• 1 Post
  • 24 Comments
Joined 1 year ago
cake
Cake day: July 18th, 2023

help-circle








  • Forget your existing cloud. Your 2FA backup doesn’t need to be protected by 2FA; just encryption and a strong/unique passphrase. Your 2FA backup can’t be used to access any account on its own, without each password. Most OSS E2EE services allow you to create a free account; many without an email. Pick 2 for redundancy, create a NEW account, and set a NEW passphrase (like your 2nd “master” password). Before you transit upload your OTP backup to both of them.

    This approach is probably more secure than SMS to access 2FA, especially vs a closed source provider like Authy, and especially if your 2FA export is also encrypted with a different password. If you’re already using a password manager and unique passwords for everything, you’re already 95% more secure than everyone else, and removed the primary need for 2FA (password reuse and theft). If you’re doing everything else right, 2FA only makes you 5-10% more secure, and covers far less-likely threats (email takeover, MITM, etc). Sys admins have been raw dogging SSH and PGP keys every day without a 2nd factor, for decades.








  • Custom domains mean that if the alias provider enshittifies, you can switch to any other provider near-instantly. As long as you never use the domains to host illegal or dodgy shit it’s extremely unlikely you’ll ever lose them — far less likely than losing a gmail or whatever.

    With SL you can avoid spam by using the “beta” (been beta for 3+ years lol) “auto create” option instead of a catch-all, meaning that you can direct emails to different inboxes (or do nothing) based on specific regex strings you control — up to 100 of them. I had a catch-all regex (.*) as my # 100 and it took 2 years to receive catch-all fishing spam. Then I removed it and now have only random strings (e.g. .*fgyu.*) so new emails must have them if they want to get somewhere. Everything else bounces. All previous emails continue to work until you disable them individually.

    I use a mix:

    • SL-domains: anything I don’t give a shit about.
    • Non-PII domain: anything I would want to persist if I changed provider, but don’t need my identity, or can give out a unique email in-person.
    • PII-domain: banks and all other services tied to my identity.
    • Top-Secret-PII-domain: critical services that could compromise all others (password manager, email/OS accounts, domain name registrar).

  • Notice how you’re angry at the people who released the info instead of the people who were corrupt and deplorable? PsyOps mission accomplished!

    My understanding is that, while it’s likely the source of those leaks was Russia, it’s never been proven wikileaks withheld info about Republicans. I’ve seen the claims dozens of times, but never the evidence, so please share if you do… Otherwise, it’s insane to hate a journalist for withholding information they don’t have, just because it hurts your preferred political party.

    EDIT T+2hrs: 35% downvotes and zero replies or supporting evidence. FYI I asked the same thing on Reddit about a dozen times over the last decade, and the result was always the same — If your position is “I can find no evidence for my claims, and don’t know why I hate WikiLeaks or Assange. I just do.” then you’re probably a psychological warfare victim…