2026-04-05

The Problem of Passkeys


This is not a deep study of passkeys; I am interested in how useful and usable passkeys actually are, in particular by trying them myself in a limited way.

I have many issues with passkeys.  Asymmetric encryption is hard, technical and not suitable or secure for most normal (i.e. non-technical) people.  But clearly it's possible to use it to make reasonably secure systems like Signal.

I had a brief look at passkeys a while ago.  When I found that I couldn't use passkeys on macOS without having my passkeys (my secret keys) copied into iCloud, I decided to give that a miss.  I don't want my secret key on other people's servers.  Apple could have decided to allow passkeys to stay on a device, but no, apparently they wanted to make passkeys easier for people to use.  On all their Apple devices!

Easy to use is the bane of IT security.

Anyway, since then there have been developments, so I decided to try again.  Apple still allows passkeys on its systems only if you allow it to copy your secret keys to iCloud.  But there are now alternatives.

Apparently Strongbox.app, two versions of which appear to be supplied with my macOS Tahoe, reads and stores password data in a standard KeePass database.  Strongbox appears to be integrated with the macOS password systems.  Apparently Strongbox can store passkeys, but the methods are complicated and, oh, require a paid upgrade that might even work!  Not really interested.

I found that KeePassXC is yet another KeePass app that reads and writes KeePass format databases.  It also has binaries for macOS, Windows, and Linux and is free and open source.  It doesn't have an Android or iPhone app yet, I think.  KeePassXC has some interesting new features.  For instance you can use it to generate passphrases.  KeePassXC can store passkeys and it has browser extensions for a number of browsers to autofill passkeys and other stuff.  It has browser extensions for Firefox, Brave/Chrome and Edge.  Maybe more in the future?

It's not exactly simple to get autofill working with KeePassXC.  You have to add the browser extensions to your browsers.  There are settings that need to be set.  I managed to get it to work on Firefox, but not Brave, even though Brave managed to use passkeys without it.

Oh yeah, did I mention: Brave browser can store passkeys internally.  Who knew?

I dislike password wallets that do autofill.  I'm sure that many people find it easy, but frankly easy in computers is the cause of many security vulnerabilities.  I guess you have to use autofill with passkeys.  We can't allow users to copy and paste or drag and drop or generally control their own secret keys.  Also I often need to use different browsers for different sites and to test stuff.  I don't necessarily want all of them to log in as the same user or even to log in at all.  I definitely don't want one overriding autofill system run by Apple or Microsoft with them deciding where to store my secret keys and personal info.

After getting passkeys with KeePassXC to work in Firefox, on a test site, I tried it for a real site, i.e. Google.  Somehow it just wouldn't work.  Some part of Firefox or macOS decided I needed to store my passkey in Apple's iCloud and since that was not enabled, no passkey.  The process appears to be controlled by the website and the operating system and is opaque to the user.  I tried another website and it worked.  Mysterious.

One of the problems with passkeys is that most systems appear to take all control away from users.  Websites apparently control how you create your passkeys, how you store them.  If you want to store your passkey in a browser and the browser allows it, you will only be able to use your passkey from that browser.  You may not be able to use other browsers, other devices.  It's hard to see your secret key, hard to move it around or not.  One solution of the problem of moving your passkeys around for yourself to other browsers, other apps, other devices is to put them in a cloud.  Apple's solution and maybe Google's too and possibly Microsoft's.  A cloud is other people's computers.  The big corporates, social media desperately want you to save your secret keys on their cloud, so they can get access to copies of your secret keys. And access to when and how you use your secret keys.  Bonus for them.
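The website-side control described above comes from the options a site passes as the `publicKey` member of `navigator.credentials.create()` when a passkey is registered. The following is an added example, not part of the original post: a small Node.js function (the name `describeRegistration` and both sample requests are constructed for illustration) that reads such an options object and reports which constraints the site places on where and how the passkey is created.

```javascript
// Added example. Field names come from the WebAuthn
// PublicKeyCredentialCreationOptions dictionary; both sample requests
// below are constructed for illustration, not captured from a real site.

function describeRegistration(options) {
  const sel = options.authenticatorSelection || {};

  // authenticatorAttachment: "platform" = built into this device,
  // "cross-platform" = roaming (USB/NFC/BLE key). Absent = no restriction.
  const attachment = sel.authenticatorAttachment || "any";

  // residentKey falls back to the older boolean requireResidentKey,
  // then to "discouraged", as the specification defines.
  const residentKey =
    sel.residentKey || (sel.requireResidentKey ? "required" : "discouraged");

  const userVerification = sel.userVerification || "preferred"; // spec default
  const attestation = options.attestation || "none";            // spec default

  const notes = [];
  if (attachment === "platform") {
    notes.push("Site only accepts an authenticator built into this device.");
  } else if (attachment === "cross-platform") {
    notes.push("Site only accepts a roaming authenticator (security key).");
  } else {
    notes.push("Site leaves the choice of authenticator to the browser and user.");
  }
  if (residentKey === "required") {
    notes.push("Key must be stored on the authenticator (discoverable credential).");
  }
  if (userVerification === "required") {
    notes.push("Authenticator must verify the user (PIN or biometric).");
  }
  if (attestation !== "none") {
    notes.push("Site asks the authenticator to identify its make and model.");
  }

  return {
    attachment,
    residentKey,
    userVerification,
    attestation,
    siteRestrictsAuthenticator: attachment !== "any",
    notes,
  };
}

// Constructed sample 1: a request that pins down almost everything.
const restrictiveRequest = {
  rp: { id: "login.example", name: "Example" },
  authenticatorSelection: {
    authenticatorAttachment: "platform",
    residentKey: "required",
    userVerification: "required",
  },
  attestation: "direct",
};

// Constructed sample 2: a request that sets no selection criteria at all.
const permissiveRequest = {
  rp: { id: "test.example", name: "Test site" },
};

for (const [name, req] of Object.entries({ restrictiveRequest, permissiveRequest })) {
  const r = describeRegistration(req);
  console.log(name, "->", r.attachment, r.residentKey, r.userVerification, r.attestation);
  r.notes.forEach((n) => console.log("   ", n));
}
```

Two sites that differ only in `authenticatorAttachment` can behave very differently with the same browser and password manager, because that field limits which authenticators the browser is allowed to offer.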

It would have been simple for the designers to allow more than one passkey per account.  This would have solved some of those problems.  They could have used just one secret key for all your accounts.  This could have solved some of those problems too.  Having just one secret key is not the same sort of security issue that having the same password is.  I mean, if someone gets your secret key, they can access all your accounts, but if you have all your secret keys on your cloud and they get that, they also have access to all your accounts.

Why can't any of these systems allow users themselves to move their own passkeys between systems?  Of course they might stuff it up.  Of course a compromised system would mean your passkeys would be compromised, but that would be the case if they were stored in a cloud.  

Is it possible for a site to allow log in only with passkeys?  I don't think we are anywhere near to that.  How would we revoke a key then?

I just don't think passkeys are ready, nor has the design been thought through enough for the benefit of what we say in Australia: us mug punters.  Maybe it's almost OK for big companies.  Passkeys are great for a corporate network where the company controls everything.  Is that what we want for us ordinary people?  I think not.

 

2026-03-30

A Random Annoyance - magnetic USB connectors

 A few weeks ago I bought a watch, perhaps a smart watch, perhaps a not very smart watch.  Anyway this is not really about the watch.  The watch had an interesting USB charging port.  


The USB "socket" has two plates also surrounded by two magnets.  

 


The USB connector has 2 pins and the pins are surrounded by two magnets.  I found it interesting.  The magnets meant that the connector would only contact and stick on in the right direction.  The socket was completely waterproof.  Cool.  


A couple of weeks later I got a bone conduction headset.  It had the same charging connector.

 

The magnets are buried.

And apparently the same cable and almost the same connector.  


 

Oh, I realised that the magnets were opposite polarity.  Ouch! I carefully marked the cables so as not to get them mixed up.  I checked the polarity of the power pins.  Same electrical polarity but opposite magnetic poles.

It's annoying that there isn't a standard.

Maybe there's a rectifier bridge inside the devices, but these are small devices and I don't want to test this, just in case.

2025-10-12

Torch Review: Fenix E30R

I'd like to review my best torch ever.  I've had this torch for several years now.  It is my almost constant companion for working around the house, repairing electrical devices, installing computing equipment, fighting fires at night.  I have no connection with the company other than being a happy customer.  

The Fenix E30R



Small, bright and tough:
This torch is small, not tiny but fits into a pocket easily.  Aluminium makes it light and tough.  It has a maximum brightness of 1600 lumens.  It has only one side button and does lots of things but is fairly easy to get used to.   

Travel lock:
It has a travel feature that works: double clicking the button when the torch is off, puts the torch into and takes it out of travel mode.  In travel mode clicking the button causes the torch to flash twice.  In travel mode you can't burn through your bag or pocket, even if the button is pressed.  

No memory:
One thing that I really like and find essential.  It doesn't have a memory function.  The torch always starts at minimum brightness.   Short presses increase the brightness in 4 steps to maximum and then back to minimum.  Why torch makers insist on having a memory function that turns the torch on to the last brightness level I really don't know!  Some random brightness level I used maybe a day ago or a week ago is unlikely to be right for what I want now.  I have other torches I use sometimes that have this memory function.  One goes to 6000 lumens.  I hardly ever would want it to start on this brightness level.  Yet because of the memory function, every time I use a higher than minimum brightness level I have to cycle through the brightness levels until I get to the minimum before I turn it off.  What a pain.  I can sort of understand why some people might like this function but it would be really good to be able to turn memory off or have a starting brightness level chosen by the user no matter what the previous level was.  I understand that torch makers think it's a great idea to have memory and have worked hard to put it in and don't want to allow users to turn it off.  Grrr.

Black:
Why do so many gadget makers make their gadgets black?  So easy to get stuff lost, in your pocket, under the sofa, in the dark, in your bag with all the other black gadgets, on a burnt fireground.  Make it a bright light colour, how hard is that?

Charger:
The torch has a peculiar and unique magnetic charger.  It doesn't compromise the water proofity (technical term here) of the torch and it works, are the only things that can be said of it.  

Pros: Small, 1600 lumens, no memory

Cons: Black, weird charger, they appear to have discontinued it.  Damn!

2023-02-11

That horrible rubbery plastic coating that turns sticky

I hate that horrible rubbery plastic coating that they sometimes put on small electronic devices, which turns sticky after a year or three.  If I want to keep using the device, I have to remove the coating which has turned sticky, which is a major undertaking.

To clean the rubbery coating I need to use eucalyptus oil, ti tree oil, citrus oil, alcohol, propyl alcohol or a mixture of one or two of them and some old cloth.  The process is messy and time consuming.

Just stop it. 

2022-09-03

Browsing slightly more safely and privately

Companies and governments glean massive amounts of data from users on the web.  This data gets to huge data warehouses where it's matched together and used by many companies and not for your benefit.  Part of the issue is the secrecy and lack of oversight and control by the users themselves.  Often you are paying in multiple ways for them to collect your data.  Remember if it's free on the web, then you are the product, not the customer.  Just because you pay doesn't mean that changes either.

There are a number of things you can do to make web browsing safer and more private and give yourself more control.  I use Firefox because although it has issues, it is flexible and has lots of useful extensions that help make browsing safer.  Just remember that as you get more safety browsing, browsing can become more difficult.  Many sites use scripts from other places to do many things but those scripts often track you and snoop on you.

You can use other browsers but they all have issues.  Chrome is OK but it desperately wants you to sign in to Google and then once you do that, everything you do, every site you go to, every search you make, belongs to Google.  I can't really tell you about Edge as I usually don't use Windows.  I expect Edge browsing is part of the extensive Windows telemetry gathered by Microsoft.

Defaults:

Don't leave browsers on their default settings.  Although they make it hard, you can change important things like the default search engine.  Most browsers are paid in some way by search engines for the privilege to be the default search engine on that browser.  Or like Edge and Chrome they have a default from the company that supplies them.  I should mention here that you should try and avoid Google or Bing for your searches.  For a long time I used duckduckgo.com but I learned a while ago that they use a lot of data from Bing, although I think they have their own indexing, and some links redirect through Bing.  It is still my fallback search engine and rarely I still use Google too.  Learn how to change your default search engine.  I prefer to have a separate navigation bar and search bar and not to allow searching from my navigation bar.  I actually sometimes type out full URLs.  That's all harder on a phone though.  Don't use Google search if you're logged into Google.  All that data goes straight into your Google history.  Remember you don't always have to use the same search engine.  Sometimes specialised search engines are much more useful, for example Wikipedia, YouTube, Google Maps, etc.

My favourite search engine at the moment is Searx Randomizer.  This sends your search to a random searx instance.  Searx is an open source meta-search engine (see the official Searx website and the Searx Wikipedia entry).  Your search is relayed to many other search engines but without information about you, the searcher, being relayed.  It often gives me unusual and interesting search results and useful, did I mention useful?  Google tends to show you results it thinks you want or it thinks you should have.  Also note that searx instances are quite fluid, coming and going occasionally.  In part, because the big search engines don't appear to like non-humans doing searches.  Google, who has robots trawling every web page on the planet, apparently doesn't like anyone doing Google searches without it knowing who is doing it.  Bing ditto but they have taken to using special Bing links that redirect through Bing.  Because of this, sometimes I'll have to repeat a searx search because it fails the first time.  Slow down.

Fingerprinting.  Fingerprinting is a way tracking companies have of identifying you using features of your browser.  Things like languages, fonts, page size, operating system, IP address, colours of pixels on your monitor.  Why do browsers even give out this information?  Some of the extensions that follow make fingerprinting much harder.

Firefox extensions

Firefox has a number of useful extensions for safety and privacy.  

Adblockers

Apart from getting rid of objectionable and sometimes unsafe and even malware filled ads, these help lower your bandwidth.  There is a huge war between advertisers and adblockers that has been going on for a while.  

I use uBlock Origin (uBlock Origin website).  I'm sure there are many other adblockers that work.

No Mining:

No Coin: Stop scripts that use your browser to mine bitcoin for someone else.  Sigh.

Fingerprint Blocker:

CanvasBlocker: This add-on allows users to prevent websites from using some JavaScript APIs to fingerprint them. Users can choose to block the APIs entirely on some or all websites (which may break some websites) or fake its fingerprinting-friendly readout API.

Tracker Blockers:

I tend to use a few of these.  There is just so much tracking at the moment. 

Privacy Badger by The Electronic Frontier Foundation.

Ghostery is a tracker blocker.  It is a commercial company but I've found it's quite good and easy to use.

Duckduckgo Privacy Essentials: A whole bunch of privacy features.  Also blocks fingerprinting.

Decentralize: Protects you against tracking through "free", centralized, content delivery. It prevents a lot of requests from reaching networks like Google Hosted Libraries, and serves local files to keep sites from breaking. Complements regular content blockers.

AdNauseam: Not only blocks ads, it obfuscates browsing data to resist tracking by the online ad industry. To throw ad networks off your trail AdNauseam "clicks" blocked and hidden ads, polluting your data profile and injecting noise into the economic system that drives online surveillance. Just a bit of fun.

TrackMeNot: An artware browser add-on to protect privacy in web-search. By issuing randomized queries to common search-engines, TrackMeNot obfuscates your search profile and registers your discontent with surreptitious tracking.  Just a bit of fun too.

Cookie Autodelete: When a tab closes, any cookies not being used are automatically deleted. Keep the ones you trust (forever/until restart) while deleting the rest. Containers Supported.

Facebook Container: Prevent Facebook from tracking you around the web. The Facebook Container extension for Firefox helps you take control and isolate your web activity from Facebook.  Facebook is a surveillance company, it's not what you thought.

F.B Purity: While you are logged onto Facebook, this lets you hide all the Facebook Ads, Suggested Posts / Related Posts / Sponsored Posts / Sponsored Posts / Upcoming Events / Games your Friends are playing / Games You May Like / Similar To / Related Articles / More Like / More From etc, etc.

Cross-site script blocking:

uMatrix: Prevents cross-site scripting.  Warning: This extension can make it harder to use webpages.  You need to understand how to use it and you often have to enable scripts to get the page to work.  If you're prepared to deal with the hassle, it's very good.  Unfortunately even IT professionals find this one difficult to use, and other alternatives suffer from the same issues.

Smart Referer: Every time you click on a link, your browser helpfully tells the website the link takes you to what web page you came from.  This extension stops that. In tech speak: Automatically hide HTTP Referer and JavaScript document.referrer for cross-domain requests!

Redirector: Some pages have links that redirect through their own site so they see what you click on.  Google and Bing both do this.  This extension might help with that, but it requires a bit of work.  May not be worth it.

Making pages more readable:

Remove/Crop to Selection: Sometimes you may want to print or save only a part of a web page. With this add-on you can select a part of a web page (text, images, etc), right click on the selection.  Remove parts of a webpage (it's not permanent, just reload the page).  Remove annoying animations etc.

Kill Sticky: Remove fixed headers or buttons that obscure or limit content on a web page.  Again, non-permanent but can be very useful.  Based on Alisdair McDermid's Kill Sticky.  This is a JavaScript bookmarklet, not an extension as such.

Lots of tabs users:

Tab Session Manager: Save all your tabs and restore them.

Tree Style Tab: This extension provides the ability to work with tabs as "trees".  What can I say, I usually have a lot of tabs open.

Update (2025-04-12):

Since I wrote this post there are a couple of updates.  Apple has disallowed extensions on browsers other than Safari and Google has stopped adblocking extensions on Chrome.

iPhones and iPads:

Unfortunately on iOS, Apple has forbidden browsers other than its own browser Safari to have extensions.  On iPhones and iPads you can install the Adguard extension for Safari.

Chrome:

Google has stopped extensions being able to block ads; use Brave instead.  Brave is based on Chrome and has an adblocker built in.  It works on iOS, macOS, Windows and Linux.








2019-10-14

Review of Neal Stephenson's "Fall, or Dodge in Hell" (spoilers)

Neal Stephenson - Fall, or Dodge in Hell
Warning Spoilers

I really love some Neal Stephenson books, but some I find unreadable.  I think his book "The Diamond Age" is one of the best science fiction books I have ever read.  I loved Anathem, although I had issues with the ending.  His endings are often strange.  I can't actually read his "Baroque Cycle" trilogy - only ever got a couple of pages into it.  I find many of his books just OK, Snow Crash - OK; Cobweb - a good potboiler, Cryptonomicon - ditto; Reamde - meh, OK if you like 'Murrican Ayn Randian libertarian cyber westerns; Seveneves - couldn't read, got about a third of the way through.

I liked Fall but some things just gave me the screaming irrits.

Warning Spoilers ahead:

The book is a continuous story but I'll divide it into 4 different sections, where there are different main characters, and scenarios. 

Fall has, like Stephenson's other books, a lot of technical detail.  Interesting if you like that sort of thing, and I usually do.  IT people are often good at technical detail but not so good with biology (non-technical biology), sociology, or economics.  For instance, there are no discussions about different ways of making societies.  Everyone has two options.  An Ayn Randian libertarian feudal structure with Dodge as top alpha male superman and an Ayn Randian libertarian feudal structure with El as top alpha male superman.

Section 1

In the first section Dodge is still alive and then dies and has his head frozen.  This section ends around when his brain is destructively scanned and uploaded into a computer.

Section 2

Dodge's brain in the computer creates a virtual world.

My first real gripe with the story is that the second section really doesn't make much sense.  Here's why: Dodge's brain has been scanned and uploaded into a computer.  Just his brain.  Actually, just his neurone connecting structure.  There appears to be no communication between the uploaded brain and all the living people around it in the real world.  Putting a living person into complete sensory deprivation for even a short length of time will make them quite insane and surely that's what they did.  He is just a brain with no body, no senses and they made him alive in the simulation that way.  Instead of going mad, Dodge, after some time, creates a virtual world in the computer.  A kind of multiplayer online role-playing game all by himself with not even senses, just his brain.  But still no communication with the outside.  They can sort of vaguely see the virtual world that he's created but not communicate with Dodge.  I know it's a story artefact done to divide the current world and the virtual world to keep the story going but it just doesn't really make much sense.  All that technology and they can't even make vibrations in his ears or listen to vibrations in the air of the world?  How do the virtual inhabitants communicate with each other?

Section 3

Then more and more people are uploaded into the computer network that grows over time.  No-one apparently thinks of having more than one virtual world.  Virtual inhabitants don't appear to remember their "previous" lives.  Dodge's world grows much more complex and Dodge becomes the creator and alpha male king or god of his world with a pantheon of uploaded characters who have special powers and many ordinary uploaded people.  Dodge's world has a very simple societal structure - a feudal hierarchy with an alpha male at the top.  One of his pantheon, a woman, manages to create self-reproducing life and eventually manages to create native self-reproducing humans.  (It had to be a woman to do this?  Like women are better at biology?)  Dodge's nemesis El doesn't like Dodge's world, in part because he has to pay for the computer resources to maintain the self-reproducing native life, but rather than create his own world, he makes plans to take over Dodge's world.  El dies and gets uploaded with lots of people who have paid him to be uploaded, some of whom become powerful "angels".  El and his angels take over Dodge's world and kick him out; Dodge ends up a prisoner in a distant corner of his world (the "Fall").

Uploaded people appear to be able to die in the virtual world but come back, at least sometimes, a sort of virtual reincarnation.

Section 4

A complicated quest among friends of Dodge in the El dominated world eventually allows Dodge to come back and fight El and somehow kill him.  Will El reincarnate?  Not known.  So it comes down to a giant shoot out at high noon between the alpha males, which Dodge wins.  Just a change to the alpha-male at the top.  The feudal society with all its faults goes on.


2019-07-20

The basis of randomness

I was thinking today about the basis of randomness.



I'm still thinking about how to write this down so bear with me here.

After the invention of calculus, mathematicians saw the world as a sort of giant clockwork machine.  "Give me the initial conditions and the law of motion, and with calculus I can predict the future -- or better yet, reconstruct the past."  Einstein's spacetime implies the same thing, that all of time and space are fixed, that we can move forward or back, given the mathematical ability.  There is no randomness in this view of the universe.

And so we thought until the discovery of quantum theory.  The problem being that the world is not infinitely divisible.  Eventually everything must collapse into particles.  This collapse introduces a rounding or truncation error, that is the basis of randomness.  The universe is really digital not analog.  The present is the moment that the continuous changes into steps, quanta.  It's the present that changes infinitely divisible potential into particular actuality.  The collapse of the present is the reason we can't go forward or backward - forward - we can't know the future before it arrives, backward - we can't tell exactly what happened from what we know about the present.

Update: I have been thinking about this and I think the point of collapse is simply the present.  I am not sure what the present is exactly, when considered in the light of Einstein's general relativity, but then as I said before, spacetime and quantum collapse don't seem compatible anyway.  The idea that the point of collapse is the present does not require an observer or multiple universes, although I do wonder if the collapse releases energy and/or information.