They could steal stuff! Better make rectal spyware control posts at the exit, so that nobody can smuggle something out.
Would be at least consistent with BBC's position towards EME. It's not Firefox that should get the blame and the shitstorm.
U+1F4A9
Don't forget that when the code gets transmitted, it can be compressed down to 71 kb.
I guess very well. In fact, there is a project called peerCDN, which is a P2P CDN based on WebRTC. So Maelstrom can already be achieved by Firefox and Chrome.
You mean as something like this already has been suggested by Lennart Poettering? Yeah, there is something to it. Funnily the first dude answering the Shuttleworth post was a systemD + btrfs fanboy...
But it's good Ubuntu ppl removed this stupid btrfs requirement. I'm myself a fan of btrfs, but things should be exchangeable.
2 is one of my main concerns too. Let application developers develop their applications and library developers develop their libraries. Not every OSS application contributor wants to apply security updates in their free time.
And what is the U2F protected by? Nothing. Anybody who gets hold of the dongle can use it, at least getting into the system protected by a mobile app would require them to steal the device *AND* get the password. And not all phones are locked with a password. There are phones locked with biometrics, or patterns that couldn't quite be called a password.
All those mechanisms can also be implemented by the company as a first factor. Indeed, a system with dongle only is insecure, but security is increased when you have 2 factor.
TFS is about "passwordless authentication". When people are on the "no passwords" train they should consider that phones also have passwords. What they want to say is perhaps they want a master password. But that's something else.
On top of this, there is also the possibility of de-authorizing the device on the server-side with the 2FA provider.
You can do the same with a dongle, I've already pointed that out.
it still requires that the system be configured to let random keyboards/USB devices be plugged in.
I'm sure that when the need arises, some smart company will develop a USB adapter that only allows U2F devices to communicate with the host.
The smartphone can be lost/forgotten, but at least smartphones tend to be encrypted/locked with the option to remote-wipe. A U2F dongle that is lost would seem to offer no such protection.
What is a phone encrypted/locked with? A password. So that's a second factor. Whether you enter it at the company's computer or at the smartphone is no big difference. As a company, I wouldn't rely on unlock passwords for my security. How often do you enter your unlock password when other people could, in theory, watch you? How can you as a company ensure your employees never do this?
Same for remote-wipe. You set it up with a password. When your dongle (or phone) is lost you don't even need remote wipe, as you can simply call your employer and say it was lost (I admit if you use your dongle for more than just one party it can be a bit of work). With remote-wipe you can never be sure whether the attacker didn't crack the phone, and now just sent a fake "I'm wiped" message.
The apps for 2FA services tend to offer a rotating key, so it's not a fixed password that can be guessed.
By passwords I meant what I've described in the upper paragraphs. Those rotating keys are yet another thing U2F is better at. Do you want to copy stupid strings from your phone to your computer? Also, this kind of 2FA is dangerous, as it's only time-based and allows for MiTM attacks. U2F protects from those too by also authenticating the server.
The app also needs to be installed on a smartphone, which you can also lose/forget. If the app allows you to log in from arbitrary devices, it's just passwords again.
Oh I've forgotten U2F's best point: it's cheap.
Use U2F, it's the best authentication token on the market. Either as second factor, or as lone factor. It doesn't enforce any lock-in at all, and its experience is just like keys: you have cheap tiny things you stick into holes (please spare me with any childish dick/buttplug/etc comparisons).
If they only need to survive online attacks, the 8 character limit is enough for passwords. However you would need to add some meaningful brute-force and weak pw recognition.
The birthday paradox is more than that. It also includes that the probability that you are close to some other planet is far smaller than the probability that there are some 2 close planets. So the ideas are related.
So what's new?
Memory fault - where am I?