Large companies are already heavily involved in Linux. Based on this data some of the biggest contributors this year were Meta and Google. Both companies are at the forefront of enshitification of the internet, but they built their mountains of shit on a foundation of Linux.

I’ll extend the truffle hate to all mushrooms. If I wanted food covered in fungus, I would have waited for it to start rotting.

There’s OVH. It would be interesting to see it hosting something other than malware.

Theoretically you could hit replacement rate by making everyone a millionaire but I don’t know how that could work.

I doubt this would work. Financially, my family is towards the middle of that chart now. We were lower when we had our first kid and only a bit improved when we had our second. And honestly, it was pretty touch and go whether or not we would have the second. Our first was a handful as a baby and it left us wondering if we could handle a second. Thankfully, he calmed down a lot (or we just got used to the new normal) by the time he was pushing 18 months. After we had the second one though, I fully embraced the “cut my nuts off” solution to birth control (vasectomy). I don’t regret that choice at all. None of that was ever about finances. It was simply about the fact that raising children is hard and takes a lot of time.

Ultimately, I think the decline in birth rates isn’t about finances or selfishness, it’s just a change in social norms. Society has spent decades training people to the “nuclear family”. Movies, TV, and other media has pushed the “2 kids and 1.5 dogs in a home in the suburbs” for so long, that people internalized it. So, folks who do want to have kids shoot for that. Having 4 or 5 kids is now seen as an oddity, rather than the norm.

There is also a much better acceptance of women as something other than a walking womb to be filled. We no longer look at an unmarried woman in her 20’s or 30’s as some sort of spinster to be shunned. Sure, negative stereotypes still exist (e.g. Crazy cat lady); but, it’s much rarer for fathers to be selling off their 16 year old daughters to 40 or 50 year old men as child brides to be kept barefoot, pregnant and in the kitchen for the next 30+ years of their life. Women are expected to have full lives now, which may or may not involve raising children. As one might expect, many have taken full advantage of that and simply chose to not have any. This move from what amounts to sexual slavery to being treated as an actual person is going to mean there are fewer women having children and many of them delaying until they are actually old enough to make an informed decision about it.

Depending on which version of Sleeping Beauty you’re reading, this isn’t that far off.

I’m not sure if they have tried a crossbow on the breastplate or brigandine. I do know Tod Cutler has, in the past, created a crossbow specifically to mimic the longbow Joe Gibbs shoots. So, my bet would be on it being pretty similar. At the end of the day, armor really did work and worked well. There is a reason it stuck around so long in history. Even to the point of firearms showing up. Some armor could stop early muskets.

So a couple possibilities come to mind:

1. Someone else has your password. Do you have kids and do they have access to devices which may have your Google account linked? You may want to change your password (use something long, hard to guess and unique).
2. Your local system is compromised in some way. This would be a really odd way for someone to use that access, but it’s always possible. Take a look at the apps and any browser extensions you have installed and make sure there isn’t anything you don’t recognize.
3. There is some sort of Cross Site Scripting (XSS) vulnerability which is being leveraged to subscribe you to stuff. I would expect Google to be better than to have an XSS on YouTube (they bought Mandiant a while ago, FFS). But, big companies doing stupid things is common enough. When you got the pop-up, was it in the YouTube app or a web browser. Did you have other tabs open? Other background processes from sketchy apps?
4. It is Google, them doing shitty things to their product (that’s you) for their customers (the advertisers paying for your eyeballs) is basically their business model. Don’t like it, de-google your life (warning: this is actually really hard).

Replace the screen, maybe? And now you have an extra laptop.

Well, here’s my TIL:
Fun fact: the earliest known appearance of the F-word in the English language is “Roger F$#%-by-the-Navel” who appears in some court records from 1310-11.

More info.

Funny enough, they tested something similar. They got a modified compound bow to push the same archer and he shot a replica 15th century breast plate. He also used a 70 pound compound bow to shoot the breastplate several times.

Give it a try, it might be. I actually have no clue what my Lemmy password is. I just semi-randomly smooshed out 16 characters. I use KeePassXC as a password vault and I let it generate, store and usually type my passwords for me. I haven’t the slightest clue what most of them are and can’t be arsed to care. I did check the length of my password while typing up my comment, but other than mentally processing the number of characters, I wasn’t paying attention to it.

Thanks for adding that. I mentioned salting in a parenthetical and then completely ignored it. This is a good addendum.

You made this, this is yours now.

It’s really a lot more in depth and interesting. In this one, they shot a lot of arrows against a target in brigandine, mail, and arming doublet with arm armor and gauntlets. Thanks to the volume of arrows shot, there were hits on basically every bit of it, including one hit to a eye slit in the salet.

I know you gotta store the passwords hashed but doesn’t that just move the goalposts?

Yes, kinda. Security isn’t about making things 100% secure, that’s not really an achievable goal. It’s about making it so hard to break the security that it’s either not possible with current technology, or at least hard enough that it’s not financially feasible. Password hashing is a great example for this, which gets to your second question:

How come someone can’t use the hashed end result to get into the service it was used for?

They can, though there are technical methods for preventing this. But, there is a whole class of attacks called Pass the Hash which do basically this. This is also part of the reason that many organizations are moving away from passwords alone (or at all) and more towards things like Pass Keys (which work in an entirely different way) or Two factor authentication, which pair a password with something else (biometrics, One Time Passwords, etc.).

To dig into the details of why passwords are hashed (and salted), it’s important to consider why that is recommended. This is really about slowing down an attacker’s ability to get your password back from the hash. Consider for a moment that I go and compromise a website’s server (say, lemmy.world). One of the pieces of information I am going to try and get away with (exfiltrate) is the database of usernames and passwords. Even better if that data is tied to email addresses. Now, if all of the passwords are stored in plain text, I can immediately start using those usernames and passwords both on the compromised site, but also on other sites across the internet. Many people still reuse passwords (or similar enough passwords that I can guess them) across different sites. Maybe only 0.1% of users will have the same email address and password used on their bank account as they do on the compromised website. For 10,000 users, that means I get to drain the bank accounts of 10 of them. If I average $1000 from each, that’s an easy $10,000 I walk away with, with almost zero effort.

Hashing makes this harder and take longer. First off, there is no mathematical way for me to go from a hash back to a password, it’s literally impossible. What I have to do is guess a password, run it though the hashing algorithm and see if that guess is a match. So, I guess “Password1” and that hashes to something, if it’s not a match, I try “Password2” and check if it is a match, and so on. Unlike the movies, I cannot discover the password one character at a time, either I get it perfectly right or I don’t, there is no information in between. If your password is “Password3”, I will get no information by guessing “Password2”. I’ll just know that “Password2” wasn’t your password. And while calculating a single hash value is reasonably quick, when the number of possible passwords I need to guess is mind-mindbogglingly big, the small increments of time add up really fast.

For example, my Lemmy password is exactly 16 characters. It contains the usual combination of upper and lower case letters, numbers and special characters. Let’s call this 70 possible characters in each position. So, there are 70^16 possible passwords, that is 332,329,305,696,000,000,000,000,000,000 possible passwords (assuming my calculator isn’t truncating digits, but close enough). If we assume Lemmy is using bcrypt (I haven’t checked) and the attacker has several modern GPUs to throw at the problem, they might be guessing 1,000,000 or so passwords per second (maybe a bit more or less, but what’s a few zeros between fiends). That translates to 3.32329305696 * 10^23 seconds of guessing, or about 10,000,000,000,000,000 years (rounding a bit). That’s likely a few years longer than I will have a Lemmy account. Even if they are guessing a thousand times faster than I used in my example, it’s still a really, really long time.

And so this is why hashing is exactly about “mov[ing] the goalposts”. All we’ve done is make it take a bit longer to get my password from the hash. But that “a bit” gives the defenders time to discover the breach and get users to update their passwords. If someone gets my password hash today and starts guessing, as long as Lemmy lets me know about it and I update my password before the heat death of the Universe, it’s probably fine.

There are some caveats to this. People are actually pretty bad at choosing passwords (me included). And we tend to pick predictable things and use common words or numbers (like birthdays). So, instead of guessing every possible combination, attackers can use wordlists with common changes to those words (numbers at the start or end, symbols at the start or end, replacing letters with numbers such as 1337 sp3@k, etc.) to crack some passwords faster. Which is one reason network defenders are pretty quick to pull the “please change your password” lever. They have no way of knowing if your password is “I Love Puppies 99!” or “r39%^0m’AferF@&B”. The former would fall out of a wordlist attack pretty fast, the latter is in the “heat death of the Universe” territory. You can also go in for Diceware passwords. Using 4-5 truly random words can also push that password cracking time close enough to “never”.

So, “doesn’t that just move the goalposts?”

Yup, it is. But when the goal posts are moved to “this will now take more time than might ever actually exist”, that’s plenty far enough.

Sadly, yes a lot of organizations didn’t get the memo. But this really is the current guidance. In NIST 800-63B Section 5.1.1.2:

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

I deal with this sort of thing pretty regularly for the company I work for. We get threat intelligence from several vendors when they see our users show up in “dumps”. Basically, threat actors will package up stolen credentials in a large zip file and make that available (usually via bittorrent) for anyone to download. Security vendors (e.g. Mandiant, which Google bought) download those dumps and search for accounts associated with their customers and send out these warnings when they find one. On the customer side, if the breach was recent we’ll force a password reset and warn the user about the breached password, with a recommendation to change their password on the affected site and also change any passwords which might be similar elsewhere.

Why do we force the password reset, even when it wasn’t the account for our business which was breached?
There’s a couple reasons for this. First off, people still reuse passwords all the fucking time. Maybe this victim didn’t, but we have no good way validate that. Second, even without direct reuse, folks like to have one main password that they apply slight variations to. They might use “Hunter 42!” at one site and then “Hunter 69*” at another. This isn’t smart, attackers know you do this and they have scripts to check for this. Lastly, if an organization is following the latest NIST guidance, you’re not changing your password on a regular cadence anymore. With that is the expectation that passwords will be rotated when there is a reason to suspect the credentials are compromised. Ya it’s annoying, but that’s part of the trade-off for not having to rotate passwords every six months, we pull the trigger faster on forced rotations now.

If you get one of these, consider it a good time to think about how you come up with and store passwords. If you are re-using passwords, please turn off your computer/device and don’t come back to the internet until you have thought about what you have done. If you aren’t already using one, please consider a password vault (BitWarden or KeePassXC make great, free choices). These will both help you create strong passwords and also alleviate the need to memorize them. Just create a strong master passphrase for the vault, let it generate the rest of your passwords as unique, long (12+ character) random junk, and stop trying to memorize them (with the exception of your primary email account, that gets a memorized passphrase).

Ya, I actually run both uBlock Origin and NoScript in my browser on my phone and personal machine (desktop). On my work laptop, those are a no-go. So, I get the full ads experience on my work machine when traveling.

I run Pi-Hole in a docker container on my server. I never saw the point in having a dedicated bit of hardware for it.
That said, I don’t understand how people use the internet without one. The times I have had to travel for work, trying to do anything on the internet reminded me of the bad old days of the '90s with pop-ups and flashing banners enticing me to punch the monkey. It’s just sad to see one of the greatest communications platforms we have ever created reduced to a fire-hose of ads.

Every time I hear about these anti-vax idiots, I immediately think of a family friend who was ever so unlucky to get Polio before the vaccine for it got to her community. She spent time in an iron lung, but “survived”. And by survive, I mean she lived but basically lost the use of her left arm, has trouble walking, has no depth perception and has been dependent on others he whole life. She has survived into her late 70’s now, but she’s well aware that post-polio syndrome could crop up at any minute and take her out. But ya, let’s believe some junk science on how bad vaccines are. Fuck RFK and fuck every one of these assholes who want to kill children to satisfy their egos.