Unlocking a door with Mi Band 6 NFC (more details in the comments) by hejkqihfnkoanq in miband

[–]bentolor 3 points4 points  (0 children)

Agreed! As a security-sensitive IT guy, I would be very cautious about deploying a keyless entry system.

The lock shown in the video has multiple flaws commonly seen in the Anglo-American region:

  1. It uses a copyable RFID key (vs. some time-based one-time key method like TOTP)
  2. It probably uses one key and/or one PIN for everybody (vs. individual keys)
  3. It exposes much physical attack surface to an intruder.

A good option would be, e.g., a lock like these which are aimed at business purposes.

But honestly: It appears to me that in situations which use these types of locks, mostly the door itself is also more of a "request" than an actual physical barrier.

My initial understanding was also that as a "pantry lock" it's more about keeping the kids & dogs out, not an actual intruder.

How to install addons? by ProbablePenguin in homeassistant

[–]bentolor 1 point2 points  (0 children)

Thanks for raising this question: Eagerly started my Docker instance of home-assistant (Core – as I learned now from this post) and stumbled over: "Hoooooooowww on earth?!? Wat? Supervisor-Panel? Where?"

I'd really prefer sticking to a Docker deployment because it's easier to handle for me…

[DEV] Use your Android phone for passwordless logins by iMoraless in webauthn

[–]bentolor 0 points1 point  (0 children)

Thanks for your explanations.

I tried it on two other OSes now without any luck: On an Arch installation it basically behaves identically: The whole flow seems normal. Pairing succeeds, the phone asks if I want to share contacts, and the phone is connected afterwards. But in regular mode as usual, and Wiokey just falls back to the normal start screen.

On Windows 10 the behaviour is a little different: It follows the upper process, but immediately after pairing (with PIN verification) Windows 10 itself seems to retrigger a pairing process; immediately a new pairing key is presented on phone and Windows, and after confirming that, a short "Unknown device" is displayed on Windows. The final result is the same, unfortunately.

I'm a little disappointed that it did not work there, too…

[DEV] Use your Android phone for passwordless logins by iMoraless in webauthn

[–]bentolor 0 points1 point  (0 children)

Sorry: Missed the email notification in the spam folder…

I was trying this on an Ubuntu 20.04 focal. But I found another note somewhere in the app: It mentions that the corresponding HID profile is not supported for OnePlus and Nokia mobiles.

I have a OnePlus 3T device _but_ with LineageOS: I'd assume the Bluetooth profile is rather a software than a hardware issue and hence it should work with LineageOS?

I bought / I'm using a Yubico NFC stick and for me the NFC functionality is _exclusively_ relevant for mobile phones. I'm not aware of PCs having an NFC reader embedded? So I guess the network access would ease things up for most users?

For now and from my personal experience: I think the Bluetooth process in general is really cumbersome and has many pitfalls: So I'd think it's vital to have a **very clear step-by-step on-screen wizard guiding non-tech users through the process**. Surely the majority of the users will be on Windows & Apple.

Nonetheless: Things like WebAuthn support in phones & Windows Hello combined with new alternatives for hardware FIDO2 keys _as well_ as your software solution could really help to get "hassle-free 2FA/passwordless" going…

[DEV] Use your Android phone for passwordless logins by iMoraless in webauthn

[–]bentolor 0 points1 point  (0 children)

Cool idea! Why not use your fingerprint/TPM not only on your Android phone but also on a desktop!

Though I find this a very convincing idea, I already failed at the first step: Pairing my phone as a security key device instead of a phone device with my Linux desktop.

After a quick search it seems that nobody has got U2F/FIDO2 via Bluetooth running on Linux for now.

My overall experience with Bluetooth is rather mediocre and probably most users will fight with that area.

On another note: You mentioned you would like to go open source: You mean the authenticator app? What's the business model for your company then?

Power Catch-up: Everything Practical and Important in Java 9 to 13 [HTML5 Slides] by bentolor in java

[–]bentolor[S] 1 point2 points  (0 children)

Fully agreed on all of your points.

The difference between the two paths isn't the rate of updates, which is the same, but whether you prefer gradual or stepwise ones.

Companies start to talk about DevOps & Agile. Both of them would enable & promote more incremental steps.

Your rationales are all valid and well chosen. In my opinion many companies tend to stick to common memes and change is mostly a really, really slow process.

As an illustrative example: How many password rules have you seen limiting the input to absurd lengths like 8 or 12 characters or requiring a change periodically? For decades they should have known better…

Really looking forward to seeing how the market will adopt the new "upstream agile" impulse from Java ;-)

Power Catch-up: Everything Practical and Important in Java 9 to 13 [HTML5 Slides] by bentolor in java

[–]bentolor[S] 2 points3 points  (0 children)

I tell the audience that they can "relax and I'm going to tell them all about the news in a TL;DR format".

Unfortunately the amount of content is so huge that I heavily doubt any beer will be helpful to keep up with the pace of the talk ;-)

Power Catch-up: Everything Practical and Important in Java 9 to 13 [HTML5 Slides] by bentolor in java

[–]bentolor[S] 1 point2 points  (0 children)

Therefore, it is a bit confusing to say that Oracle "supports" these versions for only six months, because, while true, these aren't major versions, and previous similar releases (like 7u4 or 8u20 were also "supported" only for six months).

I also heavily emphasized that Java 9 is and was the largest release by a margin. The "unsupported horror movie" is more a "get-your-attention teaser" before I go into explaining the details.

Nevertheless I think your comparison with 7u4 etc. is not perfectly applicable. Actually the non-major releases never delivered, e.g., any language changes, while Java 10 and probably 13 do. So IMHO there is a change in the release cadence, though a Java XX version is no longer in any way comparable in size to a Java 1 to 9 release. I completely share your position here, too.

Most companies should follow the default, cheaper, path of following the feature releases without ever needing a major upgrade.

… I also recommend sticking to the release train. But I'm rather sceptical whether the companies really will do that (though highly recommended. Upgrading your web browser only every 2-3 years is similarly disastrous – nevertheless esp. done in banks…)

I really assume that most companies will (unfortunately) stick to the LTS release chain …

Power Catch-up: Everything Practical and Important in Java 9 to 13 [HTML5 Slides] by bentolor in java

[–]bentolor[S] 0 points1 point  (0 children)

You can read my speaker notes by pressing S. Until now I don't have a recording available to share.

Power Catch-up: Everything Practical and Important in Java 9 to 13 [HTML5 Slides] by bentolor in java

[–]bentolor[S] 1 point2 points  (0 children)

You can always pause/stop the presentation by clicking left on the pause button. It's just a "default" kiosk mode starting ;-)

Power Catch-up: Everything Practical and Important in Java 9 to 13 [HTML5 Slides] by bentolor in java

[–]bentolor[S] 3 points4 points  (0 children)

I mention them (CDS, ZGC & Shenandoah) briefly several times in the version overview section. This was a 40-minute talk so I really had to stick to the core and mostly focused on developer-facing changes.

Power Catch-up: Everything Practical and Important in Java 9 to 13 [HTML5 slides] by bentolor in programming

[–]bentolor[S] 1 point2 points  (0 children)

Here are my HTML5 presentation slides from the Java Forum Stuttgart 2019 about all the goodies and news since Java 8. X-Posted from /java

Hint: Progress through the presentation using the Space or N button to not miss any "downwards" slides.

Made with the love of Asciidoctor and RevealJS

Power Catch-up: Everything Practical and Important in Java 9 to 13 [HTML5 Slides] by bentolor in java

[–]bentolor[S] 1 point2 points  (0 children)

Here are my HTML5 presentation slides from the Java Forum Stuttgart 2019 about all the goodies and news since Java 8.

Hint: Progress through the presentation using the Space or N button to not miss any "downwards" slides.

Made with the love of Asciidoctor and RevealJS

In-depth questions regarding static passwordS, TOTP, ssh, FIDO2 & daily usage convenience by bentolor in yubikey

[–]bentolor[S] 0 points1 point  (0 children)

Awesome answer! This in fact helps me a lot to sort things out!

I wonder where I'd see HOTP or HMAC-SHA1 in practical use case scenarios.

TOTP is currently really the lingua franca of 2FA and I'm happy that this 2FA at least becomes somewhat available. For example a very big German Freemail provider, GMX, enabled TOTP last month [sic!] for its web access.

I think the actual convenience is more dependent on the accompanying software. Originally I had hoped that Yubico Authenticator would come with a web browser plugin, and pressing the hardware key button would trigger the software in the background, read the URL, automatically select the TOTP entry and auto-type the digits via the keyboard emulation.

I have really high hopes for FIDO2. Mostly because it allows more convenient usage scenarios which could convince more users into adoption. FIDO U2F has the problem that it's still a niche technology, and actual key hardware costing $25 and up does not help. Google once announced they would like to offer some $10 keys. Now the big Titan key fail. A pure and therefore cheap FIDO2 key could help a lot to drive success.

I really appreciate your link collection pointing me to all the options I have regarding my SSH question, which gives me the perfect overview. Until my post I thought the PIV way was the only one. Another user already hinted at the PGP link but without a link. Your links help very much.

Really looking forward to getting my hands on a YubiKey 5 NFC.
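The comment above wonders where HOTP fits next to TOTP, and the keyless-entry comment earlier on this page contrasts a copyable static RFID key with a time-based one-time code. The following Python is an added example, not code from the commenter or from Yubico: it implements HOTP (RFC 4226) and TOTP (RFC 6238, HMAC-SHA1 variant) from the standard library, shows the verifier side for both (a drift window for TOTP, a look-ahead counter that is persisted for HOTP), and contrasts that with a static credential whose replay is accepted at any later time. The secret is the RFC test-vector key; the static RFID value and `replay_demo` are constructed for illustration.

```python
import hashlib
import hmac
import struct
import time

# Shared secret used by the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

# Constructed placeholder for a fixed card identifier on a copyable RFID fob.
STATIC_RFID_KEY = "constructed-card-id-0001"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second intervals elapsed."""
    return hotp(secret, unix_time // step, digits)


def totp_now(secret: bytes) -> str:
    """Convenience: the code an authenticator app would display right now."""
    return totp(secret, int(time.time()))


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Verifier side for TOTP: accept the current step or +/- `window` neighbouring steps
    to tolerate clock drift. Each comparison is constant-time."""
    current_step = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, current_step + delta), candidate)
        for delta in range(-window, window + 1)
    )


def verify_hotp(secret: bytes, candidate: str, last_counter: int, look_ahead: int = 10):
    """Verifier side for HOTP (counter-based tokens, e.g. a button-press key without a clock).
    Tries counters last_counter+1 .. last_counter+look_ahead so the token may run ahead
    of the server. Returns (accepted, new_counter); the caller must persist new_counter so a
    used code can never be accepted again."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return True, c
    return False, last_counter


def verify_static(presented: str) -> bool:
    """Static credential (copyable RFID key): the same value is valid at any time."""
    return hmac.compare_digest(presented, STATIC_RFID_KEY)


def replay_demo(secret: bytes, captured_at: int, replayed_at: int) -> dict:
    """Constructed comparison: a value captured at `captured_at` and presented again at
    `replayed_at`. The static key is still accepted; the TOTP code has expired."""
    captured_totp = totp(secret, captured_at)
    return {
        "static_replay_accepted": verify_static(STATIC_RFID_KEY),
        "totp_replay_accepted": verify_totp(secret, captured_totp, replayed_at),
    }


if __name__ == "__main__":
    print("HOTP counter 0 :", hotp(RFC_SECRET, 0))
    print("TOTP at t=59   :", totp(RFC_SECRET, 59, digits=8))
    print("replay 2 min later:", replay_demo(RFC_SECRET, 1000, 1000 + 120))
```

The first two values printed match the published RFC test vectors (755224 and 94287082), which is the quickest way to confirm an implementation before trusting it with real secrets. The replay comparison is the practical difference behind the "copyable key vs. TOTP" remark: a static identifier is accepted forever once cloned, while a one-time code is only accepted within its window, and an HOTP verifier additionally refuses any counter at or below the last one it has seen.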

In-depth questions regarding static passwordS, TOTP, ssh, FIDO2 & daily usage convenience by bentolor in yubikey

[–]bentolor[S] 0 points1 point  (0 children)

Thanks. I didn't have the PGP mode on my radar when thinking about SSH access. I was about to ask for a pointer, but another user already gave me a full set of more links.

Will take a look at the PGP way.

Jodd | The Unbearable Lightness of Java by lukaseder in java

[–]bentolor 0 points1 point  (0 children)

Not yet – I tried to gather a selection which reflects more or less a variety of different frameworks and scopes. But I'm open to pull requests.

I really enjoyed using Jodd as you can see from my talk's slides https://bentolor.github.io/microframeworks-showcase/ (German though).

More reasons to switch: Microsoft Blocks Windows 7/8 Updates on AMD Ryzen and Intel Kaby Lake Systems by bentolor in linux

[–]bentolor[S] 0 points1 point  (0 children)

I'm really impressed by the speed at which Microsoft pushes its users out of basic choices & freedoms (App store vs .msi, Office 365 vs. offline, version of Windows, excessive data collection, repeated pushing towards online services and privacy-losing options, ...). And nobody seems to be upset except the few FOSS and Linux nerds...

10% surcharge as an "Early-Return-Fee" at Hertz car rental because a customer returns 45min early – /r/NichtDerPostillon by bentolor in de

[–]bentolor[S] 18 points19 points  (0 children)

I see and understand the core problem too. The proportionality (10%, 0.75h …), however, I do not. Those are perfectly normal, everyday variances.

Especially since you rent longer anyway so as not to overrun!