use them as a 2FA setting, businesses will almost always treat them like one, except going through their tier 1 tech support instead of an actual process. Unfortunately, not possible for a lot of things like business/bank accounts.
  • If your account is high-risk or high-profile, try to contact your vendor ahead of time and specifically disavow phone-based account recovery. Probably won't work, but can be worth trying.

For passwords :

  • The Standard Advice is to use a good password manager. Firefox and Google have built-in options, as does the iPhone, but 1Password has some nice benefits in terms of Just Working. If you're willing to do the synchronization yourself, or only have a couple machines you login from, KeePass. Use them to autofill password forms; if they don't, check for likely compromise of the site (though there are a few other possible causes). Make sure your login passwords for these tools are unique, long, and memorable, and harden the password store against external attacks.
  • Whatever tool you use, make sure it's separate from your 2FA app, and that your password store isn't getting backed up to the same place your 2FA backup.
  • ... the non-standard advice is to have a unique, long, and memorable password for every major site that you memorize. This can be a very useful skill if you might need to log in at arbitrary locations from computers that you don't have a lot of chance to set up, but most people can't do it, and you're slightly more vulnerable to simple brute force attacks than password managers.

More generally:

  • Get and use an ad blocker. Because of the iPhone, piHoles are the best option, but if you mostly browse from a desktop uBlock Origin works well enough. Ads are an attack vector.
  • HTTPS-everywhere (now default in most browsers) is nice. If you're tech-savvy, knowing how to tunnel both DNS and HTTP(s) to a server you control can also be nice, especially if you're on the road a lot. The former is more realistic a concern for more threat models, but a surprising number of important but small sites will not support HTTPS.

Good comment. My additions:

  • Use masked email for most things. For example, Firefox automatically offers to fill in email fields with their Mozilla Relay service.
  • Even within a password manager, autogenerate passphrases rather than passwords. A six-word passphrase has much more entropy than a fifteen character random string. And it has the benefit of being more memorable. See this relevant xkcd.
  • Get notified by HaveIBeenPwned if your account is found in a breach.
  • Don't use SSO for online services, unless it's like part of your job. Yeah it's convenient to just click "Sign in with Google" but if your Google account ever gets nuked for whatever reason (just go on HackerNews and search for "Google account", most posts are stories about people losing accounts), then you also lose access to the non-Google service. A password manager plugin offers the same convenience as SSO, so just use that.

That is one hell of an answer, thank you for typing all that!

I have heard reasonable explanations of the new passkey systems that the big tech companies are slowly trying to roll out. It's effectively replacing a symmetric password (client and server both know the password) with an asymmetric signature (my client can prove itself to the server without the server itself learning enough to do so itself). It doesn't solve the two-factor problem itself, but probably could change how user passwords are handled.

On the other hand, they are distinctly too complex to commit to memory, so they end up having to be stored in a physical device, which has its own issues. Also viable backups and account restoration have conflicting concerns with privacy: keeping a copy of your credentials on Big Tech servers is, for some, the antithesis of the goal.

Passkeys don't necessarily solve the two-factor bit, but if the device is bioautheticated as most phones are this is kind of/mostly a moot point. A more relevant trifecta when it comes to the point of passwords/authentication is 1) something you know, 2) something you have, and 3) something you are.

Passkeys are nice because they swap the (something you know which you can be tricked into giving + something you have which less-commonly via sim-swapping or the like the system can be tricked into thinking someone else has) for the equation of (something you are, which is really hard to fake + something you have, with similar weaknesses). Note that you can't really lose accidentally or give away "something you are", like biometrics, so as long as the authentication protocol is solid, the passkey approach patches a major weakness. And since some passkey protocols try to verify that the something you have is physically located next to the actual access point, it's also a stronger something you have, even if it's not necessarily exactly the same as 2FA.

At least that's my understanding. Haven't yet migrated, but am very close to doing so.

Of course still excellent points about the cloud-passkey paradigm, but since passwords are just so easy to make weak (even with fancy rules to attempt and make them more secure), it still seems like an order of magnitude security improvement.

What is this place?

This website is a place for people who want to move past shady thinking and test their ideas in a court of people who don't all share the same biases. Our goal is to optimize for light, not heat; this is a group effort, and all commentators are asked to do their part.

The weekly Culture War threads host the most controversial topics and are the most visible aspect of The Motte. However, many other topics are appropriate here. We encourage people to post anything related to science, politics, or philosophy; if in doubt, post!

Check out The Vault for an archive of old quality posts. You are encouraged to crosspost these elsewhere.


Why are you called The Motte?

A motte is a stone keep on a raised earthwork common in early medieval fortifications. More pertinently, it's an element in a rhetorical move called a "Motte-and-Bailey", originally identified by philosopher Nicholas Shackel. It describes the tendency in discourse for people to move from a controversial but high value claim to a defensible but less exciting one upon any resistance to the former. He likens this to the medieval fortification, where a desirable land (the bailey) is abandoned when in danger for the more easily defended motte. In Shackel's words, "The Motte represents the defensible but undesired propositions to which one retreats when hard pressed."

On The Motte, always attempt to remain inside your defensible territory, even if you are not being pressed.


New post guidelines

If you're posting something that isn't related to the culture war, we encourage you to post a thread for it. A submission statement is highly appreciated, but isn't necessary for text posts or links to largely-text posts such as blogs or news articles; if we're unsure of the value of your post, we might remove it until you add a submission statement. A submission statement is required for non-text sources (videos, podcasts, images).

Culture war posts go in the culture war thread; all links must either include a submission statement or significant commentary. Bare links without those will be removed.

If in doubt, please post it!


Rules


Recommended Posts And Communities

Recommended Realtime Chats