deleted by creator

Noted going forward. Sorry about that! ❤

Without knowing why you think they suck, it’s hard to say. I like having unphishable uncopyable credentials, and it irritates me that they aren’t more widely supported. On my desktop or laptop, they’re less irritating than TOTP, for example, which is neither unphishable nor uncopyable but much more widely used.

I’ve come around a bit since posting yesterday (after looking into the various hardware key options, like OnlyKey). The biggest issue I have is that the firmware cannot be updated (which I realize is somewhat a matter of taste regarding your threat model). Other than that, it’s the added complexity of “use this physical device” and the concern I had about recovering accounts if I lost the Yubikey. Their page on spare devices does not inspire confidence.

Whilst there isn’t really such a thing as “too secure”, it is the case that things like passwords are not infinitely scaleable. Something like yescrypt produces 256-bit hashes (iirc) so there’s simply no space to squish all that extra entropy you’re providing into the output… it might not be any more secure than a password a quarter of its length (or less!).

128 bits of entropy is already impractical to brute force, even if you ignore the fact that modern password hashes like yescrypt and argon2 are particularly challenging to attack even if your password has low entropy.

Fair point! I chose 128 because it’s the maximum allowed in Bitwarden (if it’s going to be copy-pasted anyway, who cares). Assuming I didn’t fuck up basic math, the entropy of a passphrase of length n selected uniformly at random from characters in A is given by nlog|A|, so to reach 128 bits of entropy with 70 chars (lower + upper + digits + special) requires a passphrase of length 21.

A note to the effect of:

You have basically no control over how Apple handles your data. When iOS users opted out of data collection, Apple still collected the data, they just didn’t allow third-party access to it.

is a good idea if I ever do recommend a Mac.

I believe ungoogled-chromium does have MV2 support. Unfortunately, there are still real security concerns with Firefox. The good news is that Trivalent (a hardened version of Chromium developed by the Secureblue folks) has ad/content blocking built in. I am still mostly using Firefox, but the small amount that I have used Trivalent has been good.

Spent the last week playing with some security shit (thinking about a career change, since it looks like I will be mastering out of my PhD program) and fuck me everything about hardening your personal devices is exhausting. We are nowhere close to accessible privacy and security in our computers. The best solution right now may be “buy a Macbook and learn MacOS”, which is so depressing.

Still deciding on a web browser. Used to be I could recommend Firefox because Righteous-Opposition-to-Google, but that doesn’t really track anymore with Mozilla’s behavior. Now I guess I would recommend Chrome, but it feels so gross (and I am unsure about things like Ungoogled-Chromium, for security reasons).

As far as passwords, the only password I have to memorize is the one to my Bitwarden vault. Everything else is stored in Bitwarden. The passwords (except for my phone PIN) are 16 characters if I ever need to type them in manually (e.g. LUKS password), whereas passwords that will always be copy-pasted are 128 characters. I am looking into integrating a yubikey, but am leaning towards “fuck that shit, why would anyone actually want to use this?” If anyone here has comments on this (am I missing an obvious pitfall? do yubikeys suck as much as it looks like they suck?) I would be happy to hear them.

Anyway tl;dr is I spent the last week hardening all my devices and it sucks. In some cases it was a complete waste of time (my Steam Deck does not appear to have a way to set a password in the BIOS). In other cases (e.g. my Framework), it was probably worth it but a deeply terrible experience.

also which issues

I know this one!

1. lefty on weed or sex work or w/e
2. but fuck identity politics and what is this ladder doing here

I have the outline of a write-up about about category errors and measuring proxies (e.g. reported sexual orientation). I think I am a poor writer but the only critique I’ve ever gotten was from a “colleague” who writes like he gets paid by the word¹. I will consider sharing the post once it is finished. ❤

1: one rejection on a collaboration with this guy was essentially “have you nerds heard of ‘brevity’ or ‘wit’?” — from computer scientists 😭

Well, this Andy dipshit gave an absolute dogshit apology on reddit.

Snippets below:

deleted this because i realized i can’t even explain how email works, why am i proposing anything

deleted by creator

I agree. Currently I can’t recommend any email providers. Hopefully Posteo works out, but at this point I am strongly considering just starting my own competitor in the vein of Signal messenger. Basically “we think of email as a public good.”

Thanks! I actually plan on putting a couple of things on Mataroa:

1. “Here is a list of shit you can do to make your computer suck less (would contain the above)”
2. “Here is how to make your Pixel phone less frustrating in 2024 (basically, how to use user profiles to create a dumb phone without the massive security issues or headache of ‘oh, actually I do need that app occasionally’)”

(Aside: if anyone can recommend a better blogging platform, I would appreciate it. I like Mataroa for its privacy focus, minimalism, and low cost-of-leaving. The only issue I have is lack of KaTeX/MathML/however-the-fuck-omg-why-is-TeX-still-trying-to-hurt-me-in-2025 support.)

Thanks for sharing this. Also

using your own head must weigh far too heavy

absolute chef’s kiss

Here is their response:

@mav Yes, this was bad. I did not take a screenshot back then (the post was deleted after 30 minutes), but I scrolled all my way through Mastodon to find our apology:

https://mastodon.social/@Tutanota/108910936764865962

https://mastodon.social/@Tutanota/108910937813834878

This was a mistake, we apologized & we made sure that we would never post something similar again.

At Tuta, we foster honesty, respect & diversity.

We are here to fight for privacy & against Big Tech surveillance. We want everyone to get the respect they deserve.

and this:

@shalf We set up guidelines that all team members on social media duty need to adhere to. We also created a social media review group where we post & discuss every proposal before actually publishing. And it has worked fine ever since. :)

Last time this came up, I considered Posteo but decided to hold off (I think it was actually you who suggested it ❤). There was a concern I had about deleting an account due to inactivity, but I think I just misunderstood or misremembered something on PrivacyGuides. This might be a good choice.

As far as Filen for photos, I am reasonably confident that Ente will stick around (they seem to take sustainability seriously). Stuff like this worries me about Filen (emphasis mine):

What else is planned for Black Friday this year?
As every year, we’ve planned a special surprise to give back to our loyal users this Black Friday. Just like in previous years, we won’t be revealing any details just yet. All I can suggest is to check in with us around November 18th—you won’t want to miss it!

Are lifetime plans stackable?
Yes, we’d like to emphasize once again that all types of our plans can be easily combined. Subscription plans only expire based on their individual purchase dates.

I am also in the “scream and cry” phase of this. However, I have already decided on the following replacements for non-email:

1. Mullvad VPN
2. Ente for photos and photo backup
   2a. their authenticator also slaps
3. Filen for cloud storage^[1]
4. Bitwarden for password management
   4a. Keyguard is great if you are on Android. I am looking into^[2] other (non CLI) Bitwarden-compatible password managers for Desktop I should not have suggested Keyguard, since I am not aware if it has been audited. It was probably a mistake for me to use it at all. Sorry everyone.

edit: Should mention that I am also looking into a calendar replacement.

edit2: maybe mailbox.org? They are recommended on PrivacyGuides.org.

1: This is more like a stopgap for me until I confirm they are worth sticking with or find someone better. The 29.99€ 100GB lifetime storage may be worthwhile for this (though I cannot say whether I am confident they will be around in 5 years, this can at least serve as a short-term solution).
2: lassitude

my pants are an anti-embarrassment protocol

After reading some of the counterpoints here, I began thinking about how I considered Excel a hyperkludge if you qualify it enough. I realized the qualifications apply to every programming language (good ol’ Turing Completeness). I think, in my case, the common scenario of

1. this tool^[1] is just a proof of concept/prototype
2. it costs less to maintain our tool than to write a more appropriate solution from scratch
3. our infrastructure is now the tool

had me erroneously criticizing the tool instead of its application^[2]. In the case of Excel, I worked a few jobs where the spreadsheets used when the company was small led to an absolute nightmare after the company grew.

I appreciate the thoughtful responses from everyone. <3

1: Usually a spreadsheet, in my experience.
2: Noting that, while “it’s not the tool, it’s the application” is a common refrain from people using tools in shitty ways, there is a distinction between “this is the wrong tool for the job” and “this tool will hurt people”.

I need an excuse to learn Rust and have wanted to do a “parse, don’t validate / make invalid states unrepresentable” project for a while. I will definitely share it if I get anything done.